The IT Nerd

The College of Nurses of Ontario (CNO) is still trying to figure out if the personal information of its 300 employees and 195,500 members has been compromised more than ten days following a ransomware attack. CBC News has the details:

“We are aware of a claim on the dark web regarding data theft from CNO,” the nursing regulatory body told CBC News in a statement.

“While we are not able to confirm at this time, through a comprehensive forensic investigation, CNO is seeking to determine whether personal information was compromised as result of the incident that may require notification to individuals. Although CNO was affected by ransomware, the organization is implementing a range of approaches to resume operations safely and securely, including restoring from backups.”

Hackers have posted some of the information they claim to have obtained online, including folders marked “Human Resources” and “Human Rights Matters.” Among the information posted are photos of small claims and Superior Court settlements, which include the full names, addresses and phone numbers of people. 

Lovely. This isn’t a trivial attack as clearly someone has information that they shouldn’t have. And it will be interesting to see what The College of Nurses of Ontario does to remedy this situation. You should likely stay tuned for updates.

David Masson, Director of Enterprise Security at Darktrace had this to say:

This latest news follows a number of intensifying ransomware attacks globally – just last week a woman’s death in Germany has been directly linked to a cyber-attack. Threat actors no longer simply lock up data until the ransom is paid; instead they steal it and threaten exposure until they receive payment. This ransomware technique has been a developing trend since the end of 2019 in Canada. When attackers are able to target data, we can assume they have been lying dormant in the infrastructure for some time before they launch a full blown attack.

This is common amongst organizations around the world who struggle to get visibility over their increasingly disparate and dynamic workforces. CNO may now pay a price in loss of trust through not having disclosed to their clients as soon as possible that they suffered a compromise. In situations like this it is best practice to have a disclosure plan and to disclose as soon as possible otherwise it is likely that someone else will make the story public and it won’t be on the company’s terms.

Ransomware is evolving but the key to preventing attacks remains the same. It is clearer than ever before that the status quo is not good enough. Organizations need to ensure they are using the best technologies available to them, like AI, to automatically stop fast-moving attacks in their tracks.

Well, this is a wee bit alarming.

The Canada Revenue Agency or CRA for short now says a mind blowing 48500 accounts were affected by the credential stuffing attack that happened in August that forced the CRA website offline for a few days and affected a number of government departments in the process while security was improved. CTV News has the details:

In a major update to the impact of a series of credential stuffing attacks on government websites including the Canada Revenue Agency, the country’s top information officer now says that “suspicious activities” have been found on 48,500 CRA user accounts.

And:

While it was initially reported that 5,500 CRA account users had their personal information accessed, officials then updated that number, saying a total of 11,200 accounts across Government of Canada services were compromised in the attacks. These included cyberattacks directly targeting both CRA accounts as well as “GCKey” accounts, which can be used by 30 government departments and agencies to access other online portals such as veterans’ benefits and immigration applications.

Every Canadian should be running to the CRA website and doing the following right now:

1. Log in and see if you can still do so. If you cannot, you may have a problem.
2. If you can log in, check to see if you applied for the Canada Emergency Response Benefit. If you haven’t but the CRA website says you have, you have a problem.
3. Check to see if your address or banking information has changed. If it has you have a problem.

Now if any of the above falls under the “you have a problem” category, you should do what is recommended in this release from the CRA, which is to call 1-800-959-8281 (English) or 1-800-959-7383 (French) immediately.

If all is well with your CRA account, I would instantly change your password to something is at least 8 characters long, contains an uppercase letter, a number, and for bonus points a special character (!@#$%^&* for example). And I would enable email notifications on your account so that you can get notified of any changes. Especially ones that you didn’t make.

The bottom line is that the Government of Canada has now seriously dropped the ball here. To have about 4 times as many people affected by this hack is appalling. And they are beyond due to answer some serious questions about why this happened and why they should be trusted to protect the personal information of Canadians going forward.

Given how easily hackers appear to have used the personal information of Canadians to get their hands on COVID-19 benefits and how shambolic the response has been, as well as how lame the security measures that were put in place after this hack, I am not at all surprised that there’s now a class action lawsuit over this whole affair. CBC News has the details:

The lawsuit alleges that a series of “failings” by the government and the Canada Revenue Agency (CRA) allowed at least three cyberattacks between mid-March and mid-August, but the public wasn’t alerted until CBC News broke the story on Aug. 15.

The Treasury Board and the CRA held a news briefing to confirm the security breaches Aug. 17.

The proposed class proceeding claims the delayed detection of the hacks caused the number of victims to balloon to at least 14,500.

“The actions of the [CRA] are reprehensible,” states the claim, “and showed a callous disregard for the rights of [victims].” 

It alleges the agency’s conduct was “a deliberate … departure from ordinary standards of decent behaviour, and as such merits punishment.”

The CRA has blamed “a vulnerability in security software” for the online breaches, and has said it wasn’t aware of the first cyberattack until Aug. 7.

The agency and the federal government have yet to file a legal response.

And what’s really interesting is the fact that the lawsuit alleges that the government was hasty in implementing COVID-19 benefits and didn’t take the time and effort to make sure that they could be securely delivered:

The legal action alleges the CERB and CESB were “implemented hastily,” without adequate security measures.

As a result, it claims hackers were able to steal the personal information of applicants — including social insurance numbers, home addresses, bank account details and tax information — and use the stolen data to impersonate victims, change addresses and direct deposit information and file fraudulent claims under the emergency programs.

The lawsuit alleges the victims have been hit with a double whammy: their aid applications have been frozen while the breaches are investigated, causing financial strain, plus they will have to guard against identity theft for the rest of their lives.

I’ve said before that people within the government need to be held accountable for this mess. A class action lawsuit is a great way to do that because assuming that the government doesn’t settle out of court first, all the facts will come out in court under oath. That’s not going to look good for those in the government who were responsible for this fiasco. I for one hope that the government loses big as protecting the personal information of Canadians needs to be their number one priority 100% of the time.

Today the online services related to the Canadian Revenue Agency are back online for the most part. They were taken down after they were pwned by hackers using a technique called credential stuffing. Now during a news conference the Canadian Government said that they were going to mitigate this. I’ve had a look at their mitigation strategy, and I am not impressed. But I am getting ahead of myself here. Let me explain what credential stuffing is using this Wikipedia article:

Credential stuffing is a type of cyberattack where stolen account credentials typically consisting of lists of usernames and/or email addresses and the corresponding passwords (often from a data breach) are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application.

Since the attack is automated, you have to stop the automation from being effective. The way that the Canada Revenue Agency has chosen to do this is to use a CAPTCHA like system. In short, when you log in, you’ll be required to recognize shapes or objects. Something that humans excel at, but computers suck at. Which is why this is a way of stopping an automatic attack such as credential stuffing. Here’s what I saw when I logged into the Canada Revenue Agency:

In this case, I had to pick out all the buses on this screen. There were 9 pictures of which I only had to pick out the correct three pictures. I logged in a few times and I only had to pick out three pictures every time. Which seems kind of low to me.

Here’s my main problem with this. This is not the best way to stop this kind of attack. What the Canada Revenue Agency should be doing is using multi-factor authentication. In short, multi-factor authentication requires multiple factors to verify your identity. For example, a password and a code from an app installed on your smart phone. The reason why this is better is that CAPTCHA like systems can be defeated by machine learning attacks, cheap human labor, or services on the dark web that specialize in defeating CAPTCHA like systems. Multi-factor authentication systems on the other hand requires the attacker to have all the factors in hand, or to simulate them to make an attack successful. That’s possible to do, but is way harder to pull off. Especially if a system like Microsoft Authenticator or Google Authenticator is used. Another plus is that if you out of the blue get a request to authenticate a login, and you are not logging into anything, then you know that you are potentially being hacked. Think of it of being a canary in the coal mine.

Given that the Canada Revenue Agency has been hacked multiple times, they have to do much better to protect Canadians. And I do not believe that what they have done is enough to stop the next attack. Hopefully, they improve the security of their infrastructure over time.

One other thing. If you are a Canadian with a Canada Revenue agency account, I would strongly suggest that you log in and do the following:

• Change your password to something that is at least 8 characters long, contains upper and lower case character, and has at least one numeric character in it. And it should not be something that is used in whole or in part on another website.
• Make sure you have an email address entered so that if your personal information is changed, you will get an email alert. That will alert you to a possible hack. You can get more info on that here here.
• Check your account to make sure that your personal information such as baking info and address info has not been changed.

Yesterday I reported on a significant hack on the Canada Revenue Agency. Today, more details have been revealed by the Canadian Government. Apparently attackers used a technique called credential stuffing, along with bugs in the Canada Revenue Agency online services gained access to Canada Revenue Agency accounts. Which in turn allowed the attackers to apply for and get the Canada Emergency Response Benefit.

In total, at least 5600 accounts out of 15 million CRA accounts were affected. And affected accounts have been taken offline. And those affected will get a letter from the Canada Revenue that they were pwned, and how to fix this. Another 9,000 or so accounts were affected by a attack on the Government’s GCKey system. In total 24 different Government departments were affected by this.

I watched the news conference related to this, and while they were handing out important and valid information, and giving a cursory overview of what happened and how they are responding to it, there was a bit of “blame the victim” at play here by the Government. Yes you should use unique passwords, update your OS, and use multi-factor authentication as well as being aware of spear phishing attacks. But there were issues that the Government has addressed that led to this hack. Such as not having the means to defeat credential stuffing. So to heavily push the narrative that it is all the fault of Canadians is a bit of a #fail. Another problem is that that the RCMP was called in on August 11th, but Canadians didn’t find out about this until the weekend. And the systems weren’t taken down until the weekend after multiple attacks occurred. That’s a #fail as well.

Serious questions need to be asked to the Government about this. Especially since the Canada Revenue Agency has been pwned before. Canadians need to hold the Canadian Government accountable for this and for making sure these online systems are actually secure.

UPDATE: David Masson, Director of Enterprise Security at Darktrace had this to say on this hack:

Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information. 

Many pre-pandemic spear phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!

Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials. 

For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.

Yesterday it was revealed that the Canada Revenue Agency has been hacked.Though there had been indications for some time that they were hacked. The CBC has the details:

Earlier this month, Canadians began reporting online that email addresses associated with their CRA accounts had been changed, that their direct deposit information was altered and that CERB payments had been issued in their name even though they had not applied for the COVID-19 benefit.

Most reported that they were first alerted to the suspicious activity after receiving legitimate emails from the CRA confirming that their email addresses had been discontinued.

CERB for those outside of Canada is the Canada Emergency Response Benefit which is an income support for those who lost their jobs because of the COVID-19 Pandemic. You use your CRA account to apply for this, which is why they are a target for hackers. Here’s how they got in:

The incidents are a type of attack known as “credential stuffing,” the Treasury Board’s Office of the Chief Information Officer shared in a statement.

“These attacks, which used passwords and usernames collected from previous hacks of accounts worldwide, took advantage of the fact that many people reuse passwords and usernames across multiple accounts.”

Aside from CRA accounts, thousands of others linked to GCKey — a secure portal that allows Canadians to access government services online — were also affected.

“Of the roughly 12 million active GCKey accounts in Canada, the passwords and usernames of 9,041 users were acquired fraudulently and used to try and access government services, a third of which accessed such services and are being further examined for suspicious activity,” the statement read.

Compromised accounts connected to that platform, which is used by about 30 federal departments, were shut down when the threat was first discovered. 

The thing is that this isn’t the first time that the Canada Revenue Agency has been hacked. Though the person behind that hack was ultimately tracked down and arrested. While credential stuffing isn’t entirely the fault of the Canada Revenue Agency, you would think that the Canada Revenue Agency should have done more to stop this attack from being successful. Hopefully they decide to harden their environment so that Canadians are safe.