Archive for the ‘security’ Category

Self Spreadsheet Saboteur risks 10 years porridge

Tuesday, 23rd July, 2019

I used to put a little support-contact-details message box in some of my more complex spreadsheets in the hope that I might get a lucrative support gig.

This guy went a bit further.

He time-bombed his VBA and locked the projects. Now it’s in court and it could mean 10 years in prison and/or a 250k USD fine. Oops!

I wouldn’t accept a contractor keeping passwords. A proper external supplier maintaining their IP, OK, but a contractor working on company files? No. And I personally wouldn’t lock my VBA either; if the client wants to do that, fine, until they lose the password and I have to hack it…
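A quick way to check delivered VBA for this kind of trigger before accepting it, as an added example that is not from the case above or from this post: a heuristic scan over exported module source that flags any procedure which compares Date/Now against a hard-coded date and also does something destructive in the same body. The sample VBA below is constructed for the example. It assumes the source has already been exported from the workbook (oletools’ olevba will dump it from vbaProject.bin even when the project is ‘locked’, because the VBA project password only protects the editor UI, not the stored code); the rule names and regexes are this example’s own choices.

```python
import re
from typing import List, Tuple

# Constructed sample of exported VBA source. Written for this example only;
# it is not the code from the court case.
SAMPLE_VBA = """
Private Sub Workbook_Open()
    If Date > DateSerial(2019, 6, 30) Then
        Application.DisplayAlerts = False
        Sheets("Pricing").Delete
        ActiveWorkbook.Save
    End If
End Sub

Sub RefreshRates()
    Dim r As Range
    Set r = Range("A1")
    r.Value = Now()
End Sub
"""

# Trigger rules look for a date comparison or a hard-coded date;
# payload rules look for the damage. Both are deliberately broad.
TRIGGER_RULES = [
    ("date-compare", re.compile(r"\bIf\b.*\b(Date|Now)\b.*(>|<|>=|<=)", re.I)),
    ("hardcoded-date", re.compile(r"\bDateSerial\s*\(\s*\d{4}|#\d{1,2}/\d{1,2}/\d{4}#", re.I)),
]
PAYLOAD_RULES = [
    ("delete-sheet", re.compile(r"\.(Delete|Kill)\b", re.I)),
    ("silence-prompts", re.compile(r"DisplayAlerts\s*=\s*False", re.I)),
    ("shell-out", re.compile(r"\b(Shell|CreateObject)\s*\(", re.I)),
]

PROC_START = re.compile(r"^\s*(?:Private |Public |Friend )?(?:Sub|Function)\s+(\w+)", re.I)
PROC_END = re.compile(r"^\s*End (?:Sub|Function)\b", re.I)


def scan_vba(source: str) -> List[Tuple[int, str, str]]:
    """Every individual rule hit as (line_no, rule, stripped line)."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for name, rx in TRIGGER_RULES + PAYLOAD_RULES:
            if rx.search(line):
                hits.append((n, name, line.strip()))
    return hits


def flagged_procedures(source: str) -> List[str]:
    """Names of procedures containing at least one trigger AND one payload.
    A date check on its own (or a delete on its own) is normal business
    logic; the combination inside one body is what needs a human look."""
    flagged = []
    current, triggers, payloads = None, set(), set()
    for line in source.splitlines():
        start = PROC_START.match(line)
        if start:
            current, triggers, payloads = start.group(1), set(), set()
            continue
        if PROC_END.match(line):
            if current and triggers and payloads:
                flagged.append(current)
            current = None
            continue
        if current is None:
            continue
        for name, rx in TRIGGER_RULES:
            if rx.search(line):
                triggers.add(name)
        for name, rx in PAYLOAD_RULES:
            if rx.search(line):
                payloads.add(name)
    return flagged


if __name__ == "__main__":
    for hit in scan_vba(SAMPLE_VBA):
        print("%3d %-16s %s" % hit)
    print("review these procedures:", flagged_procedures(SAMPLE_VBA))
```

This is a heuristic, not a proof of absence: a trigger can just as easily be a row count, a registry read or a licence file, so treat the output as a list of places to read by hand, and run it over every module, including ThisWorkbook and sheet modules, where auto-run events live.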


GDPR phishing

Wednesday, 16th May, 2018

We are still a few days away from the data slurppocalypse and my inbox is bulging with ‘privacy improvements’ messages. All include links to log in, sign up or learn more. Many are from complete randoms.

In general I’m ignoring them, but it does seem a great opportunity for the ne’er-do-wells to do a bit of data slurping of their own.

stay safe…

Eventbrite warning

Sunday, 22nd April, 2018

Someone recently mentioned using Eventbrite or similar for organising the next Excel Conf (I have not heard more, so no idea if anything is in the offing or not).

Their latest agreement that you sign up to (after reading carefully, I’m sure) grants them (amongst other stuff) the right to enter your event, and the pre- and post-event setup/teardown, take as much video and as many photos as they like of anything they like, for them to use whenever and wherever they like, for ever!!!

That also means you grant them the right to publish photos of any and all attendees, any time, anywhere.

Dunno if it applies in the UK/EU

Fuller details here

What an outrageous rights grab

Vetting pantomime

Thursday, 24th March, 2016

Hopefully you have heard the phrase coined by Bruce Schneier, ‘security theatre’, to refer to a lot of the recent changes in travel security etc. The basic implication is that it looks like security but isn’t really.

I know this because I have had all sorts of things confiscated while trying to board a plane, but have never been arrested. Too much of a threat to take my plastic clamp on the plane, but not enough for a life sentence at Gitmo. At least I can take comfort knowing that none of the other passengers has a small plastic clamp with which to take over the plane (or the world).

I am now living through a vetting pantomime. I have been offered a (short term) contract at a UK bank, and now ‘just need to go through the security vetting process’.

I need a Disclosure Scotland; I can’t get one online as I don’t have a UK address. One suggestion was that I use the address of someone I know in the UK as my current residence. Hmm – false information?

They want a 5-year work history, which I have provided, but now they want the gaps explained. Well, derrr, I’m a contractor, sometimes there are gaps…

No, they want me to send them bank statements for all the gaps! What the fuck for??? They haven’t specified which account, so I guess I shouldn’t use the one with all those NSA/KGB payments for leaking vital information? Or at least I should ensure those payments do not fall in a month when I am not in a contract.

Someone suggested it is to see if I have ‘been away’, i.e. looking for a lack of transactions whilst held at Her Royal Britannic Majesty’s pleasure. It’s a joint account – there are transactions all the time (me putting money in, wife taking it out :-))

What are they going to do with my bank information? How can it help their vetting? It can’t. It’s stupid. If they came to me with a list of all my accounts then maybe, but that’s SC-level stuff, not Mickey Mouse 10-week contract stuff.

Why are banks wanting to recruit people that think it’s OK to spaff personal confidential information all over the interwebs??

That’s right, they want me to email them my bank statements: no mention of an SFTP secure upload facility, no details on the usage of the information, the storage, or the expiry/deletion. They just want people who don’t give a shit about information security. Incredible.

Leaving aside, of course, the irony that between me and this bank, only one of us has ever been found guilty of any fraud or criminality, and I don’t (mis-)sell PPI or fix Libor rates.

I know I am too old and battle-scarred for this shit, but really…

You’re the bad guy, oh no I’m not you’re the bad guy, oh no I’m not etc etc. He’s behind you…

Aaaanyway, if you need a grumpy old fart with just enough knowledge about security to be cantankerous then let me know. It looks like I may be having a gap opened up in my agenda for me…

secure security

Wednesday, 6th February, 2013

Got this recently:

[image: the ‘disable’ security warning dialog]

Surprise surprise I chose… Disable!

If you are running 2010 and have VBA in password-to-open protected .xlsm files, then they should probably be in a trusted location if you want the VBA to run. (I didn’t try very hard, but there didn’t seem to be an easy way to trust the doc; maybe temporarily taking the password off it, trusting it, then re-applying the password would work.)

Unless you have AV that can scan them (which products do?).

cheers

Simon

Evil spreaddie fingered in RSA hack

Monday, 4th April, 2011

Dunno if you have been following the recent SecurID hack at RSA?

They fessed up, then went quiet for a few weeks, so a few people assumed the worst.

(If you don’t know what SecurID is, it’s a little token (about 10mm by 30) that generates a new 6-digit number every minute. That number is synched with a login server to ensure only people with the right physical token can log in.)
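SecurID’s own token algorithm is proprietary and not described on this page. The open-standard equivalent of ‘a number that changes every minute and is checked by the login server’ is RFC 6238 TOTP (HMAC-based, built on RFC 4226 HOTP), so the following is an added example, not RSA’s code, using a 60-second step to match the description above. It shows the two server-side details a practitioner actually needs: a small drift window because token clocks wander, and refusal of any code at or below the last counter already accepted, so a captured code cannot be replayed. The seed is a constructed demo value.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from wall-clock time.
    step=60 matches the once-a-minute token described above (RFC default is 30)."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, submitted: str, now: int, last_counter: int = -1,
           step: int = 60, drift_steps: int = 1, digits: int = 6) -> Optional[int]:
    """Server side. Accepts the code for the current time step or up to
    drift_steps either side (token clocks drift), refuses any counter at or
    below last_counter (a code must never be accepted twice), and returns
    the matching counter so the caller can persist it. None means reject."""
    base = now // step
    for delta in range(-drift_steps, drift_steps + 1):
        counter = base + delta
        if counter <= last_counter:
            continue
        # constant-time compare so the check does not leak digit matches
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed demo seed (RFC test value)
    now = int(time.time())
    code = totp(seed, now)
    print("token shows", code, "-> server accepts counter", verify(seed, code, now))
```

Persisting the returned counter per user is what turns this from a pure function into a one-time password: without it, any code is good for the whole drift window, which is exactly what a phisher relaying it in real time needs.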

Anyway, the latest news is that an Excel workbook was used to carry a targeted, malicious Flash (.swf) object containing a zero-day exploit.

It does appear to be a very clever attack: the spreadsheet had such an interesting name that one of the targets pulled it from the junk folder and opened it, which ran the Flash object. I didn’t see anywhere whether the workbook had any VBA in it or not.

One important point, though, is that it was a Flash vulnerability they exploited; Excel was merely the delivery mechanism. No Excel vulnerability was used, just its ability to act as a container for an embedded object.
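Since the workbook was only the container, the defender’s check is to look inside the container for the embedded object rather than for an Excel exploit. The following added example (not from the RSA write-up, and the fixture it scans is constructed in the code) looks for SWF headers in each part of an OOXML zip, or in the raw bytes of a legacy OLE2 .xls or anything else. A SWF starts with FWS, CWS or ZWS (uncompressed, zlib, LZMA), a version byte and a little-endian length; the sanity checks on those fields are what stop the letters ‘CWS’ in ordinary cell text from counting as a hit. Part names such as xl/embeddings/ are the usual OOXML layout, but where an attacker’s object ends up varies, which is why every part is scanned.

```python
import io
import re
import struct
import zipfile
from typing import List, Tuple

SWF_MAGIC = re.compile(rb"[FCZ]WS")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"


def find_swf_headers(data: bytes) -> List[Tuple[int, str, int, int]]:
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header in data. Header layout: signature (3 bytes), version (1 byte),
    total file length (4 bytes, little-endian)."""
    hits = []
    for m in SWF_MAGIC.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        sig = m.group().decode()
        version = data[off + 3]
        length = struct.unpack_from("<I", data, off + 4)[0]
        if not 1 <= version <= 50 or length < 8:
            continue
        if sig == "FWS" and length > len(data) - off:
            continue  # uncompressed: declared length must fit in what follows
        if sig == "CWS":
            # the body is a zlib stream: CMF byte 0x78, CMF*256+FLG divisible by 31
            if off + 10 > len(data):
                continue
            cmf, flg = data[off + 8], data[off + 9]
            if cmf != 0x78 or (cmf * 256 + flg) % 31 != 0:
                continue
        if sig == "ZWS" and version < 13:
            continue  # LZMA-compressed SWFs only exist from version 13 on
        hits.append((off, sig, version, length))
    return hits


def scan_office_file(blob: bytes) -> List[Tuple[str, int, str]]:
    """(part_or_kind, offset, 'SIG vN') for every SWF header found.
    OOXML (.xlsx/.xlsm) is a zip, so each part is scanned after inflation;
    a legacy OLE2 binary (.xls) or unknown blob is scanned raw."""
    findings = []
    if blob.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            for name in z.namelist():
                for off, sig, ver, _ in find_swf_headers(z.read(name)):
                    findings.append((name, off, "%s v%d" % (sig, ver)))
    else:
        kind = "ole2" if blob.startswith(OLE2_MAGIC) else "raw"
        for off, sig, ver, _ in find_swf_headers(blob):
            findings.append((kind, off, "%s v%d" % (sig, ver)))
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed fixture: a minimal zip laid out like an .xlsx with a fake
    Flash object under xl/embeddings/. Header only, no real SWF body."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/embeddings/oleObject1.bin", b"\x00" * 64 + fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for part, off, what in scan_office_file(build_sample_xlsx()):
        print("embedded Flash at %s+%d (%s)" % (part, off, what))
```

A hit is a reason to quarantine and inspect, not a verdict: legitimate workbooks with Flash controls existed in 2011. The useful operational point is that this check works on the mail gateway, before anyone’s junk-folder curiosity gets involved.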

I didn’t see how they were discovered either, but it sounds like the attackers pretty much got most of what they were after.

I wonder how many other orgs have been hit by this sort of attack, and either haven’t discovered it yet or haven’t admitted it in public?

Got any good links?

cheers

Simon

Well done Microsoft

Wednesday, 23rd March, 2011

I just wanted to congratulate MS (& partners) on their efforts to bring down the Rustock spam machine.

I must check my online spam bin to see if it has reduced by 30% in the last few days. Either way, botnet takedowns can’t be a bad thing.

Have you noticed a drop in spam recently?

cheers

Simon


Office 2003 Info Rights fixed

Monday, 14th December, 2009

A couple of weeks ago I mentioned an issue I had seen in the newsgroups of folks being locked out of their Information Rights Management-protected workbooks.

Opinions seemed to be mixed between ‘never heard of it’ and ‘would never use it’. But a few people did, and they got burned in November when it all stopped working and they were locked out of their own files.

Anyway, the issue is now apparently resolved by renewing an Office crypto certificate; full info and download available here. If you apply this fix, please let us know if it does indeed resolve the problem, or not.

cheers

Simon

Wot, No Spreadsheets? – very OT

Thursday, 10th December, 2009

I’m gutted that spreadsheets don’t seem to have been implicated in the Climate Research Unit excitement. Why read_me_harry.txt instead of read_me_harry.xls?

Spreadsheets are ok for amateur mistakes, but pros use Fortran?

I’m also a little disappointed that the Government Broadcasting Company (BBC) doesn’t seem to be applying its normally fairly balanced reporting to this area.

I’ve had to switch to the Telegraph (FFS) to get some balance. And maybe even the Express!!

Over the last few months I have become more and more sceptical about the motivations and justifications for some of the stuff done ‘to save our planet’. Over the last few weeks I have become more and more sceptical about man’s influence on the climate. Over the last few days I have become very sceptical that the research is fit for its current purpose.

As it happens I bought a new USB portable drive last week – 320GB for 60 quid – I am amazed the CRU couldn’t find a similar amount to prevent the ‘loss’ of their ‘critical to the survival of mankind’ data, out of their alleged budget of 20 million.

What is your take on whether our activities are causing, or are about to cause, catastrophic changes to our planet’s climate? And what should we do about it?

Seems to me if the intention was to genuinely cut CO2 rather than fund their mates in ‘green’ industries and carbon trading the govt would be pushing for:

  • Those that can, working a minimum of 2 days a week from home
  • encourage local sourcing of everything where possible
  • encourage the extending of the lifetime of any and all equipment
  • reforesting wherever possible
  • Local community-based power generation

As it is, it just looks like they are trying to move us away from oil without actually explaining why. And keep their coffers full, of course.

For info here is a climate change is our fault website

Here is a climate change is normal website

Here is a WSJ article highlighting the broader concerns raised by the recent fun.

So a couple of guidelines, then feel free to add your view below.

This is a fairly heated topic so I’ll moderate comments pretty tightly. The discussion is about the validity of the claim that human activity is the cause of changing climate. Comments in that area are welcome.

Personal attacks, nonsensical arguments and deceptive statements are not; I’ll delete these and publish the reason for your information.

Please keep your comments short and on topic and as polite as possible.

Irrelevant stuff like references to your own or others ‘green’ credentials etc will also go in the big round file.

Don’t feel compelled to comment. I’ll keep comments open for a day or so, then close them to ease the moderation. After that, if you want to comment just email me and I’ll add it.

Have fun… (and play nice)

cheers

Simon

Next Monday: D Day for SOX gravy train

Saturday, 5th December, 2009

It seems some legal beagles in the US are taking the organisation behind Sarbanes-Oxley to court on the basis that the way it is set up is unconstitutional.

Whilst mainstream IT thinks about that from a security-industry POV, there is the infant spreadsheet-management industry to consider too.

SOX, and section 404 in particular, has been used to encourage organisations to take some responsibility for their crappy spreadsheets. Ideally they would de-crappify them, but in my experience companies prefer just to list them and claim they are now ‘managing them’.

It will be interesting to see what, if any, impact this legal challenge has. I think the current mood is for more legislation and control (certainly in the UK!). But maybe those that claim SarBox has damaged US business competitiveness will hold sway.

I have seen a few remediation/migration-type roles on Jobserve recently, so maybe orgs are taking this seriously now. There are a lot of ingrained habits to change though.

Are you getting much SOX/Remediation business?

cheers

Simon