Latest news and comment.

2025/07/10 - A double whammy of Microsoft failures.
Job zero is always to patch, but Microsoft have borked the mechanism many enterprises use to do exactly that. And earlier today, Microsoft announced that users are unable to access their mailbox in Outlook.

I think it's fair to say that Microsoft is not having a good day...

2025/07/08 - Icons slow to appear after logging into Gnome on Ubuntu 20.04
(Another in the series of nothing to do with anything, but may be useful to somebody.)

I have an old Dell Venue 8 Pro that runs Ubuntu 20.04 passably. (It has run newer versions, but the screen rotation with the stylus always seems to get screwed up - so I've just stuck to the older version. It still works and it's supported).

Recently, I spent a bit of time exploring why the on-screen keyboard would not always appear, and neither could it be summoned - no matter what the accessibility settings were. It was frustrating entering URLs into Firefox, but it was fine when using Terminal and some other applications; you could tap the field you want to type into and the virtual keyboard appeared.

The long and short of that issue was to do with a conflict in Dash to Panel. Disabling it meant the screen keyboard could be summoned by swiping up from the bottom of the screen. Great!

It was then that the oddities started. It would take an unpredictable length of time (sometimes as short as thirty seconds, but sometimes much longer - in the order of tens of minutes) for the favourites to populate the dash. Equally, pressing the Super key, or tapping the Activities button would usually not show the usual overview - just a blank screen. The good news is that combinations of gestures would usually encourage the various icons to appear, so I lived with it for a couple of weeks. However, I have just spent too long trying to debug the installation. This is what I found:-

It is nothing to do with IPv6, Network Manager or Netplan.

It is nothing to do with corruption of the icons or theme.

It is nothing to do with a legacy of disabling an Extension.

It took a while to track down, but the clue was in:-

sudo journalctl -b
Ubuntu moaned about a mount point for the internal MicroSD card. It appears that the internal (that is, Ubuntu / Canonical / normal) ubuntu-dock extension struggles if it has to show mounted devices. This is a documented "feature" that you can disable by entering:-
gsettings set org.gnome.shell.extensions.dash-to-dock show-mounts false
And the various desktop parts will appear so much faster on initial login.

You're welcome....

2025/07/07 - Remembering 07/07.
Today marks the twentieth anniversary of the July 7th suicide bombings in London. It was the biggest terrorist incident in the UK since the recently dramatised bombing of Pan Am Flight 103.

Whilst I was working in the wider public sector in the north-east of Scotland, I was acutely aware of the impact of the day as events panned out. We had about 9500 staff who were desperate for news and, on a personal front, I was worried for family and work colleagues. I can still remember the palpable sense of relief when I got word that they were okay. What mobile coverage there was in London became very sporadic that day, adding to the dread.

The organisation I worked for had a very large internet pipe and a considerably smaller GSi connection. Internet access ground to a halt, but because of the architecture of the GSi, it carried on working, conveying critical and sensitive material and e-mails in a world that was not quite so connected, but more resilient.

I got home late that day and remember watching the nighttime news reports of commuters having to walk home. They maybe didn't think it at the time, but in some respects, they were the lucky ones....

We are not afraid....

2025/07/02 - Final report into North Hyde Substation outage published.
The National Energy System Operator (NESO) has published its final report into the substation fire that resulted in Heathrow Airport losing power and subsequently closing. As a result, Ofgem have announced they are opening an investigation into the incident, and have said they will take further action as necessary.

On the basis that the fire has been attributed to something that should have been replaced within the substation, Heathrow Airport has spotted blood. Whilst it remains to be seen whether they do actually take legal action against the National Grid, it's worth reiterating the impact beyond Heathrow; three data centres, a hospital and thousands of homes and businesses also lost power - seemingly with far less of an impact. Going on, it is also interesting to note that the report highlights weaknesses in "Heathrow Airport's private internal electrical distribution network". This "meant that the loss of one of its three independent supply points would result in the loss of power to some of the airport's operationally critical systems".

So there you have it. Yes there were weaknesses in the power distribution network (which is broadly to be expected these days), but Heathrow Airport, who knew they were part of the UK Critical National Infrastructure (CNI), were also at fault.

Conversely, one interesting aspect is that "energy network operators are not generally aware whether customers connected to their networks are Critical National Infrastructure" and have "no priority within the electricity legal or regulatory framework". Whilst it is acknowledged there is work to identify and analyse this dependency, this seems an oddity. Surely it is for CNI to identify its requirements and protect those as necessary (and proportionately)? If you look at the dependencies, then all of a sudden, everything becomes critical. And frankly, that's unsustainable with the current energy network and economic circumstances.

2025/06/23 - News round-up.
Firstly, both the Spanish Government and the Spanish grid operator have published different findings into the Iberian power loss from the end of April. Equally, I have heard an entirely plausible, but different explanation from an individual who is an expert on renewable energy. I am not going to repeat it as it must be considered speculation no matter how plausible and logical his views are.

Next: There is significant but well grounded speculation that the criminals responsible for attacking Marks & Spencer and the Co-Op went after their IT Service Desks - possibly to fraudulently request password resets. NCSC issued new advice about help desk processes and reviewing authentication attempts to determine whether they are "risky".

Jump forward a few months, and now, the bad guys are coming after the general population according to Malwarebytes Labs. If you use a browser to search for the phone number of an organisation, do not trust any contact details that appear as part of a search box on a website, even if all the security indicators point to that website being entirely valid.

Finally, the Scottish Government are ending their use of unapproved messaging applications on official devices. This comes after the Covid Inquiry discovered that WhatsApp was used as a mainstream communications tool, but that messages were largely deleted by those in authority.

Whilst we have previously suggested that encrypted messaging applications such as Signal do not make good bedfellows for accountability, it is interesting that Kate Forbes has stated "personal phones should not be used for official business". The bottom line is that it would be inordinately unlikely that the Scottish Government would ever find out if a civil servant or politician were using WhatsApp on a personal device. And let's face it, there is some form here.

I also have personal experience of this exact situation where during one security incident within a government executive agency, I did flag that I was uncomfortable with the security team using WhatsApp on personal devices to manage communications between themselves. Mind you, the same organisation was also concerned over data retention in Slack and so just set everything to self-destruct in a very short timescale instead of using the corporately approved tool - Microsoft Teams.

I also spotted that WhatsApp are currently running TV adverts highlighting that it's encrypted and secure. Whilst this is true, you should remember who the parent organisation of WhatsApp is. Meta (and Facebook) thrive on exploiting the digital information of their consumers - no matter how small or innocuous it may be. To that end, the WhatsApp Privacy Policy is here and it's a minefield to negotiate.

2025/06/16 - Android VPNs.
Further to the post from a few days ago, where we speculated that owners of Android devices should not think they had dodged the bullet of certain VPNs leaking information to the Chinese, the original report has been updated. This time, it specifically includes VPNs available from the Google Play Store, highlighting that the issue is not unique to users of Apple's iPhone.

2025/06/06 - Safer Travel 2025.
Safer Travel 2025 is now available. It weighs in at over 200 pages, and has been entirely updated and restructured.

It now includes a chapter on disasters, as many travellers from the UK are unlikely to ever encounter things that people in other parts of the world accept as part of their everyday life. The guidance includes what to do in the event of an avalanche, a chemical incident, civil unrest, earthquakes, extreme heat, flooding, a landslide, thunderstorms and lightning, a tornado, tsunamis, a volcano, wildfires and winter storms. This edition sees more detail on preparation, travel documentation, health when travelling and finances, as well as travelling by ferry.

Please see the Travel page for information on how to obtain a full, unabridged copy. And whilst it is not mandatory, we would be grateful for a donation of £30 per copy. This was not a trivial document to write and maintain and many people give up their time to do so. Less than 3% of those ordering a copy last year chose to make a donation - and that is disappointing. After all, how much would you pay to save your life? That's what this document can do.

2025/05/30 - Going dark.
The six of you that regularly read this website will have noticed that many of the updates from earlier in the month did not percolate through. Depending on your own feelings, you may be pleased to know that there are still some places where there is no mobile or wireless coverage. It is down to the never-ending generosity of Mr Alexander "Sandy" Matheson CVO OBE and Freeman of the Western Isles that my family was able to find one.

For those of you that are heading off on your own holidays, this year's Safer Travel is so very close to being completed - and has been since February, having finally hit 200 pages!

Equally, this should make for terrifying reading for iPhone users of some VPN solutions. And I would wager that Android users should not think they dodged that particular bullet!

2025/05/26 - Digital attack on Legal Aid Agency.
This is bad. The spin put on it in this report makes it much, much worse.

2025/05/24 - Kirkcaldy and District Pipe Band.
I have mentioned Kirkcaldy and District Pipe Band here before, and whilst it is nothing to do with anything security or assurance related, they remain good friends - and sometimes good news from friends deserves to be highlighted. With that in mind, earlier today they played the Dollar Pipe Band & Drum-Majors Competition. The last time they played (back in 2023), they came second in their grade. This time, they came first.

And continuing the good news, Inveraray and District Pipe Band took first place in their grade with straight firsts from the judges.

Well done! And I'm sorry that I couldn't hang around to celebrate, having to make for Morar instead.

2025/05/21 - News round-up.
Last year we reported that the Post Office had reported themselves to the ICO for disclosing the details of the 555 sub-postmasters who sued them in 2017. It has now been announced that a settlement has largely been agreed.

On the face of it, this speculation feels right. By the sounds of it, it wouldn't have required significant resources to massively influence the vote. We all know some countries that have previous for doing exactly that, who might want to disrupt Eurovision.

West Lothian Council have confirmed that "some personal or sensitive data is among the information stolen by criminals" following their recent ransomware attack. As an aside, the increasing number of public declarations of incidents can only be a good thing. Whilst it can be inconvenient for customers and damaging for shareholders, it does highlight the benefit of sharing information.

2025/05/12 - Public Accounts Committee Report.
This does not appear to be well reported, but is just as damning as the report from the National Audit Office from earlier this year. The comments from the chair of the Public Accounts Committee highlight the revolutionary thinking that government needs to adopt to break the "same-old same-old".

2025/05/09 - Interim report into North Hyde Substation outage published.
The National Energy System Operator (NESO) has published its interim report into the substation fire that resulted in Heathrow Airport losing power and subsequently closing back on March 20th.

The bottom line is they seem to have established a timeline of events and discounted criminal or terror-related behaviour. It remains somewhat surprising to me (as somebody that knows nothing about fire investigations) that they don't appear to have any further lines of enquiry. Whilst I freely admit I know nothing about fire investigations, I've done more than my fair share of forensic root-cause analysis of significant events and there are two things that jump out at me: firstly, NESO may not have all the resources at its disposal that it needs; and secondly, there is a disconnect between the impact of the fire on localised power distribution when contrasted with the closure of one of the world's biggest airports. The consequence of that is it feels to me like it's on the owners of Heathrow to fix, not the National Grid.

I also note that NESO's final report is expected to contain "findings and recommendations relating to the resilience of energy infrastructure; the response and restoration of energy infrastructure; and the resilience of critical national infrastructure to energy disruption". Nothing there is a root cause analysis, despite what Heathrow appear to be looking for. That feels to me like there is a desire to apportion blame elsewhere.

If we take the catastrophic impact on Heathrow out of the equation, the power outage appeared to last from 23:21 on 20/03 until 06:25 on 21/03 - a little over seven hours. The simple fact is that's not actually a very big power outage, and it occurred overnight when power demands are considerably lower. Contrast that with the widespread loss of power in parts of Spain, Portugal and France ten days ago. I appreciate that those affected will have their own personal circumstances that will vary the impact they endured during the outage - but I still circle back to the fact that the impact on Heathrow appears disproportionate for an organisation that's such a significant part of the UK travel sector, the UK economy and the UK Critical National Infrastructure.

2025/05/08 - VE80.
On this day, eighty years ago the UK, and some of her allies, celebrated the unconditional surrender of Nazi Germany following just over five and a half years of conflict. It is impossible to comprehend how the moment must have felt.

As I sit here at my desk, with a sunny day outside, it is difficult not to reflect on how that day has led to the conflicts that are increasingly widespread now. I can remember my parents speaking about the war. Whether it was prisoners-of-war working on my grandfather's farm, or the seat that saved my mother's life during a night-time bombing raid on Fraserburgh. Even having extended family in Bavaria and attending weddings in churches where the war graves are in secluded, overgrown corners far from paths. These things connect me to something that I did not witness, but I heard first-hand and saw the impact. And sadly, I think those connections are no longer there for most people and World War II is viewed as ancient history with nothing more to be learned from it. And even more sadly, I think that is to blame for the current deterioration of international relations.

2025/04/30 - News round-up.
This is unprecedented. And do not underestimate the importance of the work CISA do. There is the old saying that "the first casualty of war is truth". Whilst the US doesn't appear to be at war with anybody, it remains to be seen for how long. Philip Pullman's views on the end of American power are interesting - at the very least.

And the news has been full of the sudden and unprecedented loss of power across large parts of Spain and Portugal. There appears to be much speculation on what caused it, with an electronic attack on the power infrastructure not entirely being ruled out. The BBC has a good fact-based article here. And if you think that could never happen here.... well, there's some news of a similar nature.

Pentesters should be aware of this. If you use Kali Linux, it is serious.

France goes public on something security pros have known for a while.

And M&S are clearly having an M&S security incident.

Finally, in the "so outlandish, it's probably true" box, it seems if you insult Kim Jong Un, you can avoid hiring a fake North Korean worker.
--
Just in the interests of a full disclaimer, the news articles linked to in the second paragraph were chosen largely at random. I have no view on how accurate, speculative or misleading they may be. I did avoid the one that stated beyond all reasonable doubt that it was a cyber-attack that Russia was behind!

2025/04/17 - *Very* serious flaw in Fortinet devices.
This has been bubbling for a while and highlights how targeted Fortinet networking kit is. Whilst it only affected you if you used the FortiGate SSL-VPN, Fortinet are now highlighting additional steps that are required to remove persistence in the device following patching.

In other news: Signal is doing what Signal does.

2025/04/16 - And then they came for me....
Well.... maybe not, but all the chaos on the other side of the Atlantic is now impacting on IA worldwide. There can't be a single IT Health Check or Penetration Test Report in the world that doesn't refer to Common Vulnerabilities and Exposures (or CVE) scores. The thing is, the funding for MITRE, the federal non-profit that maintains the CVE lists, expired today. We knew this was going to happen, as CISA (who fund MITRE) is also facing massive funding and staff cuts. In light of the circumstances, this might be important.
--
Update: There is a report that CISA has extended funding to keep the CVE programme operational.

2025/04/08 - Top Gun and memories....
Last week, Val Kilmer died.

The original Top Gun was the first film I ever watched in VHS surround sound at a friend's house. And on Sunday, I watched Top Gun: Maverick for the second time. It's odd... what got me about the opening SR-72 Darkstar sequence featuring Tom Cruise, is Maverick's lack of selfishness in trying to do his best for something bigger and the people he cares about - at his own considerable expense. It was something that I could relate to.

And when Phoenix says, "Who the hell are they going to get to teach us?", it took me back 20 years when my friend and mentor at a Whitehall Department said exactly the same thing about a group (that included me) trying to improve information assurance in government.

Today marks 17 years since I started as Lead Accreditor at Disclosure Scotland and I have spent that time putting their needs above my own. In truth, I've not had a holiday in all that time where I did not speak to somebody about something related to work and, looking back, probably only 20% of what I did was "assurance". The rest of it was impartially ensuring accountability, mentoring staff, offering counsel to seniors, monitoring elementary security controls, facilitating relationships across government, learning, and making sure that I was sure. I have spent many years at Mach 10 for the greater good.

That's not just what I am. It's who I am.

At the end of May, my Darkstar programme with DS ends. There will be no more anniversaries. There will be no more impartial assessment and accountability. Darkstar is a dead stick.

2025/04/07 - Snippets.
Firstly, on the matter of Signal-gate, The Guardian reports that Jeffrey Goldberg was included in the chat because his contact details had been copied and saved under the name "Brian Hughes" - a Trump spokesperson.

Secondly, a judge has ruled that Apple's challenge to the UK Gov's Technical Capability Notice cannot be heard in secret.
--
16:20 A copy of the judgement is available.

2025/03/27 - Signal-gate.
It's difficult to know where to begin dissecting the US use of Signal during a live operation. And all because we have the accidental(?) addition of a journalist, Jeffrey Goldberg, to the chat that covered the US bombing of Houthis in Yemen. As usual, here in the security cart shed, we take a somewhat different view. Don't get me wrong, there are questions that have been answered, but those answers seem to show a particular form of "truth" that is rather separate from "fact".

Firstly, it doesn't matter what side of the Atlantic you are on: if a government forms a democracy, then that government has to be accountable, and part of that is ensuring that adequate records of key decisions and the basis of those decisions are maintained. The truth is, Signal, with its disappearing messages, may not be the best option for that.

Next, we turn to reports the NSA issued about a security vulnerability in Signal. Seemingly, it was issued just shortly before Signal-gate (or, depending on who you are, just afterwards). Numerous sources have reported that "the NSA had warned employees against using Signal due to a vulnerability". Well, here is a copy of that report. BladeSec IA are breaching nothing in posting a link to it - as it is "Unclassified // For Official Use Only". You will note that the "F9T53 OpSec Special Bulletin" makes no mention of any vulnerability. Instead, you'll note it highlights that bad actors consider Signal to be a "high value target" (which is true) and warns that the "linked devices" feature can be misused. Ironically, it does not remind you to verify the identities of those you add to chats or accept as contacts. The fact is, phishing still occurs on Signal. Indeed, it happened to me, but I did wonder why a Thai woman, with a Western name and a provocative avatar, wanted to speak to me!

It's important to note that anybody can join Signal with just a phone number. And if you know what you're doing, you can join Signal with even less than that! This is not a flaw, but one of the reasons Signal is just so important to those who rely on privacy - not public accountability.

Finally, how many other "hidden" Signal chats are going on? We, the people, demand back-door access to all unauthorised government communications using unauthorised channels to audit the compliance of those governments!

Well. Maybe not.... but what does scare me is that somehow Signal will become the scapegoat for the stupidity of people who should have known better. That would be a catastrophe. Or that, given all this talk of Signal, it accelerates its withdrawal from the UK - again because of the stupidity of people who should know better.

2025/03/13 - Speculation on an appeal by Apple.
The not so secret, secret Investigatory Powers Tribunal is apparently happening tomorrow.

And don't let the title of this article throw you. It's a very interesting account of the Public Account Committee from Monday.

2025/03/05 - Yet more on the impact of the alleged Technical Capability Notice against Apple.
Excellent opinion piece from El Reg here. And whilst it is likely to be fruitless, Apple appear to be pushing back.

Finally, NCSC have apparently changed their guidance for "high-risk" individuals.

2025/03/03 - More on the impact of the Investigatory Powers Act.
Bruce Schneier's thoughts.

Sweden is trying to follow the example of the UK. As a consequence, Signal say they will pull out of there too.

The BBC report that the Director of US National Intelligence was not informed of the UK government's request to Apple.

Many commentators have pointed out that Apple have not disabled end-to-end encryption. However, they have disabled Advanced Data Protection for iCloud Backups. Advanced Data Protection means that only trusted devices have access to the encryption keys. Standard data protection means that Apple has access to them and thus technically has access to material protected in this way. And that includes iCloud Drive and iCloud Backups. Access to iCloud Backups is especially concerning, as that includes a backup of your device AND a copy of your Messages. You don't need to break the end-to-end encryption if your device is fully backed up using a mechanism through which you can get access to the original content.

2025/02/21 - Apple withdraw Advanced Data Protection for UK consumers.
And there we have it. Proof that privacy is no longer a right within the UK. Keeping things secure, as an individual, is not an option that is available to you.

The vast majority of people are law abiding, yet the threats posed to those people by criminals and malicious foreign powers increase annually (and that includes legitimate companies who want to do stupid things*). Anything that can be done to prevent sensitive information falling into the wrong hands should be embraced and adopted. The approach apparently taken by the UK government highlights that they see everybody as a potential criminal whose most sensitive personal information can be mined without any recourse to proper judicial review. Whatever happened to "innocent until proven guilty?"

It wasn't in 1984 that Big Brother was born, it was on the 21st of February, 2025.

The thing is, I bet it will be abused by both the authorities and criminals within two years.
--
* I am currently at loggerheads with a credit reference agency. The Financial Ombudsman Service awarded me damages and in response, the organisation want me to e-mail my bank details to a generic "customer relations" address.

In preference, I asked them to simply post me a cheque. Cheques, after all, have been an acceptable form of cash transfer for decades. I was told, "That's not how we pay compensation" with no further explanation offered. That is a stupid statement that makes no sense.

When I asked to have a named individual's e-mail address to send my bank details to, I was then told:-
Due to internal security and employee safety, [company] employees will not provide last names neither use a "personalized" email address, we use the Customer Relations address for the security of our employees.

There is a massive amount of irony that the organisation refuses to use an e-mail address specific to an individual due to "internal security", but expect me to provide my specific bank details to a generic e-mail address.

Here's the thing: If you replace "bank details" with "credit card details", my understanding of PCI (I am not an expert) means those details cannot be sent to a generic e-mail address, and the company must offer a secure alternative - such as an encrypted web form.

The matter will get referred back to the Ombudsman at the beginning of March on the basis that the credit reference agency have failed to make good on the settlement - and then I might name names. But it does show that even huge, international organisations with access to huge amounts of your personal data will take pointless steps to protect their staff, but still fail to protect your information to a reasonable level.

2025/02/17 - Actions that have consequences.
Two US Lawmakers have written to the Director of National Intelligence expressing their concern over the alleged request from the UK government to weaken the security of Apple's iCloud backups. There are strong words in there....

And sometimes you need international partners to help further investigations.

2025/02/11 - Withdrawal of at risk notice: Power supply work completed.
The at risk notice for the power supply work in the security cart shed has been withdrawn. We can confirm that there was no impact on services, although UPS01 did drop to 17 minutes of power remaining before the power was restored.

2025/02/10 - UK Gov apparently(*) undermining Apple security.
I think we knew it was coming, but I suppose every privacy and security professional based in the UK hoped we would be wrong.

The Washington Post have reported that His Majesty's UK Government have requested Apple to backdoor their encryption. Not just for an individual, but for everybody. This is an unprecedented move in any modern democracy and represents a fundamental removal of personal rights within the UK as well as marking the UK out to be technologically repressive. This is not the sort of stance that the UK would wish to promote.

It must be emphasised that the UK have previously interfered with devices to obtain prosecutions without going nuclear. The European Court of Human Rights has stated that backdoored encryption is illegal. Even more recently, Australia, Canada, New Zealand and the US endorsed the use of end-to-end encryption. And those parties should know what they're speaking about; together with the UK, they comprise FIVE EYES.

El Reg's view here. Bruce Schneier's viewpoint here.
--
* We have to say "apparently". Any organisation that acknowledges they are in receipt of a Technical Capability Notice is performing a criminal act.

2025/02/03 - At risk notice: Power supply work.
We are having some electrical work undertaken in the security cart shed next Tuesday morning, the 11th of February. As usual, there should be no interruption to services.

And whilst it is entirely unrelated, we have to highlight that over the weekend, it came out that Keir Starmer's personal e-mail account was hacked in 2022. Only when he recreated his account did he set up something as elementary as multi-factor authentication (MFA or 2FA). One has to ask where the Parliamentary personal security advisors were in all of this.

2025/01/29 - Poor progress in meeting UK Cyber Security Strategy.
The National Audit Office highlights the increasing logical threats to government systems, but also that progress towards meeting the Government Cyber Security Strategy: 2022 to 2030 is ambitious.

Whilst there are initiatives like GovAssure and Secure by Design, the former of those only really allows a superficial metric to be applied. It fails to understand the complexity of most wider public sector and devolved government organisations.

If only there were a group of qualified, experienced individuals who understood technology, threat, risk, programme delivery, budget, data sensitivities with a governance regime that ensured accountability and could give tailored, prioritised advice...!

2025/01/27 - Holocaust Memorial Day.
Today marks the eightieth anniversary of the liberation of Auschwitz-Birkenau, the largest Nazi death camp.

Back in 2017, my family and I visited the Dachau concentration camp near Munich. It was one of the first to be built and having enjoyed several days with friends immediately before, it was a horrific contrast. To this day, I remember standing in silence looking at the crematoria with silent tears rolling down my face. There is a malignant presence at these places that unless you have visited, you cannot fathom.

2025/01/27 - Apparent failure in the joiners, movers and leavers process at British Museum.
Over the weekend, a number of sources suggested that The British Museum had been temporarily forced to stop admissions and close some galleries and exhibitions. Whilst there does not appear to be any confirmation on the British Museum website, a spokesman quoted in the articles linked previously attributes the issue to a rogue IT contractor.

The interesting thing is that the contractor entered the museum (not hard, it is a public building) but then got into a restricted area before shutting down several systems. If this isn't a demonstration of why you need to nail your joiners, movers and leavers process, then I don't know what is.

And the key thing about the leaving part: risk assess the circumstances:-

  • Could the individual have widespread, or accumulated, access credentials?
  • Is the individual retiring after several years of faultless service?
  • Is the individual leaving to go to a competitor?
  • Is the individual unhappy about a portion of their work, or do they feel they have not had the recognition they deserved?
  • Is it a mundane resignation, or the end of a contract?
Only when you have answered those questions can you decide the urgency of locking out their accounts, whether their physical access (passes, keys and door codes) needs to go at the same time, or even whether to have them escorted off site without working their notice period.

The sad thing is that it is usually only the "joiners" part of the process that gets prioritised, as nobody likes having a new member of staff being paid but unable to do anything because their clearance or access has not been sorted out.

2025/01/24 - Red weather warnings.
The red weather warnings that have been announced place the security cart shed right in the middle of them. I am currently in the very fortunate position of being on the Isle of Lewis. Needless to say, we'll be monitoring the service remotely and, thanks to our business continuity planning, we do not anticipate any interruption to our service delivery.

The likelihood of widespread power outages highlights (for a few days of the year at least) the dangers of relying on a single national grid for power, heating and travel, and for underpinning the delivery of other critical services such as communications. When you look at the make-up of electricity generation, diversity is recognised as good, even critical to life. As changes to the climate make storms like Éowyn more likely, house builders may have to consider delivering diversity of power and heating supply. The general population may have to take more responsibility for maintaining their own habitable space.

If you are in the red zone... be safe and check in with others.

2025/01/20 - UK to introduce digital driving licences.
On the face of it, this seems like a reasonable idea. But instead of using the technology already available, HMG appear to be reinventing the wheel: instead of a digital licence that nestles nicely in your Google or Apple wallet, you have to download yet another government application to provide the function.

Anybody who has done anything on digital identities knows that it is inordinately difficult to get right. Binding a virtual ID to a physical one needs a whole gamut of other checks and balances, and Google is amongst the best in the world at doing it. It rather feels like doing it through a third-party "government application" (that will be "secured similarly to a banking application") is simply not going to be efficient, or permit the reuse of the thinking of some exceptionally clever people.

BBC News report here.

2025/01/08 - Mobile phones and LineageOS.
I have mentioned LineageOS a few times on this website before. What I didn't say following the last post was that support for the Motorola G(7) Plus was restored shortly after I assumed it had been abandoned. And last night the phone that was destined to run Android 10 forever was upgraded to LineageOS 22.1, which is Android 15. It only took a few minutes. Because it went so well, my Pixel followed suit and now seems to run just that bit more smoothly. There are a few glitches but, on the whole, LineageOS, largely run by volunteers, gives every mobile phone vendor a lesson in providing support and security patches.

For the sake of completeness, I should point out that LineageOS is not for everybody. Google does a very good job of maintaining device integrity, and installing LineageOS significantly impacts that: the bootloader has to be unlocked, so the device no longer passes the verified-boot and Play Integrity checks that some banking and enterprise applications insist on. But if you know what you are doing, then LineageOS is truly remarkable.

On a similar note, CISA in the States has released guidance on maintaining the security of a mobile device in the face of highly targeted attacks. For those that follow mobile phone security, there is nothing new in there, but I do miss BlackBerry 7.1's resistance to sideband EMF attacks.

For the general populace, there are a couple of interesting take-aways from the guidance:-

  • Only use end-to-end encrypted communications. This extends to not trusting the underlying mobile phone network, and would appear to be a response to Salt Typhoon.
  • Do not use SMS as an additional factor for authentication. This, too, is thought to be because of Salt Typhoon.
  • Use a password manager.
So, it now appears that the US has wholly embraced the use of unbackdoored encryption. I wonder how long it will take the UK to draw the same conclusion.

2025/01/01 - Good riddance, 2024!
Like last year, we stayed put for Hogmanay. In truth, it has not been the best end to the year and here in the security cart shed we have been finding it hard to get into the good cheer that is usually so prevalent at this time. It would be easy to hang my hat on one thing but, when you pick it over, there is a myriad of things I could point my finger at that have made the end of the year difficult.

So instead of looking back, I'll look forward - slightly. Whilst we're not seeing in Hogmanay in our favourite place, we are going there (weather permitting!) in a couple of weeks. Suilly gets to return to his favourite beaches (we aspire to a different one every day this time) and my better half gets to run on roads that don't muddy everything (having completed Markathon for the umpteenth time). As for me, I sense that I won't be working quite so hard, and instead will be taking some "personal" time - probably sitting by a fire, with a pint of Guinness and Suilly at my feet.

Casting my thoughts further forward, we hope to bring news of an event that will be strangely familiar to many of a particular age that harks back to when IA in the public sector was done with greater integrity and diligence. (And it may be prudent for me to emphasise, this is nothing to do with BladeSec IA, but in my capacity as the current Head of the Accreditation Specialism Advisory Group.)

And whilst I have dwelt on the negative, there is always some time for the annual tongue-in-cheek review of the last twelve months:-

  • Average distance travelled to work: 4.3 miles.
  • Distance to farthest job: Over 128 miles.
  • Oddest destination for me to be back in: My grandfather's farm.
  • Value of donations made by BladeSec IA to support good causes: £54.00.
  • Amount of time donated by BladeSec IA staff pro-bono: 13 days.
  • Most pleasant technical surprise: Some code that I wrote that even prints, "This programme is badly written", has never crashed or thrown an error.
  • Bucket list achievement this year: Attending the Edinburgh Tattoo followed closely by seeing Rura.
  • Most unpleasant surprise this year: Rura having to tell the crowd to be quiet as they were playing. Or it could be the fact that there doesn't seem to be a day goes past without me being a victim of, or witnessing tailgating.
  • Most recent qualification: BFHS IL1.
  • Amount of money received by BladeSec IA for anything other than consultancy: Still £nil.
  • Number of technology products sold by BladeSec IA: None.
There is a storm coming....