
Archived news and comment from 2019.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2019, not all links may work.

Comment: 2019/12/31 - New year honours failure.
The Cabinet Office has referred itself to the Information Commissioner's Office after a version of the New Year Honours list containing the home and business addresses of the recipients was made available on-line for about an hour.

Comment: 2019/12/24 - Merry Christmas....
It's been a crazy twelve months, but here in the security cartshed, consensus suggests the next twelve will re-write the scale.

Have a Merry Christmas and a Happy New Year!

Comment: 2019/11/22 - We say it a lot round here....
Some things are too important....

Comment: 2019/11/20 - The month that Blade Runner is no longer set in the future.
It appears that today is the day that Deckard first meets Rachel.

Comment: 2019/07/26 - Marcus Hutchins set free.
It's a fairly storybook ending for MalwareTech.

Comment: 2019/07/19 - Rutger Hauer, 1944 to 2019.
Who could fail to be moved by the cold-natured killer who found his humanity and soul, portrayed by Rutger Hauer in Blade Runner? (A film so epic that this company is named in tribute to it.)

I also remember, as a young lad, being utterly terrified by The Hitcher, a film credited with killing off hitching in the States. Yet again, Ladyhawke had a role to play in another of my life events.

He was possibly one of the most typecast actors of the modern generation, but he understood, more than many, that it was just storytelling.

Comment: 2019/07/09 - Record breaking fine for BA.
With the record-breaking fine imposed on British Airways by the ICO, even as an advocate for privacy, are we at the stage where we need to question the role of the ICO?

I used to say that we would never see zero-day vulnerabilities being exploited. I was wrong. We're also seeing the commoditisation of bespoke attacks, malware-as-a-service and numerous other criminal services for hire as the dark web proliferates.

We are seeing ever more sophisticated attacks, and with those attacks we, as security professionals, have to respond in an attempt to stay one step ahead. Part of accepted convention is to build technology with one eye on the view that, at some point, it will be compromised. No amount of security controls can entirely protect against the levels of complexity present in most technology deployments these days.

The last resort is to encrypt the data at rest and manage the access keys properly. It means that even if the data is stolen, by the time the encryption is brute forced, most of the people whose data has been compromised will be dead. Indeed, it's highly likely their children will be dead too. It's the ultimate security control: render the data unusable to the enemy until it's worthless.

Assuming that BA didn't do anything monumentally stupid (and from what I've heard, they didn't), and only the blob of encrypted data was stolen, then they've largely protected the identities and financial details of their customers as a last resort.

What purpose does the fine serve, except to convince security professionals and engineers that good engineering isn't cost-effective? It's better to put no effort into building the system by doing the minimum possible and sandbag for the fine.

That doesn't encourage secure systems and cripples technology up-take and innovation.

News: 2019/07/08 - The Institute of Information Security Professionals gains Royal Charter.
The Institute gets a name change to The Chartered Institute of Information Security as it gains Royal Charter status.

Comment: 2019/06/06 - The 75th Anniversary of Operation Neptune (D-Day).
We shall never forget the acts of bravery by ordinary men and women....

Comment: 2019/05/30 - Who watches the watchmen?
BladeSec IA's Professionalism and Integrity Policy is pretty clear on a few things. We have very high expectations for our staff. We know that the level of intrusion they endure undergoing clearance, and the extensive hours they work, interfere with their personal lives significantly.

The converse of that is, however, we will provide the utmost support to look after them as they go through "life events" that are nothing to do with work.

One member of staff has had their identity abused massively by an organisation. That same organisation has shown a monumental disregard in addressing the issue. To that end we stepped in and now MacRoberts are representing the interests of that individual.

It is clear, however, that the ICO appears to be the most badly prepared organisation in the UK in terms of GDPR. As part of the support provided to the individual, we need the ICO to fulfil their role to uphold... data privacy for individuals (their words).

A complaint was submitted to the ICO on 22nd February and, at the time of writing, it has still not been allocated to a case officer. To put this into perspective, this is the second complaint made against this particular organisation, as they had failed to fulfil appropriate remediation for the previous complaint. The ICO states that it expects to be able to allocate it to a case officer in four weeks, "at the earliest".

It does raise the interesting issue of who is liable if the organisation has deleted the information being sought as part of a normal document retention policy or other proper data governance activity?

Frankly, this clearly suggests to me that the ICO were massively unprepared for the impact GDPR would have, and it's wholly unacceptable. Perhaps they should stick to priorities within their defined legal framework.
--
The above comment represents the personal views of a director of BladeSec IA Services, Ltd., and not the views of the organisation itself.

News: 2019/05/22 - Now serving HTTPS.
The eagle-eyed readers of this website will notice that we've got a redirection in place, enforcing web delivery over HTTPS.

It's taken us a long time to do it as there was simply no reason for it. We don't host any sensitive material, provide any e-commerce solutions, authentication or other activity that would warrant HTTPS. In the end, we thought we would - simply so that Chrome and Firefox would stop saying, "This site is insecure". It's not, but it is a poor choice of words by Google and Mozilla.

So we've gone the whole hog and opted for a validated GeoTrust True BusinessID certificate. It's a slightly odd blurring between the logical and physical worlds, as they will only issue the certificate after they've validated a few real-world facts such as phone number, address and contact details.

We hope you enjoy the TLS-encrypted goodness!

Comment: 2019/05/20 - Niki Lauda, 1949 to 2019.
In the day of modern Formula 1, it's only fitting that we take a while to reflect on the Austrian racing driver Niki Lauda and his bravery, honour, ability and knowledge.

News: 2019/05/10 - ScotlandIS Digital Technology Award.
Last night, BJSS and Disclosure Scotland won the Innovation in the Public Sector award.

For over eleven years, BladeSec IA Director, Owen Birnie has been the Lead Accreditor at Disclosure Scotland, and held responsibility for signing off the security of the Transformation Programme. Whilst he is very aware that he is a single cog in a very complex machine, he's also aware that DS held onto the coat tails of many clever people at AWS, the Home Office and NCSC.

And to top it all, Owen had a previous engagement in London with friends from the intelligence and security community when the news came in. Sadly, the Munich Cricket Club was too busy, and the Chinese Buffet no longer served a buffet. Whilst they were scenes of interesting historical events to the group, a small libation was consumed at The Red Lion in Whitehall in celebration.

Comment: 2019/05/02 - Peter Mayhew, 1944 to 2019.
People know what effect Star Wars had on the young Owen. It's only fitting that we take a moment to remember the man who gave Chewbacca his warmth and humanity.

Comment: 2019/04/27 - Second hand hard drives.
It's been a while since I saw a report concerned with the recovery of data from second hand computer storage media. Blancco are reporting that individuals still don't know how to protect material on second hand computer equipment.

They assert that from 159 hard drives purchased from an on-line auction site, 67 devices had material that was easily discoverable to anybody with basic IT skills. The interesting part of the investigation was that as part of the purchasing process, Blancco claimed that each seller asserted that the device had been blanked properly.

Most alarming is the material that Blancco say they recovered....

People need to be aware of Darik's Boot and Nuke which is free for personal use.

Comment: 2019/04/26 - CyberUK.
In the face of the alleged leak of material from the National Security Council, staff from BladeSec IA attended CyberUK where the FIVE EYES were meeting in public in the UK for the first time.

As with all these types of events, it's catching up with old friends that makes them. At the other end of the scale, was the fact that many of the streams were too busy even for "standing room only" with poorly laid out rooms.

Perhaps more interesting was the security incident that one of our Directors noticed, which several hundred people missed and were affected by!

Comment: 2019/04/15 - Notre-Dame de Paris.
Before I knew Paris, I knew Notre-Dame. I remember watching a very old version of "The Hunchback of Notre-Dame" with my father. It was a rainy Sunday afternoon in Stornoway.

Even as a child, I was struck by the scale and beauty of "the old lady of Paris". I'm not religious, but the images of the fire sadden me. I knew Notre-Dame only slightly, and I can't imagine what the fire means to the people who live and work there.

Comment: 2019/04/11 - Julian Assange removed from Ecuadorian Embassy.
Mr. Assange is a polarising character and we're not going to go into the intricacies of that. There cannot be a single individual involved in government or criminal justice who won't be interested in what's to come.

Comment: 2019/03/16 - New Zealand terrorist attack.
To our friends in New Zealand... we are not afraid....

Comment: 2019/01/14 - Credit Reference Agencies.
I have to confess that they bother me. They hold data on you, largely collected without your permission, and are under no obligation to keep that data accurate and up-to-date.

No doubt they would argue to the contrary, but my own circumstances do not align with that. Also, the fact that they then charge people to monitor the accuracy of their own data by selling "identity theft protection" is not lost on me.

I had to laugh. I had clearly booked a Starwood Hotel many, many years ago. They told me that they'd lost a big chunk of fairly important data and were still able to e-mail to tell me this. I reckon that I've had about two dozen credit and debit cards in the time since I made that booking. Some will have been new, and some will be reissues.

However, those nice people at Marriott have paid for some form of identity theft protection for a year, so I clicked the button to sign up. And then I realised that they were going to take the data I gave them to confirm my identity and ship it outside the EU. I mean, really? I appreciate that it doesn't make something bad, but it does erode your confidence in something you have no confidence in anyway.

News: 2019/01/11 - Network failure - Resolved.
Everything's back up and working normally, and first impressions are that nobody noticed our outage at all. Wish we could say the same for the two who were working in the shed. Their desire for rock had to be fulfilled by MP3s rather than Planet Rock.

News: 2019/01/10 - Network failure.
The DSL here in the Security Cart Shed has gone down and we're currently operating on backup connectivity. Everything appears to be working well, but we're monitoring the situation. No ETA for a fix as yet.

Comment: 2019/01/01 - Happy New Year!
I confess that I was away when the clock ticked over into 2019, so I'm writing this slightly late. Whilst this marks the point at which BladeSec IA would celebrate its seventh anniversary, this year will be different.

I'm honoured and humbled to be on the Isle of Lewis, sharing it with the 100th anniversary of the Iolaire Disaster. For that reason, we're not going to take our usual tongue-in-cheek look back at the year.

Some things are more important.
