Archived news and comment from 2015.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2015, not all links may work.

Comment: 2015/12/28 - Rest in Peace....
Lemmy Kilmister: 1945 - 2015.

Comment: 2015/12/24 - Merry Christmas!
From everybody at BladeSec IA....

Comment: 2015/12/09 - Update.
After some more, moderately unplanned radio silence, BladeSec IA have moved premises. We've got some major plans coming off in the next twelve months, and as a consequence, we needed to relocate, temporarily, to a different location. We're now very happy residents of Wolfhill in Perthshire - probably until summer next year.

As part of the planning for the move, we sorted out all the usual transfers of services. Thing is, for some unknown reason that we're still trying to get to the bottom of, the connection of our DSL has taken two weeks longer than we expected. This made us reliant on the mobile phone signal which, shall we say, is geared up for voice rather than data in Wolfhill.

Still, it all seems to have sorted itself out now.... And with that, we're keen to get back into things....

First up, BladeSec IA are delighted to announce that their Director, Owen Birnie, has been nominated as the chair of the Scottish Branch of the Institute of Information Security Professionals.

And to that end.....

The Scottish IISP Branch are belatedly announcing a pub meet to be held next Wednesday, the 16TH of December at The Café Royal, 19 West Register Street, Edinburgh. EH2 2AA.

The event is not ticketed - please feel free to just turn up any time from approximately 16:30. We're just going to be in the main bar so that we can enjoy the atmosphere and catch up with friends and acquaintances before Christmas.

If you are concerned about not knowing anybody, please contact us to confirm roughly what time you'll be turning up and we can keep an eye out.

The next "formal" Scottish Event is in Waxy o'Connors, Glasgow on the 10TH of February. Keep an eye here for more information.

The Scottish Branch would like to take this opportunity to thank you for your support in the last six months and to wish you a very Merry Christmas.

Comment: 2015/10/30 - Media update.
There is a reason for the radio silence. It's been an absolutely bonkers month that culminated in a trip to The Bailiwick of Jersey to catch up with some old friends and acquaintances. Whilst in Jersey, I had the time to take a trip across to St Malo. In preparation, I went to Marks and Spencer as they had the best high street rate for Euros. I was slightly surprised that if I bought Euros using my Debit MasterCard at the Kiosk, they needed photographic ID. If I used the exact same card to withdraw Sterling from the M&S cash machine to the side of the kiosk, they would accept cash as full payment with no further checks. I guess it just goes to show the difference in liability and verification between PoS machines and cash dispensers.

Just prior to flying out to Jersey, BladeSec IA were proud to represent The Institute of Information Security Professionals at the "McICAREC" function at Edinburgh Castle. I was especially delighted to be name checked by Ross Bowerman of Dell Secureworks and Nath Clarke of Sainsbury's Bank for the meeting up with them following the inaugural meeting last year. It was an especially interesting McICAREC, with far more IA orientated delegates from industry - it's a shame that my train left when it did as I thoroughly enjoyed myself.

I'm not entirely sure that all the delegates at the Scottish IISP Hallowe'en Special enjoyed themselves earlier this month. Whilst the spooky surroundings of Jekyll & Hyde's in the Edinburgh New Town compounded the situation, many were unprepared for being placed on the spot at having to regale our judges with a horrific tale of epic security failures. In truth, judging from the feedback, everybody did enjoy themselves, and it was good to let our hair down with a more relaxed format.

BladeSec IA will once again be helping organise a Scottish IISP Christmas Drinks Reception on the run up to Christmas... watch this space.

It's been a busy month in the media. Cyber security is hitting the mainstream press in a big way:-

  • Safe Harbour has failed. Interesting comments from Microsoft's Brad Smith;
  • The auditor who deliberately leaked details of Morrisons employees has been sentenced to eight years in gaol. This case is interesting, as Morrisons themselves are being sued despite the fact that it was malicious actions by a member of staff. I'd expect the Seventh Data Protection Principle to be relevant here, and the onus is on Morrisons to prove they had adequate technical controls in place. But this may set a precedent. Why train staff if you can't hold them to account?
  • Talk Talk has been hacked and a fifteen year old boy has been arrested. As I write, rumours are appearing that a second fifteen year old has also been arrested;
  • SPECTRE has been released.... And in my personal opinion, it's the worst Bond film for twenty years. I won't give anything away and I acknowledge that I'm in a minuscule minority.... I hope you enjoy it!

Comment: 2015/09/30 - Closure of The CESG Listed Advisor Scheme.
Today marks the last day that BladeSec IA are able to offer CLAS. Whilst our application for CESG Certified Cyber Security Consultancy is well underway, it will be a wee while before CESG are ready to promote that. You will see from our comment from 2015/09/15 below, that we have already adopted the standards expected of CCCSC, however we are aware that operating outwith an HMG framework is concerning a number of customers. So....

Go and re-read Why choose BladeSec IA?. Take particular note of items 5, 9 and 10.

To mark the end of CLAS, all new work placed with BladeSec IA in October will have a discount of at least 10% for the duration of that job. (The actual discount will be a minimum of 10%, but will be more for larger jobs. To be considered, a customer Purchase Order must be received by BladeSec IA by 16:30 on 30/10/2015.)

And so that our existing customers don't feel left out, all work carried out in October will be invoiced with a 10% discount....

Comment: 2015/09/24 - Mobile security.
Now is really not a good time to own an Android phone. It would appear that there isn't a single secure phone out there.

The latest one is that unless you are running the absolute latest version of Lollipop (5.1.1, plus all security patches), then it's possible to trivially bypass the lock screen password. The workaround is to use a pattern or PIN to secure your device.

Mind you, Android is in good company. An individual called Jose Rodriguez has posted a YouTube video showing how to access limited content from a locked iPhone running the latest iOS9. The workaround is to disable Siri when the device is locked.

Comment: 2015/09/22 - Media round-up....
Here is the semi-regular tour round some of the more interesting stories from the newswires:-

  • A number of applications that have been approved by Apple and placed into their AppStore have been trojaned. Rumours are spreading that the widespread use of the malicious Xcode developer suite has resulted in approximately forty trojaned applications, but other sources are suggesting "thousands". This isn't the first time that Apple have slipped up.
  • The issue of compromised Cisco ROM images that we reported last month is gaining wider press attention. Original art here. CERT UK page here.
  • Changes to the AVG privacy policy suggest that if you value privacy, you may want to change to a different anti-malware vendor. I especially like the bit that says "If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information". Hmm.....
Reminder: Tickets for the Scottish IISP Branch Hallowe'en Special are available now.

Comment: 2015/09/15 - The end of CLAS....
We're two weeks away from the end of the CESG Listed Advisor Scheme. My membership expires, as it always did, on the 30TH of September. We've yet to see much movement in terms of its replacement scheme. BladeSec IA fully expect to be one of the first CESG Certified Cyber Security Consultancies, but until it gets to that point, we want to reassure existing and future customers of a few facts:-

  • We only use Senior and Lead CESG Certified Professionals to deliver projects;
  • The consultants we deploy are qualified in the best role for the activity that they are wanted for;
  • With your permission, we may deploy CCP Practitioner Consultants alongside our Project Leads. Professional development and mentoring is a big thing for us; &
  • All our consultants have a minimum clearance of SC.
Despite all the changes afoot, we want to reassure our customers that professionalism is just one of BladeSec IA's principles. There's a reason we use trust@BladeSecIA.com.

News: 2015/09/09 - Scottish IISP Event - The Hallowe'en Special: Tickets available now!
Tickets for the Scottish IISP Branch Hallowe'en Special are available now.

News: 2015/09/01 - Scottish IISP Event - The Hallowe'en Special: Save the date!
The Scottish IISP Branch are delighted to announce that they have organised a Hallowe'en Special in the most spooky of Scottish cities... Edinburgh....

Following in the footsteps of Burke & Hare, The Corstorphine Green Lady, bricked up closes, the plague pits and the shadow of The Castle... the IISP are putting on their own horror special in Edinburgh's New Town.

Save the date - this one will be different: 7TH October, 2015; 17:30 for 18:00 until late.... Tickets available from 08:00 on 7TH September. First come, first served....

More information will be revealed here soon!

Comment: 2015/08/24 - Media round up.
I can't believe that it's been a fortnight since I last posted a few links to some interesting news stories. What is very interesting is that there doesn't appear to be any reduction in the number of stories.

  • The press is full of the Ashley Madison hack. Even now the blackmailers are wondering how to exploit the target material - and this is a great example of why your work and personal e-mail addresses should never meet. Rumour has it that the hack has already led to its first suicide.
  • Cisco has evidence to support real-life instances of internal threat.
  • Hacking vehicles continues to be topical. It is obvious that car manufacturers still have much to learn from software manufacturers. Original research here.
  • The security posture of Android continues to diminish with more significant security flaws.
Finally: Many thanks to those that came to Glasgow to attend the IISP Social Evening to hear about the plans that I have for the Scottish Branch. Next up: Hallowe'en special in Edinburgh in October - more details to follow.

Comment: 2015/08/10 - Media round up.
A few stories from the newswires:-

  • Carphone Warehouse has been hacked. It is anticipated that the name, address, date of birth and bank account details of 2.4 million customers of subsidiary organisations and websites may have been compromised. The encrypted credit card information of a further 90,000 customers may also have been accessed.
  • Four FireEye security researchers have discovered that Android phones store biometric fingerprint information in a world readable directory.
  • In more bad news for Android users, security researchers from IBM's X-Force have discovered another vulnerability in the platform. This one may not be as universal as StageFright (in that it only affects Android version 4.3 and above), but it's still bad. The vulnerability allows a malicious application to escalate its privileges. CVE page here.
  • However, on a more positive note, Google, Samsung and largely LG will be releasing over the air monthly security updates for their mobile phones.
  • An interesting interpretation of statistics by Big Brother Watch regarding "data breaches".
Finally: Last call for folk wishing to attend the next Scottish IISP Event at Waxy o'Connors in Glasgow on 12TH August. For more information and registration see here.

Comment: 2015/08/01 - Fake Windows 10 installer.
This is going to cause an awful lot of pain.

Undoubtedly, most residential customers of Microsoft will have accepted the "free" upgrade to Windows 10 from qualifying Windows 7, 8 and 8.1 editions. The amount of information - unless you go after it - about how Microsoft will handle the upgrade has been fairly sparse. There were a number of folk who thought that the day Win10 was released, they'd get a download. In reality, your reserved copy of Windows 10 is queued and will be rolled out geographically.

This has opened the potential for abuse by criminals who are taking advantage of the situation to pretend to offer the update, but in reality are downloading ransomware....

As a consequence, spammers have been sending out e-mails that look like the update e-mail that Microsoft have been sending out - with the notable exception of spelling mistakes and a broken character-set encoding. The e-mail has a 734Kb attachment that contains the ransomware executable.

Here at BladeSec IA, we've been playing with the real Windows 10 - and it's not ready. Our advice to friends and family is to wait. You have a year to accept the update, and you should. You also need to be aware that despite the fact that Windows 10 will run reasonably well on most modern hardware, it's going to be the lack of device drivers that is going to cause the majority of problems. Anybody that's gone from Windows 7 to Windows 8.1 on hardware more than a couple of years old will know the pain.

Comment: 2015/07/29 - Media round up.
It's been a wee while since we had a trawl through news-worthy security stories:-

  • First, we'll kick off with an under-reported issue in BIND. This is a widely used programme that is used to handle DNS requests and this could be bad. National Vulnerability Database entry here.
  • Security doozy in Android: It's possible to get any Android device to execute code simply by sending it a malformed multimedia message (an MMS). Versions from 2.2 (Froyo) to 5.1.1_R5 (Lollipop) are all affected, and indeed some editions "pre-render" the message so you don't even need to open it to be affected. There is currently no patch. CERT-UK page here and undoubtedly more information will come out after Black Hat 2015.
  • As we predicted in February, where we speculated on a patch Tuesday for vehicles, Fiat Chrysler are recalling 1.4 million vehicles. Whilst the wider press are focussing on Jeeps, it also affects Dodge and Chrysler vehicles and allows anybody with an Internet connection to potentially remotely control your engine and brakes (plus some other minor systems). At the minute, it should be emphasised that this seems to only apply to State-side vehicles and Fiat Chrysler are supplying a fix in one of three ways. The one that seems to be causing the most flak is where you plug in a USB memory stick, sent in the post, to your vehicle. There are a number of interesting security aspects to this... not least of which is why didn't the engineers on Chrysler uConnect look at the aero-industry? Or maybe they did and planes are actually hackable too!
  • Pakistan has ordered the withdrawal of BlackBerry Enterprise Service (BES) from all telecommunications companies. Interestingly, this appears to be based on the fact that the Ministry of Interior cannot track the sender and content of messages sent through BES.
Finally, just a reminder that BladeSec IA are hosting the next Scottish IISP Event at Waxy o'Connors in Glasgow on 12TH August. For more information and registration see here.

News: 2015/07/16 - BladeSec IA Services awarded IASME Standard.
BladeSec IA are delighted to announce that they have successfully been certified against the Information Assurance for Small to Medium-sized Enterprises (IASME) Standard by the IASME Consortium.

The IASME Standard was developed over several years during a Technology Strategy Board funded project to create an achievable cyber-security standard for small companies. Whilst it is written with the same objective as ISO27001, it is designed specifically for small organisations. The standard allows SMEs in a supply chain to demonstrate their level of cyber security and that they are able to properly protect their customers' information whilst proving they are following best practice.

News: 2015/07/15 - BladeSec IA Services awarded Cyber Essentials.
BladeSec IA are delighted to announce that they have successfully been certified against the Cyber Essentials scheme by the IASME Consortium.

A primary objective of the UK Government's National Cyber Security Strategy is to make the UK a safer place to conduct business online. The Cyber Essentials scheme identifies some fundamental technical security controls that an organisation needs to have in place to help defend against Internet-borne threats. By deploying these controls, organisations can defend against the most common form of basic cyber attacks originating from the Internet.

News: 2015/07/14 - Scottish IISP Event - Glasgow.
Following the Edinburgh Event in June, BladeSec IA are delighted to be assisting the Institute of Information Security Professionals run another event - this time at Waxy O'Connors, Glasgow on 12TH August, 2015. Once again, the event is free and open to both members and non-members. For more information and registration see here.

BladeSec IA are currently in the process of lining up a Scottish IISP Hallowe'en Special and an unforgettable Christmas event. More details in due course.

News: 2015/07/13 - Revised Domestic Travel Advice.
At long last, BladeSec IA are delighted to announce the release of the third edition of the publication, Domestic Travel Advice. This entirely new version includes more information on:-

  • Hired cars;
  • Being followed;
  • Hotel security;
  • Taxis and minicabs;
  • Airline baggage;
  • Back scatter machines;
  • Terrorism; &
  • A few more brief notes on international travel.
Those who bought a copy in the last twelve months qualify for a free version of the new edition.

Please request your updated version from your usual source.

Comment: 2015/07/09 - Updates.
The last few weeks have been a whirlwind of activity here at BladeSec towers. We've been involved in a couple of big customer projects that have absorbed a big chunk of our time over the last six weeks. There's one - a very interesting, high profile, procurement exercise - that we are hoping to be able to disclose some information about. It's rather revolutionary for an HMG project and needless to say, is occurring at a very interesting time for IA in government. And needless to say, it's happening at the same time as many of our customers are trying to migrate to PSN-P as part of the CJX replacement project.

The CESG Certified Cyber Security Consultancy is on the horizon too. We are taking the opportunity to get our own house in order, and blow the cobwebs off a few things to ensure that we remain a unique prospect in the former-CLAS scheme. It's obvious that because BladeSec IA have invested in, and strongly encouraged, higher levels of professionalism as a core value, we are going to find the transition an awful lot easier than some consultancies.

We have just seen the tenth anniversary of the 7/7 London bombings. When it happened, I was working in the public sector trying to understand the impact of the events as the day unfolded. I had many friends and family in London that day, and remember the slow spread of horror. Fact is, when Andrew Parker was interviewed by The Intelligence and Security Committee in November last year, he said that 34 terrorist threats had been scuppered in the time since. I can't help thinking that conventional warfare won't work anymore.

Following the success of the Scottish IISP Event in Edinburgh, we're holding another one in Glasgow in August. Watch this space for registration details.

Anyway... a few interesting media reports:-

  • Edinburgh City Council have suffered a website breach. Professor Bill's comments here make for interesting reading.
  • There has been a raft of cheap, hacker(*) computers released in the past couple of years. The latest is the BBC Micro Bit. I have to say that whilst stuff like this simply appeals to my inner geek, I can't help but think that it's very welcome, as I've seen the dumbing-down of IT in the last two decades.
  • There's quite a lot of information coming out about the recent Hacking Team security breach. Not only can we see who they have sold their product to, but we get an understanding of how their technology is deployed, and that seems to revolve around zero-day Windows kernel and Adobe Flash vulnerabilities. I once said that there would never be such a thing as a zero-day attack, but the black economy is so fast moving, I was wrong. I never thought undisclosed vulnerabilities would be so commoditised as a means to an end.
  • Finally, the Home Office admits on page 55, to 33 Personal Data Related Incidents that were not reported to the ICO.
(*) Using the definition from the Jargon File.

Comment: 2015/06/15 - General round up.
Many thanks to those that came to the Scottish IISP event last week. It was clearly enjoyed by everybody and we have already put some feelers out to organise the next one. Watch this space.

In terms of other events: The Cyber Academy is hosting the Cyber Security and Education Conference in October.

Also; this snuck in under the radar somewhat. The text in the grey box at the top of page 16 is especially interesting. The gist of it is, "lead by example, get your own house in order".

Comment: 2015/06/05 - Cyber-geddon.
(Some that know me professionally will be surprised at my use of the word "cyber". They need to know that it's not often that I get to use such "high-impact", "red-top" headlines such as "cyber-geddon".)

A few days after security rock star, Bruce Schneier, announced at InfoSec that we were on the verge of a cyber-war arms race, the first casualty would seem to be the U.S. Office of Personnel Management. The attack would appear to be specifically targeted and quite extensive. What an attacker could do with the intelligence is quite fascinating - and when contemplated, positively horrific. Some security architects may argue that this is why multiple eggs inserted into one basket is a design flaw.

In battles up to the 20TH century, it was common to knock out your opponent's communications networks. Now you don't. Those pathways are what allows you in.

A colleague from KPMG is running a CISM training course for ISACA.

Finally, remember that BladeSec IA are hosting the Scottish IISP Event in Edinburgh on 10TH June. The last few tickets are available from here.

Comment: 2015/05/29 - Media round up.
It's been a slow few weeks on the security front, but here's a few sniglets to whet your appetite before the weekend:-

  • The media have been quick to highlight a race condition in the Starbucks Gift Card mechanism. Starbucks aren't happy.
  • The CERT Annual Report. That explains the predictions from Mr. Gibson, CERT-UK, at the CESG Update on Information Assurance on legacy malware;
  • The CESG Certified Cyber Consultancy Scheme has a bit more detail.
  • The media are reporting on TOX as "ransomware-as-a-service". Fact is, we've known that this has been going on on the underweb for years. This remains a good analysis.
  • Government Digital Services have taken a great deal of flak from The Register, much to the delight of many Local Authorities and CLAS Consultants.
  • SMS of iPhone rebootness.
  • And on general geekism, after some concerns that it was never going to be published, Commodore - The Amiga Years is due for release in November. I read the whole of Commodore - A Company On The Edge in one sitting, it was so gripping. And anybody who thinks Apple and PCs are the source of the IT revolution should read this introduction (after the index page) of the original publication. History is indeed written by the victors.
As an aside, folk might care to make a wee donation here. It's for a good cause...

Finally, just a reminder that BladeSec IA are hosting the Scottish IISP Event in Edinburgh on 10TH June. For more information and registration see here.

News: 2015/05/01 - Scottish IISP Social and Networking Event.
News item removed.

Comment: 2015/04/27 - Media round up.
It's been a while, and there's a good few bits have passed by without comment:-

First up: GHOST. A vulnerability in glibc affects all gethostbyname() functions. Linux will not operate without the library and the exploit allows a remote attacker to compromise a machine totally. There are a few nuances (such that the attacker has to be able to craft a DNS lookup), however, this has a CVSS score of 10 - and yes, this is a doozy. Information on National Vulnerability Database here.

Next: The fingerprint scanner on the Samsung Galaxy S5 has been compromised.

Thirdly: The Costa Coffee Club is reported as having suffered a security breach.

Finally: The founder of a security firm was kicked off a flight after an inappropriate comment on social media. He was then subsequently banned from travelling again by the TSA.

Comment: 2015/04/24 - Scottish IISP Event.
Following a few years in the wilderness, we're pleased to announce that we're helping the IISP stage an event in Scotland.

The date to mark out in your diary is the 10TH June, 2015 at a location within 100 yards of Haymarket in Edinburgh. Kick off will be 18:00 for 18:30. Final location details are to be confirmed. Look for more information next week, including details on how to register.

Comment: 2015/04/02 - TrueCrypt audit.
Despite the odd circumstances currently surrounding TrueCrypt, the audit of the source code has been completed and the results are fairly good. There were a few issues found, but these would only weaken the encryption in a few, very specific circumstances. Interestingly, the audit found no evidence to support claims of back doors, or significant design flaws.

Whilst this makes it one of the most investigated disc encryption products, would I deploy it? The answer is fairly complex: It depends on the circumstances.

It also raises the question - from the folk who jumped ship to the spiritual successors such as CipherShed or VeraCrypt - as to whether the few issues that have been identified will be fixed in their own code.

Comment: 2015/04/01 - Media round up.
In the week that we're beginning to understand what the new CLAS scheme is going to look like, there were a few other interesting media stories.

Firstly, I'm glad to say that the comment I made on 30/07/2013 was inaccurate. In June 2013, the Intelligence and Security Committee of Parliament recommended that the National Security Adviser conduct, "a substantive review of the effectiveness of HCSEC as a matter of urgency".

The first independent investigation into the Huawei Cyber Security Evaluation Centre (HCSEC) has rubber stamped its operation.

Secondly, The Register has an interesting view on the Police ICT Company.

Finally, British Airways and GitHub (amongst others) appear to have been hacked.

Comment: 2015/03/25 - Interesting, new GOV.UK publications.
Is it just me, or is GOV.UK an absolute boorach? There are some streams within the website that are fairly well established, but occasionally interesting material is published outside those areas that warrants a bit more attention:-

Thank goodness the new CESG / GCHQ / CPNI website will be outside GOV.UK. We might stand a chance of finding relevant material!

And whilst not on GOV.UK, I forgot to highlight some other interesting media highlights in the last few weeks:-

  • The Intelligence and Security Committee published Privacy and Security: A modern and transparent legal framework. Interestingly, the reports linked to are hosted on Google and clearly track downloads. Equally interesting is the knee-jerk reaction from all sides of the argument and that there is no representation for balance and proportion; &
  • Cameras have been allowed inside GCHQ.

Comment: 2015/03/06 - Media round up.
If you're a woman and want a career in the intelligence services, you should see page 43 of the report linked from this press release for future recruitment hints. I was just a little surprised to note that the press release is citing a work of fiction (The Imitation Game) as justification when the statistics in the report stand up for themselves.

If you use Facebook, you should read this Belgian Academic Report, commissioned by the Belgian Data Protection Authority.

57 individuals have been arrested in a week-long crack down on cyber-crime.

The latest big press security vulnerability is FREAK. Interestingly, the press don't seem to be reporting this one as widely (I suppose there's only so many times they can show banks of flashing lights). Once again, in order to maximise the impact of the vulnerability, you need to be in a position to leverage a man-in-the-middle attack. Entry in the National Vulnerability Database here.

Comment: 2015/02/23 - Current CLAS changes.
The last CLAS admission (the 2014 intake) saw changes to the way that the scheme was operated, with two levels of membership - full and associate. With the CESG membership directory now explicitly stating those members that are associates, it may be worth going over what the difference in membership levels means to customers.

It seems likely that the two different membership levels were created by CESG to try and encourage CLAS Consultants to certify to Senior or Lead CCP roles and apply for full membership. In reality, CESG failed to make a big enough differentiation between the levels and as a result, many CLAS members were content to apply as associate members. They perceived no additional tangible benefit in adopting a full over associate membership.

The CESG website highlights the following:-

  • Full CLAS members:-
    • Are security cleared to handle material up to, and including SECRET;
    • Have CESG sponsorship for access to the IA Policy Portfolio;
    • Are alerted to changes in the CESG IA Policy Portfolio;
    • Are authorised to receive alerts and advisories from GovCERT UK; &
    • Have access to CESG's IA consultants through the enquiries service.
  • Associate CLAS members:-
    • Are BPSS (Baseline Personnel Security Standard) checked;
    • Have CESG sponsorship for access to the IA Policy Portfolio;
    • Are alerted to changes in the CESG IA Policy Portfolio; &
    • Are authorised to receive alerts and advisories from GovCERT UK;
As you can see, this leaves two very specific areas that many CLAS consultants will have had under the old scheme, that by migrating to associate membership, will have degraded significantly:-
  • Level of clearance; &
  • Access to CESG experience.
To this end, it is now more important than ever to validate the security clearance of contractors where you specifically require them to be formally cleared. This is especially true if their clearance was previously held by GCHQ. Equally, if you have complex information assurance requirements, you need to be aware that the buck stops with the associate consultant you engage with. They have no recourse to CESG to assist them without resorting to an additional contract.

BladeSec IA prides itself on supplying only the best, most able staff. To that end, we made the decision to apply for full membership so that we can provide the best service and support to our customers.

News: 2015/02/13 - The Future of CLAS - Additional invitations.
We are now in a position to open the event to other affected parties such as Accreditors and SIROs. Please register here, selecting "Non-CLAS Possible Attendance" as the ticket type. Please assume that you can attend unless you hear otherwise.

News: 2015/02/12 - The Future of CLAS.
There's a lot of concern among CLAS members at the moment, and the CLAS Forum Chair, Peter Bance, has very kindly agreed to head north of the Watford Gap to take the opportunity to sit down with CLAS consultants from Scotland / the north of England and:-

  • Explain some of the detail behind CESG's recent announcement; and
  • Gather issues, concerns, etc. to pass back to CESG.
Please note that numbers are limited and that this is intended to be a "CLAS-only" event. (Depending on numbers wishing to attend, we may open this to SIROs, Accreditors and other "affected persons".) If you are part of a team of CLAS consultants, or a large organisation, I'd be grateful if only one of you could attend, and feed back to colleagues later. First come / first served.

We appreciate that this is quite a late notification, and that many of those affected will be working, however if you can only attend for part of the event, we will do our best to accommodate you.

Please note that this is being held at a Scottish Government building. In order to be eligible for this event, you must:-

  • Register with your corporate e-mail address; &
  • Bring government issued photo-ID.
Please note that there is no parking available at Saughton House. Please use the Edinburgh Trams or park in the area.

Please register here.

Comment: 2015/02/10 - More media.
I hadn't realised how topical keyless vehicle theft was, with the Met Police launching Operation Endeavour. Interesting statement from over two years ago.

Comment: 2015/02/09 - Media round up.
Why is the latest loss of CDs not attracting as much media attention as the HMRC one?

I would suggest that the car industry has known about the theft of vehicles using the diagnostic socket since about 2011, although it only seems to have hit the mainstream press late last year. BMW appears to be the first motor manufacturer to have released a security patch for a vehicle, albeit not to address the diagnostic socket issue. As vehicles get more and more computerised, I would expect this to be a more regular event - possibly peaking in a regular "patch Tuesday"?

Comment: 2015/01/23 - Counterfeit software.
Why is it so hard to buy boxed, retail software that isn't counterfeit?

I've never really gone into the detail of my trials against eBay over the supply of counterfeit software. Indeed, it would be inappropriate without giving them the right of reply. The bottom line is, however, that through eBay, I bought a shrink-wrapped, boxed, retail copy of Windows 7 Professional from a small computer shop in north London. On delivery, it was obviously counterfeit and I obtained a letter from Microsoft to this effect. I will point out that eBay played no part in the supply of the product. My gripe with them was based entirely on events following the delivery.

I had cause to purchase a new copy of Microsoft Office earlier this week. (I couldn't use my Volume License Agreement, as it was for personal use.) Having closed my account on eBay due to the previous incident, I purchased this one on Amazon. I selected a sale that was "Fulfilled by Amazon" and awaited the package's arrival.

It arrived yesterday, and once again, within three minutes, I had determined that it was counterfeit. (For those who are interested, the Microsoft website about counterfeit goods is here. In each of the cases that I've dealt with in the past (including two professionally) there is one item on this website that every counterfeiter has fallen foul of.) I phoned Amazon, or rather I put in a call request, and within two minutes I was speaking to a human being who apologised, issued a credit to my account and e-mailed me a label to return the package "for investigation".

I really can't fault the way that Amazon handled the situation, but it surprised me. If Amazon can unwittingly supply counterfeit software, what chance do smaller companies have? Is the manufacture and resale of counterfeit goods really that pervasive? That is worrying....

Have a good weekend....

Comment: 2015/01/09 - We are not afraid.
Our thoughts are with our friends in France at this terrible time. Words cannot describe the senseless horror you have had to endure over the last few days, and we hope for a swift resolution.

Comment: 2015/01/01 - Happy New Year!
It suddenly dawned on me that at the stroke of midnight last night, BladeSec IA officially became three years old.

There isn't a week that goes by where I don't wish I had set the company up sooner. Customers continually tell me of the benefits of dealing with a truly independent consultancy. I confess that I get a real buzz out of doing the best we can for our customers. Period.

Being successful brings its own rewards, and allows us to devote more time and money - both as an organisation and as individuals - to worthwhile causes. And I have to confess, I usually get a bigger kick out of that. That is why our Personal Integrity and Professionalism Policy encourages staff to make a difference. Scott Adams (author of Dilbert) has a slightly different view, but the bottom line is that the last three years have been the best of my personal and professional life. Please re-read what I wrote on 2013/05/27. I'm proud of the difference my company makes.

So, as is normal, a little weird insight into our last twelve months:-

  • Miles to closest job: 2.4 miles.
  • Miles to farthest job: 418.6 miles.
  • Largest number of miles covered in a single job: 842.5 miles (at no cost to the customer!)
  • Number of products sold: Nil.
  • New customers: 3.
  • Number of tenders submitted: 2.
  • Number of failed bids: 0.
  • Number of bids withdrawn: 2.
  • Most interesting place visited: Stornoway, The Western Isles - after being absent for 35 years.
So what are the next twelve months going to bring?

Well, I think the amount of change due in the government arena is going to be the greatest for ten years. CLAS is going to change significantly. CCP may continue to replace a portion of it. Risk management hasn't been done terribly well by HMG for decades and, as a consequence, the "naysayers" have won - and so there's going to be "standardised risk management". It's feasible that Accreditors will have to redefine their roles along with the folks formerly known as CLAS.

At the CLAS Technical Conference, Dr. Ian Levy said that the threat is getting worse (as did Rt Hon Francis Maude MP). That doesn't correlate with the "one size fits all" commercial security approach that HMG is now rushing headlong towards. And reading between the lines at the Accreditors' Forum, it's fairly clear that GCHQ don't agree either.

At some point, somebody is going to turn round, shrug and say, "told you so".

It started when the Security Policy Framework became a "mission statement". Most recently (and somewhat most drastically) the new version of the PSN Code is going a similar route. Adopting ISO27001 is not risk management. Risk management in ignorance is not risk management.

2015: The year the lunatics take over the asylum and are then promptly invaded by a series of small furry animals from the zoo next door.

Click here for older News & Comment.