#CyberFLASH: Hackers say the Canadian government doesn’t want their help


The U.S. Department of Defence has turned to well-intentioned hackers and independent security researchers to help the government agency find software bugs and vulnerabilities in its computer systems.

But in Canada, the government appears to still have no formal policy or public guidelines, which makes it difficult for those who do find flaws to know what to do, or how the government might respond.

“There’s no formal process,” says Imran Ahmad, a partner at the law firm Miller Thomson who works with clients on cybersecurity-related issues. In the absence of such a process, he says, those who find flaws “just don’t know how the government’s going to react, and they just want to protect themselves.”

“My advice to anyone who finds a flaw in a government website at this time would be to forget they ever saw it,” wrote web developer and security researcher Kevin McArthur in an email.

In the past, companies and governments often threatened security researchers and coders who found and published details about vulnerabilities in software with litigation, prompting the adoption of an informal process called “responsible disclosure.”


#CyberFLASH: Carleton U warns students of hacker attack on IT network


Carleton University is warning students and employees after an external group apparently attempted to hack the school’s IT network.

The school warned that any system accessible from the main network that is Windows-based may have been compromised.

The school’s IT security unit is attempting to secure the network from further attacks.

“To reduce traffic on the network, it is recommended that users refrain from using Microsoft Windows systems at the current time and shut down your computer,” the school warned in a message posted on its website and its Facebook page.

Ransomware messages demand bitcoin payments

The school said people may see ransomware messages appear on their screens, demanding payments in bitcoins.

“Users are asked to ignore all messages seeking a payment and are encouraged to report these messages to the CCS Help Desk at ext. 3700 or ccs.service.desk@carleton.ca,” the school said in a statement.

David Kenyi, a volunteer at the International Students Service Office, said he got a push notification on his phone of the system shutdown.


#CyberFLASH: Ottawa should be careful on expanded police powers: Editorial


Crime, like everything else, has been transformed by the digital age. Fraudsters, child pornographers and terrorists, among others, are becoming ever more expert in using digital technologies to commit their offences and cover their tracks.

Not surprisingly, this has created new challenges for law enforcement. Police chiefs across Canada claim investigators do not have the tools to keep up. Many say concerns about privacy have scuttled their attempts to convince politicians to provide them with the cyber-surveillance powers they need to do their job.

As Bob Paulson, commissioner of the Royal Canadian Mounted Police, puts it, “We’re losing our ability, if we haven’t lost it entirely, to bring the traditional investigative response to technologically facilitated crime because of the misunderstanding, in my view, of the privacy threat.”

This week, Paulson shared with reporters from the Star and CBC News case files he says demonstrate the obstacles his force faces, an attempt to help the public understand the need for new police powers the federal government is currently floating.

The cases are no doubt disturbing, tales of child abusers and wannabe terrorists evading justice. But while they clearly illustrate new and thorny police challenges, they do not establish that the requested powers are necessary or proportionate, or to what extent they would endanger privacy or even weaken security.


#CyberFLASH: Canada’s energy sector braces for rising threat from activists


Canadian security experts are increasing their vigilance against activists’ threats to the country’s energy infrastructure, as civil-liberties advocates worry about the use of improper surveillance on peaceful opponents to major projects.

In what is billed as a training workshop, Carleton University’s Infrastructure Resilience Research Group is playing host to a closed-door conference on Monday and Tuesday for lawyers, police, regulators and industry representatives on “the challenges of dealing with natural resource development projects and activism.”

One of the organizers, professor emeritus Martin Rudner, said there are significant threats from “domestic extremists” to Canada’s energy infrastructure, including pipelines, generating stations and transmission lines. Prof. Rudner is active on several industry-government-academic networks that consult on protection of critical infrastructure, including the energy and utilities-sector network managed by Natural Resources Canada.

“A lot of these concerns are overblown,” Ottawa lawyer Paul Champ said. He is a board member of the British Columbia Civil Liberties Association that has alleged RCMP and the Canadian Security Intelligence Service (CSIS) engaged in illegal surveillance of Canadians protesting against Enbridge Inc.’s proposed Northern Gateway pipeline.

The lawyer acknowledged there can be serious threats to existing critical infrastructure – both physical and cyber, from both domestic sources and foreign ones – and that they must be monitored and dealt with. But he said police and security agencies should not be involved in gathering intelligence against opponents of specific resource projects.


#CyberFLASH: Researchers hack Philips Hue lights via a drone; IoT worm could cause city blackout


Every once in a while, you read about an attack which has the potential for especially concerning consequences. Since reading about an IoT worm that could unleash all sorts of chaos, it’s come to mind again and again. Then it hit the radar of cryptographer and security pro Bruce Schneier. He wrote, “This is exactly the sort of Internet-of-Things attack that has me worried.”

Researchers from the Weizmann Institute of Science in Israel and Dalhousie University in Canada didn’t just theorize about the possibility of an IoT worm; using a few hundred dollars of readily available equipment, they created a proof of concept attack to exploit Philips Hue smart light bulbs.

Researchers have been taking aim at both the ZigBee and Z-Wave wireless protocols for years. Hue light bulbs communicate via the ZigBee protocol, and any new firmware is delivered via Over The Air (OTA) updates. In the researchers’ attack, the worm replaces that firmware.

In the paper, “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” (pdf), researchers “describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction.”


#CyberFLASH: Over Half Of Canadian Execs Say Security Is A Top Concern, But Aren’t Acting On It


A report from Microsoft Canada reveals that Canadian businesses aren’t doing enough to protect their data.

The survey revealed that while three-quarters of Canadian businesses (based on a sample size of 700) say that implementing a digital strategy is among 2017’s top objectives, over half of them are concerned about security while migrating to the cloud.

However, Canadian executives are still navigating the security concerns that come with managing large amounts of data. Over half of Canadian executives said in a survey that security is their top concern when making the transition to the cloud.

“It’s great to see that the cloud continues to gain momentum and that Canadian businesses recognize its value,” said Janet Kennedy, president of Microsoft Canada, in a statement.

The survey also suggested that only 21 percent of Canadian executives feel fully prepared in case of a data hack or leak. Furthermore, local data residency is important to Canadian executives, as is addressing the growing concern about cyber criminals and cybersecurity.

“The survey confirmed that business leaders need to feel confident that their data is secure and is being stored here in Canada. This is especially important for businesses with stringent compliance standards, such as government and healthcare organizations,” added Kennedy.


#CyberFLASH: Red Deer men targeted by sextortion scam


RCMP are investigating an extortion scam after two Red Deer men were “lured into compromising online encounters” by strangers on the internet.

Police say both victims were approached online in October by women.

The women lured the men over the internet “and then threatened to post the images online unless they were paid by their victims,” Red Deer RCMP said in a news release Wednesday.

Neither victim was defrauded of money, police said. In both cases, the women halted communication with their targets after the men informed them they were reporting them to police.

RCMP suspect there may be even more cases of this type of extortion happening in the community, but victims “may be too embarrassed to report it.”

Furthermore, investigators say these online profiles are usually fake and the scammers live in different countries, making prosecution impossible.


#CyberFLASH: Data-driven defence will best protect enterprises, says expert


Tunnel vision is a phrase that describes looking too narrowly at a problem. To use a cliché, you don’t see the forest for the trees.

Infosec pros suffer from it as well, Roger Grimes, principal security architect in Microsoft’s information security and risk management practice, said at this month’s SecTor cyber security conference in Toronto.

Often all they see is a myriad of threats in front of them every day instead of concentrating on the ones that are most likely to pierce defences.

In short, he argues that what CISOs need to do is create a data-driven defence.

After the conference we caught up with Grimes and asked him to expand.

“I get hired to do penetration testing and in the last 20 years I’ve broken in in an hour or less, except for one company that took me three hours,” he said, and he considers himself an average attacker. “In attacking I’m not that great, but I can break into anything. The reason why is they just don’t do the simple things they should do – the stuff they’ve been told to do for 30 years: Patch, and don’t get tricked into running things they shouldn’t.”

“Most companies for one reason or another really aren’t trying to defend against the right things. The vast majority of corporations could significantly decrease the chance of attacks against their companies by better patching just a few programs and (with the savings) giving their employees better anti-social-engineering training. Yet companies spend millions of dollars on things that are absolutely not going to work because they don’t fix the two biggest elephants in the room”: awareness training and patching the most commonly exploited programs.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.