#CyberFLASH: EQAO says ‘intentional, malicious’ cyberattack led to literacy test system crash

computer-gimbalThe Ontario agency tasked with administering the first online literacy test to tens of thousands of high school students in the province last week says it was forced to pull the plug by an “intentional, malicious and sustained” cyberattack.

The Education Quality and Accountability Office said Monday the network hosting the “voluntary” online test was targeted by an “extremely large volume of traffic from a vast set of IP addresses around the globe.”

It said the impact of the distributed denial of service attack carried out by “an unknown entity or entities” was to block
legitimate users such as school boards and students from accessing the test.

Most of the province’s 900 secondary schools — representing a maximum of 147,000 students — had signed up to participate in the test, which was a technical trial run before the first official test scheduled next year.

The EQAO’s director of assessment said some 15,000 students appeared to have managed to complete the test, and the agency is currently reviewing the data to see whether the results can later be released. However, there will not be time for another trial test before the spring, Richard Jones said.

There is no evidence at this time that the incident was linked to a similar cyberattack that affected websites such as Twitter and Netflix on Friday, Jones said.

Read more here

#CyberFLASH: Uber should investigate own databases after more claims of bogus fares, privacy experts say

volvo-uber

A string of complaints by customers charged for Uber trips they say they never took has security experts calling on the ride-hailing company to launch a formal investigation to make sure its databases haven’t been breached.

After CBC News reported on the story of Laura Hesp, who lives in Toronto but was billed for an Uber ride taken on her account by someone in Poland, several others came forward to report similar experiences. Uber has warned customers incidents like this may be the result of phishing scams, but experts CBC News spoke to think the company should investigate to rule out the possibility that its own databases have been hacked.

The stories begin the same way. A person receives an unexpected email confirming an Uber cab is minutes away — except the customer hasn’t ordered one and the trip is thousands of kilometres away in another country.

George Sfeir, a 49-year-old Toronto man, says he was in his car on the way to his cottage in rural Ontario in July when he got a bill for an Uber ride he never ordered.

It was one of six bills he would receive over the span of two days for trips taken in Las Vegas, Des Plaines, Ill., and other American cities that Sfeir says he never visited.

Most of the trips ranged in price from $10 to $100. But when he received a bill for a whopping $982 rung up for an Uber trip in Chicago, Sfeir says he began to panic.

“That was really scary,” he says, adding that at first, even his credit card company didn’t believe his story.

Read more here

#CyberFLASH: Canada ‘very concerned’ about Russian hacking

969aa503044b3c70a7775bceb41564d54d07b628

Montreal (AFP) – Canadian Foreign Minister Stephane Dion said Monday he is very concerned about possible Russian hacking, following US accusations against the Kremlin.

The nation’s top diplomat did not comment on the specific US allegations, but said he is “very concerned” about the possibility of Canada becoming the next target of Russian cyber attacks, and called for a “safe and free cyberspace.”

Dion, however, offered no evidence of a specific threat.

His comments follow Washington’s accusations that the Kremlin had tried to interfere in the 20016 White House race through cyber attacks on American political institutions, which Russia has rejected.

Canadian Public Safety Minister Ralph Goodale said the government is reviewing its cyber capabilities to protect critical systems, such as banking, noting that “there have been incidents in Canada in the past where systems have been breached.”

“Canadians per capita are online more than any other population group in the world,” he said. “So this is important to Canadians.”

Canada’s ties with Russia became strained during the previous administration, with Ottawa criticizing the Kremlin over its support for the regime of Syrian President Bashar al-Assad and its annexation of Crimea.

Read more here

#CyberFLASH: One in five risk managers surveyed not sure whether their cyber insurance policy covers data in cloud servers

keyboard

Four in five risk managers surveyed said their company has a stand-alone cyber insurance policy, though only three in four reported their policy covers network/business interruption, Risk and Insurance Management Society Inc. said in the 2016 RIMS Cyber Survey, released Monday.

There were 272 respondents to the survey, which was distributed to RIMS members via an Internet link, and was “in field between August 8 and September 9, 2016.”

When asked whether their company has a “stand-alone cyber insurance policy,” 80% of respondents said yes, 19.5% said no and 0.5% said they were not sure.

Respondents were asked whether their organization’s cyber insurance extends to data stored in cloud servers. More than two-thirds (69%) said yes, 9% said no and 22% said they were not sure.

RIMS also asked members which losses were included in their cyber insurance policies. More than nine in 10 (91%) said breach notification costs. About one in four (27%) said theft of trade secrets; 80% said data recovery; 50% said professional liability; 76% said network/business interruption; 78% cyber extortion and 63% said fines and penalties.

Read more here

#CyberFLASH: National Cyber Security Awareness Month: 10 Tips For Businesses

148650499-e1416334498678

In a world that is more connected and accessible than ever, the declaration of October as national Cyber Security Awareness Month by governments and business leaders in several countries including Canada, the United States and Australia, is a strong statement that cybersecurity is an international safety concern.

The campaign aims to bring awareness to the wide scope of concerns that the term cybersecurity covers, including internet security, privacy, mobile safety, distributed denial-of-service (DDoS) attacks, botnets, hacking, data breaches, malware, pharming and phishing to name a few.

Now is a good time for businesses to review their cybersecurity practices. It is tempting to think that “it can’t happen to me”, but in the wake of Yahoo’s recent admission that personal data was hacked, it is clear that this can happen to anyone.

Of course, technological safeguards are critical to security, however operations and policy play a crucial role as well. The steps outlined below focus on tips that involve measures that go beyond technology.

  1. Plan on a Prudent Response. In a 2015 study commissioned by the Office of the Privacy Commissioner of Canada, only 41% of surveyed companies stated that they had policies or procedures in place that dealt with data breaches where there was a compromise of customer personal information. If an Incident Response Plan is made ahead of time in order to deal with a cybersecurity breach, a company will be in a position to respond quickly in a manner that mitigates harm to the business and to third parties (such as customers). Companies who do not make such a Plan are often caught flat-footed and fumble through an incident, and increase the risk of complaints to regulators and class action or other lawsuits.
  2. Build an Effective and Safe Cybersecurity Workforce. Robust recruitment processes that properly vet candidates will help ensure that the hiring of problematic employees is avoided. Unfortunately, many attacks come from inside an organization. Background checks are an important tool in the screening process. Employees play a key role in helping to prevent cybersecurity incidents. Proper training is key, and will enable employees to spot suspicious activities and events, and report them to the appropriate personnel. Employees are the single most important group of people who can help to reduce unintentional errors and technological vulnerabilities.

Read more here

#CyberFLASH: Protecting yourself from cyberattacks challenging, says IT expert

computer-passwordsDermot Williams says hackers are creating new tricks to mount cyberattacks all the time making it more challenging to protect against them.

Williams, the chief executive officer of the information technology security firm Threatscape in Ireland spoke to Shift New Brunswick host Vanessa Vander Valk.

He said New Brunswick has all the technology skills necessary to help in the fight against cyber crime.

“If you build a better solution on the cybersecurity world people will absolutely beat a path to your door cause they need to stay ahead of the bad guys and they will be looking for the innovation coming out of smaller companies to produce solutions to challenges.”

Williams, who will be taking part in a discussion called Cybersecurity in a Dangerous Time at the University of New Brunswick Saturday, said what is most concerning about the hacks is the rewards the hackers are reaping.

In the past week, hackers were able to target election systems in 20 states in the United States, infect cameras and DVRs for massive internet attacks and steal 500 million user accounts after a hack at Yahoo.

“That’s only encouraging them to keep on doing it and become more persistent. They’re making money or if they are cyber activists, they are making a point. Or if they are politically motivated they are making wins for their side. All of these things will just keep them coming back.”

Read more here

#CyberFLASH: Buyer Beware . . . Lessons Learned From The Ashley Madison Hack

internet-privacy.jpg.size.xxlarge.letterbox“Life is short. Have an affair®.” This is the (in)famous marketing slogan used by Ashley Madison, a Canadian web site founded in 2008 and operated by Avid Life Media Inc. with the explicit mission statement of helping married individuals chat, connect and ultimately have affairs with one another. The site assured users that use of its services would be “anonymous” and “100 per cent discreet,” but, unfortunately, this was not to be the case.

Between July 15 and Aug. 20, 2015, a person/group identifying itself as “The Impact Team” hacked ALM and published details, initially on the Darkweb and eventually on the open web, of approximately 36 million user accounts. Leaked data included profile information (user names, addresses, passwords, phone numbers, the types of experiences they were looking for on the site, gender, height, weight, ethnicity, body type); account information used to facilitate access to the Ashley Madison service (e-mail addresses, security questions, hashed passwords); and billing information (billing addresses and the last four digits of credit card numbers); in addition to ALM internal documents and the CEO’s private e-mail messages. User information was quickly disseminated through several public web sites. Despite the best efforts of ALM’s counsel to quickly shut down the spread of data using DMCA copyright notices after the material appeared on Twitter and other social media sites, the breached information continued to be publicly searchable.

The fallout was swift. Reports of suicides in Canada and the U.S., myriad job resignations and marital breakups surfaced, arising from the data exposure and related public shaming. In Alabama, editors at one newspaper decided to print all the names of people from the region who appeared on the Ashley Madison database. Scammers and extortionists have also targeted Ashley Madison’s users (and alleged users) on a global basis, falsely claiming they could remove a user’s information from published data or threatening to publicly shame users online unless they sent a ransom payoff in Bitcoins to the blackmailers. Malware may have also been delivered through web sites offering to scrub user information from stolen data lists.

Read more here

#CyberFLASH: Infrastructure sectors face potentially crippling ‘insider’ cyberthreat, feds warn

electrical-grids-jpg-size-custom-crop-1086x706OTTAWA—Federal officials have quietly warned operators of electrical grids, transportation hubs and other key infrastructure of the cyberthreat from insiders who could unleash devastating viruses and cripple systems, internal government notes reveal.

Crucial networks that Canadians rely on for everyday needs face a “substantial threat” from rogue employees out to wreak digital havoc, warn the Public Safety Canada briefing notes.

“The insider threat is difficult to detect and can cause real damage.”

No special hacking skills are required, just a portable memory key loaded with a malicious code. As a result, it is important that organizations have the right security protocols and procedures, “for example by limiting access to systems only to those who genuinely need it.”

A federal briefing on the insider threat was delivered last December to leaders of the 10 most crucial infrastructure sectors, the notes say.

They point out that over 90 per cent of critical infrastructure — key to delivering everything from food and clean water to banking and health services — is controlled by the private sector and all of it is dependent in one way or another on information technology to operate. Many critical infrastructure sectors are interdependent, meaning a problem in one could have a “cascading impact” in others.

The notes, prepared earlier this year for Monik Beauregard, a senior assistant deputy minister at Public Safety Canada, were obtained by The Canadian Press under the Access to Information Act.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.