Archived news and comment from 2020.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2020, not all links may work.
Comment: 2020/12/24 - Merry Christmas.
It has been a very difficult year for many, so it seems flippant to wish you all a Merry Christmas. All I will say is that even now, there is cause for hope. Undoubtedly, it has caused many to re-evaluate what is important; a cultural reset if you like. It has also highlighted that the peoples of the world are not the masters of Mother Nature. Here we are in the 21st century, and all we could do was retrench to our caves whilst being told to wash our hands, like some naughty child.
On the other hand, it is technology that has given us some cause for hope on the vaccine front. I have long maintained that when you give brilliant people the resources to do amazing things, the sky is the limit. The difficulty is identifying those brilliant people - and they are rarer than many would have you believe.
I do know that where we are now would be far, far worse if it was not for the folk who went the extra mile over the last nine months. It's easy to point to the healthcare staff, the social care staff, the shop staff and the delivery workers. They all finally got the recognition that they long deserved, but it has also been my privilege to work with some brilliant people over the last year. I hope that I've given them some small help or resource that would permit them to aim that little higher.
I won't wish you a Merry Christmas, but I will make you a promise; see you on the other side....
Comment: 2020/12/18 - Jeremy Bulloch, 1945 to 2020.
Following very quickly on from the death of Mr Prowse, the chap who gave Boba Fett, the bounty hunter in The Empire Strikes Back, his physicality, died yesterday. When Empire was released in 1980, Boba Fett was perhaps only a fleeting, background character who became more important, albeit briefly, in The Return of the Jedi.
I met Mr Bulloch very briefly when he was filming where I used to work. I don't remember particularly what it was that was being filmed there (there were rather a lot) but he was bemused by the fact that I knew who he was from his name alone. At the time, Star Wars had yet to become revitalised, and Boba Fett was still a very obscure character with a mask that meant that Mr Bulloch was granted anonymity with fame.
Comment: 2020/12/16 - Sideband attacks when there is no in-band option.
This feels like something that certain factions will have known about for some time - and probably exploited. And now it's public knowledge. To me, this highlights a few things:-
- Firstly, no matter what you do to keep things secret, they will eventually become known about; and
- Secondly, the simplest of systems are the most secure. The more complex you make something, the more likely it is that it will contain a "feature" that can be used against it.
Disclosures like this mean that many people in the security industry will have a sleepless Christmas.
Is it worth pointing out that underlying cloud infrastructure is incredibly complex? Containerisation, virtualisation and other abstraction also adds more complexity. Will this see a return to "Apollo Science", where the US Space Programme used old, established, less complex technology to send man into space?
Comment: 2020/12/13 - SolarWinds Network Management compromise.
This looks and feels very, very bad. How many organisations use SolarWinds to manage their internal networks? Given that it was an industry leader, I'd suggest many hundreds of thousands, possibly millions. And some of those are bound to be very interesting to foreign intelligence and criminals.
Comment: 2020/12/09 - FireEye hack.
Late last night we started getting reports that FireEye had been hacked.
One presumes that the tools that were stolen were the same tools that FireEye uses to secure their own network, or is this a case of do as we say, not as we do? Hard lessons aside, this does clearly demonstrate that if an organisation as respected as FireEye is vulnerable, then 99.999% of all other organisations are immediately vulnerable too. Regardless of what FireEye say, we're seeing increasing commoditisation of the type of attacks used against them. Hence, it's a matter of when, not if - and the regulatory authorities need to recognise that a compromise does not immediately make the organisation bad. How they react, their transparency, their training, their culture and how their technology was architected all have a role to play in exactly how negligent an organisation may have been.
Don't have nightmares!
Comment: 2020/11/29 - Dave Prowse, 1935 to 2020.
It says much about Mr Prowse's character that he remained most proud of his role as the Green Cross Code man. Who can know how many young lives he saved. Yet he is revered most for his part in giving Darth Vader the physical stature that terrified those same youngsters.
As one of those youngsters, my single concession to fame was to go and meet Darth Vader when he appeared at a local toy shop. I'll never know if it was really Mr Prowse, but I'd like to think so.
Comment: 2020/11/14 - Not your computer.
Reading between the lines, this appears to be something to do with application reputation management called Gatekeeper. Whilst the intention is commendable, it is worrying that so many people did not know their Apple Macs did it and there does not appear to be a mechanism to opt out. That means that your expensive device, that you bought and you thought you owned will only run software that its manufacturer approves of.
Comment: 2020/11/06 - COVID compatibility.
So the UK's various CV19 mobile apps are now compatible. The various devolved governments solved a problem that they would never have had to solve had they supported the development of the one that had scrutiny and oversight from NCSC.
Comment: 2020/11/03 - Terrorist attack in Vienna.
To our friends in Vienna.... we are not afraid.
Comment: 2020/10/17 - ICO fine British Airways.
So the ICO fined BA £20 million. It is considerably less than the £183.39 million that the ICO said they were going to fine BA.
Comment: 2020/10/12 - ICO Consultation.
The ICO appear to be making a big deal about fining a couple of firms. Ignoring the fact that somebody in authority should be asking questions over the ICO's methods of investigation, it strikes me that they really are only going after low-hanging fruit amid increased abuses of personal data under the pretence of track and trace. CV19 is not an excuse.
Despite this, the ICO has issued a consultation on its draft Statutory role. It is interesting that it's only the Statutory portion of the ICO's work and not the Regulatory part, which currently remains under review.
We, the people, ...
Comment: 2020/10/02 - Somebody is obviously reading this....
And there it is. There is also an official page saying much the same thing.
Comment: 2020/09/28 - Windows on Linux.
Wow..... It makes the mind focus on the potential of this.
Comment: 2020/09/26 - We, the people,...
... demand that our information is protected adequately by an organisation that will enforce the law to the fullest extent possible. CV19 is not an excuse.
Comment: 2020/09/24 - More on the NHS COVID-19 application.
So it's been released and there are some very high level notes available as well as an updated "explainer".
The interesting thing from my perspective is that this one is specifically only intended for use in England and Wales. As far as I can see, this is the first mention that there has been of this. Given that we are all one country, I would have expected more compatibility with the Scottish application. If you live in the Scottish Borders, or regularly travel to England for work, should you download and install both applications? Are they even compatible in that respect?
I think the bit that I am most disappointed about is the extensive analysis that has gone into the NHS COVID-19 application. It may initially have caused an entire U-turn, but at least that analysis was done. Where's the equivalent for users of the Scottish variation? Instead, it appears that we poor Scots are expected to install it because it's almost the same as the one that has already been launched in Ireland.
That approach is not good enough.
Comment: 2020/09/21 - Patient dies in German ransomware attack.
This is why BladeSec IA are "security consultants" and not "cyber security consultants". Security has to be holistic and include business continuity, backup, audit and physical measures as well as cyber elements too.
Comment: 2020/09/16 - the wine, the bread and the seed.
I am very proud to say that my son, Jack, was not only awarded a first class honours degree in popular music, but he won an award for music production and will shortly be working with a Glasgow band as a result. That came in the face of much of his university work being shut down because of the coronavirus. Even before that, however, just before the stay-at-home order was enacted, he won a scholarship to the Popakademie at Mannheim in Germany. When I look back, I struggle to believe that it was 2013 that gave us an inkling that there might be something special there when he and his friends won The Perthshire Battle of the Bands in April despite being the youngest entrants.
If you are interested, you can support a young singer / songwriter and musician by buying his first ever solo album.
News: 2020/09/14 - Safer Travel 2020 Issue 1.
BladeSec IA are delighted (and more than slightly relieved) to announce the release of the first issue of the 2020 edition of Safer Travel. It has been a herculean effort to get to this point. The guide is now well over 130 pages, and covers a multitude of activities including specific advice on travelling outside the UK. The chapters cover topics including:-
- Preparation - Including dealing with your mortality. What travel documentation you need and what you should do with it.
- Baggage - Choosing and identifying luggage. How to pack and managing the security of your baggage.
- Technology - Passwords and authentication. Travelling with laptops and other mobile devices. Accessing the internet when travelling.
- Car travel - Driving and vehicle requirements. Route planning. Driving tips to stay safe. Common pitfalls when hiring a car.
- Public transport - Including planning and security considerations.
- Taxi and mini-cab travel - Including the safest way to get one.
- Flying - Covers everything from planning, travel to the airport, screening, the flight and onward travel.
- Hotels - How to choose a hotel. The physical security of your room. Fire safety and covert devices (not really).
- Exploring a destination - Includes hints on keeping your bearings, your appearance and the three rules for staying safe.
- Terrorism - Dealing with firearms attacks, vehicle attacks, explosive devices and communications.
- Foreign travel - More information on travel documentation. Where to start for planning and researching a trip. Taking technology to high-threat jurisdictions and what to do if you are arrested.
- Moscow Rules - A bit of fun (or is it?)
Please see the Travel Advice page for further information on obtaining a copy.
At risk notice: 2020/09/07 - Reminder: Notice of power supply interruption.
The planned interruption to the power supply for the security cart shed starts at approximately 11:30 today for approximately four hours. We are anticipating no impact on any service delivery.
At risk notice: 2020/09/01 - Notice of power supply interruption.
We have been informed that the power supply to the security cart shed will be interrupted for approximately four hours on Monday the 7th of September starting at about 11:30. We'll fire up the business continuity plan for this, so customers should be completely unaware.
Comment: 2020/08/31 - Safer Travel 2020 - Update.
We're almost there. If you are interested, we hit a few snags:-
- Firstly, we discovered that one contributor's submission had been entirely missed. This negated an entire legibility walk-through.
- Then we decided that chapter 10, Exploring a destination, failed entirely on the logic front.
- And then we noticed that there was material that was hinted at in chapter 5, Driving, but that needed expanding on.
So it's largely there, but just needs one final walk-through.
Watch this space.
Comment: 2020/08/20 - The failure of the examinations algorithm.
As usual, I have a slightly different opinion: When you have relied on one mechanism for assessing candidates for years (using the traditional examination structure), you build an acceptance of that process - no matter how unfair or unreasonable it might be. Broadly, it is beyond contestation.
When you suddenly decide to stop assessing candidates that way (for whatever reason), the new process may as well be witchcraft or a dozen trained monkeys rolling dice. At that point, it makes no difference how accurate the results may have been, the fact that the mechanism used to derive them has changed in a largely uncontrolled manner, means the process is incomparable, unaccountable and indefensible. The fact that both the Scottish and UK Governments U-turned on their results exacerbates the problem. This approach guaranteed that there were never going to be any winners - including the future employers of those young people.
The other thing that we seem to have forgotten is the small print in every financial investment: "Evidence of past performance is not an indication of future performance". If it was, every financial investor would be a multimillionaire. Yet, these are broadly the same algorithms that were used to model the results for every young person who should have sat an exam earlier this year.
Fundamentally, society has failed every single one of them.
As an aside, most readers will be aware of my dislike for credit reference agencies. What has been clear to me over the years is that a significant contributor to my individual credit-worthiness is the area where I live. Moving between two destinations an hour apart saw my credit score diminish by almost 100 points (and being honest, it's never entirely recovered). I wonder if I could get credit reference agencies to address the failings of applying general views to specific circumstances based on where I live - just like the poor students. Somehow I think not. And that too is a valuable lesson: Sometimes life just is not fair.
Comment: 2020/08/13 - The return of the NHSX Track and Trace application.
Following a fairly leisurely trip to the north-east of Scotland, I had planned on making a few observations on the voluntary track and trace mechanism that is being implemented by various places. Then I see that version two (or is it three) of the NHSX track and trace application has been released. I still think that the openness is to be welcomed and I hope that it will resolve what I consider to be a monumental flaw with the track and trace system as it has been implemented.
Firstly, I think it's important to highlight that the UK has had the concept of a notifiable disease since the late 19th century. There is long-established statute in place to accommodate the notion of track and trace. So in essence, I'm not arguing with the concept. I'm ready and willing to give up a piece of my privacy for the greater good.
Instead, the flaws are reduced to (unsurprisingly) technological, economic and moronic issues:-
- During our trip, I was asked to "check-in" to a location in rural Scotland. Not a problem. Happy to. Except there was no mobile coverage inside the coffee shop. This could have forced me to face the issue that I highlighted at the end of last month but instead, there was no WiFi available. I promised the owner that I would do it later. As it was the first time I had ever been asked to "check-in", I had assumed that it would log a date and a time, possibly asking if I wanted to confirm the details. As it was, I forgot until I was in bed that night. I ended up checking into a closed coffee shop in Carrbridge at 23:05.
- At one up-market cafe, the "checking-in" was by means of a physical "guest-book". There were two issues with that. Firstly, the pen was used by everybody signing in; and secondly, it had a box to tick if you wanted to receive their newsletter. This remains the only place that I have seen that turned the voluntary activity to reduce infections into a marketing ploy. Stuff like that undermines the trust that Dr Levy is trying to build.
- And this brings me onto what I consider to be the most monumental oversight: Places get you to "check-in", but not "check-out". This suggests that track and trace is profiling visitors to determine who may have had contact with a potential carrier, which means that some contacts will be missed. (And by profiling, I mean that they will derive some incorrect statistical maths to assert that each visitor spends an average of one hour, thirty-four minutes in their particular establishment and that it is this that is used to derive a potential infection transfer from. You won't be contacted if the positive case came in two hours after you arrived even though you were actually still there.) If, on the other hand, they're not using incorrect maths, and they're just going to contact everybody that's been in an establishment in a single day, that too is significantly flawed. It will massively increase the reported infection rate, whilst missing other potential contacts. None of this makes any sense and suggests that the folk who are behind it are not familiar with the rice and chessboard problem, where an exponentially growing factor will have a significant negative result. In this case, I would argue that it's being able to trace individuals that are likely to be infected, not everybody. Everybody simply won't work.
On the other hand, I've heard rumours that the Scottish Government is developing its own track and trace application with a tartan stripe up the side. I mean.... really? Are we so anti-UK that this is deemed necessary and a valid use of tax-payers' money? Expect more blunt sarcasm if it's ever released....
Comment: 2020/08/10 - Nvidia and ARM.
Interesting and thought provoking viewpoint regarding Nvidia's courtship of ARM. Interestingly, I heard something similar being cited for BlackBerry's OS10 being of significant importance to the Canadian Government.
Comment: 2020/08/07 - Flaw in Qualcomm chip undermines billions of Android phones.
You know when it's DEFCON as there's normally a rush of flaw disclosures as security researchers vie with each other to find the most interesting vulnerabilities. It seems that this one could take the award.
Comment: 2020/08/01 - BladeSec IA website.
It's been a long time coming, but there have been a large number of significant changes made to the BladeSec IA website to reflect the way that we work and what that work consists of. We recognised for the best part of four years that we're too small to do everything and we work better as a team. The composition of that team, and what we have been doing just might be slightly different to what you've come to expect. Take a look at typical work and stick with us whilst we iron out the glitches, and get the language to flow better.
You'll also note that we've taken down the link to the 2018 version of Domestic Travel Advice. Safer Travel (as the replacement is now being called due to a last minute change) is not quite ready, but should be available by the end of August. See Travel Advice for further information. As we hinted in the last update, we're having to make a number of changes, but we are trying to make the best of it.
Comment: 2020/07/28 - Public houses and contact tracing.
I was watching what passes for local news last night and a publican in Edinburgh was being interviewed. The camera watched as he greeted some customers and said, "Just log onto the wifi and enter your name and address". This worries me. We saw contact-tracing being weaponised by criminals even before official tracing started. In our experience, most folk simply do not understand the risks of using public wireless networks. Undoubtedly, this approach is convenient for the publican, but if you mandate that people have to use it to enter their details on your form (and hence have a drink), criminals will simply go after that as the lowest hanging fruit. They might wait until you connect to the wireless network and scan your device (and everybody else's) for vulnerabilities. It might even be simpler than that - they might just go after the database of contact details so that they can inform them that they have been in contact with an individual with C19 and they need to pay to have a test. The criminals would know where and when the victims were at the pub adding an almost undeniable degree of authenticity. Even after you have disconnected from the wireless network, unless you delete the network association, you would still be susceptible to using a cloned-hotspot to attack your device. This might be made worse by you being a wee bit worse-for-wear and not noticing suspicious behaviour.
Comment: 2020/07/21 - More on the Twitter compromise.
Bruce Schneier is well known for applying a degree of common sense and privacy focussed argument to technology. I may not always agree with him, but his opinions are always worth listening to. I have to say that his recent post on the Twitter compromise makes for very interesting reading especially in light of the recent Intelligence and Security Committee report on Russia. Whilst the press is full of speculation on what the full, unredacted report may contain, I am more curious as to what form the Russian interference took and as far as I can see, it was mostly limited to trolling on social media. To my mind, that does not exactly make it a top division cyber threat actor.
Comment: 2020/07/16 - Privacy Shield and facemasks.
Whilst the two are unrelated, they both arrived in the news today:-
Firstly, the replacement for Safe Harbour, Privacy Shield is also dead in the water. The simplistic argument was that once your data is in the US, no EU citizen can legally enforce the controls designed to protect their data protection rights. The implications are extensive.
Secondly, buried in the BlueLeaks enclave of US law enforcement data is a Homeland Security Intelligence Note dated May 22 expressing concern that facemasks worn for medical purposes are impacting on their ability to monitor public spaces.
Comment: 2020/07/15 - Extensive Twitter compromise.
Twitter appears to have suffered a substantial compromise. Now imagine it had been more subtle rather than a "get-rich-quick" scheme with one famous person backing an unsavoury cultural position every few days. It does beg the question why the attackers went all in. I'm guessing they obviously felt that they were going to be discovered quickly.
Comment: 2020/07/14 - Patch Windows Server now!
The best intelligence that we have suggests this is being actively exploited as I type.
Comment: 2020/07/02 - Euro police infiltrate an encrypted phone network.
This is interesting for a number of reasons. Firstly, it shows that when they need to, the good guys can think and act like bad guys in order to compromise something of interest. Before they went after EncroChat there were the usual legal checks and balances, judicial approval and warrants issued as part of Eurojust. Equally, having been led by the French and then the Netherlands, the case was subject to close scrutiny by their respective judicial systems. This all serves to highlight that government and law enforcement do not need to weaken encryption or insert a back door into a device in order to access it. It does therefore make a mockery of any request by the authorities to do just that.
The other aspect that I find interesting is the NCA states that every user of EncroChat was a criminal (I admit that I'm paraphrasing, but you can see the original source highlighted in the previous link). There appears no public information to support that view and I do find it hard to believe. Even the official release from Europol states, "widespread use". What is clear is that covert, encrypted comms is of legitimate interest to a number of legal users such as political campaigners, those in the legal profession, some journalists and those in the security profession. However, in a possible contradiction, I note that the EncroChat service has been shut down. There could be a couple of reasons for that. Firstly, the business was no longer viable having lost so many users as part of the widespread arrests. Alternatively, it could simply be down to the fact that they were unaware of the scrutiny they were under by the authorities since 2017. At that point, their unique selling point seems to be in tatters.
Finally, there does appear to be another anomaly. The NCA state, "[they] created the technology and specialist data exploitation capabilities required...". They don't even get a look-in on the Europol statement and the UK seems to be highlighted as a passive benefactor. The Eurojust statement highlights that the UK may have attended two meetings of the five arranged. It's good to know that even the good guys conduct their own FUD.
Comment: 2020/06/19 - The NHSX COVID-19 tracking application.
So there's been a bit of a u-turn on the deployment of the UK's COVID-19 track and trace application. Whilst the press has been quick to point out the weaknesses, this still strikes me as a socio-cultural issue rather than anything else. Over the years, I have learned that sometimes it is important to be seen to be doing something. It doesn't really matter what you do. It's a form of theatre.
News: 2020/06/11 - Guide for Safer Travel 2020 Issue 1.
The first issue of the 2020 edition of the guide that was called Domestic Travel Advice is in draft. You'll note that it's been renamed to Guide for Safer Travel. There are a few reasons for that:-
- Firstly, the 2020 edition is breaking down barriers and going international. Yes. For the first time, this guide can be applied, and gives starting points for researching travel, beyond the UK seaboard.
- Secondly, the 2020 edition has grown massively. The draft is sitting at about 100 pages already. It's written less as a technical manual and more as a "self-help" guide.
- And finally, its companion volume, Travel OpSec, which we have never been able to distribute before, is now very thin as a huge amount has been transferred into Guide for Safer Travel 2020.
And that last point is also really the only downside that we envisage. Our position right now appears to be that we will only be able to issue copies of the guide to named individuals, possibly embedding their name as a watermark into the document. However, we will strive to make this as simple as possible.
We don't know when we'll get the draft approved by the stake-holders, so watch this page for more news!
Comment: 2020/06/02 - Security round-up.
It's been a busy few days on the security front:-
- In an interesting development, setting a particular wallpaper on any Android phone sends it into a permanent reboot loop.
- Research from OneLogin suggests that staff working from home during the current C19 situation are displaying a complete lack of diligence when it comes to using corporate devices for personal use.
- A security researcher discovered how to pretend to be anybody when you "Sign in with Apple". He received $100,000 for his efforts and responsible disclosure.
- This study discovered that most people don't change their passwords after a security breach. I confess that I'm guilty of that following the recent EasyJet breach. I haven't used the account in years (since EasyJet literally abandoned my family on the return leg of a family funeral). Hackers are welcome to my password and can knock themselves out on my EasyJet account. The password was a one-off and there's nothing useful there!
- As I write this, we're getting reports that criminals are already phoning people to say that they have been in contact with an individual with the COVID-19 virus. Oh dear....
Comment: 2020/05/31 - Black Lives Matter....
Comment: 2020/05/26 - iPhone and eBay problems.
This was very widely reported over the last few days. I even recall noting that it was picked up by the mainstream press. It seemed reasonable given the security concerns. Now, as I try to find journalistic views, I can't find them. Not even in The Register. And that seems most peculiar.
In the last few days, we've been getting reports that eBay is port scanning Windows web browsers that fetch their site. Whilst I can see there being some reasons for doing it, it does strike me as a step too far. I would go so far as to suggest that it's actually quite a sticky legal situation. The fact that a website scans a device used to access it, without consent, is a Section 1 Computer Misuse Act offence in my opinion.
Comment: 2020/05/20 - Tracking the should-be untraceables.
Bellingcat has a report highlighting how to track down individuals associated with supposedly secure locations. It is broadly similar to the Strava heatmap flaw of a few years ago in so much as it's about associating innocuous information from one source with some more innocuous information from another source (and possibly several others) until you can cut the data to reveal information that, perhaps, should remain private.
To my mind, it highlights two things:-
Firstly, it's another clear example where individuals have "slept-walked" into being privacy illiterate. Checking-in and sharing every aspect of an individual's life have become so ubiquitous, it no longer attracts the critical thought that it should. Alternatively, as we have seen some social media companies do, the privacy controls available to an individual may have been so complicated, that they just could not be bothered. This is now only the start of the problem.
Secondly, it shows how easy it is to associate information from a variety of sources in complex ways that allow you to infer information that a few years ago, you simply couldn't. Even if you understand the privacy of the technology, when it's combined with other datasets, it becomes a complex minefield, outside the governance of any one corporation.
I'd suggest that the war has been lost... In the future, everybody will want privacy for 15 minutes.
Yet another reason why we avoid EasyJet if at all possible.
Comment: 2020/05/19 - NHSX contact tracing update.
In another unprecedented attempt to get people to trust the government, Dr Levy has addressed some of the truths and falsehoods regarding the NHSX C19 contact tracing application. Regardless of whatever you think, this approach is to be commended.
Comment: 2020/05/18 - Some short updates.
Some small snippets of security news:-
- As we predicted. Even the "experts" can't get it right.
- This is quite funny.
- I have to claim a vested interest in this. What The Register has highlighted is another piece in a puzzle that started when I first joined the RAF Kinloss Small-Bore Pistol Shooting Club when I was about 16 or 17 years old.
- Despite the very similar name, this is nothing to do with us!
Comment: 2020/05/16 - Abuse of supercomputers.
It appears that a number of supercomputers throughout Europe are now mining cryptocurrency.
Comment: 2020/05/08 - 75th Anniversary of the Victory in Europe Day (VE75).
Today marks the 75th anniversary of the end of World War II in Europe. It is being held amidst the unusual circumstances of the current stay-at-home order. Having worked with many brave men and women from the military and security services over the years, I confess that VE75 puts a particular personal, and undoubtedly unpopular, perspective on the current situation for me.
Just like in March 2020, in 1939 the world changed. To me, that's where the similarity ends. During that spring, the deteriorating international situation forced the British government to consider preparations for a potential war against Nazi Germany. The ensuing limited conscription saw 240,000 single men between the ages of 20 and 22 registered for service. By the declaration of war in September, conscription was expanded to all men between the ages of 18 and 41. Two years later, it was expanded again to include single women and childless widows between the ages of 20 and 30. Men would now undertake some form of National Service until 60.
By the end of World War II (and not VE day), 383,700 British military casualties had been registered with a further 376,239 British wounded.
Right now, the world needs us to stay at home and not go out.
I am very fortunate to have many German friends and on a personal level, it's difficult not to reflect upon the effects of WWII on them and their families. Many mothers, fathers, brothers, sisters, sons and daughters were killed on all sides. That's why items such as this (and my own family too), that provide a personal record are so important - for everybody. It humanises the sacrifices made on a personal level so that we remember why never again....
Comment: 2020/05/06 - It might be important to somebody in the future....
More years ago than I care to remember, I went out one Sunday morning on a friend's small ship. We pulled into Findochty harbour and whilst were waiting for the pub to open we walked around the harbour. To our delight, we found a gorgeous 42' motor yacht called Revlis. She was glorious - all dark wood, chrome and brass. And she was for sale.
To cut a long story short, my friend's boss ended up buying her. My family and I had the chance to go out on her a couple of times. Life was pretty good being at sea in such a historical, magnificent little ship, drinking gin and tonic and eating bacon rolls.
In speaking to my Mother, it then turns out that she had an uncle that worked at the James Silver shipyard in Rosneath on the Clyde where Revlis was built. Indeed, it's highly likely that he would have fitted the deck as a carpenter. Ironically, my friend and I both agreed that we didn't like the name, Revlis - until somebody pointed out that it was silver backwards. It was the flagship of the shipyard.
Over the years, I lost contact with my friend (and his boss). I believe Revlis was sold shortly after our last trip out on her. I kept an eye out, but she never turned up.
Leap forward to last Thursday night. My wife and I were watching the 2017 version of Dunkirk. Needless to say, it features a "little ship" called Moonstone. Frau B and I are both sitting there and then finally, I say, "that could be Revlis". We both agree and we both start digging.
I conclude that the boat was simply very similar. James Silver and Company produced a huge number of boats, often named after stones, with the executive class being "Silver Leaf" and having "silver" in the name.
My wife on the other hand found this. The following day, I found this.
I guess I found Revlis....
Comment: 2020/05/05 - The NHSX contact tracing application.
In what appears to be an unprecedented attempt to allay the fears of the privacy literate, Dr Levy of NCSC has written up his views in a fairly substantial blog. There is a more technical paper available from here.
Despite being asked repeatedly, I don't think that it's appropriate to provide any commentary at the minute, for a reason that I'll expand on in a moment. Everything that relates to security and privacy is a trade-off, and my circumstances and opinions are not yours. I will volunteer that NHSX have done a very good job of addressing many of the issues. It will tell another story if the government (UK or Scottish, Welsh or Northern Irish) makes installation of the application a condition of being released from quarantine.
And that's the thing. Dr Levy is intimately familiar with the development of the application. As I type this, I'm watching my mailbox fill with opinion of fellow security professionals. Broadly, they are all in agreement that they will install the application. What is clear, however, is that some of the statements they are making are incorrect or they are drawing conclusions on aspects that are not specifically drawn out by Dr Levy. Hence, I'm not going to muddy the waters by adding my views on the matter. The current circumstances are unprecedented and people need to take responsibility for their own actions and safety.
That said, I'm delighted that Dr Levy has been this open about the application and the way that it works. He clearly recognises that people need encouragement to trust the government and this is a valid mechanism to do that. I presume it's a perception of personal benefit that means that people are willing to share far more information with social media companies than the democratically elected government. For that reason, whilst I can advocate one way or the other for installing the application, it's a technological answer to a cultural problem. There are limited individual benefits to installing the application. Society, on the other hand, almost certainly will benefit.
To that end, I would strongly advocate that you need to make up your own mind based on your own circumstances and altruism. If you cannot form your own opinion, then I would advise you to install the application. What could possibly go wrong?
Comment: 2020/04/29 - Crime and COVID-19.
The Scottish Government has recommended that the general public cover their faces while in some enclosed spaces. This isn't mandatory, and won't be enforced for the time being.
As far as I can ascertain (and I am not an expert in any way shape or form), the medical evidence to support this is marginal. Ms. Sturgeon recognises herself that the evidence is weak although her tone seems to suggest that it's the amount of evidence pertaining to the use of non-medical face-masks rather than the medical benefit.
Regardless, I sincerely hope that the actual, resulting medical benefit is greater than the unintended consequences of this recommendation.
To my mind, the Scottish Government has just officially approved, and made socially acceptable, behaviour that criminals adopt to make it harder to identify them. There is little doubt in my mind that small-scale crime, muggings and retail theft will significantly increase in the coming days. Indeed, people wearing masks have generally been a good indicator that a situation should be avoided.
Comment: 2020/04/22 - Video conferencing guidance from NCSC.
Now that "Zoom-bombing" has reached the common vernacular (like "PPE"), NCSC have issued their vendor-independent guidance on how to configure video conferencing safely and securely.
This guide from ZDNet may be slightly more practical.
Comment: 2020/04/14 - Contact tracing.
An incredibly useful paper from Ross Anderson on the nuances of using a smartphone application to undertake contact tracing. It's a techie's solution to a social issue.
Whilst it's not immediately relevant, I do remember giving a speech in 2005 that highlighted that when the national ID card was introduced in the UK in 1939, it had three purposes:-
- To prove that you weren't German;
- To prove that you weren't avoiding conscription; &
- To ensure that you received your food rations.
By 1950 (before it was abolished in 1952), it had 39 purposes - the most widely used being the prevention of bigamous marriage!
Keeping within the same paranoid context, this makes for interesting reading.
Comment: 2020/04/01 - BladeSec IA revised payment terms for customers.
It's the time of the month where BladeSec IA send out invoices to clients. In the current circumstances, we have opted to remove the 30 day payment term for all customers. BladeSec IA will continue to pay associates and suppliers on receipt of validated invoices.
News: 2020/03/19 - Risks for working from home.
With the mass exodus of staff from offices, BladeSec IA felt it would be useful to the community to highlight the types of risks that organisations should be considering at this time:-
- Staff taking valuable devices home should be given advice on how to do that. Many staff will be genuinely excited at the possibility of being freed from a corporate desktop to a device that permits them to work yards from their bed. They need to be encouraged to ensure that the transfer is done safely and securely, in an anonymous bag, and definitely without going for a last drink with colleagues on the way.
- Piggybacking onto a home network comes with its own risks. Home devices are likely to be missing patches and are therefore more likely to be compromised; compromised devices can be used to attack corporate devices on the same network. With the recent retirement of Windows 7, it's feasible that some home devices will fall into this category. Further, a home wireless network may be relying on old or outdated security protocols such as WPA, and the broadband router may itself be several years old and nowhere near as robust as an enterprise firewall.
- Corporate data that normally exists within the network boundary now exists outside it. Depending on processes, this may even be on personal devices. The data needs to be managed commensurately with its sensitivity, a problem exacerbated by the following point.
- The new ways of working may be acceptable to technically literate staff, but the vast majority will struggle to cope without the help desk on speed dial. Organisations need to accommodate a range of abilities to ensure that a member of staff does not, amongst other failings, post a link to an internal video conference on public social media.
- Companies rushing to adopt VPNs and video conferencing to support remote workers are unlikely to set them up correctly or securely. Products may even be selected on the basis of apparent popularity rather than a considered evaluation. We will almost certainly see VC hijacking attacks.
- Working expectations may surprise all staff. It's not a "seven day weekend"! Companies need to be clear about working hours. Some are even emphasising dress-codes during video conferencing. Softer security issues, such as ensuring that devices are locked when not in use and not shared with family members, also need to be covered. Some organisations may ask their staff to physically lock their devices securely away when not in use.
- In the ensuing chaos, there will be phishing e-mails sent to staff purporting to be from seniors within the organisation. People will be worried about being paid and about job security. They may not be as entirely rational as usual, so guidance on scam e-mails specifically mentioning COVID-19 needs to be clear. What should a member of staff do if they fall foul of one?
Look after yourselves and good luck in this business-as-unusual time.
News: 2020/03/18 - Corona-Geddon.
Despite the poor attempt at humour, the COVID-19 situation facing the world is relatively unprecedented. BladeSec IA would like to advise you that we are still the security consultancy of last resort for our customers and how we intend to maintain this.
BladeSec IA have a duty to our clients to ensure that we keep going. Many of them operate in the emergency services and public sector and as such we are proud to be doing our bit to help them through this difficult time. Many other organisations will need to refine contingency strategies and assess the risk of managing staff remotely in the coming weeks. We'll be there for them too.
We have introduced significant measures to mitigate our own internal risk as we continue to follow WHO guidelines and listen to the UK and Scottish Governments. We are a predominantly rural organisation, with a geographically diverse staff. Remote working is part of what we do.
BladeSec IA also have a duty of care to our staff. To that end, we have asked them to each assess their own individual circumstances and not to place themselves in any additional danger. We trust our staff to do the right thing. However, we are a small firm and recognise that in the coming months, it is feasible that we may not be able to deliver to the same standard as we have set. Best estimates suggest that in the coming months, one fifth of the workforce will be unavailable at any one time. BladeSec IA, however, commit to maintaining confidence in our service by calling on associates and acquaintances as we require. It's part of our business continuity plan and we've been here before.
We're not going to try and pitch a remote access solution to you at this time. We're not going to try and talk up the benefits of off-site consultancy to plug a lack of cash-flow planning. We're not retreating to a lead-lined bunker. Our reaction will be sympathetic and proportionate as that is what we've always done. We will not compromise on the quality of what we deliver. And we will endeavour to provide continuity until the government tells us that we can't continue.
Comment: 2020/02/12 - Website update.
Eagle-eyed readers will note a few very minor changes to the website. We've been so busy, some parts haven't been updated for several years!
Comment: 2020/02/11 - Crypto AG.
Sometimes, good, old spycraft beats the application of technology.
News: 2020/01/30 - Protection of Vulnerable Groups.
BladeSec IA were delighted to host old friends and colleagues in Newcastle this evening to celebrate the secure destruction of a legacy information system.
Kicking off with no-Guinness in not Ware Rooms*, the current and former staff of Disclosure Scotland and BT were presented with certificates marking the occasion and small phials of 6mm shards of memory. The Protection of Vulnerable Groups system was first accredited on the 28TH of February, 2011 and the destruction certificates were delivered on 6TH January, 2020, having undergone 36 individual accreditation reviews.
The Accreditor for the PVG Programme, Owen Birnie, noted that, "We'll never know how many people's lives would have been different if PVG didn't exist. We'll never know how many people we protected or helped. Everybody there this evening, and a whole bunch of others who couldn't be, all helped make the UK a safer place - and we should all be proud of that."
*Newcastle has changed. The Ware Rooms are now The Carliol Square Cafe, and it doesn't sell Guinness.
Comment: 2020/01/15 - Isn't it ironic?
Am I the only one that sees the irony in this and this?
Interestingly, there's no actual mention of the advice on the NCSC website.
Whilst there's no doubt that you should not use legacy operating systems for anything meaningful, it just feels a bit too fortuitous given it was a controlled disclosure from the NSA.
Comment: 2020/01/01 - Happy New Year!
Once again, as the clock ticked past midnight, BladeSec IA Services became another year older as we celebrated our eighth birthday.
As usual: That means it's time for our tongue in cheek look at the last twelve months:-
- Miles to closest job: 3 yards.
- Miles to farthest regular job: 83 miles.
- Amount of money received for anything other than consultancy: £nil.
- Number of customers assisted in the last twelve months: 5.
- Number of individual projects worked on: 16.
- Number of awards ceremonies attended: None (Did you think it would be anything else?).
- Number of tenders submitted: 0.
- Number of jobs declined due to a lack of capacity: 7.
- Number of jobs declined on ethical or moral grounds: 1.
- Most interesting place visited: Pindar.
- Value of donations made by BladeSec IA to support good causes: £180.
- Amount of time donated by BladeSec IA staff pro-bono: 21 days.
- Number of redundant BlackBerry phones in the "spare handsets box": 7.
- Number of pages printed on the office colour laser this year: 434.