#CyberFLASH: Hackers say the Canadian government doesn’t want their help

The U.S. Department of Defence has turned to well-intentioned hackers and independent security researchers to help the government agency find software bugs and vulnerabilities in its computer systems.

But in Canada, the government appears to still have no formal policy or public guidelines, which makes it difficult for those who do find flaws to know what to do, or how the government might respond.

“There’s no formal process,” says Imran Ahmad, a partner at the law firm Miller Thomson who works with clients on cybersecurity-related issues. In the absence of such a process, he says, those who find flaws “just don’t know how the government’s going to react, and they just want to protect themselves.”

“My advice to anyone who finds a flaw in a government website at this time would be to forget they ever saw it,” wrote web developer and security researcher Kevin McArthur in an email.

In the past, companies and governments often threatened security researchers and coders who found and published details about vulnerabilities in software with litigation, prompting the adoption of an informal process called “responsible disclosure.”

Read more here

#CyberFLASH: Hacked Canadian Forces website taken down after redirecting to Chinese state portal

Canadians trying to learn about career opportunities with the military instead found themselves staring at the landing page of the Chinese central government’s official web portal after the website forces.ca was apparently hacked Thursday to redirect users to the gov.cn domain.

The recruiting website, registered by the Department of National Defence (DND) in February 2001, redirected users to the Chinese government’s homepage until the error was spotted by DND officials, who took the site offline.

Public Safety Minister Ralph Goodale said the incident was being investigated, but stopped short of labeling it a security breach.

“When something of this nature happens we treat it with real gravity, and we’ll investigate it,” he said according to the Canadian Press. “That process is underway right now, and as soon as we know the facts, we’ll be commenting further on that.”

Read more here

#CyberFLASH: Military hard drive containing personal information found by Halifax man

A hard drive containing information believed to belong to the Canadian military is sitting in the closet of a Halifax man.

“It seemed to me like some of the documents contained information on personnel that I probably, or nobody, should be able to access unless they had the proper clearance,” Pete Stevens told Global News Friday.

Stevens found the hard drive at a recycling depot in Dartmouth almost a year ago. When he finally went to use it, he was surprised by what he found.

“I ran a recovery software and I basically saw some files that, basically, should have been deleted from the previous owner.”

The hard drive contains hundreds, if not thousands, of pages of information. According to Stevens, he was able to locate encrypted emails, training manuals and blueprints within minutes of searching the drive.

Most of the information appears to be from the years 1999-2006 and deals with HMCS Halifax.

David Fraser, a privacy lawyer in Halifax, says no matter how old the information is, it’s not supposed to wind up in the hands of someone without proper clearance.

Read more here

#CyberFLASH: Car hacker sought by Canadian military

The Canadian military is looking for a car hacker to hack into its vehicles to test how vulnerable they are to cyberattacks.

A tender notice posted Tuesday on the Canadian government’s procurement site says the Department of National Defence is looking for bidders who can assess a vehicle, find vulnerabilities and develop and demonstrate attacks on the vehicle.

Earlier this year, security hackers showed that they could kill the engine of a moving Jeep on the highway over the internet via the car’s Fiat Chrysler telematics system. That prompted Fiat Chrysler to recall 1.4 million cars and trucks in the U.S. A month later, Tesla delivered a software patch to its customers after cybersecurity researchers said they had taken control of a Tesla Model S and turned it off at low speed.

The Department of National Defence said while other kinds of cyberattacks can lead to the theft of money or information or the disruption of operations, those involving vehicles are “a more important concern since the safety of their users or the other users on the road might be at stake.”

It noted that a car built in 2014 may include up to 100 computers exchanging up to 25 gigabytes of data every hour via the vehicle’s internal communications system as they run 60 million lines of code managing 145 actuators and 75 sensors. That internal communications system, called a Controller Area Network (CAN) bus, is the target of cybersecurity hackers’ attacks. Besides being used for internal communications, it may interact with entertainment, GPS and communications systems that are connected to the outside world, allowing for remote attacks.

Read more here

#CyberFLASH: Federal government privacy breaches soar to record high

The federal government reported breaching the privacy of individuals more than 5,000 times last year — an all-time high, according to new figures.

The data are only for six departments, so the 5,237 privacy breaches they reported in 2014 are likely just a glimpse at what happened across government. Even so, the figure is almost as many as had been reported in the previous 11-year period, including instances where a taxpayer’s or organization’s information was incorrectly released, lost or compromised.

Figures provided to Parliament last year showed federal departments and agencies reported 3,763 breaches of data between April 1, 2013 and Jan. 29, 2014. During the previous 10-year period, the government reported slightly more than 3,000 breaches.

Those numbers, however, didn’t include the Department of National Defence, which had said it couldn’t release the information for national security reasons. The current crop of figures is the first time DND has publicly reported the number of privacy breaches within its department, giving Canadians a more fulsome picture of how their government handles sensitive information.

Read more here

Data-collection program got green light from MacKay in 2011

Defence Minister Peter MacKay approved a secret electronic eavesdropping program that scours global telephone records and Internet data trails – including those of Canadians – for patterns of suspicious activity.

Mr. MacKay signed a ministerial directive formally renewing the government’s “metadata” surveillance program on Nov. 21, 2011, according to records obtained by The Globe and Mail. The program had been placed on a lengthy hiatus, according to the documents, after a federal watchdog agency raised concerns that it could lead to warrantless surveillance of Canadians.

Read more here

National Defence took ‘insufficient action’ to address security concerns before spy case: Documents

OTTAWA — New questions are being raised over whether National Defence’s failure to heed internal audits and better secure itself from threats and breaches contributed to the high-profile spy case involving Jeffrey Delisle.

Documents obtained by Postmedia News show auditors repeatedly called on the Defence Department over the years to bolster its security systems, but were largely ignored.

The department has now launched a review of its ability to deter threats and prevent breaches, which is expected to result in “fundamental changes.”

Read more here

Canada’s cyber-spooks network CSEC is all grown up — but who watches the watchers?

OTTAWA — Following a decade of explosive growth, the super-secret Communications Security Establishment Canada has emerged from the Defence Department to become a stand-alone federal agency, a change that will force it, for the first time, to inform Canadians of at least some of its activities.

CSEC, whose powers include the ability to sometimes eavesdrop on Canadians without their knowing, has largely escaped the axe as the federal government chops budgets. Where some departments face cuts of 10 per cent, CSEC will be pinched by just two per cent this year and the agency will see no layoffs.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.