#CyberFLASH: Should police see your data? Think about it says Goodale

OTTAWA—Canadians need to think about how far police should be allowed to go in accessing their electronic devices and communications, the federal public safety minister says.

A federal review of cybersecurity will provide a chance to discuss a proposal from Canada’s police chiefs for a new law that would compel people to hand over passwords with a judge’s consent, Ralph Goodale said Wednesday.

The Canadian Association of Chiefs of Police says the measure is needed to fight criminals in cyberspace who increasingly use tools to hide their identities and communications.

In the United States, there are literally thousands of smartphones and other digital devices “sitting on shelves” because authorities can’t get into them, said Terrence Cunningham, a police chief in Massachusetts and president of the International Association of Chiefs of Police.

“And we know that those devices hold the answers to the questions that we need so that we can hold people accountable and prosecute some of these cases,” Cunningham said during the Canadian chiefs’ annual conference this week.

After a speech Wednesday to the gathering, Goodale acknowledged that smartphones contain a wealth of personal data and can reveal much more about a person than an ordinary physical search might.

But he added that while Canadians value their privacy, they also want police to have the necessary tools to investigate crimes. “I think Canadians recognize the imperatives on both sides.”


#CyberFLASH: Public Safety Canada launches public consultation on cybersecurity landscape

Public Safety Canada (PSC) has launched a public consultation on the “evolving cybersecurity landscape.”

On Tuesday, the federal government launched the Consultation on Cyber Security to help identify gaps and opportunities, bring forward new ideas to shape Canada’s renewed approach to cybersecurity and capitalize on the advantages of new technology and the digital economy, PSC said in a statement.

From now until Oct. 15, PSC will be leading the consultation by engaging stakeholders and Canadians on the trends and challenges of cybersecurity, as well as on new initiatives under consideration which will strive to build Canada’s resilience, capability and innovation in cybersecurity, the department said. Topics of the consultation include: the evolution of the cyber threat; the increasing economic significance of cybersecurity; the expanding frontiers of cybersecurity; and Canada’s way forward on cybersecurity.

The statement said that approximately 70% of Canadian businesses have been victims of cyberattacks, with an average cost of $15,000 per incident. In addition, the current global market for cybersecurity products and services is expected to grow to over $170 billion by 2020, and the job market for “cyber pros” is expected to rise by six million in the next four years, PSC reported.

Canada also has more computers per capita than any other country (129 devices per 100 people) and Canadians are the heaviest Internet users in the world, spending more than 40 hours online per person per month.


#CyberFLASH: The Internet of Things moving us toward connected homes

It’s lunchtime at race car driver Alex Tagliani’s house, and there are no fewer than a dozen people buzzing around. Landscapers are putting in a new front yard, a curtain company employee is up on a ladder, wrestling with the motorized drapes for a product photo shoot and a toddler is running around, demanding to be fed.

Tagliani has made a name for himself on the Indy and NASCAR circuits. But, after years of living in Las Vegas and Indianapolis, he has returned to his native Quebec, settling down in an impressive $1.4(ish)-million home nestled in the scenic suburbs of Lorraine with his wife, Bronte, and their daughter Eva-Rose.

The house was custom built according to Tagliani’s vision of a modern smart home. He was the general contractor on the project, coordinating the architect, interior designers and a small army of independent contractors, including a home-automation team.

“I spent a year and a half messing around with the build,” Tagliani says.

From the moment he considered building a house, Tagliani knew he wanted it to be “smart” — a connected home that learns from and syncs to his family’s behaviours. He hired HomeSync, a Montreal-based home-automation installer that he’d previously worked with when customizing his last place, a condo in Laval. (HomeSync doesn’t manufacture its own hardware, but rather connects other companies’ components.)

Privacy concerns

Earlier this year, design flaws in Samsung’s SmartThings allowed people to remotely hack a front-door lock. There’s very little to stop a determined and tech-savvy criminal or mischief-maker from gleaning what your devices have learned about you and using it against you.

Gobi enjoys the convenience and novelty of the technology, but he is concerned about the SmartThings hack. He’s considering switching to Apple’s recently launched HomeKit because it offers high-security encryption. “The encryption they’re asking for is really, really high. If we think more about Big Brother issues with the Internet of Things and the smart home, I would be more comfortable to use high-security devices and I’m happy that Apple is now fighting a battle for privacy,” Gobi says.

Still, training connected devices to recognize your habits also means opting in to having an unprecedented amount of your deeply personal data compiled and kept on file by someone, somewhere, without knowing exactly if and how it’s used.

In 2016, Canada’s privacy commission published a guide on connected devices and IoT and concerns related to them, particularly as it pertains to data harvesting. “The full impact of the Internet of Things for our privacy may become more evident when its capabilities are combined with other innovations shaping our world today that track not only our activities, movements, behaviours and preferences, but our emotions and our thoughts,” the report concludes.


#CyberFLASH: Protect yourself and your organization in cyberspace

Earlier this year, hackers stole nearly 15 gigabytes of company information, including payroll and bank account data, from Goldcorp Inc., one of Canada’s largest mining companies.

Last summer, the hacktivist group Anonymous struck the federal government, shutting down a number of key websites.

The speed, severity and scope of hacker activity, and other malicious threats to organizations, nations and individuals online, continue to rise. According to the Global Risk Institute, cyberattacks have increased globally by 38 per cent since 2014, with the annual cost estimate at up to US$1 trillion.

That’s why the Ontario College of Management and Technology is hosting the first-of-its-kind International Cyber Security and Intelligence Conference (ICSIC), Sept. 7 to 8, in Toronto.

“Issues of cyber security are critically important to all of us,” said Yomi Olalere, Founder and President of the Ontario College of Management and Technology. “It’s crucial for professionals to come forward and discuss a way forward with best practices, and to hear from renowned experts about how an organization can secure their vital digital assets, how a nation can secure its critical infrastructure, and how an individual can protect themselves in cyberspace.”


#CyberFLASH: Study finds dozens of Canadian firms have paid ransoms to regain control of data

TORONTO — A new report has revealed dozens of Canadian organizations were forced to pay attackers over the past year to regain access to computer files and IT systems infected with ransomware.

The finding is part of an international study conducted on behalf of a Silicon Valley company that fights ransomware, which typically locks legitimate users out of a system and sends a message requiring a payment to get a software code or key.

The Osterman Research study published by Malwarebytes found 44 of the 125 Canadian respondents, all of whom were anonymous, reported having a ransomware attack on their organization in the previous 12 months.

A majority of the victims, 33 of the respondents, said they’d paid ransoms with costs ranging from $1,000 to $50,000.

The study also found 11 of the 44 organizations targeted by ransomware had to shut down their business for a time to deal with the attack and devote an average of nine person-hours to recover.

Five of the victim respondents, all identified as working in the health-care industry, said they believed lives were at risk.


#CyberFLASH: Privacy Commissioner’s office weighs in on proposed data breach regulations

Canadian businesses that fall victim to data breaches will soon be required to notify users that their personal data has been compromised, if Canada’s privacy commissioner has his way.

The commissioner’s office recently submitted an official response to the Ministry of Innovation, Science and Economic Development regarding the new data breach notification and reporting regulations proposed for the Personal Information Protection and Electronic Documents Act (PIPEDA).

In the June 10 document, Barbara Bucknell, the director of policy and research for the privacy commissioner’s office, wrote that “during his appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU), Privacy Commissioner Daniel Therrien expressed support for the new measures, indicating that mandatory breach notification will bring enhanced transparency and accountability to the way private sector organizations manage personal information.”

While the amendment’s final version has not yet been publicly released and will require government approval to become law, a draft version has been posted online since March, and companies and users alike were invited to comment until May 31.

Of course, the commissioner’s office had a few thoughts of its own regarding five key elements of the proposed regulations, and the companies facing the brunt of its impact might want to take note of them.


#CyberFLASH: Privacy commissioner to investigate data breach of public servants’ personal info

Canada’s privacy commissioner is launching a formal investigation into one of two data breaches linked to the federal government’s troubled computerized payroll program, called Phoenix.

The decision comes as new details are made public about the scope of both incidents involving sensitive information belonging to federal government employees.

The commissioner will probe the second breach, which took place earlier this year, and involved managers having access to information belonging to employees who did not work for them.

The number of employees who had their data exposed during this incident is not known.

“The information that could be seen included an employee’s name and personal record identifier (PRI) — the employee number assigned under the federal government’s human resources management system,” said Valerie Lawton, a spokesperson for the privacy commissioner’s office. “According to PSPC [Public Services and Procurement Canada], no other personal information could be viewed.”

In an email to CBC News, Lawton said news coverage of the breach led to a number of complaints, which prompted the commissioner to investigate.

The first breach involves highly sensitive data for 10,000 public servants that was “inadvertently transmitted” to the private contractor building the federal government’s Phoenix payroll system, according to the department responsible for the troubled program.

That incident happened sometime between March and July of 2015, when Phoenix was in the testing phase, and the department was not aware of the transfer of personal data until IBM alerted the government.

“The contractor alerted PSPC of the breach in June of 2015 and subsequently removed all of the sensitive data from its database,” Lawton said.


#CyberFLASH: Government knew of Phoenix privacy breach issue more than a year ago

In an open letter to public servants posted online Thursday afternoon, Public Services and Procurement Canada deputy minister Marie Lemay said that in both instances, “There was no evidence that employee personal information ever left the hands of federal employees or government contractors.”

The first privacy breach issues surfaced between March and July 2015. The latest, as widely reported earlier this week, occurred between February and April of this year.

Lemay said the privacy breach situations arose during the testing and early implementation of Phoenix, and that “system adjustments and fixes were quickly implemented to prevent further breaches.”

The open letter was published in the wake of media reports outlining the latest privacy breach, in which personal information of all 300,000 civil servants enrolled in the Phoenix pay system could be accessed by as many as 70,000 federal employees.

“I understand that employees may be concerned about this, and I want to assure you that we take the safeguarding of employee personal information very seriously,” Lemay wrote, saying the government followed a “systematic approach … to assess and address causes and consequences.”

According to a CBC News report, documents released this week show officials were warned as early as Jan. 18 of the flaw that allowed the privacy breach.

