Robin Oldham


I’m Robin, founder of Cydea, the positive cyber security consultancy, and previously led BAE Systems’ Security Advisory & Technical Services business, recognised by Forrester as one of the leading information security consultancies.

I help businesses defend themselves from cyber crime and thrive in the digital world and have over fifteen years experience including advising numerous boards on how to manage crises resulting from cyber-attack.

This is my personal site, where I publish archive copies of my weekly newsletter and aggregate my posts from other platforms.

If you’re interested in improving how you manage your cyber risk, or need help governing information security at the board level, then get in touch with me via Cydea, or connect on LinkedIn or Twitter.

Robin's Newsletter
I send out a weekly information security newsletter of the news and links that have caught my attention and why I think they're interesting. Check out the previous editions, or:

Recent Posts

Robin’s Newsletter #151

Responsible cyber power. Colonial Pipline shut down due to ransomware. Injecting malware C2 into legitimate traffic. Authentication using a severed thumb.

 Vol. 4  Iss. 19  09/05/2021   Robin Oldham

This week On being a responsible cyber power Top spot this week to a really interesting panel discussion on geopolitical cyber security and diversity, organised by the think tank RUSI. It’s a stellar lineup from government agencies and the defence sector that know their stuff: the Head of the Australian Cyber Security Centre, the CEO of U.K. National Cyber Security Centre, an executive director from the National Security Agency, chief of Canada’s Communications Security Establishment, CISO of the U.

Read more… ( ~7 Min.)

Robin’s Newsletter #150

Babuk ransomware operators demand $50M from DC police. BoJo's phone number available online. Emotet deactivated. And, burrowing beavers.

 Vol. 4  Iss. 18  02/05/2021   Robin Oldham

This week Babuk ransomware attack on D.C. Police The Metropolitan Police Department (MPD) received an ultimatum from the Babuk ransomware group this week: pay us $50 million or we will release the details of confidential informants to criminal gangs. MPD is the police force of Washington D.C. and represents an audacious target for a ransomware operator. It’s hard to see a situation where a police force would capitulate with the demands.

Read more… ( ~6 Min.)

Robin’s Newsletter #149

Ransomware in Apple's supply chain. Facebook seeks to 'normalise' scraping. The balkanisation of the Internet has intelligence agencies worried. Cellebrite's iPhone unlocking system is full of vulnerabilities.

 Vol. 4  Iss. 17  25/04/2021, last updated 30/04/2021   Robin Oldham

This week Quanta ransomware attack and questions to ask of supply chain security Quanta Computer, a Taiwanese tech manufacturer has recently become a victim of the REvil ransomware group. The reason behind their targeting offers a glimpse at how ransomware groups are evolving their tactics. Supply chains have been the security theme-de-jour since the Solarwinds attack in December 2020. That hasn’t escaped enterprise cyber-criminals either. While big brands like Apple may spend significant budgets on securing their networks, those of their suppliers may not be afforded the same luxury.

Read more… ( ~9 Min.)

Robin’s Newsletter #148

FBI gets a warrant to fix Hafnium web shells, becomes an MSSP. Sanctions for Russia over SolarWinds. Plus you cheddar believe there are some cheese puns.

 Vol. 4  Iss. 16  18/04/2021   Robin Oldham

This week FBI gets warrant, modifies victims Exchange servers to remove web shells, becomes MSSP This week the United States Federal Bureau of Investigation (FBI) cleaned up ‘hundreds’ of Microsoft Exchange servers that had been compromised by attackers exploiting the Hafnium vulnerabilities (vol. 4, iss. 10). The FBI had obtained a court order allowing them to do so and only removed the attacker’s web shells (the servers will still be unpatched).

Read more… ( ~6 Min.)

Robin’s Newsletter #147

Facebook's *ahem* 'data scraping' incident sets the stage for debate on responsible design and engineering. AWS bomb threat. Censorship by QoS. TUI's algorithm gender bias led to 'serious incident' calculating takeoff loads.

 Vol. 4  Iss. 15  11/04/2021   Robin Oldham

This week Facebook data breach, sorry, ‘data scraping’ incident Facebook fanned the flames of critics this week with their response to the details of 533 million users being posted publicly online. The data includes full name, email, telephone, date of birth and location, and counts 30 million American and 11 million UK Facebook users. You can check if your data is present by searching for your email or phone number at haveibeenpwned.

Read more… ( ~8 Min.)

Robin’s Newsletter #146

The long-tail of ransomware recovery. PHP source code compromise. Exploiting 'safe' file formats. Risk margins and early risk management decisions.

 Vol. 4  Iss. 14  04/04/2021, last updated 02/05/2021   Robin Oldham

This week Sepa, CompuCom ransomware attacks show the long tail of disruptive cyber-attacks Interesting write-up of the impact of a ransomware attack on the Scottish Environment Protection Agency (Sepa) by BBC News. The environmental regulator was the victim of a double-extortion ransomware attack on Christmas Eve 2020. Their data was subsequently released online when they refused to pay the ransom. “Over 70% of staff will be back online [by Easter]” according to Sepa chief exec Terry A’Hearn.

Read more… ( ~5 Min.)

Robin’s Newsletter #145

FatFace IR comms 'confidential' while loosing 200GB data. Cyber insurer CNA may have been targeted for policy info. OSINT on the Ever Given.

 Vol. 4  Iss. 13  28/03/2021   Robin Oldham

This week FatFace’s lesson in how not to handle a cyber crisis U.K. clothing retailer FatFace reportedly paid a £1.9 million ($2.65M) ransom to cybercriminals following a double-extortion attack that saw both customer and employee data stolen. Customers’ name, email and postal address, and the last four digits of their credit card were taken, while employees’ bank and national insurance details exposed. The negotiations between FatFace and the Conti ransomware gang have been published by Computer Weekly and provides insight into the negotiations.

Read more… ( ~6 Min.)

Robin’s Newsletter #144

Rerouting a victims SMS for $16. UK defence review: nuclear response for cyber attack. Who is buying all the data generated by your car?

 Vol. 4  Iss. 12  21/03/2021, last updated 28/03/2021   Robin Oldham

This week I founded Cydea with a mission to bring positive security to the world and have always known that supporting charities - who hold large amounts of (sensitive) data - was going to be an important part of that. So I’m feeling really proud this week to be making that commitment publicly: both in the form of pro-bono consulting, and grants for the purchase of security hardware, software and services.

Read more… ( ~7 Min.)

Robin’s Newsletter #143

Criminals jump on Hafnium/ProxyLogon. Hacktivists breach Verkada's 150K facial recognition cams. Apple's IP theft lawsuit. Google's Spectre exploit.

 Vol. 4  Iss. 11  14/03/2021   Robin Oldham

This week There are lots of security advisories that focus on technical information (TTPs, IOCs and other TLAs) but don’t often come across those that look from a business risk perspective. Something that is for senior management, to aid their understanding of current events and the cyber risk posed to their organisations. So this week Cydea issued our first ”Risk Advisory” for Microsoft Exchange and the “Hafnium” / “ProxyLogon” vulnerability. We take a look at the evolving sources of risk and the potential business consequences and I’d love to hear your feedback.

Read more… ( ~7 Min.)

Robin’s Newsletter #142

Hafnium mass-exploitation of Microsoft Exchange servers. Google, Alliaz and MunichRe team up on cloud cyber insurance. Bitflipping may be more common than you think.

 Vol. 4  Iss. 10  07/03/2021, last updated 14/03/2021   Robin Oldham

This week Over 30,000 U.S. organisations compromised by flaws in Microsoft Exchange mail server It’s been a bad week to be a Microsoft Exchange server admin as it came to light that four vulnerabilities in Outlook Web Access had been chained together and exploited by a suspected Chinese-affiliated group - dubbed Hafnium - for espionage purposes. Over 100,000 servers are believed to have been compromised worldwide. Targets include “infectious disease researchers, law firms, higher education institutions, defence contractors, policy think tanks, and NGOs.

Read more… ( ~6 Min.)