BladeSec IA Logo

Company Information

Company principles
Certifications and qualifications
Why choose BladeSec IA?
News and comment <

Products and Services

Typical work
Engaging us
Specific highlights

Travel Advice


Contact us
Privacy statement
Terms and conditions
Environment statement
Equality and diversity statement

Archived news and comment from 2022.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2022, not all links may work.

Comment: 2022/12/21 - Happy Rush day.
(So named because of the album.)

As I look back on the year's postings, there are a couple of themes that repeat themselves:-

  • Anything you put on the internet will attract an awful lot of attention, particularly if it's an information system.
  • Some people who left a lasting impression on me have died (and yet more, whom I have chosen not to mention on this website).
  • The majority of people are actually inherently selfish to various degrees. Many people exhibit choice-supportive bias, virtue signalling and systematically fail to demonstrate any humility at all.
  • Humans are bad at producing code and that leads to vulnerabilities in operational systems.
  • Many organisations think nothing about exploiting the personal circumstances of their customers - and that includes failing to produce free fixes for vulnerabilities in their operational software in a timely manner.
  • I still like a good spy story.
  • Every once in a while, you encounter an individual who proves there are exceptions to the themes....
Many of these are fairly negative characteristics and the sad thing is, I would wager that they won't be substantially different in the coming year....
As I looked back over the least year, I wanted to expand upon one particular story that I started, yet commented out in my reflection on James Alexander:-

Mr Alexander had put me in contact with a band from Keith for my wedding ceilidh. Bob Sharp, from the band Makarakit, called to make the arrangements and I passed on my request that the first dance needed to be "Hector the Hero" by James Scott Skinner. Mr Sharp, replied, "That's strange, but no problem". I remember that at the time, he would not expand on his comment.

As it was, Makarakit did us very. very proud with an uilleann pipe version of the tune. Everybody in the village had a grand old time. Whether it was the gatecrasher who asked if they could come along as there was nobody in the pub, a seventy-two year old farmer telling me the band hadn't played the last eightsome reel fast enough, or my Dad telling me they were too loud. The band was the most perfect fit that I could have asked for.

It was some considerable time later (years rather than months), that I discovered that the tune that I thought I was so familiar with, actually had words. The versions of the tune I knew were both instrumental pieces (from Captured Alive by Wolfstone and "The Hero" from Voyager by Mike Oldfield). The words make a wonderfully emotive piece of music and turn them into a painfully sad tribute to James Scott Skinner's friend Major-General Hector MacDonald of The Black Isle. I can say in all truth, that my wife and I were inordinately proud to have chosen, "Hector the Hero" for our wedding dance.
And all that remains to be said, is to wish you a peaceful, warm, uneventful but merry Christmas and a happy new year, when it comes.

Comment: 2022/12/16 - Gateway server under targeted attack - Part II.
It took until yesterday to hit 100 blocked IP addresses for the first time ever. Indeed, it 101:-

09:14:41[~]$ f2b-report summary 7
Banned IPs on 2022-12-16 - 38
Banned IPs on 2022-12-15 - 101
Banned IPs on 2022-12-14 - 41
Banned IPs on 2022-12-13 - 38
Banned IPs on 2022-12-12 - 91
Banned IPs on 2022-12-11 - 62
Banned IPs on 2022-12-10 - 76
Some of the attacks are fairly simple attempts at trying to use weak ciphers or default credentials, but some of them are slightly more interesting such as trying to max-out the number of concurrent connections. One IP makes a conenction and then sits idling. As soon as the server drops the connection, the IP comes back again like it's waiting for something.

Whilst we are going to tweak some of the SSH settings, the server remains running and things are business as usual.

Comment: 2022/12/12 - Gateway server under targeted attack.
Just like back in January, we're seeing an unprecedented number of attacks against our gateway server. We always got background noise (that were in region of 3 to 9 attacks per day that usually tailed off over weekends), but the last few days have been off the scale. We've never seen so many brute force attempts made against the server:-

10:08:20[~]$ f2b-report summary 10
Banned IPs on 2022-12-12 - 53
Banned IPs on 2022-12-11 - 62
Banned IPs on 2022-12-10 - 76
Banned IPs on 2022-12-09 - 33
Banned IPs on 2022-12-08 - 3
Banned IPs on 2022-12-07 - 3
Banned IPs on 2022-12-06 - 8
Banned IPs on 2022-12-05 - 4
Banned IPs on 2022-12-04 - 1
Banned IPs on 2022-12-03 - 3
That's 53 IP addresses that have been banned as I type this. I expect that we'll hit 100 today for the first time ever. For that reason and given the contents of the attempted user IDs, this feels like a targeted attack. The good news is that everything is working entirely normally and we see no reason that that will change in the coming 24 hours.

Comment: 2022/11/22 - More on NCSC's scanning service.
As we highlighted earlier, NCSC are to commence scanning the UK IP space to detect vulnerabilities. At the time, we noted some further information that would be useful to owners of systems that are being scanned, but we clean forgot to highlight those salient facts here (for one reason or another).

The scanning will have a source address of one of two IP addresses:-

Both of those DNS records have forward and reverse records assigned to Where possible, NCSC probes will identify themselves. For example, the following will be included in HTTP requests:-

X-NCSC-Scan: NCSC Scanning agent -

The official page is here.

Comment: 2022/11/19 - Upgrade of Gateway Server - Job done.
The work to upgrade our gateway server was undertaken without issue.

Comment: 2022/11/17 - Upgrade of Gateway Server.
We think we've ironed out the bugs sufficiently to upgrade the main BladeSec IA Gateway Server to Ubuntu 22.04.1 LTS. We will commence this after customers have downloaded their daily reports on Saturday the 19th of November at approximately 14:00.

Comment: 2022/11/16 - The cryptic good news.
A week ago, we took ownership of a 16 week old working English Springer Spaniel. My first one since my first dog aged 9. Indeed, this is my first dog since that one - all others have been rescues or owned by others in my family.

The reason for the odd links were:-

  • The deal was done whilst we were staying in Stornoway, on the Isle of Lewis.
  • When I lived there in the late seventies, the ferry was "MV Suilvan".
  • Suilvan is also the name of a peak in Sutherland.
  • Therefore, Suilvan was a perfect name for a new dog.
  • The Northern Irish connection was because that's where he was bred.
Hopefully that explains the eclectic set of links in the update from the beginning of the month.

Comment: 2022/11/13 - Good, old fashioned spy craft, part three.
To conclude the story on Cold War spy craft; Mr Smith has admitted spying for Russia. In truth, having read a number of news reports, this character feels rather more "unwell" than "spy". However I admit that I know nothing more about the case than what is published in the news.

Comment: 2022/11/03 - NCSC to scan the UK's internet space....
I'm surprised this hasn't attracted more attention. There is something to be said when the organisation that is responsible for listening in to communications and tampering with equipment (occasionally illegally - ahem) and retaliating against foreign cyber-attacks set themselves up to scan the allied IP networking space. It is interesting that once again, Dr Levy recognises that the noise of the headline statements may be louder than benefits of the scanning service.

In truth, as a security consultancy of last resort, we use a number of NCSC services including Active Cyber Defence. In our experience, the generated reports make for interesting reading, but in our own case they were beset with false positives. We contacted NCSC to explain this and in response we were told that they were highlighting it because they thought we didn't know it was open to the internet. How they can deduce that from port scanning a fully patched Ubuntu Server with only a single port open, I have no idea, but I guess it's true to say that the road to hell is paved with good intentions!
In entirely unrelated news that is nothing to do with anything security. Something wonderful is going to happen....

Comment: 2022/10/21 - Microsoft drops the ball....
SOCRadar has announced that it detected a trove of 2.4Tb of data in a misconfigured Microsoft server. It is so bad, SOCRadar have provided access to a search engine to allow people to search to see if their details are amongst the disclosure. This approach has been criticised by Microsoft who have themselves been condemned (rightly or wrongly) for attempting to underplay the exposure whilst largely being unable to confirm the content of the data.
Interesting interview with the President of Signal, Meredith Whittaker.

Comment: 2022/10/20 - Rest of world cut off from Shetland.
Whilst the irony of that statement won't be lost on a number of folk that grew up in the northeast of Scotland, given what happened in the Baltic Sea I'm surprised this isn't attracting more attention. There is a massive amount of sea between Orkney and where the cables make landfall near Banff. Indeed, as I type this, at least one less-than-reliable source is saying that there are also power supply issues on the island.

I'm shortly returning to the Isle of Lewis where I started school. I always said the island adopted me, and I consider it to be my second home*. As a consequence, it's where I (and my wife) spend a significant chunk of time.

The Outer Hebrides's suffered from a catastrophic power outage in 2020 that was attributed to under-investment in the power supply infrastructure. That meant that every property on the islands was powered by the diesel generator at Battery Point, two streets over from our adopted residence. Equally, whilst being at the risk of breaching our apolitical stance to pass comment on "resilient communities", there cannot be a single resident in the Highlands of Scotland, hundreds of miles away from the Central Belt and it's Parliament, that isn't at least aware, never mind significantly impacted by the continually deteriorating saga of the CalMac Ferries.

Turning to my own upcoming trip.... In light of the situation in Shetland, I'll be taking a set of VHF radios just in case....
* For the avoidance of doubt, I will point out, that neither my wife nor I own any property on the island. We stay at the same wee fisherman's cottage on every trip and it is owned by the kind and helpful lady who lives next door. Our own internal moral compass means that we do not arrive with the car filled with supplies we have bought in Inverness. Sure, we occasionally transport things for folk that we know where those things are difficult to obtain on the island (lithium batteries are one example). But no, we buy locally, we fill the car locally, and we eat locally. And Lewis on a stormy day is the greatest place on Earth.

Comment: 2022/09/17 - Reports that Uber has been hacked.
Uber has disclosed they are "responding to a a cybersecurity incident".

More information available from Dark Reading, The Register and the BBC.
And whilst it's totally unrelated, it seems that Microsoft Teams clients, running on Linux, MacOS and Windows stores OAuth tokens in the clear. The result is that an attacker can capture and use a token, not only gain access to any (Microsoft) service as a current user, but also bypass any defined MFA because the existence of the the valid token means that the user has already authenticated. This compromise does not require special permissions or an advanced attack to exploit and yet Microsoft have declined to fix it saying "it does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network". As a work-around, worried Teams users should use the web client.

Comment: 2022/09/16 - Network outage.
The security cart shed is currently suffering from an unplanned network outage. As a consequence, we're operating normally on our backup connectivity. This feels serious as significant portions of the provider's upstream network appear to be reporting faults.

As a complete humorous aside, I personally didn't notice for about twenty minutes as I had been testing a new VPN. The network went down at the *exact* time that I rebooted the test chassis for the first time. When it came up with no connectivity, I automatically blamed the most obvious thing - me!

11:26: Updates will be posted here, as we get them.
12:52: Normal network connectivity has been resumed. Initial analysis suggests absolutely no impact on service.

Comment: 2022/09/15 - When The Queen came to Lewis.
Thanks to The Stornoway Gazette for publishing these photos from when The Queen and Prince Philip came to Stornoway in 1956 and 2002. I am equally delighted to have become reacquainted with Mr Matheson, the former Lord Lieutenant, earlier this year having not seen him for over forty years.

Comment: 2022/09/15 - Information on card skimmers.
Interesting article on cash machine skimmers from Brian Krebs. To the best of my knowledge, no bank in the UK has ever shown the general public pictures of what criminals use in their attempts to defraud them, or the types of alterations criminals make to automatic teller machines (ATM). Brian also points out, "it's difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off". I know that I've definately been there.

Towards the end of the article, Brian makes a very valid point, "covering the PIN pad with your hand defeats one key component of most skimmer scams". Something that we've been saying for years - as readers of Safer Travel can attest to. The particularly interesting thing that Brian observes from captured criminal video footage, is how few people actually do it.

News: 2022/09/08 - The death of Her Majesty Queen Elizabeth II.
Buckingham Palace has announced the death of Her Majesty The Queen.

As we enter into a period of national mourning, there can't be a single person who hasn't been touched by the humility and sense of duty of Her Majesty The Queen. As a world leader, her trials were surely bigger than ours, albeit different. Yet, the way she was remains an example to us all.

I think my first encounter with Her Majesty was as a very small boy who had a first hand smile and wave as she arrived one Sunday at Crathie Church near Balmoral. Then, in 1979, it was as a group welcoming her, and Prince Philip when they came to open the new office of the Western Isles Council (now the Comhairle nan Eilean Siar). This was something that I was able to revisit when I returned to work there briefly in 2014 where the kindness of strangers produced the official photo album of the day.

On Saturday, I'm participating in an activity that Her Majesty loved too. It is saying something that what she would have seen as familiar even as a wee girl hasn't changed that much in all that time. She was one of our own, and as a mark of respect, I shall wear a black tie and where there is a lull in activities, I shall offer a small toast to the new King.

Comment: 2022/08/29 - Facebook settles class action out of court.
Facebook has chosen to settle out of court for an undisclosed sum in response to lawsuits brought about from Cambridge Analytica harvesting data from the site without authorisation. Whilst there are lots of reasons for settling out of court, and we should not automatically assume guilt, it does continue to highlight a concerning lack of scruitiny. How can an organisation as powerful as Facebook continue to be fined, continue to operate in a borderline unethical manner and continue to operate without any public oversight?

Comment: 2022/08/26 - Linux is user friendly, it's just selective about who it chooses.
As we mentioned earlier we've had a few issues upgrading to Ubuntu 22.04.1. We've had some significant successes, and learned a few things that might be useful to others:-

  • During a new install of 22.04, we couldn't get a Brother QL-700 label printer to work. It worked perfectly on an older 20.04.4 laptop, but we couldn't track through change control what we had done (clearly, accidentally) to make the printer work. Brother have a Linux support page but the drivers don't work as described on 22.04. It's clear they are 32 bit old-style LPR filters. The good news is that using the CUPS built in ptouch driver and pretending it's a QL-500 seems to work a treat - as well as giving you more actual options in the driver.
  • A VIA Technologies VL805 USB 3.0 Host Controller in the backup server was seen by the OS, but just wouldn't work. Adding GRUB_CMDLINE_LINUX="iommu=soft" to /etc/default/grub and then updating grub made it work for some entirely random reason; this appears to be for AMD chipsets and should have required a BIOS change.
  • An internal 4G modem (a Dell DW5570; aka the Sierra Wireless MC8805) "pull" did not work with 22.04 out of the box. Whilst the BIOS wouldn't see it, the oddest thing was the icon in Gnome "flickered". The logs showed that the OS was attempting to initialise it, but it was caught in a loop. It transpires that since about 2015, the FCC require all internal modems to be "locked" to the hardware. The fix is documented here, but pay attention to the bit that says it relies on the libqmi-utils package that may need installing.
  • Early adopters of 22.04 may have noticed that the on-screen keyboard didn't work when trying to log-in after a suspend. That one appears fixed now.
  • ModemManager-gui is still segfaulting.
Comment: 2022/08/18 - UK Covid Application stops working.
A news article highlighting why you should always take backups of critical travel documentation - just like we pointed out earlier this year.

News: 2022/08/10 - Ubuntu 22.04.1
Ubuntu 22.04 has hit it's first point release meaning that it will be made available to devices running previous Long-Term-Support versions of Ubuntu. With the solitary exception of one device, BladeSec IA run their entire business and infrastructure on Ubuntu and have done since 2018. This includes laptops used by consultants, the network gateway server used by customers to fetch reports securely as well as the underlying backup and file server.

We've noticed that this hasn't been the smoothest upgrade on a few devices, so we've submitted some bug-reports to Ubuntu and are working with Canonical to resolve these. Whilst the file server transitioned easily to Ubuntu 22.04.1, we're wary about migrating the gateway server at this point because it's high-availability mate wanted to remove the current kernel when it was fed "sudo do-release-upgrade".

The gateway server is currently running 20.04.4 LTS and is, therefore, fully patched and supported. We will perform the upgrade before the end of the year and will announce the downtime on this website.

News: 2022/08/01 - Safer Travel 2022
Due to work extensive work commitments (this is what we do, after all!) we have made the difficult decision to postpone the delivery of Safer Travel 2022. This is largely due to the amount of additional information we want to integrate into it following Brexit and the pandemic. We appreciate that this won't be welcome news to many people, but as an incentive, for this year only, if you currently order Safer Travel, we will provide the most recent 2021 edition, plus a copy of each work-in-progress draft of Safer Travel 2023. We expect the drafts to be made available on a monthly basis - possibly with the exception of December - until the guide is finalised in early 2023.

Comment: 2022/07/31 - Congratulations!
Despite my having family in Germany, and the fact that nobody in the security cart shed is terribly engaged by any football, there isn't a single one of us that hasn't been inspired by the England woman's football team winning the UEFA European Championship.

Well done, ladies..... well done.
23:00 Update: In sadder news, I've just read about the death of Nichelle Nichols who played Nyota Uhura in Star Trek. Not all heros wear real uniforms.

Comment: 2022/07/13 - CIISec Live.
This year, CIISec Live is being held in Edinburgh. Register here.

Comment: 2022/06/27 - Privacy is not an option.
This should make for chilling reading if you think personal privacy is optional.

Comment: 2022/06/02 - The Platinum Jubilee.
All the folk in the security cart-shed would like to join with millions of others worldwide to convey our very best wishes to Her Majesty, the Queen on the 70TH anniversary of her coronation.

Comment: 2022/05/25 - When your kids do adulting....
Over the years, I've posted the occasional snippet of news regarding my son, Jack, and his successes. I do it to make up for the fact that he has no interest in joining the family firm. I do it because he boasts that he has faster broadband than the security cart-shed. I do it because he's a considerably better guitarist than me. I do it because he has the most amazing work ethic and is inordinately kind. I do it because he decided that he wanted to go his own way.

Fundamentally, I do it because he's my son, and I'm his Dad....

Yesterday, it made me amazingly proud when I found out that Jack has passed his final placement, and will start the next academic year as a probationary primary school teacher.

Comment: 2022/05/24 - Mark Zuckerberg sued in on-going spat over Cambridge Analytica.
We speculated at the time that Facebook should be implicated in the Cambridge Analytica scandal. Now, it turns out that Washington DC's Attorney General has filed a civil suit against Mark Zuckerburg, CEO of Facebook.

Comment: 2022/05/20 - Patching research.
In an actual item about information assurance rather than personal heroes, there is some fascinating research that makes a mockery of one of my fundamental controls for good security architecture. That said, key to this research is effective monitoring of exploits in the wild. I would speculate that most organisations are actually fairly poor at that, so I will stick to my mandate for "robust" patching for the time being!

Comment: 2022/05/19 - Vangelis Papathanassíou, 1943 - 2022.
As a very small child, I can remember hearing the sweeping synthesizer-based majesty of the Chariots of Fire soundtrack one weekend when my brother came home from university. The principal track (originally called Titles, but popularised as Chariots of Fire) was such an epic piece of music, I conspired to commit it all to memory - after all, small boys had very little money to spend on music. It was the first time, I had ever been inspired to do this for any piece of music - I just knew I had to remember it.

Leap forward a number of years, and I saw Blade Runner for the first time. From the point you see the huge plumes of fire reflected in an eye in the opening sequence, to the otherworldly sounds of the market, before resting on the death of an almost human android and being propelled into a high-energy closing title, this was the soundtrack above all others. It all fitted so well.

It took a while for an "official" version of Blade Runner: The Original Motion Picture Soundtrack to appear, but when it did, it was as epic as the film, representing every emotion and image you experience in the film. No other film soundtrack has ever come close.

Even when Blade Runner 2049 was released with a soundtrack by Hans Zimmer, I was overjoyed when he clearly recognised the importance of what had gone before. He gave us another interpretation of Tears in Rain that was as fitting and raw as the original.

Many composers have tried to copy Vangelis, but for inducing stories in your mind's eye, I, for one, am deeply saddened that I will never hear his musical mastery again.

Comment: 2022/05/01 - And the kindness of others....
I have just heard about the death of James Alexander, former music teacher at Milne's High School, founder and chair of Speyfest, fiddle player extraordinaire, organiser of my wedding ceilidh band, and one of the nicest lads in modern traditional music.

I was never good enough to play a musical instrument at school, but I remember my friend, Andrew Hay, being amongst the earliest forays of the new "Fochabers Fiddlers", and him writing music for the late Lady Gordon Lennox at Mr Alexander's behest.

Having returned to the north-east in 1998, I ran into Mr Alexander at a Wolfstone concert in Elgin at some point in 1999. I was looking for a ceilidh band for my upcoming wedding with one requirement; the opening wedding dance had to be Hector the Hero by James Scott Skinner. Mr Alexander - with his usual extraordinary kindness - called me a few days later with some local recommendations, and the promise that if none were suitable, he'd come along with some of the current Fochabers Fiddlers. As it was, Makarakit from Keith did an exemplary job.

The next time I heard from him was when I came across the Peatbog Faeries. They were revolutionary, and I thought they would go down well at Speyfest. I sent Mr Alexander a link. The next thing I know was that they were announced as the headliners for the Saturday night. That particular Speyfest (in 2000) goes down in time as the best ever one ever, but also the most tiring (the weekend was shared with seeing Capercaillie at Gordon 2000 on the Sunday afternoon as well as Wolfstone on the Friday). I ran into Mr Alexander at some point over the weekend, where he thanked me for remembering him and suggesting the Peatbogs in his usual humbling manner.

Leap forward a good few years - and a good few Speyfests. The last time I saw Mr Alexander was the last time I attended a concert with my late mother. Three generations of Birnie's - and a few hangers on - went to the ARC Session, "James Alexander & Friends" in October 2019. I didn't get the chance to speak to him then, but it was clear that whilst the old stalwarts of Charlie McKerron and Paul Anderson were there, the baton was being handed over to the next generation of fiddlers.

And so, I am deeply saddened by the passing of Mr Alexander. I am grateful that whilst I was never musically good enough at school, he didn't put me off music and didn't write-off my views.

As it says on Speyfest social media:-

It is with the heaviest of hearts and a feeling of immense loss, that we share the news that our Founder, long-term Chairman and dear friend James Alexander has passed away, following a bravely fought sustained period of illness.

The thoughts of everyone at the festival, and the wider Speyfest community, are with James' loved ones at this difficult time.
Please join us by raising a glass as we remember James doing what he did best with this moving performance of Hector the Hero at Speyfest 2018.

Comment: 2022/04/26 - The missed opportunity to fix the Post Office scandal.
The Post Office scandal has been held up as a travesty of injustice with the wrongful prosecution of 732 postmasters and sub-postmasters. Last night, Panorama drew together the strands of the investigation and highlighted that an opportunity to identify the faults in the bug-ridden Horizon accounting system was missed.

In May 2009, Rebecca Thompson, a junior reporter for Computer Weekly published a story entitled "Bankruptcy, prosecution, disrupted livelihoods: Postmasters tell their story". Ms. Thompson spent six months speaking to Post Office workers about faults in Horizon and discovered they were being told they were the only ones with accounting errors, even though there were multiple prosecutions underway.

Computer Weekly was never challenged over publishing their story.

Only now is Ms. Thompson getting the credit for uncovering the story that took a further decade to resolve. In that time, The Post Office stole the lives, livelihoods, reputations and time of hundreds of good people who had done nothing wrong.

To my mind, it's also a travesty why, following the publication by Computer Weekly, the story disappeared into a hole within the mainstream press.

It's been a year since the BCS proposed changes to the burden of proof of UK computer evidence. Once again, there's been little traction....

Comment: 2022/04/09 - The evil that men do....
Yesterday, I received a registration for a website that I didn't register for. It was a well known high-street bookmaker. The e-mail was to a protected e-mail address that I use to prevent giving away my real address. I immediately went to the website, hit the "recover my password" option and changed the password when the "click here to change your password e-mail" arrived.

I then took a breather and I remembered that in October last year, I had noticed a soft search in my credit file against an exceptionally old address. It was from another on-line bookmaker and somewhat worryingly, it used my correct date of birth. When I went into my credit file to look again at the detail, I saw that another search was done at the beginning of this month.

I was trying to remember why the date in October rang a bell. A quick look through my diary brought the inspiration that I was looking for. On the 18TH of October I sold my car to a individual who had travelled from England to buy it. On the 22ND I had received a Notice of Intended Prosecution as the individual had left mine and three hours later passed a police speed trap at 86mph.

The good thing was that even before I had clapped eyes on this individual, his behaviour was such that there was little doubt in my mind that he was far from being trustworthy. I responded by doing everything by the book. When it transpired he had given me a fake name and address, I was not in the least surprised.

I never told this individual what I do for a living. So when he reads this, I would imagine there will be a few moments where he thinks that he will be able to get away with it. Eventually the magnitude of the horror will hit him - probably in the next sentence.

The police were very helpful - as was I when I used my skills to track down and recover his real identity. It's clear from the individual's local press that he has been prosecuted previously for the supply of unroadworthy vehicles. Somewhat alarmingly, there's even a reference to a prosecution under The Terrorism Act as he received training on chemical and biological weapons that would be useful to terrorism.

So, the lesson here is to make sure that when you hand over car service history receipts in good faith, always take the time to go through them. It may be worth asking somebody else to check it, to ensure that there is nothing that would be useful to a criminal - and that includes addresses on garage invoices....

Comment: 2022/04/08 - Good, old fashioned spy craft, part two.
Following his arrest in Potsdam, Germany last year, the UK authorities are charging an individual with offences under the Official Secrets Act. Despite statements to the contrary - at the time - that he would not be extradited and would face charges in Germany, Mr David Smith arrived back into the UK last Wednesday.

I would speculate that Mr Smith's alleged Russian links, and the war in the Ukraine has perhaps altered things. In the face of failed and failing military tactics and tools, it might yet appear that the last bastion of Russian trade-craft is limited to what they learned in the Cold War, that the west has forgotten.

Comment: 2022/04/07 - More on QR codes.
The threat posed by QR codes as highlighted in Safer Travel has been picked up by Dark Reading.

Comment: 2022/04/01 - April Fool's Day.
I confess that this one almost got me. I had only just woken up, your honour.... We can only dream of such advanced transport integration!

Comment: 2022/03/22 - Telemetry from Google Messages and Google Dialer.
This makes for somewhat scary reading, even ignoring the apparent data protection breach. Here in the security card-shed, we've been running a project to determine the suitability of both Ubuntu Touch and LineageOS* for about a month now. We're about to commence on an operational deployment to see if either can genuinely replace Android.
* What some may find interesting is that we have previously deployed CyanogenMod (what LineageOS was forked from) on Samsung Galaxy SIIs and S3s for an interesting job back in May 2018 with much acclaim.

Comment: 2022/03/21 - European travel in a time of COVID.
On a brighter note to recent news, I have recently been in Germany visiting extended family. This marks the first visit post-Brexit and certainly post-COVID.

On the whole, it was great to be back and despite the political shenanigans of Brexit, the Germany border guards were polite and efficient when enquiring what we were doing there and where we were staying. Indeed, they seemed pleased that we were back! (Note to the wise; always ensure you get your passport stamped on entrance and exit to the EU now.)

The main concern was COVID and how odd that would make things. Germany, currently only recognises the effectiveness of FFP2 masks that have to be worn in most inside, public areas. Once your COVID pass has been validated and you are seated, you can remove your mask when eating or drinking.

(There had to be a security point to this, hadn't there?)

On one occasion, our Scottish-issued NHS COVID passes were given a cursory inspection by the restaurant staff. No validation was undertaken on either the COVID Status App or the paper certificate for this first visit. On the other hand, when we visited a very busy bierkeller one evening, our QR codes were scanned and our identities were compared to Government issued photo-ID. (Another note to the wise; whilst in Germany you do not need to carry some form of ID, it does make it much easier these days.)

And that's where it became interesting. The scanner that the receptionist used had no issue in scanning my COVID Status App QR code - but it failed to scan the QR code on my wife's paper certificate. (So a final note to the wise; be prepared and take both the paper certificate and the COVID Status App in case one does not work.)

Here's an interesting take from Mr. Schneier.

On a complete aside, this trip had been a long time in the planning. We had originally intended to visit before Christmas before deciding it was entirely irresponsible to travel due to the Omicron variant. As a consequence, preparations were "extensive" including building a specific laptop to test public wireless internet access. The results were quite interesting and will feed into this year's update to Safer Travel.

Comment: 2022/03/09 - "Z" is for Zelenskyy.
Interesting.... Clearly, no plan survives first contact.

Comment: 2022/03/07 - Boots on the ground.
It's been two weeks since Putin invaded The Ukraine. There are numerous reports that suggested that Russian forces expected to be welcomed with open arms and what little resistance they encountered would give up after two weeks. What is clear is that supply chain issues have meant that Russia are struggling to maintain their lodgement. There are rumours that Russia has lost 10,000 troops and that portable crematoria have been seen so that the scale of their defeat can be buried.

In the face of Putin declaring that economic sanctions against Russia are "akin to a declaration of war", it appears that an FSB whistle-blower has decided that it has been a "total failure". Needless to say, the West aren't the ones occupying foreign soil whilst armed with weapons all-the-time whilst denying it's a war.

Comment: 2022/02/27 - Russia invades the Ukraine.
Because of the work we do, the headlines over the last few days have sadly been expected. We'd heard various delays attributed to milder winters and supply chain issues, but there is now a war in Europe. I note that at the time of writing Putin is stating that it's not a war, and indeed is arresting people (including his own) that claim it is an "illegal war". Instead, he's calling it "special military action" because that makes all the difference.

What is clear is that Russian forces have invaded a sovereign nation. That sounds like war to me.

I'd wager a significant amount of money that at some point in the next decade Putin will be dragged to The Hague to be tried as a war criminal.

For what it's worth, BladeSec IA have always been mindful of the source of our funding. We have no Russian customers, no Russian contracts and receive no payments that we have the slightest concern may have come from Russia or Russian-sympathetic countries.

Comment: 2022/02/16 - Google Chrome Flex.
Here in the security cart-shed, we've been well aware of the benefits of using Neverware's Cloudready for many years. On every customer deployment, the binary install file goes with our consultant just-in-case. For overseas deployments, a full Google Chromebook is our particular tool of choice. Not only has it got anti-tamp that would make GCHQ jealous, but it's dead easy to flatten and re-install when it comes back to friendly soil. We do not hide that fact that our e-mail infrastructure is built on Google Workspace. Whilst the integration that you get was not a decision point for us, it is a welcome benefit.

Google bought Neverware in 2020 and now we know why. This can only be a good thing....

Comment: 2022/02/11 - The on-going saga of ssh attacks.
Could this be what's behind the sudden and almost-exponential set of ssh scans?

It is interesting that DShield is now showing a marked increase in scanning activity.

Comment: 2022/02/09 - Douglas Trumbull, 1942 - 2022.
You only have to realise the name of this company to understand the importance of Blade Runner to me. Mr Turmbull was as important to the look, feel and legacy of Blade Runner, not to mention Close Encounters of the Third Kind and 2001: A Space Odyssey. As I read about the films that he had been involved in, I remembered that he had been responsible for Silent Running. The first film that, as a small child, broke my heart.

Comment: 2022/02/08 - Safer Travel 2022.
We had an enquiry asking if we'd stopped the development of Safer Travel. Indeed, if you look at the Travel Advice page, you'll see the graphic was never updated in 2021 or 2022. In truth, with the pandemic, the changes to the 2021 edition were very small, but there were three issued versions in March, September and November.

Watch this space....

Comment: 2022/01/25 - Brute force ssh attempts.
It's been an interesting few days. The attempts against our gateway server increased almost exponentially:-

16:58:18[~]$ f2b-report summary 10
Banned IPs on 2022-01-25 - 2
Banned IPs on 2022-01-24 - 20
Banned IPs on 2022-01-23 - 16
Banned IPs on 2022-01-22 - 30
Banned IPs on 2022-01-21 - 48
Banned IPs on 2022-01-20 - 35
Banned IPs on 2022-01-19 - 33
Banned IPs on 2022-01-18 - 24
Banned IPs on 2022-01-17 - 12
Banned IPs on 2022-01-16 - 4
Whilst we still can't see similar increases of activity being reported elsewhere, it seemingly remains a less than sophisticated attack:-

16:58:20[~]$ f2b-report users sort
     20 admin
     19 test
     14 user
     10 pi
      3 ubnt
      2 worker
      2 student
      2 gitlab
      1 vpn
      1 vmware
      1 upload
      1 uftp
      1 support
      1 srvadmin
      1 sistemas
      1 redhat
      1 public
      1 operador
      1 openstack
      1 oot
      1 mailnull
      1 logcheck
      1 jenkins
      1 httpd
      1 ftpuser
      1 freebsd
      1 fmaster
      1 english
      1 cxwh
      1 admin1
      1 adam
      1 1
Yesterday, we opted to add a few more /16s to the permanently blocked list:-

17:09:40[~]$ sudo ipset list denylist | egrep "^[1-9]"
On Saturday, the service that we use to perform geolocation of source IPs started throttling our lookups, so we had to temporarily switch that off. Whilst geolocation and VPNs do fuzz matters somewhat, this still makes for interesting reading:-

17:10:24[~]$ f2b-report countries
-- Top ten worst offending countries of all time --
    132 China 
     99 United States 
     46 Viet Nam 
     30 Brazil 
     25 India 
     24 Indonesia 
     21 Korea, Republic of 
     19 Netherlands 
     18 Russian Federation 
     17 Germany 
The bottom line is that we aggressively patch the gateway server and we only permit SSH access using looonnnnggggg authentication keys. Passwords are verboten!

Comment: 2022/01/19 - Brute force ssh scans.
Yesterday, we saw an unprecedented increase in attempts made against ssh on our secure reporting server. This doesn't seem to be reflected elsewhere suggesting that something is specifically targetting us. Indeed, DShield suggests that, other than between August and September 2021, the scans have been fairly consistent, verging towards a drop off. As far as I can see, there's nothing on CISP.

Some will undoubtedly object to the detail here, but it's worth noting that these IPs have no authorisation, no legal right and no credentials to connect to us:-

09:56:19[~]$ f2b-report date 2022-01-14
-- Worst offending IP addresses for 2022-01-14 -- 0

09:56:26[~]$ f2b-report date 2022-01-15
-- Worst offending IP addresses for 2022-01-15 -- 2	1 [20220116] India City: Bangalore	1 [20220116] United States City: Kansas City	

09:56:41[~]$ f2b-report date 2022-01-16
-- Worst offending IP addresses for 2022-01-16 -- 4	3 [20220112] India City: Bangalore	2 [20220117] China City: Beijing	1 [20220116] Brazil City: Rio de Janeiro	1 [20220117] Viet Nam City: Thu Dau Mot	

09:56:43[~]$ f2b-report date 2022-01-17
-- Worst offending IP addresses for 2022-01-17 -- 12	4 [20220117] Korea, Republic of City: Taegu	2 [20220117] United States City: Santa Clara	2 [20220117] Korea, Republic of City: Munsan	1 [20220118] Georgia City: Tbilisi	1 [20220117] France City: Roubaix	1 [20220117] China City: Beijing	1 [20220118] China City: Jiaxing	1 [20220117] Brazil City: Goiania	1 [20220117] China City: Yangzhou	1 [20220117] Viet Nam City: Hanoi	1 [20220117] China City: Beijing	1 [20220117] China City: Beijing	

09:56:45[~]$ f2b-report date 2022-01-18
-- Worst offending IP addresses for 2022-01-18 -- 24	4 [20220118] Korea, Republic of City: Munsan	4 [20220118] China City: Beijing	3 [20220118] Belgium City: Brussels	3 [20220118] Netherlands City: Amsterdam	2 [20220118] France City: Roubaix	2 [20220118] China City: Beijing	2 [20220118] United States City: Mountain View	2 [20220118] Canada City: Toronto	2 [20220118] Netherlands City: Amsterdam	1 [20220118] Poland City: Warsaw	1 [20220118] China City: Yangzhou	1 [20220118] China City: Fuzhou	1 [20220118] United States City: Washington	1 [20220118] China City: Beijing	1 [20220118] United States City: North Bergen	1 [20220118] United Kingdom City: Manchester	1 [20220118] Colombia City: Cota	1 [20220118] United States City: North Bergen	1 [20220118] Singapore City: Singapore	1 [20220118] Netherlands City: Amsterdam	1 [20220118] China City: Harbin	1 [20220118] China City: Beijing	1 [20220119] United States City: Seattle	1 [20220118] Viet Nam City: Ho Chi Minh City	
Even today, as I type this:-
09:56:47[~]$ f2b-report today lookup
-- Worst offending IP addresses today - so far -- 13	2 [20220119] China City: Beijing	2 [20220119] China City: Beijing	2 [20220119] Singapore City: Singapore	1 [20220119] United States City: Ann Arbor	1 [20220119] Netherlands City: Amsterdam	1 [20220119] China City: Jining	1 [20220119] Indonesia City: Jakarta	1 [20220119] India City: Hyderabad	1 [20220119] China City: Beijing	1 [20220119] China City: Beijing	1 [20220119] China City: Beijing	1 China City: Liuzhou	1 [20220119] Indonesia City: Rembang	
None of this is causing a problem, it is just curious that they appear to be low complexity attacks:-

10:05:38[~]$ f2b-report users sort
     24 pi
     10 admin
      5 ubnt
      3 user
      2 username
      2 spark
      2 demo
      1 test
      1 telecomadmin
      1 support
      1 squid
      1 service
      1 music
      1 logcheck
      1 kkh
      1 kevin
      1 johnny
      1 engineer
      1 dell
      1 cisco
      1 asmin
      1 amanda
      1 User
      1 D
It is, however, increasing the chances that we're going to enforce some form of geographical IP restriction:-
10:05:24[~]$ f2b-report countries
-- Top ten worst offending countries of all time --
    106 China 
     81 United States 
     44 Viet Nam 
     28 Brazil 
     23 Indonesia 
     20 Korea, Republic of 
     20 India 
     18 Russian Federation 
     16 Netherlands 
     15 Germany 
We have a legitimate customer each in Germany and India - but the rest are just noise.

Comment: 2022/01/12 - Alleged remote control vulnerability - in Teslas....
This was always inevitable. It's been nine years since I coined the phrase, the "privacy-illiterate", but I should emphasise that this could be simply bad software engineering where an owner is permitted to make a poor decision without understanding the whole security context. We'll have to wait for more.

Comment: 2022/01/11 - An invite to a club you probably didn't want.
In all my years working in Whitehall and central government departments, at the lower levels of assurance, I don't think I've ever seen a specifically modified, protectively marked e-mail. Most users simply relied on the intrinsic controls of that particular network. Hence, when Friday after work drinks came around, if the network ran at OFFICIAL, the e-mail saying where and when would go out with no specific alterations making it OFFICIAL.

Contrast that with the e-mail about "Socially Distanced Drinks". Somebody has specifically chosen to mark that "OFFICIAL-SENSITIVE". I would hate to think it was because they suspected that the content might actually be sensitive given the efforts of the wider UK population.

Equally, I'm fairly sure that drinking alcohol on-site whilst "working" is frowned upon from both a Health and Safety and Civil Service Code of Conduct.

Comment: 2022/01/01 - Happy New Year!
Ten years ago on this day, BladeSec IA Services, became official and made a small, but revolutionary change to the way IA Consultancy was offered to the government, military and police. I remember the absolute terror of wondering if I had done the right thing, but I can reflect on the fact, that point was the last time that I was ever scared....

In other news, we see the clock tick over into 2022 back on the Isle of Lewis - a place that had such an influence on me growing up, and remains such an important part of my current life.

As usual here is our tongue in cheek look at the last twelve months:-

  • Average distance travelled to work: 3.35 yards - We did manage a few outings this year, so the average has increased!
  • Distance to farthest job: 438 miles (in October).
  • Most interesting place visited: Glasgow - Two weeks before COP26, but for the first time since March 2020.
  • Preferred instant messenger platform of BladeSec IA staff: Signal.
  • Number of new keyboards bought this year: 2.
  • Age of oldest work device still in use: 11 years (A Dell Latitude E6320).
  • Value of donations to Wikipedia as a result of Travel Advice: £25.
  • Value of donations made by BladeSec IA to support other good causes: £135.
  • Amount of time donated by BladeSec IA staff pro-bono: 21.5 days.
  • Number of pages printed on the office colour laser this year: 43.
  • Average rating given to No Time to Die by BIAS staff: Six out of ten.

Click here for older News & Comment.