Archive for Canada

Is It Time To Make The Internet An Essential Service And Hold Canadian Telcos Accountable For Providing That Service?

Posted in Commentary on May 18, 2022 by itnerd

Back in 2016, the CRTC said that high speed Internet was “essential”. This is what they meant by that at the time:

As part of declaring broadband a “basic” or essential service, the CRTC has also set new goals for download and upload speeds. For fixed broadband services, all citizens should have the option of unlimited data with speeds of at least 50 megabits per second for downloads and 10 megabits per second for uploads — a tenfold increase of previous targets set in 2011. The goals for mobile coverage are less ambitious, and simply call for “access to the latest mobile wireless technology” in cities and major transport corridors.

The CRTC estimates that some two million Canadian households, or 18 percent of the population, do not currently have access to their desired speeds. The $750 million government fund will help to pay for infrastructure to remedy this. The money will be distributed over five years, with the CRTC expecting 90 percent of Canadians to access the new speeds by 2021. 

The new digital plan also touches on accessibility problems, with CRTC mandating that wireless service providers will have to offer platforms that address the needs of people with hearing or speech disabilities within six months. Blais said this timeline was necessary, as the country “can’t depend on market forces to address these issues.”

Fast forward to 2022 and this really doesn’t go far enough to address what I think “essential” means to Canadians. Given that a lot of us still work from home, and the Internet is the difference between earning a paycheque and not earning one, or learning and not learning, I think that this needs to change. Now Public Safety Canada has a list of “Essential Services”, which it defines as this:

Canada’s National Strategy for Critical Infrastructure defines critical infrastructure as the processes, systems, facilities, technologies, networks, assets, and services essential to the health, safety, security or economic well-being of Canadians and the effective functioning of government. 

And while this list does list “Information and Communication Technologies” as part of this, I think it needs to go further to include not only the Internet specifically, but it should also include telcos like Rogers, Bell, and Telus so that they are responsible for maintaining and resolving issues to a high standard. As in resolving issues within hours and not days. And having a minimum uptime guarantee that said telcos are held accountable to. Now I know that Rogers, Bell, Telus and others would say that this isn’t required and they go above and beyond for their customers. But while I agree that these telcos do the best that they can to resolve customer issues in what they consider to be a timely manner, I don’t think that’s good enough. When the Internet goes out for a single home or a group of homes, even for a few hours, there are people who aren’t learning or making a living. That affects the economy. That alone makes it worthwhile to explore this idea and to take action to make it reality. And perhaps if something like this came into effect, telcos would spend a lot more time and effort to ensure that their networks were resilient enough so that outages became corner cases. That would be good for all Canadians.

What do you think? Should Canada do more to make the Internet an “essential service” as I’ve described above? Please leave a comment and share your thoughts.

2022 Canadian Federal Budget Includes Spending On Cybersecurity

Posted in Commentary on April 8, 2022 by itnerd

Yesterday’s Federal Budget had a lot in it for people to pick apart. But being an IT Nerd, I am focused on the new spending for cybersecurity:

Announced this afternoon, Budget 2022 also proposes to provide $238.2 million per year after the initial five year period for additional measures to address the rapidly evolving cyber threat landscape. The budget still has to be passed by Parliament.

The spending will include:
  • $263.9 million over five years, starting in 2022-23, and $96.5 million annually ongoing to enhance the Communications Security Establishment’s (CSE’s) abilities to launch offensive cyber operations to prevent and defend against cyber attacks. The CSE is a division within the Defence Department that is responsible for protecting federal IT networks;
  • $180.3 million over five years, starting in 2022-23, and $40.6 million per year ongoing to enhance CSE’s abilities to prevent and respond to cyberattacks on critical infrastructure;
  • $178.7 million over five years, starting in 2022-23, and $39.5 million annually ongoing to expand cyber security protection for small departments, agencies, and Crown corporations; and,
  • $252.3 million over five years, starting in 2022-23, and $61.7 million per year ongoing for CSE to make critical government systems more resilient to cyber incidents.

There would also be extra money to help cybersecurity researchers in fields such as quantum computing and artificial intelligence.

Those are big numbers. Thus this must be good. Right? I reached out to an expert to answer this question. Specifically David Masson, Director of Enterprise Security at cybersecurity AI firm, Darktrace:

“The Canadian Centre for Cyber Security, the public-facing arm of the CSE, has issued several cyber threat bulletins and advisories warning Canadian organizations operating critical infrastructure (CI) of the threat of cyber-attacks from Russia and Russian-sponsored proxies. It is no surprise that the Canadian Government underscores this priority with the allotment of $180 million to protect these increasingly vulnerable organizations and an additional $252 million to build government cyber-resilience in the face of incoming cyber-threats.

 In addition to protecting CI and strengthening government defences, the vast majority of the announced budget will support the CSE in boosting its cyber capabilities, including launching offensive cyber operations against malicious actors. This shift to offensive cyber operations to succinctly combat cyber-attacks may indicate troubling intelligence surrounding impending cyber-threats. Overall, the new budget emphasizes cyber “defence,” where the strategic advantage will be with those who can defend most successfully and quickly – not focused on attacking their enemy. This funding is an essential step in ensuring that Canadian organizations do not get left behind in the global cyber war.”

It seems that Mr. Masson thinks this is positive. So I will go with that. Hopefully the Federal Government spends this money wisely so that Canadians are protected from cyber threats of all sorts.

CRTC Takes Out A Dark Web Marketplace Called Canadian HeadQuarters ….. For Now

Posted in Commentary on February 1, 2022 by itnerd

In all the Spotify related news, I forgot to do a post on the CRTC taking out Canadian HeadQuarters. This was a Dark Web marketplace and the four people behind it have been slapped with fines:

Before shutting down, CanadianHQ was one of the largest Dark Web marketplaces in the world and significantly contributed to harmful cyber activity in Canada. It specialized in the sale of goods and services, including spamming services, phishing kits, stolen credentials and access to compromised computers, which were used by purchasers to engage in a variety of malicious activities.

The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands in order to obtain personal data including credit card numbers, banking credentials and other sensitive information. The following individuals have been issued penalties for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL):

  • Chris Tyrone Dracos (a.k.a. Poseidon) – $150,000
  • Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) – $50,000
  • Souial Amarak (a.k.a. Wealtyman and Supreme) – $50,000
  • Moustapha Sabir (a.k.a La3sa) – $50,000

As the creator and administrator of the marketplace, a higher penalty is being issued to Mr. Dracos for allegedly aiding in the commission of numerous violations of CASL by the platform’s vendors and customers.

As part of this investigation, a number of other vendors have been identified and enforcement actions will be taken against them in the near future.

That’s great. But experts say that this may be a short term victory:

“Like Silk Road and more recently the White House marketplace takedown, it’s probable that another Canadian-specific marketplace for illicit goods will likely re-appear,” Ryan Westman, manager of threat intelligence team at eSentire, said in an interview.

“Individuals who are harvesting personally identifiable information to sell for the purposes of fraud will have to find new marketplaces to do business … As long as there’s demand there’s going to be individuals who are interested in fulfilling it.”

To get another perspective, I reached out to Darktrace’s David Masson and here’s what he said:

Despite occasional news items about the arrests and, even rarer, the convictions of cyber-attackers, most people would be forgiven for thinking that bad actors almost always get away with it. It can be challenging to find those responsible and hold them accountable, thanks to the anonymity of the internet and a host of sophisticated applications designed to cloak offenders’ identities. 

In terms of getting an arrest and a subsequent legal trial, knowing “who done it” is not the same as being able to prove it in a Court of Law. It is also difficult to prove what was done. While it may be clear that attackers stole money or identities, how it happened and who is to blame can be more challenging to prove with evidence. Nevertheless, legal mitigations can still occur with more creativity and bigger thinking.

With the above in mind, we should congratulate the Canadian Radio-Television and Telecommunications Commission (CRTC) for recently issuing penalties to four individuals in Canada for their involvement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). According to a CRTC statement, “The CRTC’s investigation focused on four individuals who allegedly sent emails mimicking well-known brands to obtain personal data including credit card numbers, banking credentials and other sensitive information.” 

In actuality, the CRTC issued the penalties “for sending commercial electronic messages without consent in violation of Canada’s anti-spam legislation (CASL).” We should remember, it was an inability to pay his taxes that took down Al Capone, not his other much more malicious activities. Still a result nonetheless, but both secured via more nuanced means.

It will be interesting to see how long it takes for this operation to reappear on the Dark Web. Because in my view, fines are great. But jail time would have been better. But given how hard these crimes are to prosecute, I’ll take anything that I can get in terms of punishing those behind these operations.

Canada’s Foreign Affairs Ministry Pwned By Hackers…. Russia Suspected

Posted in Commentary on January 25, 2022 by itnerd

Late yesterday it came to light that Foreign Affairs Canada had been hit by some sort of cyberattack with pretty serious consequences according to Reuters:

The incident was detected last Wednesday, a day before Canada’s signals intelligence agency said network operators of critical infrastructure should boost their defenses against Russian state-sponsored threats.

“Critical services … are currently functioning. Some access to internet and internet-based services are currently not working,” said a statement from the Treasury Board, which has overall responsibility for government operations.

As you can tell from that statement, the suspicion is that Russia is behind this. Which isn’t a surprise with their actions against Ukraine and the tensions that it created. Canada doesn’t typically comment on these sorts of things. But I suspect that we’ll hear more about this in the coming days.

UPDATE: Chris Olson, CEO of The Media Trust, had this comment:

“As highlighted by recent events, the ability to disrupt digital channels has become a strategic weapon in today’s geopolitical environment. Shutting off or redirecting websites/mobile apps harms not only consumers looking to access those services but also revenue and communication channels for business and government entities. Avoiding this scenario requires continuous monitoring of client-side experience to detect anomalous activity (domains, vendors) before it propagates and causes extensive damage. Establishing and maintaining digital trust and safety is a priority in 2022.”

UPDATE #2: Saryu Nayyar, CEO and Founder, Gurucul had this comment:

“As Canada’s own intelligence agencies have recommended just prior to the attack, organizations need to upgrade their security capabilities in lieu of potential Russian attacks. Outside of even nation state threats, threat actor groups continue to evolve their campaigns. However, despite existing investments in perimeter and defensive solutions, endpoint, XDR, and SIEM, threat actors are still evading these tools successfully. With stolen credentials and phishing attacks being used to get inside networks easily, upgraded solutions that offer behavioral based threat detection along with adaptable machine learning (ML), not rule-based, and true artificial intelligence models found in a small set of next generation SIEMs are critical to stop these multi-staged attack campaigns.”

BREAKING: Governor General’s Internal Network Pwned

Posted in Commentary on December 2, 2021 by itnerd

For those of you who aren’t in Canada, the Governor General is the representative of Queen Elizabeth II in Canada. If you want to find out what responsibility this position entails, you can click here. But with that out of the way, news is breaking that the Governor General’s office has had ‘unauthorized access to its internal network’, which is code for saying that their network got pwned. Here’s a snippet from the statement that the Governor General’s office put out:

The Office of the Secretary to the Governor General (OSGG) confirms that there was an unauthorized access to its internal network. The OSGG is working with the Canadian Centre for Cyber Security on the investigation and took immediate action to strengthen its network.

The CSE, who are the people responsible for providing the Government of Canada with information technology security and foreign signals intelligence, put out a statement on this as well:

CSE and its Canadian Centre for Cyber Security (Cyber Centre) can confirm we are working with the Office of the Secretary of the Governor General (OSGG) in response to a recent cyber incident. We are unable to comment further on any specific details regarding this incident.

Although this investigation is ongoing we can assure you that we are working closely with OSGG to ensure there are robust systems and tools in place to monitor, detect, and investigate potential threats, and to neutralize threats when they occur.

While there’s no word on the extent of the breach, any breach of any network for any government is not trivial. Thus you can fully expect that there will be a lot of work over the coming days to figure out what happened and what was done. I also expect to see over the coming days commentary from the Canadian government on this. Especially since Revenue Canada has been pwned in the past. Thus you should watch this space for more on this story.

Canadian Government Announces Funding To Bolster Cyberdefenses Related To Canada’s Energy Infrastructure

Posted in Commentary on August 12, 2021 by itnerd

A few days ago, Seamus O’Regan Jr., Minister of Natural Resources, announced $407,000 in funding to protect Canada’s critical energy infrastructure. That doesn’t sound like a lot, but it’s a start. Because we have seen cyber attacks earlier in the year aimed at US energy infrastructure that caused significant disruptions.

David Masson who is the Director of Enterprise Security at Darktrace had this to say:

Critical national infrastructure (CNI) supports the economic well-being of Canada. I am thrilled by the recent announcement of $407,000 in new funding dedicated to supporting the research and development of a cyber security system to protect Canada’s critical energy infrastructure. Securing CNI is one of the top priorities for any government to protect against increasingly sophisticated and fast-moving cyber threats. Friday’s announcement by the Canadian Minister of Natural Resources underscores this key priority.

The recently announced funding also includes a $104,000 investment in the Canadian Gas Association (CGA) to strengthen the cybersecurity of Canada’s natural gas delivery systems. This funding area is particularly interesting because it provides further evidence that the Canadian government is taking the necessary steps to protect energy infrastructure. 

We must focus on securing critical infrastructure against the growing threat landscape – and fast. While public funding and research can help identify threats, Canadian organizations need to leverage innovative security tools for total visibility into their network and increased understanding of their complicated digital infrastructure. Humans can no longer defend against machine-scale attacks alone. Self-learning artificial intelligence (AI) tools can support lightening the burden on security teams by allowing them to see and stop threats at their earliest stages before hackers can do any harm.

Hopefully the Canadian Government is listening and directs this money to get the results that David Masson is speaking of.

A Pair Of Student Aid Websites In BC Possibly Pwned By Hackers

Posted in Commentary on May 5, 2021 by itnerd

A pair of websites in BC related to student aid have apparently been pwned by hackers. CBC News has the details:

The Ministry of Advanced Education and Skills Training says it has temporarily shut down two British Columbia websites after both appear to have been compromised.

The home pages of StudentAid B.C. and LearnLive B.C. were altered Sunday and replaced with a statement allegedly from a hacker group.

The affected sites offer application assistance or details about scholarships, grants, bursaries, loans and other financial programs for post-secondary students.

A statement from the ministry says it has been alerted to the problem and is investigating, along with the Office of the Chief Information Officer.

Needless to say, this is not good. And it isn’t clear at this point if any information has been leaked. Which is also not good. David Masson, Director of Enterprise Security for Darktrace had this to say:

Threat actors seek to cause maximum disruption, regardless of the victim or organization. In taking down the StudentAid B.C. website right at the beginning of the summer semester, cyber criminals are intending to inflict as much harm as possible to a vulnerable part of the B.C. population. Little has been disclosed about the nature of the attack, and this lack of information will only be causing more concern for organizations who are keen to avoid the same fate.

With machine-speed, novel attacks on the rise throughout Canada, traditional signature and rules-based security systems are simply not able to match the pace of attacker ingenuity. In addition, with security teams still struggling with the fallout from mass and sudden digital transformation, more and more Canadian organizations are turning to AI to identify attacks as they happen and autonomously respond to stop them from causing damage. AI is also capable of automatically investigating incidents such as those that happened on the StudentAid B.C. website, which drastically reduces time spent triaging and reporting, empowering human teams to disclose, reassure quickly, and most critically, to react before the damage is done. 

Hopefully, companies take heed of this warning and do what is required to stop this sort of thing from happening in the future.

Conservative Party Of Canada Calls For Investigation Into Rogers-Shaw Deal

Posted in Commentary on March 17, 2021 by itnerd

This didn’t take long. And it’s bad news if you’re Rogers.

The Conservative party is calling for a House of Commons committee study into the Rogers deal to acquire Shaw. MP Pierre Poilievre says his party will trigger hearings into the deal to ensure that it will benefit all Canadians. Here’s what he had to say:

Poilievre noted that the Conservative party continues to believe that having four competitors is better than three and that the committee will try to determine if there are ways to ensure that four competitors will remain. This is a good move for Canadians as more competition is good for consumers. And this deal if it goes ahead will result in less competition and likely higher prices.

BREAKING: 800K Canadians To Be Locked Out Of Their CRA Accounts Tomorrow

Posted in Commentary on March 12, 2021 by itnerd

From the “this does not inspire confidence” department comes news that 800,000 Canadians will be locked out of their Canada Revenue Agency accounts tomorrow due to “cybersecurity risks”. This sounds similar to what happened less than a month ago where 100,000 other Canadians had their accounts locked as their credentials were allegedly floating around the dark web. Those who are affected by this will get instructions as to how to unlock their accounts.

I’m sorry, but this is once again a #fail on so many levels.

  1. Simply sending an email out saying that your Canada Revenue Agency account has been locked is going to freak people out. That’s because the history of the Canada Revenue Agency when it comes to IT security quite frankly sucks as they have been repeatedly pwned by hackers.
  2. Clearly their defenses are so poor that they clearly have to resort to locking out accounts. That’s pretty poor.

The fact is that the Canada Revenue Agency needs to really explain this. They can’t keep resorting to locking accounts to solve what is clearly a larger IT security issue. So they need to step up their game otherwise they will not be trusted by Canadians.

Supreme Court Refuses To Hear Appeal From Canada’s Big Telcos In Relation To Being Ordered By The CRTC To Lower Wholesale Rates [UPDATED]

Posted in Commentary on February 25, 2021 by itnerd

In good news for small wholesale-based ISPs, the Supreme Court has today said that it won’t hear an appeal by Canada’s biggest telecoms of the wholesale rates the CRTC lowered back in August 2019. Those are the rates that are charged to independent ISPs that use the infrastructure of big telcos. This decision not to hear the case basically puts an end to this case.

I asked for a comment from independent ISP Distributel in relation to this development and got this back:

“This is a positive development,” says Matt Stein, CEO of Distributel. “We support our court system and we trust in the system, and we’re very glad to see an end to this case. Canadians deserve affordable internet access, especially now when so much of our lives has moved online by necessity. Connectivity is so important right now – our average customer has increased their internet usage by 24 per cent since the pandemic hit – yet for many Canadians it’s just not affordable, especially given the global crisis we’re in.”

One thing that Distributel pointed out to me is that when the CRTC released its original rate decision in August of 2019, Distributel immediately passed the benefits on to Canadians. The company also moved to increase internet speeds for the majority of its customers at no extra cost, and launched competitive new retail pricing for bundled and stand-alone products and services.

Now I fully expect the big telcos to come up with some new way to avoid having to do what they should have done in 2019. Which is to lower wholesale rates as per the CRTC decision. I see scenarios where they use stalling tactics or threats to get their way because the big three have proven that they are unwilling to do what is right by Canadians.

UPDATE: I just received a statement from independent ISP TekSavvy. Unsurprisingly they are happy with the decision. Here is their statement in full:

TekSavvy Solutions Inc. (TekSavvy) welcomed today’s decision from the Supreme Court of Canada declining to hear appeals by Canada’s largest telecom and cable companies (such as Bell Canada and Rogers), who seek to overturn a key 2019 CRTC decision lowering the wholesale Internet rates the large carriers charge smaller competitors.

The Supreme Court’s ruling ordered the large carriers to pay TekSavvy’s legal costs, following an earlier, unanimous decision from the Federal Court of Appeal rejecting the large carriers’ appeals with costs, noting the large carriers’ arguments were of “dubious merit”. The Supreme Court’s decision was issued amid growing frustration and demands by Canadian consumers for federal action on affordable internet. 

The CRTC’s August 2019 Final Rates Order is the result of an extensive four-year regulatory proceeding that confirmed the large carriers systematically deviated from the CRTC’s rate-setting rules to grossly inflate their costs of providing wholesale access to their networks. The CRTC condemned the large carriers’ rate-fixing as “very disturbing” because it would drive smaller competitors out of business. The large carriers appealed the 2019 Final Rates Order to the courts, the Federal Cabinet and the CRTC itself.

Even after the Federal Court of Appeal’s complete rejection of the incumbents’ appeals, the CRTC issued a new decision declining to implement its own order. The CRTC instead allowed the large carriers to continue charging grossly inflated rates until the CRTC decides on Bell and Rogers’ further requests to raise prices and keep the overcharged amounts. TekSavvy is challenging the CRTC’s stay decision, calling it “flawed and unreasonable”.

Denied rate relief and refunds for overcharged amounts, TekSavvy was forced to raise its prices. In addition to the prospect of further price hikes, TekSavvy warned that the CRTC’s failure to act is hostile to independent investment, warning “the single greatest threat to TekSavvy’s quarter billion dollar investment plan is the CRTC’s delay in implementing its 2019 final wholesale rate order”. The company said it is currently reviewing its business plans in light of the continuing climate of extreme regulatory uncertainty.