#CyberFLASH: Encryption actually protects law-abiding Canadians

When it comes to policing and national security, far too often Canadians are asked to let fear trump their rights.

Recently, the front page of the Toronto Star featured the headline, “Encryption creating a barrier for police …,” potentially convincing some readers that the technology’s only purpose is to aid criminals. Rarely do we see headlines such as, “Encryption protects thousands of Canadians’ credit card information,” or “Encryption enables secure communications for every Canadian,” or even the aspirational, “Canada leads the way in cybersecurity for its citizens.”

Increasingly, when we hear about encryption in the media, or from public safety officials, it’s presented as a danger — something that prevents those whose job it is to keep us safe from fulfilling their role. However, in the vast majority of transactions online by ordinary, law-abiding citizens, encryption is a good thing that makes personal, sensitive data harder to capture and decipher. Indeed, if more data were stored in encrypted form, sensational breaches of privacy — like the one that drove some Ashley Madison users to suicide — could be avoided.

Acknowledging that encryption can be a good thing for society doesn’t erase police concerns about data access; it contextualizes them. We at the Canadian Civil Liberties Association (CCLA) have long been supporters of warrants, the process by which police can go before a judge to demonstrate that their need to intercept a suspect’s private communications is reasonable and proportionate.

While we understand that warrants aren’t helpful if data can’t be decrypted, reports indicate police now have the tools, and are working with technology companies, to gain access to even the most complex of encrypted data. For example, as we learned from the Project Clemenza investigation, police can now decrypt BlackBerry communications and are making extensive use of Stingray technology, which allows for the mass interception of cellphone data.

Read more here

#CyberFLASH: CSE can assist in ‘threat reduction’ without a warrant, documents show

OTTAWA—Canada’s electronic spies can assist CSIS with the agency’s new mandate to disrupt security threats with little oversight from politicians or the courts, documents obtained by the Star show.

The Communications Security Establishment told Defence Minister Harjit Sajjan last November they can aid CSIS with new “threat reduction” efforts — a power granted to the agency under Bill C-51.

It’s not unusual for CSE to lend a hand to police or intelligence agencies; in addition to electronic espionage and cyber defence, assistance to law enforcement is one of the agency’s core mandates. But that assistance often requires a warrant.

But under C-51, CSIS can take action to reduce threats to national security without a warrant — so long as the agency’s efforts don’t violate Canadian law or charter rights. CSE confirmed that they do not necessarily need a court’s approval to assist CSIS in threat reduction.

The new power has opened the door for CSE to act as a “virtuous hacker” for CSIS, according to national security researcher Craig Forcese.

“This was the sleeper in C-51, because CSE is barely mentioned in C-51,” said Forcese, a vocal critic of the new terrorism law.

“CSE has been a watcher . . . . It has not been able to do things kinetically to people. But under the umbrella of CSIS assistance, it can now go kinetic.”

The power to reduce or “disrupt” threats to Canada’s national security was one of the most controversial aspects of the previous Conservative government’s anti-terrorism law.

Read more here

#CyberFLASH: When it comes to cyberspace, should national security trump user security?

Ron Deibert is the director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.

Imagine if the government had knowledge of a critical vulnerability in a heart pacemaker, but decided to keep the information secret in order to exploit it as a weapon. Would that be okay? What about flaws in the electronic controls of a 747 that could be manipulated remotely to cause the plane to crash? Or a nuclear enrichment facility? Should they publicly disclose these vulnerabilities in the interests of user safety? Or should they keep them classified in case they provide comparative advantage in matters of national intelligence or warfare?

Whatever each of us may think about these questions, it appears the world’s most powerful spy agencies have already resolved on an answer: for them, national security trumps user security.

Today, the University of Toronto’s Citizen Lab is publishing a report documenting major security and privacy vulnerabilities in one of the world’s most widely used mobile applications: UC Browser. Chances are if you are a North American reading this, you have never heard of UC Browser. But if you live in China or India, it’s probably as familiar as Microsoft Explorer. In fact, UC Browser is used by over 500 million people, and is the fourth most popular mobile browser in the world.

Popularity aside, UC Browser has fundamental problems (problems the company is working to repair after our notification): it leaks a huge torrent of highly detailed personally identifiable data about its users. Those leaks include the unique identification number hard-baked into the device (IMEI), personal registration data on the user’s SIM card (IMSI), any queries sent over the browser’s search engine, a list of the names of any WiFi networks to which the device has recently connected, and the geolocation of the device. Some of this data is sent entirely “in the clear” without encryption; others are sent using weak encryption that could be easily decrypted. Some of it is sent the moment the application is turned on, in an “idle state.” None of it is sent with the explicit permission of its users.

Read more here

#CyberFLASH: LEGER: Pull back veil on national security

The mere mention of the term “royal commission” is enough to trigger eye-rolling cynicism in many Canadians, even the public-spirited. It conjures an image of paper gathering dust in archives across the country.

Maybe it’s the word “royal” in the phrase that connotes irrelevance or a certain lack of rigour. Perhaps it’s because commissions take so long to do their work and produce so few concrete results. Royal commissions have an image problem.

They are usually set up because some public problem has flummoxed the sitting government. Not knowing what else to do, governments often use them to park unsettling issues out of the glare of day-to-day politics.

When commissions do report, prime ministers have the option of ignoring inconvenient conclusions. In fact, many such panels are established precisely so they can be ignored by the government of the day.

Read more here

#CyberFLASH: Canada to battle cyber attacks

Canada needs to step up its fight against cyber attacks that increasingly threaten national security, Industry Minister James Moore said in Calgary Monday.

Ottawa plans to do just that as part of a wide-ranging, $900 million upgrade and expansion of Canada’s digital capacity, he said.

“It’s a serious threat to our networks, to our security,” Moore told the University of Calgary’s School of Public Policy.

He said 150,000 pieces of malware attack Canadian computer systems daily in actions that include espionage

In recent meetings with a diversity of world leaders, Moore said he’s heard a common refrain.

“With every single one of them, the subject comes up,” he said.

Some of those targeting Canada’s public and private networks are state actors, others non-governmental

Read more here

#CyberFLASH: Canada – China’s Lenovo raises security fears with possible bid for BlackBerry

Lenovo Group Ltd. is joining the list of suitors considering a bid for BlackBerry Ltd., raising concerns that the Canadian company’s ultra-secure communications network for the global elite might end up owned by a firm based in China.

BlackBerry provides mobile phones and an encrypted wireless network to many of the world’s largest corporations and most Western governments, including top officials in the United States and the country’s military – and would likely draw scrutiny in Washington and Ottawa.

If Lenovo’s reported interest resulted in a deal, the takeover attempt would be subject to a tough regulatory review in Canada. The federal government has killed several foreign takeovers under the Investment Canada Act.

That act permits reviews of deals worth more than $344-million. The government has also granted itself broader powers to halt takeovers of Canadian firms by foreign state-owned companies, particularly those from China. And Ottawa recently barred a bid for Winnipeg-based telecom company MTS Allstream by an Egyptian-led group on national security grounds.

“If the Egyptian company raised some red flags for the Canadian government, we should have red fireworks going off if a Chinese company wants to buy BlackBerry,” said Michel Juneau-Katsuya, the former head of Asia-Pacific at the Canadian Security Intelligence Service (CSIS) and chief executive of the Northgate Group, an Ottawa-based cyber-security firm. “BlackBerry is the prime phone used by all government officials and top officials… For that reason alone, it shall not and could not be sold to a foreign entity that is not within the realm of [our] close network of friends.”

Read more on Globe and Mail 

Media Advisory – CADSI presents SecureTech 2012, Canada’s National Security and Public Safety Event By Canadian Association of Defence and Security Industries (CADSI)

OTTAWA – Cyber Security and Perimeter Security are critical components to our public safety and national security interests. It is not surprising, therefore, that these two issues are the priority topics for this year’s SecureTech Conference and Trade Show taking place in Ottawa, October 30-31, 2012.

SecureTech 2012 is presented by the Canadian Association of Defence and Security Industries (CADSI). Media must register in advance for accreditation. Visit the SecureTech 2012 website for accreditation.

WHEN: October 30 & 31, 2012
WHERE: Ottawa Convention Centre, Ottawa, Canada

Read more here

CSIS Suspensions: Two Employees Reprimanded For Security Lapses, Records Show

 OTTAWA – Two security breaches at Canada’s spy agency prompted employee suspensions last year, newly released documents show.

In the most serious case, a Canadian Security Intelligence Service employee was suspended for five days without pay following an incident involving information that “must be kept in the strictest of confidence and in full compliance with the need to know principle.”

The CSIS employee was found to be in violation of several aspects of the spy agency’s conduct policy, including provisions on security, performance of duties, integrity and compliance with direction.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.