Robin Oldham


I’m Robin, founder of Cydea, the positive cyber security consultancy, and previously led BAE Systems’ Security Advisory & Technical Services business, recognised by Forrester as one of the leading information security consultancies.

I help businesses defend themselves from cyber crime and thrive in the digital world and have over fifteen years experience including advising numerous boards on how to manage crises resulting from cyber-attack.

This is my personal site, where I publish archive copies of my weekly newsletter and aggregate my posts from other platforms.

If you’re interested in improving how you manage your cyber risk, or need help governing information security at the board level, then get in touch with me via Cydea, or connect on LinkedIn or Twitter.

Robin's Newsletter
I send out a weekly information security newsletter of the news and links that have caught my attention and why I think they're interesting. Check out the previous editions, or:

Recent Posts

Robin’s Newsletter #141

IABs charge just $7,100 for access to victims networks. Accellion file transfer appliances popped left, right, centre. Former SolarWinds CEO says it is all the interns fault.

 Vol. 4  Iss. 9  28/02/2021   Robin Oldham

This week Initial Access Brokers (IABs) and the evolving economics of cybercrime Interesting research from the folks at Digital Shadows into the rise of what they have dubbed ‘Initial Access Brokers’ (IABs). These groups spend their time attempting to gain access to organisations and then sell this proven access to other cyber threat actors. IABs are closely linked with the rise of ransomware operations that are largely now manual operations design to inflict maximum pressure on a victim.

Read more… ( ~5 Min.)

Robin’s Newsletter #140

Microsoft source code stolen by Russia in Solorigate attack. France uncovers campaign targeting IT providers. SIEM & ATT&CK. And Citibank's $500M UI gaff.

 Vol. 4  Iss. 8  21/02/2021, last updated 26/02/2021   Robin Oldham

This week Microsoft source code stolen by Russia in Solorigate attack Microsoft has completed its investigation into the Solorigate breach and concluded that no production services were accessed from their network. However, Redmond added that a “small” number of repositories were accessed, with source code downloaded for: a small subset of Azure components (subsets of service, security, identity) a small subset of Intune components a small subset of Exchange components Microsoft says that, based on the search terms the attackers used, they appear to have been searching for keys used in production services (something that their development policy prohibits).

Read more… ( ~7 Min.)

Robin’s Newsletter #139

Dependency confusion: all up in your package manager and automated build process. Florida water treatment plant compromised. Details of cyber-attacks on Isis. Bloomberg back again with The ~~Big~~ Long Hack.

 Vol. 4  Iss. 7  14/02/2021, last updated 21/02/2021   Robin Oldham

Roses are red, Violets are blue, Thank you for permission, To write to you ❤️ This week Dependency confusion An excellent bit of research and write up from Alex Birsan on what is being dubbed ‘dependency confusion’. His research looked at how the package manages for various programming languages - such as Python, NodeJS and Ruby - install the dependencies and modules requested by software packages. He found that often the official repository was favoured over other sources, such as internal repos, that might be specified via command-line arguments.

Read more… ( ~8 Min.)

Robin’s Newsletter #138

SolarWinds caught up in second campaign against U.S. gov tied to China. Plus an interview with a ransomware operator and Canada declares Clearview AI is 'illegal'.

 Vol. 4  Iss. 6  07/02/2021   Robin Oldham

SolarWinds Orion ‘high-value target’ for multiple threat actors A second group are believed to have used vulnerabilities in the SolarWinds Orion platform to attack U.S. government networks. The suspected Chinese group used bugs in SolarWinds code to move laterally around their victim’s network, having already gained access through other means. Their victim was the Department of Agriculture. “But Robin,” I hear you ask, “what’s so important about the Department of Agriculture’s National Finance Centre?

Read more… ( ~7 Min.)

Robin’s Newsletter #137

Law enforcement's Emotet takedown and NetWalker leak site seized. Got root? Sudo vuln will get you there. North Korea goes after security researchers for 0-day.

 Vol. 4  Iss. 5  31/01/2021, last updated 01/02/2021   Robin Oldham

First up, a heads up for UK readers: There is an active phishing campaign pretending to be from the NHS and asking you to ‘accept or decline’ your invitation to receive a vaccination. The email links to a website to steal personal information. Please keep an eye out, and check in on elderly friends relatives and neighbours, to make sure they are not unwittingly falling for it. Example screenshots here. The NHS will never ask you for your bank or payment card details (the COVID-19 vaccine is free of charge on the NHS).

Read more… ( ~7 Min.)

Robin’s Newsletter #136

Malwarebytes compromised in Solorigate; German company fined for video surveillance of staff; Intel publish financial results early due to leaked info

 Vol. 4  Iss. 4  24/01/2021, last updated 31/01/2021   Robin Oldham

This week Continuing Solorigate fallout: Microsoft deep-dive into second stage implant; MalwareBytes also compromised Microsoft takes a deep-dive this week into the steps taken by the Solorigate attackers to segregate their initial access (via the compromises SolarWinds component) and the persistence they achieved using repackaged Combat Strike tooling. The blog post has a timeline (see below) showing how the attack unfolding over many months. In February 2020 the SolarWinds component was altered, and then subsequently removed four months later in June, presumably after achieving access to their intended targets.

Read more… ( ~6 Min.)

Robin’s Newsletter #135

WhatsApp bungles privacy policy update; U.K. police unintentionally delete 213,000 records; and 'imposing costs' the 'Brexit means Brexit' or cyber.

 Vol. 4  Iss. 3  17/01/2021, last updated 31/01/2021   Robin Oldham

This week WhatsApp pushes back privacy changes three months WhatsApp has pushed back privacy policy changes it is forcing on users for three months. The bungled rollout was characterised by an ultimatum to ‘accept or delete’ the app, and an impenetrable, 4000-word privacy tome. Ironically the Facebook-owned company characterised the confusion as the result of ‘misinformation’ as millions of people shared and read articles decrying the changes on… Facebook and via WhatsApp groups.

Read more… ( ~6 Min.)

Robin’s Newsletter #134

Cyber implications of the Capitol insurrection. Solorigate 'likely' the work of Russia. SolarWinds hires Krebs Stamos Group. Microsoft throws some shade.

 Vol. 4  Iss. 2  10/01/2021, last updated 17/01/2021   Robin Oldham

This week Capitol occupation and cyber security The Capitol insurrection by pro-Trump supporters shocked the world this week. It was a substantial breach of security at the Capitol complex that, arguably, should have been seen coming by intelligence agencies. As The Grugq put it “Thousands of people who’s grasp of operations security is so minuscule that they literally live stream their crimes… achieved strategic surprise against US security forces.” As members of congress were hurriedly moved to safety, their computers were left unlocked and photos circulated online of Speaker Nancy Pelosi’s desktop, with Outlook open and a notification of the evacuation on the screen and, in a separate incident, a laptop was stolen from another congressional office.

Read more… ( ~6 Min.)

Robin’s Newsletter #133

Microsoft source code accessed in Solorigate attack. Plus advice on buying and selling second-hand devices from NCSC. And how much does cybercrime cost Russia?

 Vol. 4  Iss. 1  03/01/2021, last updated 10/01/2021   Robin Oldham

This week Solorigate attackers accessed Microsoft source code In their first blog post on the Sunburst/Solorigate attack (vol. 3, iss. 51) Microsoft was quick to state there was no evidence of access “to production services or customer data.” That left the door open to the confirmation on New Year’s Eve that development environments were compromised and source code accessed. That, in itself, isn’t a directly ‘bad thing’. Microsoft regularly shares its source code with governments seeking to assure themselves that it is secure for use in sensitive military and intelligence systems.

Read more… ( ~5 Min.)

Robin’s Newsletter #132 — 2020 Retrospective

Strap in and get ready for a recap of the things that I think have been most _interesting_ rather than _highest profile_, in 2020.

 Vol. 3  Iss. 52  27/12/2020, last updated 03/01/2021   Robin Oldham

Strap in and get ready for a recap of the things that I think have been most interesting rather than highest profile, in 2020. (I have deliberately steered clear of vulnerabilities: there have been plenty, including ‘perfect 10s,’ and generally, patches have been released quickly). I’ve also thrown in four things I’d recommend reading, and some thoughts on what 2021 has in store to-boot. January
 The year started with a shift in privacy regulation in the United States: The California Consumer Privacy Act (CCPA) - the strongest of America’s patchwork of privacy legislation - heralded as being ‘GDPR-like’ came into force.

Read more… ( ~16 Min.)