Archive for Canada

Canadian Centre for Cyber Security’s Cyber Threat Assessment Released….. It Says That Foreign Actors Are A Major Threat

Posted in Commentary on November 23, 2020 by itnerd

Last week, the Canadian Centre for Cyber Security released their Cyber Threat Assessment to the public.

Findings from the report identified state-sponsored programs in China, Russia, Iran and North Korea as major cyber-crime threats and said it feared foreign actors could try to disrupt power supplies. The Communications Security Establishment (CSE) signals intelligence agency, equivalent to the U.S. National Security Agency, said the four nations’ programs posed the greatest strategic threat to Canada. What this basically says to me is that companies need to up their cybersecurity defenses so that they aren’t victims of these foreign actors.

Here are some more facts:

  • The state-sponsored cyber programs of China, Russia, Iran, and North Korea pose the greatest strategic threats to Canada.
  • They have assessed that state-sponsored actors will almost certainly continue to attempt to steal Canadian intellectual property and proprietary information, especially related to COVID-19.
  • Online foreign influence campaigns are the new normal, and no longer limited to key political events such as election periods.
  • Adversaries now look to influence discourse on both domestic and international current events. 

David Masson, Director of Enterprise Security for Darktrace had this to say about the report:

This report is a welcome refresher. Many times, organizations wait to take security precautions after a cyber-attack has already caused damage. However, this is a call to action, sounding the alarm for organizations to listen up and take action now before it’s too late. By outlining the cyber threats that Canada faces, the Canadian Cyber Security Centre has brought companies’ and organizations’ attention to the scope and scale of the 21st century threats they face. Companies should take this time to reevaluate their own security solutions and strategies and pay close attention to how they can improve.

Some of the most concerning notes in the report are the convergence of IT and OT systems and the increase in ransomware attacks. It also draws attention to the fact that state-sponsored actors will continue to attempt to steal Canadian intellectual property and proprietary information, especially related to COVID-19. Cybercriminals have always been inherently opportunistic – they are constantly innovating and looking for new, creative ways to take advantage, disrupt and make as much money as possible. 

As cyber threats begin to outpace human abilities, this report reminds us that combatting the rising threats will be a combined effort between Government, the private sector, and individual Canadian citizens.

Those who are responsible for defending their IT infrastructure should give the report a read and act accordingly.

Canadian Government Commits To Connecting Most Canadians To Broadband Internet

Posted in Commentary on November 10, 2020 by itnerd

Canadian Prime Minister Justin Trudeau says his government is now on track to connect 98% of Canadians to high-speed internet by 2026:

Prime Minister Justin Trudeau and a handful of cabinet ministers held a news conference in Ottawa to launch the $1.75 billion universal broadband fund — a program unveiled in the federal government’s 2019 budget and highlighted on the campaign trail and in September’s throne speech. Most of the money was announced in last year’s budget. “We were ready to go in March with the new Universal Broadband Fund and then the pandemic hit,” Rural Economic Development Minister Maryam Monsef told reporters. The prime minister said the government is now on track to connect 98 per cent of Canadians to high-speed by 2026 — an increase over the previously promised 95 per cent benchmark — and to link up the rest by 2030. 

About $150 million from the fund will be freed up to fund projects aimed at getting communities connected by next fall. Senior officials with the department of Innovation, Science and Economic Development said applications will be reviewed on an ongoing basis until Jan. 15, 2021, with a goal of having projects completed by mid-November, 2021. Deciding who gets upgraded connectivity first will depend on the service providers applying, they said. The prime minister said the government also has reached a $600 million agreement with Telesat for satellite capacity to improve broadband service in remote areas and in the North.

This is good news as simply getting Internet access is an issue for many Canadians. Not to mention that a lot of Canadians only have access to crappy Internet. But that doesn’t solve the fact Internet access costs way more than it should in Canada. I’d really like to see the Canadian government do something about that. But beggars can’t be choosers I suppose.

Hyundai Canada & Kia Canada Owners…. You Can Get Updates For Your Infotainment System For FREE

Posted in Tips on October 1, 2020 by itnerd

Long time readers know that I have been covering Hyundai Canada’s struggles to get Apple CarPlay and Android Auto to their fleet of cars. They eventually did get there in terms of newly purchased cars and the ability to upgrade some of their existing cars. And they did that for free for a while. But that program ended some time ago.

Now, as of this year, numerous KIA and Hyundai models in Canada have access to map updates for free. And if you don’t presently have Android Auto or Apple CarPlay, you can get that for free as well. Here’s how you do it:

  • First, you need to have a 32GB class 10 SD card handy. If you don’t have one, they’re cheap enough to source on Amazon or on B&H Photo.
  • Next, surf to the Mapnsoft website and choose your brand.
  • If you don’t have an account create one. Otherwise log in with your account details.
  • Pick your country, model year, and model.

This will (hopefully) take you to a screen like this:

You can view the instructions in terms of updating it as well as read about the features that you can get with this update. You can order it for $30 and have it shipped to you on an SD card (which is way cheaper than it has been in the past). But you really want to click “download it to free” to go that route.

Now I won’t walk through the entire process to update your infotainment system as that’s very well documented. But here are the highlights. It takes a while to do as you have to download software for your PC or Mac, which will in turn download the software for your infotainment system and put it on your SD card. But having done this myself, I started this at 7PM. By 7:20PM it had downloaded the update and started the process of putting it on the SD card. But by 10PM it still wasn’t done. I left it overnight and I woke up to it having completed the process. So I don’t know how long it actually takes, but it wasn’t quick. Then you take the SD card to your car and use it to update your infotainment system. That takes about 45 minutes and you need the engine running to do it. My suggestion would be to take a drive until it is done. But this part is completely in line with other updates that I have done.

Gripes? The Mac version of this software isn’t notarized by Apple. Which means you have to hop through a few hoops to get this to run as it sets off Gatekeeper because it thinks it’s a virus. Mapnsoft should really fix that as those hoops won’t be able to be bypassed.

This is a very good development for Hyundai and Kia owners in Canada as those owners can keep their maps and infotainment systems up to date. If you’ve held off on updating your infotainment system, you don’t need to hold off anymore as you can update your infotainment system with your only investment being time.

College Of Nurses Of Ontario Pwned In Ransomware Attack

Posted in Commentary on September 22, 2020 by itnerd

The College of Nurses of Ontario (CNO) is still trying to figure out if the personal information of its 300 employees and 195,500 members has been compromised more than ten days following a ransomware attack. CBC News has the details:

“We are aware of a claim on the dark web regarding data theft from CNO,” the nursing regulatory body told CBC News in a statement.

“While we are not able to confirm at this time, through a comprehensive forensic investigation, CNO is seeking to determine whether personal information was compromised as result of the incident that may require notification to individuals. Although CNO was affected by ransomware, the organization is implementing a range of approaches to resume operations safely and securely, including restoring from backups.”

Hackers have posted some of the information they claim to have obtained online, including folders marked “Human Resources” and “Human Rights Matters.” Among the information posted are photos of small claims and Superior Court settlements, which include the full names, addresses and phone numbers of people. 

Lovely. This isn’t a trivial attack as clearly someone has information that they shouldn’t have. And it will be interesting to see what The College of Nurses of Ontario does to remedy this situation. You should likely stay tuned for updates.

David Masson, Director of Enterprise Security at Darktrace had this to say:

This latest news follows a number of intensifying ransomware attacks globally – just last week a woman’s death in Germany has been directly linked to a cyber-attack. Threat actors no longer simply lock up data until the ransom is paid; instead they steal it and threaten exposure until they receive payment. This ransomware technique has been a developing trend since the end of 2019 in Canada. When attackers are able to target data, we can assume they have been lying dormant in the infrastructure for some time before they launch a full blown attack.

This is common amongst organizations around the world who struggle to get visibility over their increasingly disparate and dynamic workforces. CNO may now pay a price in loss of trust through not having disclosed to their clients as soon as possible that they suffered a compromise. In situations like this it is best practice to have a disclosure plan and to disclose as soon as possible otherwise it is likely that someone else will make the story public and it won’t be on the company’s terms.

Ransomware is evolving but the key to preventing attacks remains the same. It is clearer than ever before that the status quo is not good enough. Organizations need to ensure they are using the best technologies available to them, like AI, to automatically stop fast-moving attacks in their tracks.

BREAKING: Canada Revenue Agency Now Says 48500 Accounts Affected By Credential Stuffing Attack

Posted in Commentary on September 17, 2020 by itnerd

Well, this is a wee bit alarming.

The Canada Revenue Agency or CRA for short now says a mind blowing 48500 accounts were affected by the credential stuffing attack that happened in August that forced the CRA website offline for a few days and affected a number of government departments in the process while security was improved. CTV News has the details:

In a major update to the impact of a series of credential stuffing attacks on government websites including the Canada Revenue Agency, the country’s top information officer now says that “suspicious activities” have been found on 48,500 CRA user accounts.

And:

While it was initially reported that 5,500 CRA account users had their personal information accessed, officials then updated that number, saying a total of 11,200 accounts across Government of Canada services were compromised in the attacks. These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.

Every Canadian should be running to the CRA website and doing the following right now:

  1. Log in and see if you can still do so. If you cannot, you may have a problem.
  2. If you can log in, check to see if you applied for the Canada Emergency Response Benefit. If you haven’t but the CRA website says you have, you have a problem.
  3. Check to see if your address or banking information has changed. If it has you have a problem.

Now if any of the above falls under the “you have a problem” category, you should do what is recommended in this release from the CRA, which is to call 1-800-959-8281 (English) or 1-800-959-7383 (French) immediately.

If all is well with your CRA account, I would instantly change your password to something that is at least 8 characters long, contains an uppercase letter, a number, and for bonus points a special character (!@#$%^&* for example). And I would enable email notifications on your account so that you can get notified of any changes. Especially ones that you didn’t make.

The bottom line is that the Government of Canada has now seriously dropped the ball here. To have about 4 times as many people affected by this hack is appalling. And they are beyond due to answer some serious questions about why this happened and why they should be trusted to protect the personal information of Canadians going forward.

Class Action Lawsuit Filed Over CRA Hack

Posted in Commentary on August 31, 2020 by itnerd

Given how easily hackers appear to have used the personal information of Canadians to get their hands on COVID-19 benefits and how shambolic the response has been, as well as how lame the security measures that were put in place after this hack, I am not at all surprised that there’s now a class action lawsuit over this whole affair. CBC News has the details:

The lawsuit alleges that a series of “failings” by the government and the Canada Revenue Agency (CRA) allowed at least three cyberattacks between mid-March and mid-August, but the public wasn’t alerted until CBC News broke the story on Aug. 15.

The Treasury Board and the CRA held a news briefing to confirm the security breaches Aug. 17.

The proposed class proceeding claims the delayed detection of the hacks caused the number of victims to balloon to at least 14,500.

“The actions of the [CRA] are reprehensible,” states the claim, “and showed a callous disregard for the rights of [victims].” 

It alleges the agency’s conduct was “a deliberate … departure from ordinary standards of decent behaviour, and as such merits punishment.”

The CRA has blamed “a vulnerability in security software” for the online breaches, and has said it wasn’t aware of the first cyberattack until Aug. 7.

The agency and the federal government have yet to file a legal response.

And what’s really interesting is the fact that the lawsuit alleges that the government was hasty in implementing COVID-19 benefits and didn’t take the time and effort to make sure that they could be securely delivered:

The legal action alleges the CERB and CESB were “implemented hastily,” without adequate security measures.

As a result, it claims hackers were able to steal the personal information of applicants — including social insurance numbers, home addresses, bank account details and tax information — and use the stolen data to impersonate victims, change addresses and direct deposit information and file fraudulent claims under the emergency programs.

The lawsuit alleges the victims have been hit with a double whammy: their aid applications have been frozen while the breaches are investigated, causing financial strain, plus they will have to guard against identity theft for the rest of their lives.

I’ve said before that people within the government need to be held accountable for this mess. A class action lawsuit is a great way to do that because assuming that the government doesn’t settle out of court first, all the facts will come out in court under oath. That’s not going to look good for those in the government who were responsible for this fiasco. I for one hope that the government loses big as protecting the personal information of Canadians needs to be their number one priority 100% of the time.

The Canada Revenue Agency Site Is Back Online…. And I Believe Their New Security Measures Are A #Fail

Posted in Commentary on August 20, 2020 by itnerd

Today the online services related to the Canada Revenue Agency are back online for the most part. They were taken down after they were pwned by hackers using a technique called credential stuffing. Now during a news conference the Canadian Government said that they were going to mitigate this. I’ve had a look at their mitigation strategy, and I am not impressed. But I am getting ahead of myself here. Let me explain what credential stuffing is using this Wikipedia article:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Since the attack is automated, you have to stop the automation from being effective. The way that the Canada Revenue Agency has chosen to do this is to use a CAPTCHA like system. In short, when you log in, you’ll be required to recognize shapes or objects. Something that humans excel at, but computers suck at. Which is why this is a way of stopping an automatic attack such as credential stuffing. Here’s what I saw when I logged into the Canada Revenue Agency:

In this case, I had to pick out all the buses on this screen. There were 9 pictures of which I only had to pick out the correct three pictures. I logged in a few times and I only had to pick out three pictures every time. Which seems kind of low to me.

Here’s my main problem with this. This is not the best way to stop this kind of attack. What the Canada Revenue Agency should be doing is using multi-factor authentication. In short, multi-factor authentication requires multiple factors to verify your identity. For example, a password and a code from an app installed on your smart phone. The reason why this is better is that CAPTCHA-like systems can be defeated by machine learning attacks, cheap human labor, or services on the dark web that specialize in defeating CAPTCHA-like systems. Multi-factor authentication systems, on the other hand, require the attacker to have all the factors in hand, or to simulate them to make an attack successful. That’s possible to do, but is way harder to pull off. Especially if a system like Microsoft Authenticator or Google Authenticator is used. Another plus is that if you get a request out of the blue to authenticate a login, and you are not logging into anything, then you know that you are potentially being hacked. Think of it as being a canary in the coal mine.
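To make the password-plus-app-code idea concrete, here is an added example (not code from this post or from the CRA) of a login check that requires a password and a time-based one-time code of the kind authenticator apps generate (TOTP, RFC 6238). The user store, the account name and password, and the `enroll`, `login` and `demo` helpers are constructed for illustration; the shared secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30                 # seconds per TOTP time step (RFC 6238 default)
PBKDF2_ROUNDS = 200_000   # constructed demo value; tune for your hardware
DUMMY_SALT = os.urandom(16)
# Published RFC 6238 SHA-1 test key, base32-encoded as authenticator apps expect.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, now, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now) // STEP, digits)


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def enroll(users, username, password, secret_b32):
    salt = os.urandom(16)
    users[username] = {"salt": salt, "pw_hash": hash_password(password, salt),
                       "totp_secret": secret_b32, "last_counter": -1}


def login(users, username, password, code, now):
    """Return 'ok', 'denied' (bad password) or 'second_factor_failed'."""
    user = users.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    candidate = hash_password(password, user["salt"] if user else DUMMY_SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied"
    current = int(now) // STEP
    for counter in (current, current - 1):      # tolerate one step of clock drift
        if counter <= user["last_counter"]:
            continue                            # each code is accepted only once
        expected = hotp(user["totp_secret"], counter).encode()
        if hmac.compare_digest(expected, (code or "").encode()):
            user["last_counter"] = counter
            return "ok"
    # Correct password but no valid code: either a mistyped code or a password
    # someone else holds, so repeated hits are worth alerting on.
    return "second_factor_failed"


def demo():
    users = {}
    enroll(users, "alice", "Winter2020!", RFC6238_TEST_SECRET)  # constructed account
    now = 59                                                     # RFC 6238 test time
    good = totp(RFC6238_TEST_SECRET, now)
    return [
        login(users, "alice", "Winter2020!", None, now),      # reused password, no code
        login(users, "alice", "Winter2020!", "000000", now),  # reused password, guessed code
        login(users, "alice", "wrong-guess", good, now),      # wrong password
        login(users, "alice", "Winter2020!", good, now),      # account owner
        login(users, "alice", "Winter2020!", good, now),      # same code replayed
    ]


if __name__ == "__main__":
    print(demo())
```

The `second_factor_failed` outcome is the server-side counterpart of the unexpected login prompt described above: the password was right, so the account holder should be told and the password reset.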

Given that the Canada Revenue Agency has been hacked multiple times, they have to do much better to protect Canadians. And I do not believe that what they have done is enough to stop the next attack. Hopefully, they improve the security of their infrastructure over time.

One other thing. If you are a Canadian with a Canada Revenue Agency account, I would strongly suggest that you log in and do the following:

  • Change your password to something that is at least 8 characters long, contains upper and lower case characters, and has at least one numeric character in it. And it should not be something that is used in whole or in part on another website.
  • Make sure you have an email address entered so that if your personal information is changed, you will get an email alert. That will alert you to a possible hack. You can get more info on that here.
  • Check your account to make sure that your personal information such as banking info and address info has not been changed.

The Canada Revenue Agency Hacks Affects 24 Different Government Agencies…. Some Serious Questions Need To Be Asked About This Incident

Posted in Commentary on August 17, 2020 by itnerd

Yesterday I reported on a significant hack on the Canada Revenue Agency. Today, more details have been revealed by the Canadian Government. Apparently attackers used a technique called credential stuffing, along with bugs in the Canada Revenue Agency online services, to gain access to Canada Revenue Agency accounts. Which in turn allowed the attackers to apply for and get the Canada Emergency Response Benefit.

In total, at least 5600 accounts out of 15 million CRA accounts were affected. And affected accounts have been taken offline. And those affected will get a letter from the Canada Revenue Agency that they were pwned, and how to fix this. Another 9,000 or so accounts were affected by an attack on the Government’s GCKey system. In total 24 different Government departments were affected by this.

I watched the news conference related to this, and while they were handing out important and valid information, and giving a cursory overview of what happened and how they are responding to it, there was a bit of “blame the victim” at play here by the Government. Yes you should use unique passwords, update your OS, and use multi-factor authentication as well as being aware of spear phishing attacks. But there were issues that the Government has addressed that led to this hack. Such as not having the means to defeat credential stuffing. So to heavily push the narrative that it is all the fault of Canadians is a bit of a #fail. Another problem is that the RCMP was called in on August 11th, but Canadians didn’t find out about this until the weekend. And the systems weren’t taken down until the weekend after multiple attacks occurred. That’s a #fail as well.

Serious questions need to be asked to the Government about this. Especially since the Canada Revenue Agency has been pwned before. Canadians need to hold the Canadian Government accountable for this and for making sure these online systems are actually secure.

UPDATE: David Masson, Director of Enterprise Security at Darktrace had this to say on this hack:

Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information. 

Many pre-pandemic spear phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!

Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials. 

For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.

Canada Revenue Agency Pwned By Hackers….. Again

Posted in Commentary on August 16, 2020 by itnerd

Yesterday it was revealed that the Canada Revenue Agency has been hacked. Though there had been indications for some time that they were hacked. The CBC has the details:

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.

CERB for those outside of Canada is the Canada Emergency Response Benefit which is an income support for those who lost their jobs because of the COVID-19 Pandemic. You use your CRA account to apply for this, which is why they are a target for hackers. Here’s how they got in:

The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer shared in a statement.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.

Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered. 

The thing is that this isn’t the first time that the Canada Revenue Agency has been hacked. Though the person behind that hack was ultimately tracked down and arrested. While credential stuffing isn’t entirely the fault of the Canada Revenue Agency, you would think that the Canada Revenue Agency should have done more to stop this attack from being successful. Hopefully they decide to harden their environment so that Canadians are safe.

BREAKING: Canada Releases COVID-19 Tracing App

Posted in Commentary on July 31, 2020 by itnerd

The Government of Canada has just released its COVID-19 tracing app today. Called COVID Alert, the app is now available for download for iOS and Android users. It uses the Exposure Notification API developed by Apple and Google which you can read about here. And it was built by Shopify and BlackBerry.

The whole point of the app is that if enough people download it, like 60% or more, then the app will alert you if you have been potentially exposed to someone who has tested positive for COVID-19. The app doesn’t use GPS to determine this. Instead it uses Bluetooth to keep track of users of the app that you come across and it is completely anonymous.

For Android, you need to have Android 6 or higher, and for iOS you need iOS 13.5 or later. I’ve downloaded it and it looks simple and easy to use. It also does a good job of explaining the purpose of the app and how it works. I for one hope that as many people across Canada download and use the app so that it will help Canada to flatten the curve and keep it flat.

UPDATE: Here’s a video about the app: