Travel Advice

2025/04/17 - *Very* serious flaw in Fortinet devices.
This has been bubbling for a while and highlights how targeted Fortinet networking kit is. Whilst it was only if you used the FortiGate SSL-VPN, Fortinet are now highlighting additional steps that are required to remove persistence in the device following patching.

In other news: Signal is doing what Signal does.

2025/04/16 - And then they came for me....
Well.... maybe not, but all the chaos on the other side of the Atlantic is now impacting on IA worldwide. There can't be a single IT Health Check or Penetration Test Report in the world that doesn't refer to Common Vulnerabilities and Exposures (or CVE) scores. The thing is, the funding for MITRE the federal non-profit that maintained the CVE lists expired today. We knew this was going to happen as funding for CISA (who fund MITRE) is also facing massive funding and staff cuts. In light of the circumstances, this might be important.
--
Update: There is a report that reports CISA has extended funding to keep the CVE programme operational.

2025/04/08 - Top Gun and memories....
Last week, Val Kilmer died.

The original Top Gun was the first film I ever watched in VHS surround sound at a friend's house. And on Sunday, I watched Top Gun: Maverick for the second time. It's odd... what got me about the opening SR-72 Darkstar sequence featuring Tom Cruise, is Maverick's lack of selfishness in trying to do his best for something bigger and the people he cares about - at his own considerable expense. It was something that I could relate to.

And when Phoenix says, "Who the hell are they going to get to teach us?", it took me back 20 years when my friend and mentor at a Whitehall Department said exactly the same thing about a group (that included me) trying to improve information assurance in government.

Today marks 17 years since I started as Lead Accreditor at Disclosure Scotland and I have spent that time, putting their needs above my own. In truth, I've not had a holiday in all that time where I did not speak to somebody about something related to work and looking back, probably only 20% of what I did was "assurance". The rest of it was impartially ensuring accountability, mentoring staff, offering council to seniors, monitoring elementary security controls, facilitating relationships across government, learning, and making sure that I was sure. I have spent many years at Mach 10 for the greater good.

That's not just what I am. It's who I am.

At the end of May, my Darkstar programme with DS ends. There will be no more anniversaries. There will be no more impartial assessment and accountability. Darkstar is a deadstick.

2025/04/07 - Snippits.
Firstly, on the matter of Signal-gate, The Guardian reports that Jeffrey Goldberg was included in the chat because his contact details had been copied and saved under the name "Brian Hughes" - a Trump spokesperson.

Secondly, a judge has ruled that Apple's challenge to the UK Gov's Technical Capability Notice cannot be heard in secret.
--
16:20 A copy of the judgement is available.

2025/03/27 - Signal-gate.
It's difficult to know where to begin dissecting the US use of Signal during a live operation. And all because we have the accidental(?) addition of a journalist, Jeffrey Goldberg, to the chat that covered the US bombing of Houthis in Yemen. As usual, here in the security cartshed, we take a somewhat different view. Don't get me wrong, there's questions that have been answered, but those answers seem to show a particular form of "truth" that is rather separate to "fact".

Firstly, it doesn't matter what side of the Atlantic you are on, if a government forms a democracy, then that government has to be accountable and part of that is ensuring that adequate records of key decisions and the basis of those decisions is maintained. The truth is. Signal, with it's disappearing messages, may not be the best option for that.

Next, we turn to reports the NSA issued about a security vulnerability in Signal. Seemingly, it was issued just shortly before Signal-gate (or depending on who you are, just afterwards). Numerous sources have reported that "the NSA had warned employees against using Signal due to a vulnerability". Well, here is a copy of that report. BladeSec IA are breaching nothing in posting a link to it - as it is "Unclassified // For Official Use Only". You will note that the "F9T53 OpSec Special Bulletin" makes no mention of any vulnerability. Instead, you'll note it highlights that bad actors consider Signal to be a "high value target" (which is true) and warns the "linked devices" feature can be misused. Ironically, it doesn't warn against ensuring that you verify the identities of those you add to chats or accept as contacts. The fact is, phishing still occurs on Signal. Indeed, it happened to me, but I did wonder why a Thai woman, with a Western name and a provocative Avatar wanted to speak to me!

It's important to note, that anybody can join Signal, with just a phone number. And if you know what you're doing, you can join Signal with even less than that! This is not a flaw, but one of the reasons Signal is just so important to those who rely on privacy - not public accountability.

Finally, how many other "hidden" Signal chats are going on? We, the people, demand back-door access to all unauthorised government communications using unauthorised channels to audit the compliance of those governments!

Well. Maybe not.... but what does scare me is that somehow Signal will become the scapegoat for the stupidity of people who should have known better. That would be a catastrophe. Or that, given all this talk of Signal, it accelerates it's withdrawal from the UK - again because of the stupidity of people who should know better.

2025/03/13 - Speculation on an appeal by Apple.
The not so secret, secret Investigatory Powers Tribunal is apparently happening tomorrow.

And don't let the title of this article throw you. It's a very interesting account of the Public Account Committee from Monday.

2025/03/05 - Yet more on impact the alleged Technical Capability Notice against Apple.
Excellent opinion piece from El Reg here. And whilst it is likely to be fruitless, Apple appear to be pushing back.

Finally, NCSC have apparently changed their guidance for "high-risk" individuals.

2025/03/03 - More on impact of The Investigatory Powers Act.
Bruce Schneier's thoughts.

Sweden is trying to follow the example of the UK. As a consequence, Signal say they will pull out of there too.

The BBC report that the Director of US National Intelligence was not informed of the UK government's request to Apple.

Many commentators have pointed out that Apple have not disabled end-to-end encryption. However they have disabled Advanced Data Protection for iCloud Backups. Advanced Data Protection means that only trusted devices have access to the encryption keys. Standard data protection means that Apple has access to them and thus technically has access to material protected in this way. And that includes iCloud Drive and iCloud Backups. Access to iCloud Backups is especially concerning, as that includes a backup of your device AND a copy of your Messages. You don't need to break the end-to-end encryption, if your device is fully backed up using a mechanism that you can get access to the original content.

2025/02/21 - Apple withdraw Advanced Data Protection for UK consumers.
And there we have it. Proof that privacy is no longer a right within the UK. Keeping things secure, as an individual, is not an option that is available to you.

The vast majority of people are law abiding yet the threats posed to those people by criminals and malicious foreign powers increases annually (and that includes legitimate companies who want to do stupid things^*). Anything that can be done to prevent sensitive information falling into the wrong hands should be embraced and adopted. The approach, apparently taken by the UK government, highlights that they see everybody as a potential criminal who's most sensitive personal information can be mined without any recourse to proper judicial review. Whatever happened to "innocent until proven guilty?"

It wasn't 1984 that Big Brother was born, it was the 21^ST of February, 2025.

The thing is, I bet it will be abused by both the authorities and criminals within two years.
--
^* I am currently at loggerheads with a credit reference agency. The Financial Ombudsman Service awarded me damages and in response, the organisation want me to e-mail my bank details to a generic "customer relations" address.

In preference, I asked them to simply post me a cheque. Cheques, after all, have been an acceptable form of cash transfer for decades. I was told, "That's not how we pay compensation" with no further explanation offered. That is a stupid statement that makes no sense.

When I asked to have a named individual's e-mail address to send my bank details to, I was then told:-
Due to internal security and employee safety, [company] employees will not provide last names neither use a "personalized" email address, we use the Customer Relations address for the security of our employees.

There is a massive amount of irony that the organisation refuses to use an e-mail address specific to an individual due to "internal security", but expect me to provide my specific bank details to a generic e-mail address.

Here's the thing: If you replace "bank details" with "credit card details", my understanding of PCI (I am not an expert) means those details cannot be sent to a generic e-mail address, and the company must offer a secure alternative - such as an encrypted web form.

The matter will get referred back to the Ombudsman at the beginning of March on the basis that the credit reference agency have failed to make good on the settlement - and then I might name names. But it does show, that even huge, international organisations with access to huge amounts of your personal data will take pointless steps to protect their staff, but still fail to protect your information to a reasonable level.

2025/02/17 - Actions that have consequences.
Two US Lawmakers have written to the Director of National Intelligence expressing their concern over the alleged request from the UK government to weaken the security of Apple's iCloud backups. There are strong words in there....

And sometimes you need international partners to help further investigations.

2025/02/11 - Withdrawal of at risk notice: Power supply work completed.
The at risk notice for the power supply work in the security card shed has been withdrawn. We can confirm that there was no impact on services, although UPS01 did drop to 17 minutes of power remaining before the power was restored.

2025/02/10 - UK Gov apparently(*) undermining Apple security.
I think we knew it was coming, but I suppose every privacy and security professional based in the UK hoped we would be wrong.

The Washington Post have reported that His Majesty's UK Government have requested Apple to backdoor their encryption. Not just for an individual, but for everybody. This is an unprecedented move in any modern democracy and represents a fundamental removal of personal rights within the UK as well as marking the UK out to be technologically repressive. This is not the sort of stance that the UK would wish to promote.

It must be emphasised that the UK have previously interfered with devices to obtain prosecutions without going nuclear. The European Court of Human Rights has stated that backdoored encryption is illegal. Even more recently, Australia, Canada, New Zealand and the US endorsed the use of end-to-end encryption. And those parties should know what they're speaking about; together with the UK, they comprise FIVE EYES.

El Reg's view here. Bruce Schneier's viewpoint here.
--
* We have to say "apparently". Any organisation that acknowledges they are in receipt of a Technical Capability Notice is performing a criminal act.

2025/02/03 - At risk notice: Power supply work.
We are having some electrical work undertaken in the security cart shed next Tuesday morning the 11^TH February. As usual, there should be no interruption to services.

And whilst it is entirely unrelated, we have to highlight that over the weekend, it came out that Keir Starmer's personal e-mail account was hacked in 2022. Only when he recreated his account did he set up something as elementary as multi-factor authentication (MFA or 2FA). One has to ask where the Parliamentary personal security advisors were in all of this.

2025/01/29 - Poor progress in meeting UK Cyber Security Strategy.
The National Audit Office highlight the increasing logical threats to government systems, but that progress to meeting the Government Cyber Security Strategy: 2022 to 2030 is ambitious.

Whilst there are initiatives like GovAssure and Secure by Design, the former of those only really allows a superficial metric to be applied. It fails to understand the complexity of most wider public sector and devolved government organisations.

If only there were a group of qualified, experienced individuals who understood technology, threat, risk, programme delivery, budget, data sensitivities with a governance regime that ensured accountability and could give tailored, prioritised advice...!

2025/01/27 - Holocaust Memorial Day.
Today marks the eightieth anniversary of the liberation of Auschwitz-Birkenau, the largest Nazi death camp.

Back in 2017, my family and I visited the Dachau concentration camp near Munich. It was one of the first to be built and having enjoyed several days with friends immediately before, it was a horrific contrast. To this day, I remember standing in silence looking at the crematoria with silent tears rolling down my face. There is a malignant presence at these places that unless you have visited, you cannot fathom.

2025/01/27 - Apparent failure in the joiners, movers and leavers process at British Museum.
Over the weekend, a number of sources are suggesting that The British Museum has been temporarily forced to stop admissions and close some galleries and exhibitions. Whilst there does not appear to be any confirmation on the British Museum website, the issue is being attributed to a rogue IT contractor by a spokesman in the articles linked previously.

The interesting thing is that the contractor entered the museum (not hard, it is a public building) but then subsequently entered a restricted area before shutting down several systems. If this isn't a demonstration of ensuring that you nail your joiners, movers and leavers process, then I don't know what is.

And the key thing about the leaving part: Risk assess the circumstances:-

• Could the individual have widespread, or accumulated access credentials?
• Is the individual retiring after several years of faultless service?
• Is the individual leaving and going to a competitor?
• Is the individual unhappy about a portion of their work, or may have not got the recognition they thought they deserved?
• Is it a mundane resignation, or end of contract?

The sad thing is that it's usually only the "joiners" part of the process that is prioritised, as nobody likes having a new member of staff being paid, but unable to do anything because their clearance or access has not been sorted out.

2025/01/24 - Red weather warnings.
The red weather warnings that have been announced place the security cart shed right in the middle. I am currently in the very fortunate position of being in the Isle of Lewis. Needless to say we'll be monitoring the service remotely, but due to our business continuity planning, we do not anticipate any interruption to our service delivery.

The likelihood of widespread power outages highlights (for a few days of the year at least) the dangers of having a single national grid for power, heating, travel and underpinning the delivery of other critical services such as communications. When you look at the make-up of electricity generation, diversity is recognised as good - even critical to life. As changes to the climate makes storms like Éowyn more likely, house builders may have to consider delivering power and heating supply diversity. The general population may have to take more responsibility for maintaining their own habitable space.

If you are in the red zone... be safe and check in with others.

2025/01/20 - UK to introduce digital driving licences.
On the face of it, this seems like a reasonable idea. But instead of using the technology available, it also appears that HMG are reinventing the wheel. Instead of having a digital license that nestles nicely in your Google or Apple wallet, you have to download another government application to provide the function.

Anybody who has done anything on digital identities knows that it's inordinately difficult to get right. Physical ID needs a whole gamut of other checks and balances to verify a virtual ID. And Google is amongst the best in the world at doing it. It rather feels like doing it by a third party "government application" (that will be "secured similarly to a banking application") simply is not going to be efficient nor permit the reuse of the thinking of inordinately clever people.

BBC News report here.

2025/01/08 - Mobile phones and LineageOS.
I have mentioned LineageOS a few times on this website before. What I didn't say following the last post was that support for the Motorola G(7) Plus was restored shortly after I assumed it had been abandoned. And last night the phone that was destined to run Android 10 forever was upgraded to LineageOS 22.1 - which is Android 15. It only took a few minutes. Because it went so well, my Pixel followed suit and now seems to run just that bit more smoothly. There a few glitches, but on the whole, LineageOS, largely run by volunteers, gives every mobile phone vendor a lesson on providing support and security patches.

For the sake of completion, I should point out that LineageOS is not for everybody. Google does a very good job of maintaining device integrity, and installing LineageOS does significantly impact on that. But if you know what you are doing, then LineageOS is truly remarkable.

And in a similar note, CISA in the States has released guidance on maintaining the security of a mobile device in the face of highly targeted attacks. For those that follow mobile phone security, there's nothing new in there - but I do miss BlackBerry 7.1's resistance to sideband EMF attacks.

For the general populace, there are a couple of interesting take-aways from the guidance:-

• Only use end-to-end encrypted communications. This extends to not trusting the underlying mobile phone network. This would appear to be as a result of Salt Typhoon.
• Do not use SMS as an additional factor for authentication. This is also thought likely because of Salt Typhoon.
• Use a password manager.

2025/01/01 - Good riddance, 2024!
Like last year, we stayed put for Hogmanay this year. In truth, it's not been the best end to the year and here in the Security Cart shed, we have been finding it hard to get into the good cheer that is usually so prevalent at this time of year. It would be easy to hang my hat on one thing, but when you pick it over, there are a myriad of things that I could point my finger at that has meant the end of the year has been difficult.

So instead of looking back, I'll look forward - slightly. Whilst we're not seeing Hogmanay in in our favourite place, we are going there (weather permitting!) in a couple of weeks. Suilly gets to return to his favourite beaches (we aspire to a different one every day this time) and my better half gets to run on roads that don't muddy everything (having completed Markathon for the umpteenth time). As for me, I sense that I won't be working quite so hard, and instead will be taking some "personal" time - probably sitting by a fire, with a pint of Guinness and Suilly at my feet.

Casting my thoughts further forward, we hope to bring news of an event that will be strangely familiar to many of a particular age that harks back to when IA in the public sector was done with greater integrity and diligence. (And it may be prudent for me to emphasise, this is nothing to do with BladeSec IA, but in my capacity as the current Head of the Accreditation Specialism Advisory Group.)

And whilst I have dwelt on the negative, there is always some time for the annual tongue-in-cheek review of the last twelve months:-

• Average distance travelled to work: 4.3 miles.
• Distance to farthest job: Over 128 miles.
• Oddest destination for me to be back in: My grandfather's farm.
• Value of donations made by BladeSec IA to support good causes: £54-00.
• Amount of time donated by BladeSec IA staff pro-bono: 13 days.
• Most pleasant technical surprise: Some code that I wrote that even prints, "This programme is badly written", has never crashed or thrown an error.
• Bucket list achievement this year: Attending the Edinburgh Tattoo followed closely by seeing Rura.
• Most unpleasant surprise this year: Rura having to tell the crowd to be quiet as they were playing. Or it could be the fact that there doesn't seem to be a day goes past without me being a victim of, or witnessing tailgating.
• Most recent qualification: BFHS IL1.
• Amount of money received by BladeSec IA for anything other than consultancy: Still £nil.
• Number of technology products sold By BladeSec IA: None.