#CyberFLASH: Why 2017 will be a make-or-break year for Internet freedom

2017 is here, and it’s clear it will be a make-or-break year for Internet freedom. Around the world, our digital rights are under threat as never before. Let’s take a look at some of the big challenges ahead.

In Canada, the federal government will soon be publishing its response to the national security consultation that closed in December. It’s abundantly clear that Canadians want the government to repeal Bill C-51 and deliver strong privacy rules to make us safe — but will the government listen, especially against the backdrop of a full-on RCMP propaganda campaign calling for even more invasive spy powers?

Also in Canada, the government is under pressure from industry lobbyists pushing a costly new Internet tax, a proposal that expert Michael Geist has called a “digital tax on everything.” This is a terrible idea that will deepen the digital divide, and force even more Canadians offline, in a country where low-income and rural residents are already struggling to stay connected. If the government pursues this, expect a big fight ahead.

South of the border, we’re now just weeks away from Donald Trump’s inauguration on January 20. On that day, Trump will secure not just the keys to the Oval Office, but also sweeping new powers to shape the future of the Internet for generations to come.

Based on Trump’s statements, we can expect to see a dramatic expansion of NSA and FBI spying powers. Worryingly, there are very few oversight mechanisms or limitations on what Trump can do with this power. And, given that so much surveillance activity takes place under a veil of near-total secrecy, it will be extremely difficult for citizens to hold Trump effectively to account.

Read more here

#CyberFLASH: Flight booking systems lack basic privacy safeguards, researchers say

Major travel booking systems lack a proper way to authenticate air travelers, making it easy to hack the short code used on many boarding passes to alter flight details or steal sensitive personal data, security researchers warned on Tuesday.

Passenger Name Records (PNR) are used to store reservations with links to a traveler’s name, travel dates, itinerary, ticket details, phone and email contacts, travel agent, credit card numbers, seat number and baggage information.

The six-digit codes act as pincodes for locating travel records, albeit with vital differences that make them highly insecure compared with even the simple usernames and passwords that consumers use to access email or websites, the researchers said.

The world’s three major global distribution systems (GDS) – Amadeus, Sabre and Travelport – manage a majority of travel reservations but face growing competition from airlines and corporate travel and online booking sites.

“While the rest of the Internet is debating which second and third factors to use, GDSs do not offer a first authentication factor,” researchers at Berlin-based Security Research Labs said in a statement.

Read more here

#CyberFLASH: Next year’s Ontario literacy test will be paper-only as investigation into cyber attack continues

After widespread technical issues forced the cancellation of the first-ever online Ontario literacy test earlier this year, the agency tasked with administering the exam says next year’s version will be paper only.

The Education Quality and Accountability Office (EQAO) said Friday it would be temporarily shelving the online version of the test after its October launch was marred by a cyberattack. The organization said it still hasn’t successfully completed a large enough trial of the system since the attack and doesn’t know when the online version will be ready to use.

“Given the considerable frustration and anxiety that resulted from the cyberattack, EQAO feels that it would be irresponsible to put students at risk of any further issues without having completed a successful large-scale online trial,” the agency said in a news release.

The announcement comes after a brand new system for administering the test online crashed in October, leaving many students unable to complete the test.

The EQAO said the network was the target of an “intentional, malicious and sustained” cyberattack involving a “vast set of IP addresses around the globe.”

Most of the province’s 900 secondary schools — representing some 147,000 students — had signed up to participate in the test, which was a technical trial run before the first official test scheduled next year.

Read more here

#CyberFLASH: Canadian Cyber Threat Exchange ready to start membership push

After months of planning, the country’s first national IT threat service has issued its first threat report to a few early members and is ready to launch a campaign to expand its numbers, including lowering its fee for small businesses.

“We didn’t want cost to be a barrier to people being able to get in,” Robert Gordon, executive director of the Canadian Cyber Threat Exchange (CCTX), said Wednesday in explaining why the introductory fee for a small business was cut from $5,000 to $2,000 a year.

“Part of this is to raise cyber resiliency [among Canadian firms] as broad as we can.”

For the lower fee members will still get threat reports, but won’t be allowed to download electronic data feeds into their systems. Gordon said it was felt small companies wouldn’t benefit from that service. The exchange will discuss with these companies if there are other services that can be added.

Mid-size businesses can join for $20,000 a year and will be allowed to exchange threat data electronically (when it goes live early next year) and get named access to the exchange’s proprietary knowledge database.

Gordon also said the exchange’s first monthly report was shown Wednesday at a closed symposium in Toronto for companies that have already signed up or are in the process of becoming paying members. Eventually that report will be issued weekly to members. Also, by the second week in February the exchange will have a portal for the sharing of electronic threat data and an online collaboration space for members.

Read more here

#CyberFLASH: Carleton University says it didn’t pay hacker’s ransom after cyberattack

Carleton University confirms its IT network was attacked by ransomware — a type of computer virus that uses encryption to effectively hold files hostage in exchange for payment — but said it didn’t pay any ransom.

Systems are coming back online little by little after the problem appeared Tuesday morning, Roseann O’Reilly Runte told CBC News on Wednesday.

Classes are happening as regularly scheduled and Wi-Fi is available on campus, she said.

No ransom was paid, according to university spokesperson Don Cumming.

The university is expected to make a statement at 4 p.m. ET.

A graduate student at the university emailed CBC Tuesday to say the attackers asked for payment in bitcoin, a digital currency that is difficult to trace. According to a message he saw on a school computer, the attackers are asking for either two bitcoin per machine, or 39 bitcoin total to release the encrypted files — the latter equalling nearly $38,941 at today’s rate on the popular Bitcoin exchange Coinbase.

Students, employees warned Tuesday

On Tuesday morning, students and employees were warned that any Windows-based system accessible from the main network may have been compromised after an external group apparently attempted to hack the school’s IT network.

“To reduce traffic on the network, it is recommended that users refrain from using Microsoft Windows systems at the current time and shut down your computer,” the school warned in a message posted on its website and Facebook page.

On Wednesday, the university’s IT department said work is continuing to restore email services.

Read more here

#CyberFLASH: Hackers say the Canadian government doesn’t want their help

The U.S. Department of Defence has turned to well-intentioned hackers and independent security researchers to help the government agency find software bugs and vulnerabilities in its computer systems.

But in Canada, the government appears to still have no formal policy or public guidelines, which makes it difficult for those who do find flaws to know what to do, or how the government might respond.

“There’s no formal process,” says Imran Ahmad, a partner at the law firm Miller Thomson who works with clients on cybersecurity related issues. In the absence of such a process, he says, those who find flaws “just don’t know how the government’s going to react, and they just want to protect themselves.”

“My advice to anyone who finds a flaw in a government website at this time would be to forget they ever saw it,” wrote web developer and security researcher Kevin McArthur in an email.

In the past, companies and governments often threatened security researchers and coders who found and published details about vulnerabilities in software with litigation, prompting the adoption of an informal process called “responsible disclosure.”

Read more here

#CyberFLASH: Carleton U warns students of hacker attack on IT network

Carleton University is warning students and employees after an external group apparently attempted to hack the school’s IT network.

The school warned that any system accessible from the main network that is Windows-based may have been compromised.

The school’s IT security unit is attempting to secure the network from further attacks.

“To reduce traffic on the network, it is recommended that users refrain from using Microsoft Windows systems at the current time and shut down your computer,” the school warned in a message posted on its website and its Facebook page.

Ransomware messages demand bitcoin payments

The school said people may see ransomware messages appear on their screens, demanding payments in bitcoins.

“Users are asked to ignore all messages seeking a payment and are encouraged to report these messages to the CCS Help Desk at ext. 3700 or ccs.service.desk@carleton.ca,” the school said in a statement.

David Kenyi, a volunteer at the International Students Service Office, said he got a push notification on his phone of the system shutdown.

Read more here

#CyberFLASH: Hacked Canadian Forces website taken down after redirecting to Chinese state portal

Canadians trying to learn about career opportunities with the military instead found themselves staring at the landing page of the Chinese central government’s official web portal after the website forces.ca was apparently hacked Thursday to redirect users to the gov.cn domain.

The recruiting website, registered by the Department of National Defence (DND) in February 2001, redirected users to the Chinese government’s homepage until the error was spotted by DND officials, who took the site offline.

Public Safety Minister Ralph Goodale said the incident was being investigated, but stopped short of labeling it a security breach.

“When something of this nature happens we treat it with real gravity, and we’ll investigate it,” he said according to the Canadian Press. “That process is underway right now, and as soon as we know the facts, we’ll be commenting further on that.”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.