Categories
Links

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison | Toronto Star

Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison:

Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.

The Act will introduce fines up to $100,000 for deliberately not reporting a breach.

“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.

“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”

There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.

Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent them, Parsons said.

“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity, where concerns tend to lead to IT professionals saying “no” to a lot of ideas, while also eating up company time, money and resources.

“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”

Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.

“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”


Categories
Links

So your name is in the Ashley Madison database … are you a cheater? | Metro News

So your name is in the Ashley Madison database … are you a cheater?:

“There was no requirement for verification prior to being added to their database,” said Christopher Parsons, a post-doctoral researcher and cyber-security expert at the University of Toronto’s Citizen Lab.

“It’s entirely possible that people’s email addresses were added by friends or co-workers as a prank.”

But, he said, the likelihood of that “is somewhat low.”

Just because someone’s email address can be found in the database doesn’t mean they were active users who committed adultery. They could have just been curious about the site, Parsons said.

While those who registered for the site using their official, government-issued email addresses may be naïve, Parsons said some of them may have done so intentionally.

“Perhaps they share a personal email account with their spouse or partner,” he said. “Using their government account might have been seen as safer.”

Although there have been larger data breaches in the past, Parsons said the Ashley Madison hack is worrying because government officials found using the site could become victims of blackmail.

It’s happened after data breaches in the U.S. and could happen just as easily in Canada, he said.


Categories
Aside Links

U.S. Cyber Command investment ensures hackers targeting America face retribution

U.S. Cyber Command investment ensures hackers targeting America face retribution:

Later that summer, Marine Lt. Gen. Richard P. Mills bluntly told a conference in Baltimore that commanders under his control in Afghanistan routinely used cyberwarfare tactics to attack and disable al Qaeda and Taliban enemies.

“I can tell you that as a commander in Afghanistan in the year 2010, I was able to use my cyberoperations against my adversary with great impact,” Gen. Mills was quoted at the time as saying. “I was able to get inside his nets, infect his command and control, and in fact defend myself against his almost constant incursions to get inside my wire, to affect my operations.”

While the military is developing the capability, the political and policy realm is struggling with the right parlance.

If that’s the language that US generals are using to explain what ‘cyber’ is, then I think that the executive class is clueless about the things that their ‘cyberwarriors’ are up to. And if they’re this clueless, then how can they be relied on (or quoted in anything other than a mocking way?) to provide expert advice to policy makers, politicians, or the public?

Categories
Links

Cyber-security in 2014: What we learned from the Heartbleed bug

Cyber-security in 2014: What we learned from the Heartbleed bug:

Parsons warned that the fallout from Heartbleed may not be over for web users.

We still don’t know just how much information was stolen or accessed as a result of the bug. Stolen login credentials and user information are likely to be leaked by hackers, putting users at risk of additional hacks.

The problem is hackers could leak this information at any time.

“If logins and passwords were successfully extracted – and I’m willing to say 99.9 per cent of people haven’t changed all of their passwords – people still could be affected,” he said.

“Always expect at some point, possibly through no fault of your own, you will be compromised,” Parsons warned.

“Then think, ‘What would I do if my personal information was leaked?’ Thinking before these things happen can help you come up with a recovery strategy.”


Categories
Links

Is Uber’s rider database a sitting duck for hackers?

Is Uber’s rider database a sitting duck for hackers?:

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision – where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.


Categories
Links

Advancing Encryption for the Masses

Advancing Encryption for the Masses:

The work of WhatsApp, Facebook, Open Whisper Systems, the Electronic Frontier Foundation, and the other members of the ‘Let’s Encrypt’ initiative can massively reduce the challenges people face when trying to communicate more responsibly. And the initiatives demonstrate how the cryptographic and communications landscape is shifting in the wake of Snowden’s revelations concerning the reality of global-scale surveillance. While encryption was ultimately thrown out of the original design specifications for the Internet, it’s great to see that cryptography is starting to get bolted onto the existing Internet in earnest.


Categories
Aside

German spy agency seeks millions to monitor social networks outside Germany

The BND also wants to spend €4.5 million to crack and monitor HTTPS (Hypertext Transfer Protocol Secure) encrypted Internet traffic. By 2020 some of that money may be spent on the black market to buy zero-day exploits, unpublicized vulnerabilities that can be exploited by hackers. That program, called “Nitidezza”, should also provide better protection for government networks, German weekly Der Spiegel said in a separate report on BND’s budget requests.

Moreover, a plan to monitor Internet exchanges outside Germany is also in the works. Next year, the agency wants to spend €4.5 million on a program called “Swop” to provide additional hidden access to a non-German exchange, the newspaper report said.

Because the solution to the ‘cybersecurity problem’ is to undermine the capacity for secure communications rather than working to strengthen what we have…

Categories
Writing

Sadness and Fury Call for Enhanced Democracy, Not Enhanced Security

Today was deeply disturbing for me: what should have been a routine day of presenting at a conference panel turned into a day where I (and other conference members) were placed into lockdown (along with thousands of others in downtown Ottawa and government offices) in the wake of a serious crimes event.

The panel was for the IIC-Canada, and we were to discuss the topic of telecommunications transparency reporting. Immediately prior to the panel, however, a gunman shot and killed a reserve soldier standing guard at the National War Memorial in Ottawa. The gunman then proceeded to Parliament where he was ultimately shot dead. He was killed inside the central block.

Shortly after the panel, and just as lunch began, the second floor of the convention centre was cleared and we were moved to the third floor. It was a bit strange, truth be told: we moved using cargo elevators so as to keep people away from the building’s exterior windows. Then, after several hours under lockdown we were all freed to leave.

We were never in any particular danger. The lockdown was just a precaution for safety’s sake.

Nevertheless I’m sad. And furious. Absolutely furious that a reservist was killed at a war memorial. Enraged that someone had the audacity to enter the Parliament with the intent to cause serious harm and death to those within. Sickened that bad legislation may follow from the attack, an attack which targeted people who have committed themselves to protecting and advocating for Canadians. Public service is an honourable calling and the criminal targeted exactly those who had heard the call.

Thus far the Canadian media has generally been balanced. And I think my reaction – sadness and anger – is in common with many Canadians. We’re not terrified. We’re righteously pissed off at the individual or individuals who chose to attack the symbolic heart of our democracy.

No matter how problematic the laws passed, however dysfunctional the party politics, and regardless of the bad behaviours in Parliament, our MPs are there to peacefully and verbally resolve and address the issues of the day. Words are the way that problems are addressed and dealt with; they are not solved using violence involving martial weaponry.

The solution to the attack today is not more weapons and less public access to Parliament or more constrained or secured debate but the opposite: equivalent parliamentary security and access to Parliament, and even more robust and transparent parliamentary debate. We can choose to seek vengeance or simply carry on in the face of this attack. I, like many or most Canadians, pray that the latter approach is adopted over the former.

Categories
Links

Obama signs “BuySecure” initiative to speed EMV adoption in the US | Ars Technica

It’s always nice to see the US racing to catch up to where the rest of the world’s been at for many, many years. And all it’s taken has been a series of catastrophic data breaches!

Categories
Links

Crypto certificates impersonating Google and Yahoo pose threat to Windows users

Crypto certificates impersonating Google and Yahoo pose threat to Windows users:

Yet another reason why (a) the certificate authority system is broken; (b) Microsoft is stuck trying to fix problems that it (partially) brings upon itself; (c) Chrome is arguably the most secure – if not privacy protective – of the major Web browsers.