Archived news and comment from 2019.
Please note: Because this is an archive of articles published on the BladeSec IA website in 2019, not all links may work.
Comment: 2019/12/31 - New year honours failure.
Comment: 2019/12/24 - Merry Christmas....
Have a Merry Christmas and a Happy New Year!
Comment: 2019/11/22 - We say it a lot round here....
Comment: 2019/11/20 - The month that Blade Runner is no longer set in the future.
Comment: 2019/07/19 - Rutger Hauer, 1944 to 2019.
I also remember as a young lad being utterly terrified by The Hitcher, a film credited with killing off hitching in the States. Yet again, Ladyhawke had a role to play in another of my life events.
He was possibly one of the most typecast actors of the modern generation, but he understood, more than many, that it was just storytelling.
Comment: 2019/07/09 - Record breaking fine for BA.
I used to say that we would never see zero-day vulnerabilities being exploited. I was wrong. We're also seeing the commoditisation of bespoke attacks, malware-as-a-service and numerous other criminal services for hire as the dark web proliferates.
We are seeing ever more sophisticated attacks, and with those attacks we, as security professionals, have to respond in an attempt to stay one step ahead. Part of accepted convention is to build technology with one eye on the assumption that at some point it will be compromised. No amount of security controls can entirely protect against the levels of complexity present in most technology deployments these days.
The last resort is to encrypt the data at rest and manage the access keys properly. It means that even if the data is stolen, by the time the encryption is brute forced, most of the people whose data has been compromised will be dead. Indeed, it's highly likely their children will be dead too. It's the ultimate security control: render the data unusable to the enemy until it's worthless.
Assuming that BA didn't do anything monumentally stupid (and from what I've heard, they didn't), and only the blob of encrypted data was stolen, then they've largely protected the identities and financial details of their customers as a last resort.
What purpose does the fine serve except to persuade security professionals and engineers that good engineering isn't cost effective? It's better to put no effort into building the system, do the minimum possible and sandbag for the fine.
That doesn't encourage secure systems and cripples technology up-take and innovation.
News: 2019/07/08 - The Institute of Information Security Professionals gains Royal Charter.
Comment: 2019/06/06 - The 75th Anniversary of Operation Neptune (D-Day).
Comment: 2019/05/30 - Who watches the watchmen?
The converse of that is, however, we will provide the utmost support to look after them as they go through "life events" that are nothing to do with work.
One member of staff has had their identity abused massively by an organisation. That same organisation has shown a monumental disregard in addressing the issue. To that end we stepped in and now MacRoberts are representing the interests of that individual.
It is clear, however, that the ICO appears to be the most badly prepared organisation in the UK in terms of GDPR. As part of the support provided to the individual, we need the ICO to fulfil their role to uphold... data privacy for individuals (their words).
A complaint was submitted to the ICO on 22nd February and at the time of writing, it has still not been allocated to a case officer. To put this into perspective, this is the second complaint made against this particular organisation, as they had failed to carry out appropriate remediation for the previous complaint. The ICO states that it expects to be able to allocate it to a case officer in four weeks, "at the earliest".
It does raise the interesting issue of who is liable if the organisation has deleted the information being sought as part of a normal document retention policy or other proper data governance activity?
Frankly, this clearly suggests to me that the ICO were massively unprepared for the impact GDPR would have, and it's wholly unacceptable. Perhaps they should stick to priorities within their defined legal framework.
News: 2019/05/22 - Now serving HTTPS.
It's taken us a long time to do it as there was simply no reason for it. We don't host any sensitive material, provide any e-commerce solutions, authentication or other activity that would warrant HTTPS. In the end, we thought we would - simply so that Chrome and Firefox would stop saying, "This site is insecure". It's not, but it is a poor choice of words by Google and Mozilla.
So we've gone the whole hog, and opted for a validated GeoTrust True BusinessID certificate. It's a slightly odd blurring between the logical and physical worlds, as they will only issue the certificate after they've validated a few real-world facts such as phone number, address and contact details.
We hope you enjoy the TLS encrypted goodness!
Comment: 2019/05/20 - Niki Lauda, 1949 to 2019.
News: 2019/05/10 - ScotlandIS Digital Technology Award.
For over eleven years, BladeSec IA Director, Owen Birnie has been the Lead Accreditor at Disclosure Scotland, and held responsibility for signing off the security of the Transformation Programme. Whilst he is very aware that he is a single cog in a very complex machine, he's also aware that DS held onto the coat tails of many clever people at AWS, the Home Office and NCSC.
And to top it all, Owen had a previous engagement in London with friends from the intelligence and security community when the news came in. Sadly, the Munich Cricket Club was too busy, and the Chinese Buffet no longer served a buffet. Whilst they were scenes of interesting historical events to the group, a small libation was consumed at The Red Lion in Whitehall in celebration.
Comment: 2019/05/02 - Peter Mayhew, 1944 to 2019.
Comment: 2019/04/27 - Second hand hard drives.
They assert that from 159 hard drives purchased from an on-line auction site, 67 devices had material that was easily discoverable to anybody with basic IT skills. The interesting part of the investigation was that as part of the purchasing process, Blancco claimed that each seller asserted that the device had been blanked properly.
Most alarming is the material that Blancco say they recovered....
People need to be aware of Darik's Boot and Nuke which is free for personal use.
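The Blancco finding above is that sellers asserted their drives were blanked when they were not. The following is an added example, not code from the page or from Blancco or DBAN, of the check a buyer or seller can run for themselves: read a raw disk image block by block and classify each block as blank, readable text or other data, so a drive that still carries readable records is caught before it leaves your hands. The image layout and the customer record in it are constructed for the example.

```python
import os
import tempfile

BLOCK = 4096  # bytes per block examined; any size works, 4 KiB matches common sector groups


def scan_image(path: str, block: int = BLOCK) -> dict:
    """Walk a raw disk image and count blocks by what they contain.

    blank: entirely 0x00 or entirely 0xFF (what a completed wipe looks like)
    text:  mostly printable ASCII, i.e. readable documents, logs or records
    other: anything else (binary files, filesystem metadata, random overwrite)
    """
    counts = {"blank": 0, "text": 0, "other": 0}
    with open(path, "rb") as f:
        while True:
            buf = f.read(block)
            if not buf:
                break
            if buf.count(0) == len(buf) or buf.count(0xFF) == len(buf):
                counts["blank"] += 1
            else:
                printable = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
                counts["text" if printable / len(buf) > 0.9 else "other"] += 1
    counts["total"] = sum(counts.values())
    # Only an image with no non-blank block at all passes as blanked.
    counts["blanked"] = counts["total"] > 0 and counts["blank"] == counts["total"]
    return counts


def make_sample_image(path: str) -> None:
    """Constructed 16-block image: 8 blank blocks, 2 blocks of a made-up
    customer record, 6 blocks of random bytes (a partial overwrite)."""
    record = b"Name: Example Customer\nAddress: 1 Example Street\nBooking ref: EXAMPLE01\n"
    text = (record * (2 * BLOCK // len(record) + 1))[: 2 * BLOCK]
    with open(path, "wb") as f:
        f.write(b"\x00" * (8 * BLOCK))
        f.write(text)
        f.write(os.urandom(6 * BLOCK))


def demo() -> tuple:
    """Scan a 'blanked' drive that still holds data and a genuinely zeroed one."""
    workdir = tempfile.mkdtemp()
    sold = os.path.join(workdir, "sold.img")
    wiped = os.path.join(workdir, "wiped.img")
    make_sample_image(sold)
    with open(wiped, "wb") as f:
        f.write(b"\x00" * (4 * BLOCK))
    return scan_image(sold), scan_image(wiped)


if __name__ == "__main__":
    print(demo())
```

On a real drive, point scan_image at the block device (read-only) rather than an image; a single "text" block is enough to fail the seller's assertion.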
Comment: 2019/04/26 - CyberUK.
As with all these types of events, it's catching up with old friends that makes them. At the other end of the scale, was the fact that many of the streams were too busy even for "standing room only" with poorly laid out rooms.
Perhaps more interesting was the security incident that one of our Directors noticed, which several hundred people missed and were affected by!
Comment: 2019/04/15 - Notre-Dame de Paris.
Even as a child, I was struck by the scale and beauty of "the old lady of Paris". I am not religious, but the images of the fire sadden me. I only knew Notre-Dame slightly, and I cannot imagine what the fire means to the people who live and work there.
Comment: 2019/04/11 - Julian Assange removed from Ecuadorian Embassy.
Comment: 2019/03/16 - New Zealand terrorist attack.
Comment: 2019/01/14 - Credit Reference Agencies.
No doubt they would argue to the contrary, but my own circumstances do not align with that. Also, the fact that they then charge people to monitor the accuracy of their own data by selling "identity theft protection" is not lost on me.
I had to laugh. I had clearly booked a Starwood Hotel many, many years ago. They told me that they'd lost a big chunk of fairly important data and were still able to e-mail to tell me this. I reckon that I've had about two dozen credit and debit cards in the time since I made that booking. Some will have been new, and some will be reissues.
However, those nice people at Marriott have paid for some form of identity theft protection for a year, so I clicked the button to sign up. And then I realised that they were going to take the data I gave them to confirm my identity and ship it outside the EU. I mean, really? I appreciate that it doesn't make something bad, but it does erode your confidence in something you have no confidence in anyway.
News: 2019/01/11 - Network failure - Resolved.
News: 2019/01/10 - Network failure.
Comment: 2019/01/01 - Happy New Year!
I'm honoured and humbled to be on the Isle of Lewis, sharing it with the 100th anniversary of the Iolaire Disaster. For that reason, we're not going to take our usual tongue-in-cheek look back at the year.
Some things are more important.