#CyberFLASH: Hackers say the Canadian government doesn’t want their help


The U.S. Department of Defence has turned to well-intentioned hackers and independent security researchers to help the government agency find software bugs and vulnerabilities in its computer systems.

But in Canada, the government appears to still have no formal policy or public guidelines, which makes it difficult for those who do find flaws to know what to do, or how the government might respond.

“There’s no formal process,” says Imran Ahmad, a partner at the law firm Miller Thomson who works with clients on cybersecurity-related issues. In the absence of such a process, he says, those who find flaws “just don’t know how the government’s going to react, and they just want to protect themselves.”

“My advice to anyone who finds a flaw in a government website at this time would be to forget they ever saw it,” wrote web developer and security researcher Kevin McArthur in an email.

In the past, companies and governments often threatened security researchers and coders who found and published details about vulnerabilities in software with litigation, prompting the adoption of an informal process called “responsible disclosure.”

Read more here

#CyberFLASH: Hackers are finding Canada

We like to think that Canada is a country serious hackers aren’t interested in. But the latest figures from security vendor Trend Micro show we aren’t invisible to them.

Among the findings of its research collected in the first quarter, Canada was among the top countries that posted the highest number of point of sale RAM scraper infections. It placed seventh in the top 10 affected countries, with four per cent of the total number of infections.

Relative to other countries, four per cent isn’t big. But it does suggest attackers are figuring out that there are potentially lucrative targets north of the U.S.

Other figures show that Canada was in the top 10 countries affected by ransomware, sitting in ninth place with two per cent of all infections.

That’s part of a global increase in ransomware that started in the last quarter of 2014 and is continuing, the report notes. Also, crypto-ransomware — which encrypts files in network shares — jumped to account for nearly half of all ransomware infections and marked a four-fold increase in infections compared to the first quarter of 2014.

Perhaps most alarmingly, the numbers show Canada ranks ninth among the countries that posted the highest number of users who clicked malicious URLs in the first quarter of 2015.

Read more here

#CyberFLASH: Stark consequences of a single failure illustrate importance of new era cyber protections

The significant impact a single failure can have in an environment of quickly advancing interconnectedness and interdependency on the Internet demands a new way of thinking about cyber security, argues Ray Boisvert, president and CEO of I-Sec Integrated Strategies.

Speaking at the ARC Group Canada Spring Seminar 2015 in Toronto Thursday, Boisvert, a former assistant director, intelligence with the Canadian Security Intelligence Service (CSIS), cited an industry estimate that the number of devices connected to the Internet would soon be north of the 60-billion mark.

“The Internet of Things is everything connected in our homes, our offices, everything that transforms our lives daily and increasingly becomes interconnected and, more important to you, interdependent,” he told attendees. “One failure can have really stark consequences for your personal lives and for your professional existence.”

The challenge is everyone is living in an environment where the threat surface keeps on growing. Why? Because of the Internet of Things, Boisvert said.

“We have more things that are connected to the networks and we have deeper supply chains. We have a big global network. We have more partners and alliances that work together, but they are part of your network without having to meet the same standard,” he pointed out. “No matter how much you may invest, others may not be equal to the task and that’s a very, very common gap.”

Boisvert suggested that “any kind of business in any kind of environment, whether you’re in a law firm or you’re selling insurance or manufacturing widgets, you are first and foremost an IT company.”

Read more here

#CyberFLASH: Many private companies in the dark about cybersecurity vulnerabilities

While 88% of private companies in Canada “agreed or strongly agreed” that cybersecurity is an important issue for their organization, firms are in the dark about what they need to do, where their vulnerabilities lie and what to do about them, suggests a new report from PwC Canada released this week.

The study, PwC Canada’s 10th annual Business Insights Survey of Canadian private companies, titled Balancing digital opportunity with cybersecurity risk, found that 42% of respondents said that they’ve never conducted formal cybersecurity employee training. A total of 52% of respondents also said that “employee training related to cybersecurity is not a priority for their business.”

Respondents cited hackers (66%), former employees (41%) and competitors (32%) as their most likely sources of cyberattacks. “Today’s cybercriminals often target companies that have been slower to invest in security as a platform to launch an attack on other organizations,” said Jason Green, director in PwC’s Cyber Resilience team, in a statement. “Private companies need to assume a stronger security posture. When clients hire us to conduct security testing, we can bypass their technical security controls nearly every time.”

The cost to a business that is hacked may be measured by loss of customers, lawsuit payouts, interruption to business or reputational damage, the statement notes. “Investing in cybersecurity will pale in comparison to the costs associated with being in the middle of a large scale breach,” added David Craig, leader of PwC’s Risk Assurance Services Cybersecurity and Privacy practice.

The report suggests that companies look at a “customized and scalable solution” that addresses a company’s specific vulnerabilities and critical information protection requirements, rather than investing in “off-the-shelf” packages. Companies should also:

Read more here

Is Canada sleepwalking into a cyberwar?


The next 9/11-scale attack on North America likely won’t be launched by terrorists wielding box-cutter knives, hijacking airplanes to fly them into buildings. Nothing so dramatic.

It could come quietly, through the fiber-optic network that invisibly knits together the modern world. Imagine a highly orchestrated series of online attacks on our critical infrastructure — oil and gas pipelines, nuclear power plants, electricity grids, critical communications systems, even our banking system.

Such an attack could shut down key sectors of the North American economy. It could kill many, many people.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.