Archived news and comment from 2021.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2021, not all links may work.

Comment: 2021/12/23 - That was another year....
This year seems to have flown by. Here we are at Christmas. It's been an eventful year on both a personal and professional front.

As we approach the anniversary of the attack on SEPA, everybody in the industry is still trying to understand the implications of the log4j (or log4shell) vulnerability. Who'd do our job, trying to make perfect systems out of imperfect components? And all the time, I'm mindful that we all seek to become a harder target than any other organisation so that they get attacked instead. Sacrificial protection - in the face of the commoditisation of near-zero-day attacks - can't be sustained. But what is the solution?

On a personal front, I started the year with a promise that I'd look back on the events that led BladeSec IA to be formed. I had, in my mind's eye, a notion to look back with as much humour as I could muster. The fact is that there are parallels in the circumstances of the last six months with those in 2011. I am mindful that a narrative of those characteristics does not belong in words at this time of year.

These days, just like ten years ago, bring a particular clarity that leads to a particular set of actions.

Ten years ago, that led to the most enjoyable, most interesting and most worthwhile professional time. And that makes me curious to see what is going to happen in the coming year... and I hope next year is equally good for you....

Merry Christmas!

Comment: 2021/12/03 - The welcome, slow descent to Christmas.
The Cabinet Office has been fined by the Information Commissioner's Office after referring themselves when a version of the New Year Honours list was published on-line.

I wonder, if there were a financial equivalent, whether HMRC would also fall foul?

Comment: 2021/10/03 - Weaponising the e-mails of the First Minister.
I confess that I find this fascinating, especially when you consider the allegations made south of the border about MPs using unofficial e-mail for official communications.

Here in the Security Cartshed, we don't hide the fact that we use a paid-for Google Workspace Account for many of the back-end services. And the simple fact is that Google does a really good job of detecting malicious e-mails.

Comment: 2021/10/02 - Software development failure.
Once again, the news is reporting the failure of the COVID application to prove that you have received your two injections. This follows on from the disaster that meant that you could obtain a copy of anybody's COVID PDF statement and doctor it to include your own details. And also the fact that the paper copy didn't include a QR code - at least to begin with. I'm not entirely sure what can be proved by scanning the QR code, but I hope that's been implemented in a transparent and assured way.

The cynic in me says that this is what happens when you concentrate only on the confidentiality of information. There is something that I have direct experience of, but it'll have to wait for my memoirs - along with a heart-breaking story about "friend or foe" indicators, half-duplex communication and cold-war technologies during The Falklands War.

Comment: 2021/10/01 - Verifying Police identities.
As a result of the appalling circumstances of the murder of Sarah Everard by a serving Police Officer, Police Scotland have devised a mechanism that purports to positively verify the identity of a police officer.

This simply won't work, as it is carried out using equipment carried by the Police Officer whose identity is being challenged. Many folk simply don't know what a Tetra handset looks like, or whether they are genuinely speaking to the particular police force's control room. The alternative method, where the Police Officer dials 999 and permits the individual to speak to the Emergency Operator, is also flawed. This seems at odds with other police forces, who have for years advocated asking for the Police Officer's "collar number" and dialling 101 from any device to verify their identity.

Mind you, Police Scotland won't divulge what their warrant card looks like either. Contrast this with Wiltshire Police's response to the Sarah Everard case.

Trust by illusion - that's a new one....

Comment: 2021/09/29 - Hello, Amanda....
El Reg has an interview with Amanda Finch of the Chartered Institute of Information Security.

(Full disclaimer: Our Director, Owen Birnie, is a Fellow, Chair of the Training Accreditation Committee, former Branch Chair, assessor and interviewer for the organisation.)

Comment: 2021/09/23 - Microsoft Autodiscover flaw.
This is bad....

Comment: 2021/09/17 - Sir Clive Sinclair, 1940 to 2021.
Last night we heard the sad news that Sir Clive Sinclair, home computing pioneer, had died following a long illness.

As a lover of all things Commodore, yet whose best friend had a Sinclair ZX Spectrum, I could spend hours arguing why one computer (the one with the chickenhead key) was always far better*. But none of that should detract from the impact that Sinclair Research had on the early home computing market. Had it not been for Sir Clive's desire to make technology affordable, many great IT geniuses I work with would have been unlikely to find their niche.

You just have to look at the other areas where Sir Clive invested time, effort and significant expenditure to realise how far ahead of the game he was. After all, an electric vehicle? In 1985?

Clearly, Sir Clive had his failings, but it's a brave person that keeps trying, and taking risks again and again and again.

--
* I bought and used a Cambridge Z88 in anger from about 1992 until the keyboard gave up in 1999. It was a genuinely brilliant device with a port that could be made into a genuine RS232 port with a simple convertor (which, ironically, I still have). This was a god-send when trying to administer headless Sun SPARCstations and SPARCservers. An accidental benefit was that, because the Z88 operated at TTL voltages rather than RS232's 12V, when you disconnected it the SPARC interface occasionally wouldn't generate a BREAK, and therefore the server didn't halt.

Comment: 2021/09/06 - Power interruption.
As part of the office estate's greening plans, a new hydro-electric generator is due to be wired into the mains on 15/09/2021. This means that the security cart shed will be without power from 09:00 until 16:30 on the day. This isn't the first time this has happened, and so we'll be dusting off our business continuity plans to maintain services.

It's never been a problem before, but we need to declare an "at risk period" in case it extends beyond 16:30, or something unplanned happens that takes down an external service.

We intend to take the BIAS secure server down from noon. This will permit customers to access overnight and previous day reports as normal. We will return the server to operation on restoration of the mains power and customers who urgently need reports and were unable to pick them up that morning can contact trust@bladesec.net as outlined in their customer documentation.

Comment: 2021/08/13 - Life imitating art.
This appears to be an exact case of life imitating art.

Comment: 2021/08/12 - Good, old-fashioned spycraft.
It's good to know that not everything treacherous is done in cyber-space. I've seen some analysis that suggests that, despite all the disruption attributed to Russia in the digital realm, they remain far more comfortable operating in Cold-War-esque dark alleys with cash in envelopes, working dead-drops and leaning on personal weaknesses in the corrupt physical realm. There is some speculation that the West has simply forgotten how to do it as well as the East.

It is also interesting to note that the British are leaving the Germans to prosecute the individual, highlighting that The Official Secrets Act is outdated. That seems odd to me.

I suspect that there will be more to come out on many aspects of this.

Comment: 2021/07/30 - NCSC needs its swanky office.
This made me laugh. The folk that have ever been to GCHQ's old London office(*) will know that it's worlds apart.
--
(*) No tales out of school. Most London cabbies know where it is....

Comment: 2021/07/29 - Action Fraud being shut down?
It seems odd that given the magnitude of the statement, this does not seem to have wider media coverage.

Comment: 2021/07/28 - Dusty Hill, 1949 to 2021.
I confess that it took me a while to get into ZZ Top. Sure, I was familiar with all the "classic" tracks such as Gimme all your lovin', Rough Boy and Legs, but the epiphany for me came when I bought Antenna expecting that same poppy-rock. It couldn't be further from the truth. Looking back, ZZ Top probably got me into Blues-rock long before the Black Crowes, Steve Earle and even Eric Clapton. Whilst Dusty's image mirrored Billy Gibbons (or vice-versa?), the irony was that the only guy in the band with no beard was called, Frank Beard. A couple of gigs followed, and I had no idea how three guys could layer so much sound at a live event. And with various film appearances, it was clear that - unlike too many people today - the band didn't take themselves too seriously. Makes me want to grow a "Texas-goatee".

Comment: 2021/07/23 - Guntrader breach.
In events that are a little close to home, we're seeing evidence of the Guntrader website (or at least the DB back-end) having been compromised. The point in El Reg's article about not trying to find a copy of the database yourself is also note-worthy.

Comment: 2021/07/22 - Voting for The Field gundog awards.
One of our directors, Owen Birnie, has a photograph that is up for an award in The Field gundog awards. Please vote for "Snow", here in the "In the field" category.

Comment: 2021/07/20 - NSO Group targets.
There is some speculation that the Israeli cyber-arms manufacturer NSO Group has been hacked. It seems more likely that a whistle-blower has leaked a bunch of documents to Amnesty International and a French organisation, Forbidden Stories. Amongst the details is a list of phone numbers targeted by NSO since 2016, and they make for interesting reading.

NSO Group refute the assertions.

You can also check to see if your phone has been infected by Pegasus.

It is also worth noting this Microsoft blog post about another Israeli company, Candiru.

Comment: 2021/07/17 - REvil off-line?
The New York Times is reporting that one of Russia's most aggressive ransomware groups has disappeared.

Comment: 2021/07/08 - More good guys acting like the bad guys.
Seemingly, for years, the FBI have been offering a "secure", honeypot device to criminals. Just to be clear, this isn't about law enforcement breaking an existing network; this is about the FBI offering their own, compromised version. More from The Register here.

Comment: 2021/06/25 - Dangers posed by evidential software.
An excellent article highlighting that flaws in code can raise legitimate questions over evidential integrity - just as we speculated back in April.

Comment: 2021/06/19 - Original GPRS algorithm deliberately weakened.
A new paper describes a cryptanalytic attack on the General Packet Radio Service GEA-1 and GEA-2 algorithms. The author strongly speculates that GEA-1 was deliberately weakened.

More here and here.

Comment: 2021/06/15 - Emphasising that the good guys can sometimes act like bad guys....
A good summary of the pros of the encryption and privacy debate that every government appears to ignore.

Comment: 2021/06/07 - Attack traffic, part 3.
As I mentioned previously, we're seeing a number of low-complexity attacks against one of our SSH hosts. It's easily blocked, but we saw a significant drop in attack traffic when we blocked two /16 address ranges:-

  • 209.141.*.*; &
  • 205.185.*.*.

116.110.*.* and 199.19.*.* are also careering towards black-listing at the time of typing this.

Comment: 2021/05/18 - So unlikely, it might be true.....
I had not heard this before. It's so unlikely it might be true. Indeed, there is evidence to support that it is.....

Comment: 2021/05/07 - Attack traffic part 2.
For Carlos, Obkio, Dimitri, Ho and all the others who are repeatedly knocking on the door of a BladeSec IA SSH server:-

  • It is pointless trying to log in with "root", "admin", "ubuntu", "pi" or any other user ID. Default user IDs have been disabled. Oh, and logging in with *any* user ID has been disabled.
  • It is pointless trying to offer weak crypto exchange keys. They have all been disabled. The server also has FIPS-certified crypto libraries - just in case you were curious.
  • It is pointless hoping that a config error in SSH will creep in. The config is tested daily.
  • It is pointless hoping that a vulnerability will appear. The server automatically downloads and installs updates every hour. It is also subject to enterprise management that will push security patches to it as soon as they become available.
  • It is pointless trying to spray lots of traffic at it. The server is on a narrow bandwidth DSL line, so the rate limiting on the upstream firewall will prevent you flooding the server. Yes, we know a DDoS would take it off the Internet, but that's not really cricket, is it? Neither is it compromising the host.
  • The server runs Tripwire and so any changes made to it will be discovered and reverted.
  • The server will aggressively block all IPs that attempt to circumvent the security on it and an abuse complaint shall be made to your service provider.
  • There is absolutely nothing of interest on it. Please move along.... It exists simply to attract "interesting" traffic.
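
The list above is a posture statement; the line "the config is tested daily" is the part a defender can automate. The following script is an added example, not BladeSec IA's own tooling: it parses the output of `sshd -T` (which prints the effective value of every keyword in lower case, a more reliable source than grepping `sshd_config`) and reports anything that departs from a hardening policy. The policy values, the weak-algorithm sets and the two sample `sshd -T` outputs are this example's own constructions, not a published standard or a capture from a real host.

```python
"""Audit an OpenSSH server's effective configuration against a hardening policy.

Added example (not BladeSec IA code). `sshd -T` prints the effective value of
every keyword in lower case, one per line, so checking it is more reliable than
grepping sshd_config. Run from cron and alert on a non-empty result.
The policy values below are this example's own choices, not a standard.
"""
import subprocess

# Algorithm names the policy refuses to see enabled (all are real OpenSSH names).
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96",
             "umac-64@openssh.com", "hmac-md5-etm@openssh.com",
             "hmac-sha1-etm@openssh.com"}

# Single-valued keywords and the value the policy requires.
REQUIRED = {
    "permitrootlogin": "no",               # no default admin account over SSH
    "passwordauthentication": "no",        # keys only; password guessing gets nowhere
    "kbdinteractiveauthentication": "no",  # closes the PAM password path too
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}
MAX_AUTH_TRIES = 3


def parse_sshd_t(text):
    """Turn `sshd -T` output into a dict of keyword -> value."""
    cfg = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def audit(cfg):
    """Return a sorted list of policy violations; an empty list means compliant."""
    findings = []
    for key, want in REQUIRED.items():
        got = cfg.get(key)
        if got != want:
            findings.append(f"{key} is {got!r}, policy requires {want!r}")
    # Algorithm lists are comma separated; flag any overlap with the weak sets.
    for key, weak in (("kexalgorithms", WEAK_KEX),
                      ("ciphers", WEAK_CIPHERS),
                      ("macs", WEAK_MACS)):
        enabled = set(cfg.get(key, "").split(","))
        for algo in sorted(enabled & weak):
            findings.append(f"{key} enables weak algorithm {algo}")
    tries = cfg.get("maxauthtries", "")
    if not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"maxauthtries is {tries!r}, policy allows at most {MAX_AUTH_TRIES}")
    return sorted(findings)


def audit_live_host():
    """Run `sshd -T` on this host (requires root) and audit the result."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return audit(parse_sshd_t(out))


# Constructed samples of what `sshd -T` might print (not captured from a real host).
SAMPLE_LAX = """\
permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
pubkeyauthentication yes
x11forwarding yes
maxauthtries 6
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ciphers chacha20-poly1305@openssh.com,aes128-ctr,3des-cbc
macs hmac-sha2-256,hmac-sha1
"""

SAMPLE_HARDENED = """\
permitrootlogin no
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
pubkeyauthentication yes
x11forwarding no
maxauthtries 3
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
"""

if __name__ == "__main__":
    for name, sample in (("lax", SAMPLE_LAX), ("hardened", SAMPLE_HARDENED)):
        findings = audit(parse_sshd_t(sample))
        print(f"{name}: {'compliant' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Checking `sshd -T` rather than the config file catches the case where a `Match` block or an included file quietly re-enables something, which is exactly the "config error creeping in" the post is guarding against.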

It really does go to show that there is one born every minute.

Comment: 2021/05/04 - Spectre has risen from the dead.
The bottom line is that Spectre was always going to be difficult to fix, despite the performance hit, and it still isn't.

Comment: 2021/04/29 - First challenges to prosecutions.
There now appears to be reasonable doubt for any prosecution that has featured a Cellebrite product and, as we predicted, prosecutions are being challenged. This is to be expected, as Cellebrite's security engineering falls far below where it should be, and evidential integrity can no longer be guaranteed.

Comment: 2021/04/22 - Insight into Cellebrite.
The word "Cellebrite" has become known for its near-mythological ability to unlock a fully patched Android device or Apple iPhone, never mind an older Windows or BlackBerry phone. They claim to sell their tools only to law-enforcement agencies, but equally, it has been well reported that they don't deny that some of those regimes are authoritarian, military juntas and oppressive governments.

Moxie Marlinspike, author of Signal, has published an analysis of the Cellebrite software components, having recently come into possession of what appears to be the full gamut of hardware and software. As well as being very readable, the content should be utterly alarming for any agency that has deployed a Cellebrite product as part of their legitimate interests. There now appears to be a reasonable concern that the device image generated by a Cellebrite product may not be as forensically sound as stated.

This is a bombshell for any prosecution that has relied upon Cellebrite to unlock, image or investigate a device, and it does appear that Signal will offer some resistance to any device being scanned. Expect the appeals process to kick off shortly.

Comment: 2021/03/11 - Exchange vulnerability timeline.
This is a scary analysis of the timeline associated with the current MS Exchange vulnerability. It highlights that the original vulnerability was reported to Microsoft on 5/1; however, it appears that exploits were in the wild from 3/1. Does this mean that the vulnerability was discovered by two researchers, one with integrity and the other malicious? Or does it mean that the research was stolen and exploited within hours? And days later, it iterates again and the vulnerability is weaponised by more than one criminal organisation?

Comment: 2021/03/10 - Attack traffic.
BladeSec IA maintain a number of small honeypots and the traffic analysis associated with that isn't normally terribly interesting. It is changing however:-

  • There are a lot more attacks from the US than we'd expect. That can be written off to trojaned machines operating as friendly fire.
  • The speed that the number of attacks ebb and flow is interesting. We'll see little directed traffic for at most two days, and then the next day we can be targeted by up to 15 different networks. Is that a fluke, or is there a brain behind that? Who knows - but it's interesting nonetheless.
  • The most recent notable change has happened in the last 24 hours. There has been a widespread unilateral change to an attack vector that supports there being a single brain behind it. We might post some of the names associated with the attacks as they are not as universal as "administrator", "root", "anonymous" or "nobody". It's almost like the organ grinder has launched a new tool, and the monkeys driving it are using their real names!

Comment: 2021/01/16 - Are we at war?
Are we currently at "cyber-war"?

There doesn't seem to be a day goes by whereby we discover another organisation has been compromised by bad guys. And some of those organisations aren't even on the roadmap for nation-state attacks. What they all have in common is that they are all alleged to be high-complexity, sophisticated attacks.

And that pings my BS indicator.

For an attacker to perpetrate a long-term, highly sophisticated attack, the payout has to be commensurate. Cyber vandalism, for the most part, is about trashing the very low hanging fruit. Hence, whilst I accept that some of those attacks are likely to be from well resourced foreign armies of chaos, there will be another significant number that are just down to bad luck such as not patching in time, not patching fully, having an excuse not to patch, failing to apply a patch, infrastructure complexity, or failing to be able to patch upstream vulnerabilities. None of these are complex attacks; they're down to failing to give appropriate priority to what should be job zero of any given IT department.

It's also worth noting when these attacks are happening. We're at the point where we've largely been working from home for ten months. Organisations, for the most part, seem to have adapted well - but staff training will have taken a hit. Equally, moving the corporate boundaries out to vulnerable home networks won't have helped.

Are all these successful, highly complex attacks by nation-state threat actors just indicative of security atrophy rather than the stated truth? In my experience, the simplest solution is the correct one nine times out of ten.

Comment: 2021/01/02 - Happy New Year!
So this year will mark ten years since bladesec.net was registered. Whilst this year is only beginning, as we get closer to the end of the year, we will look back at the events that resulted in BladeSec IA being formed. I will, however, save the blushes of the folk that had a hand in that!

As usual here is our tongue in cheek look at the last twelve months:-

  • Average distance travelled to work: 3 yards - unsurprisingly it's fallen considerably this year!
  • Distance to farthest job: 411 miles (in March).
  • Most popular colour of facemasks used by staff: Black followed by red.
  • Amount of money received for anything other than consultancy: £280 (A refund for an unused train ticket).
  • Number of customers assisted in the last twelve months: 5.
  • Most interesting place visited: "The Rhoddy Strip", Balbirnie, Fife (whilst armed!)
  • Value of donations to Wikipedia as a result of Travel Advice: £13.
  • Value of donations made by BladeSec IA to support other good causes: £245.
  • Number of new tattoos sported by BladeSec IA staff: Two.
  • Amount of time donated by BladeSec IA staff pro-bono: 6 days.
  • Number of redundant BlackBerry phones in the "spare handsets box": 3 (A number were securely disposed of this year).
  • Model number of oldest BlackBerry in that box: Pearl Flip 8220.
  • Number of pages printed on the office colour laser this year: 187.
