#CyberFLASH: Tax time 2015: How safe is your data with CRA?


Security at the Canada Revenue Agency certainly isn’t perfect.

Last year, someone — allegedly a 19-year-old student at the University of Western Ontario — hacked into its servers by using the much-publicized Heartbleed security flaw and made off with the social insurance numbers of more than 900 taxpayers.

A few months later, the taxman accidentally sent CBC News confidential details about prominent Canadians, including former prime minister Jean Chrétien and author Margaret Atwood, such as their home addresses and the value of certain tax credits they were granted.

And in 2013 a report from the federal privacy commissioner warned of “marked weaknesses” in CRA’s privacy and security habits, finding, among other things, that thousands of taxpayers’ files had been inappropriately accessed by employees for reasons including “personal gain, preferential treatment and fraud.”

All of which raises the question, how secure is the CRA? How concerned should Canadians be that their financial data might end up somewhere else entirely, used for who-knows-what nefarious purposes?

Read more here

#CyberFLASH: CRA data breach should be the final straw

If heads don’t roll after the latest security debacle at the Canada Revenue Agency, they should.

The tax agency revealed yesterday that a spreadsheet containing detailed information on a number of high-profile Canadians, including former PM Jean Chrétien, author Margaret Atwood, ex drug czar Richard Pound and media mogul Moses Znaimer, had been sent to the CBC. The 18-page file included names, home addresses, and details of donations made to Canadian museums and galleries.

In a statement released late yesterday, CRA Commissioner Andrew Treusch attributed the accidental release of the personal information to human error, and said it “constitutes a serious breach of privacy.”

The CBC said it received the file electronically in response to an Access to Information Request. In a move that surprises no one, Treusch said the agency “has launched an internal investigation into the privacy breach and its security protocols.”

Read more here

#CyberFLASH: Heartbleed Virus Causes Heartburn: Information Security Implications

News reports regarding the so-called Heartbleed computer virus sparked concerns regarding cyber security and digitally-stored personal information. The Canada Revenue Agency announced that the virus caused a security breach involving the compromise of the social insurance numbers of hundreds of individuals. Other high profile payment system breaches have also been reported.

Although it makes for interesting news, it is not always the effect of a computer virus or the actions of a computer hacker that can lead to a breach of personal information. Human error or systems errors also lead to reported privacy breaches (see our previous article “Alberta Privacy Commissioner Issues Report on Privacy Breaches”).

Nevertheless, the security of digitally-stored personal information is a key part of securing all of the personal information held by your organization. What can your organization do?

Read more here

#CyberFLASH: How to hack the hackers: IT pros train to counter attacks


When hackers attack your computer systems, and your best defences don’t keep them out, the only thing that can be done is to track down the crooks, find out who they are, retrieve the stolen data and shut them down. That’s what the RCMP did when the Canada Revenue Agency was hacked through the Heartbleed bug, and although the culprit in that case seems to have been a curious student, the technology and techniques they used were the same as those they’d employ to hunt down an international crime ring.

But, as with any skill – and cyber defence is a skill, and a complex one – investigators need to hone their techniques in a safe environment. A misstep in a real case could warn the criminals, or compromise the evidence. That’s where simulations come in, and they’re not photogenic ones with scary AIs like those we see in the movies.

There was no creepy computer voice providing play-by-play at the Symantec Cyber Readiness Challenge. But there was plenty of mischief afoot at the High Technology Crime Investigation Association (HTCIA) conference in Halifax last week, as a room full of law enforcement and corporate security folks took part in a simulation of a cybercrime. The bonus: participation gave them credits towards the continuing education requirements for security certifications such as Certified Information Systems Security Professional (CISSP) and Certified Information Systems Auditor (CISA).

Read more here


#CyberFLASH: Heartbleed remains serious threat to enterprise


It is believed to have infected nearly half a million of the Internet’s secure Web servers and just two weeks before the tax filing deadline in April, it forced Canada Revenue Agency (CRA) to shut down its Web site.

The OpenSSL cryptography vulnerability known as the Heartbleed bug, which enables hackers to grab data from computer systems by just communicating with a host server, caused a widespread scare around the globe just five months ago. Now, after many corporations and government agencies are supposed to have patched their systems, a security firm is saying that Heartbleed remains a serious threat.

In a recent report, Venafi Inc., a Salt Lake City-based cyber security software company, said its survey of 1,639 Global 2000 companies found that many such firms “have not completely remediated Heartbleed.”

This means as much as 97 per cent of external servers of Global 2000 companies remain vulnerable to cyber attacks through Heartbleed.

Read more here

#CyberFLASH: Study estimates 36% of Canadian businesses know they’ve been hit by cyber attack


TORONTO — More than one-third of Canada’s IT professionals know — for sure — that they’d had a significant data breach over the previous 12 months that could put their clients or their organizations at risk, a cybersecurity study suggests.

And as startling as that statistic may be, the actual number of breaches could be higher since the same international study found 56 per cent of the 236 Canadian respondents said they believed threats sometimes fall through the cracks.

“Even the best-protected networks have regular security incidents,” says Jeff Debrosse, director of security research for Websense, a U.S.-based security company that commissioned the study.

“It’s a 24-7 onslaught. It’s a barrage of attacks and attempts to penetrate the defences.”

Debrosse says it’s a real challenge for organizations to understand their vulnerabilities, let alone prevent breaches. Technology is improving, he adds, but it’s more important to share information about attacks within and among organizations.

Read more here

#CyberFLASH: Act now to protect government departments from cyberattacks


Federal bureaucrats are once again warning that Canada’s government departments and agencies are vulnerable to cyberattacks.

Internal documents obtained by the Star’s Alex Boutilier this past week reveal a number of issues that put Canada at risk.

They include an IT “incident management plan” that is too complex and unclear on who is responsible for what. A lack of co-ordination between that plan and Ottawa’s overall Federal Emergency Response Plan. And a number of departments and agencies failing to use the government’s secure network.

That last point is particularly troubling after Canada accused China last week of carrying out a cyberattack on the National Research Council of Canada. The NRC had reportedly resisted joining the government’s secure Shared Services network, preferring its own.

Read more here

#CyberFLASH: Ottawa warned about its vulnerability to hackers, lack of strategy


OTTAWA—Federal bureaucrats are warning that some departments and agencies lack sufficient network security and that Ottawa needs a more coherent plan to address large-scale cyber attacks, according to internal documents obtained by Torstar News Service.

The documents reveal that even as the government accused Chinese-backed hackers of infiltrating the National Research Council’s network on Tuesday, senior bureaucrats warned of deficiencies in Ottawa’s response to threats to federal networks.

The documents — part of a presentation to the chief information officer on Monday — state control of the government’s IT “incident management plan” was too complex, with overlapping roles and unclear “accountabilities.”

The plan is not aligned with the larger Federal Emergency Response Plan, which co-ordinates response efforts between different levels of government and does not include a consideration of “wide-spread government cyber (incidents).”

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.