Robin Oldham


I’m Robin, founder of Cydea, the positive cyber security consultancy, and previously led BAE Systems’ Security Advisory & Technical Services business, recognised by Forrester as one of the leading information security consultancies.

I help businesses defend themselves from cyber crime and thrive in the digital world and have over fifteen years experience including advising numerous boards on how to manage crises resulting from cyber-attack.

This is my personal site, where I publish archive copies of my weekly newsletter and aggregate my posts from other platforms.

If you’re interested in improving how you manage your cyber risk, or need help governing information security at the board level, then get in touch with me via Cydea, or connect on LinkedIn or Twitter.

Robin's Newsletter
I send out a weekly information security newsletter of the news and links that have caught my attention and why I think they're interesting. Check out the previous editions, or:

Recent Posts

Robin’s Newsletter #137

Law enforcement's Emotet takedown and NetWalker leak site seized. Got root? Sudo vuln will get you there. North Korea goes after security researchers for 0-day.

 Vol. 4  Iss. 5  31/01/2021, last updated 01/02/2021   Robin Oldham

First up, a heads up for UK readers: There is an active phishing campaign pretending to be from the NHS and asking you to ‘accept or decline’ your invitation to receive a vaccination. The email links to a website to steal personal information. Please keep an eye out, and check in on elderly friends relatives and neighbours, to make sure they are not unwittingly falling for it. Example screenshots here. The NHS will never ask you for your bank or payment card details (the COVID-19 vaccine is free of charge on the NHS).

Read more… ( ~7 Min.)

Robin’s Newsletter #136

Malwarebytes compromised in Solorigate; German company fined for video surveillance of staff; Intel publish financial results early due to leaked info

 Vol. 4  Iss. 4  24/01/2021, last updated 31/01/2021   Robin Oldham

This week Continuing Solorigate fallout: Microsoft deep-dive into second stage implant; MalwareBytes also compromised Microsoft takes a deep-dive this week into the steps taken by the Solorigate attackers to segregate their initial access (via the compromises SolarWinds component) and the persistence they achieved using repackaged Combat Strike tooling. The blog post has a timeline (see below) showing how the attack unfolding over many months. In February 2020 the SolarWinds component was altered, and then subsequently removed four months later in June, presumably after achieving access to their intended targets.

Read more… ( ~6 Min.)

Robin’s Newsletter #135

WhatsApp bungles privacy policy update; U.K. police unintentionally delete 213,000 records; and 'imposing costs' the 'Brexit means Brexit' or cyber.

 Vol. 4  Iss. 3  17/01/2021, last updated 31/01/2021   Robin Oldham

This week WhatsApp pushes back privacy changes three months WhatsApp has pushed back privacy policy changes it is forcing on users for three months. The bungled rollout was characterised by an ultimatum to ‘accept or delete’ the app, and an impenetrable, 4000-word privacy tome. Ironically the Facebook-owned company characterised the confusion as the result of ‘misinformation’ as millions of people shared and read articles decrying the changes on… Facebook and via WhatsApp groups.

Read more… ( ~6 Min.)

Robin’s Newsletter #134

Cyber implications of the Capitol insurrection. Solorigate 'likely' the work of Russia. SolarWinds hires Krebs Stamos Group. Microsoft throws some shade.

 Vol. 4  Iss. 2  10/01/2021, last updated 17/01/2021   Robin Oldham

This week Capitol occupation and cyber security The Capitol insurrection by pro-Trump supporters shocked the world this week. It was a substantial breach of security at the Capitol complex that, arguably, should have been seen coming by intelligence agencies. As The Grugq put it “Thousands of people who’s grasp of operations security is so minuscule that they literally live stream their crimes… achieved strategic surprise against US security forces.” As members of congress were hurriedly moved to safety, their computers were left unlocked and photos circulated online of Speaker Nancy Pelosi’s desktop, with Outlook open and a notification of the evacuation on the screen and, in a separate incident, a laptop was stolen from another congressional office.

Read more… ( ~6 Min.)

Robin’s Newsletter #133

Microsoft source code accessed in Solorigate attack. Plus advice on buying and selling second-hand devices from NCSC. And how much does cybercrime cost Russia?

 Vol. 4  Iss. 1  03/01/2021, last updated 10/01/2021   Robin Oldham

This week Solorigate attackers accessed Microsoft source code In their first blog post on the Sunburst/Solorigate attack (vol. 3, iss. 51) Microsoft was quick to state there was no evidence of access “to production services or customer data.” That left the door open to the confirmation on New Year’s Eve that development environments were compromised and source code accessed. That, in itself, isn’t a directly ‘bad thing’. Microsoft regularly shares its source code with governments seeking to assure themselves that it is secure for use in sensitive military and intelligence systems.

Read more… ( ~5 Min.)

Robin’s Newsletter #132 — 2020 Retrospective

Strap in and get ready for a recap of the things that I think have been most _interesting_ rather than _highest profile_, in 2020.

 Vol. 3  Iss. 52  27/12/2020, last updated 03/01/2021   Robin Oldham

Strap in and get ready for a recap of the things that I think have been most interesting rather than highest profile, in 2020. (I have deliberately steered clear of vulnerabilities: there have been plenty, including ‘perfect 10s,’ and generally, patches have been released quickly). I’ve also thrown in four things I’d recommend reading, and some thoughts on what 2021 has in store to-boot. January
 The year started with a shift in privacy regulation in the United States: The California Consumer Privacy Act (CCPA) - the strongest of America’s patchwork of privacy legislation - heralded as being ‘GDPR-like’ came into force.

Read more… ( ~16 Min.)

Robin’s Newsletter #131

SUNBURST attack on U.S. government is both huge, and nothing new. Google suffers multiple outages. Automated attacks on online banking.

 Vol. 3  Iss. 51  20/12/2020, last updated 21/12/2020   Robin Oldham

This week ‘SolarWinds’ breach of U.S. government networks is huge, also nothing new If you work in information security you’ve probably not been able to escape the ‘SUNBURST’ aka ’Solorigate’ news this week that popular network management tool SolarWinds Orion has been compromised and a backdoor included within its code. A sophisticated state actor gained access to the SolarWinds sometime between October 2019 and March 2020 to implant a backdoor into their software.

Read more… ( ~9 Min.)

Robin’s Newsletter #130

FireEye breached by sophisticated actor; $1TN reportedly lost to cybercrime in 2020; Zodiac killer cipher cracker after 51 years.

 Vol. 3  Iss. 50  13/12/2020, last updated 13/12/2020   Robin Oldham

This week FireEye discloses security breach The infosec community has been abuzz this week with news that industry giant FireEye, usually called in to help other government departments and large organisations unpick cyber attacks, had themselves been breached. In a blogpost CEO Kevin Mandia concluded, in the present-tense, that the firm is “witnessing an attack by a nation with top-tier offensive capabilities”. Microsoft and the FBI have been helping investigate the breach.

Read more… ( ~6 Min.)

Robin’s Newsletter #129

TrickBot is recovering from CyberCom, Microsoft takedowns, gains UEFI/BIOS capabilities. 'Cold chain' of COVID-19 vaccine targeted. Zero-click exploit in Apple iPhone.

 Vol. 3  Iss. 49  06/12/2020, last updated 13/12/2020   Robin Oldham

This week TrickBot malware gains firmware tampering capabilities To date, capabilities to manipulate device firmware have been the preserve of nation-state affiliated actors. Two public examples are known: Russia’s Fancy Bear LoJax (vol. 1, iss. 15) and China’s MosaicRegressor (vol. 3, iss. 41) malware. This week a joint report from AdvIntel and Eclypsium says that the notorious TrickBot malware has gained capabilities to inspect and modify the UEFI and BIOS of devices it infects.

Read more… ( ~5 Min.)

Robin’s Newsletter #128

RCEP, cyber cooperation and Asian data sovereignty; UK National Cyber Force; Microsoft's 'Pluton' and US Special Forces buying location tracking data

 Vol. 3  Iss. 48  29/11/2020, last updated 06/12/2020   Robin Oldham

This week Cyber public health I’ve been embracing my inner geek this week with an interesting lecture from the ‘Cyber Security in the Age of Large-Scale Adversaries’ group at Ruhr University Bochum. In it, Adam Shostack, formerly of Microsoft and responsible for a lot of their threat modelling focus, makes the case for ‘cyber public health’ against a backdrop of COVID-19 and the role that public health has played in combating coronavirus.

Read more… ( ~6 Min.)