Clearly the Canada Revenue Agency has a serious IT security problem: two days ago an unknown number of accounts were locked as a precaution, though the CRA wouldn’t provide details. Now we have those details. Apparently around 100000 accounts were locked because leaked login info was found on the dark web, which of course is not good:
If you received an unexpected and cryptic email on Feb. 16 from CRA warning you that your email had been deleted from the agency’s web platform, MyCRA, do not worry: your account has not been breached.
In fact, the agency says it means that their new early cyber security issue detection system is working (though the communication strategy will be reviewed and it “regrets the inconvenience.”)
But that also means your login data has probably been compromised through a third-party breach and you will need to contact CRA in order to regain access to your online account, particularly if you plan on filing your 2020 taxes online starting next week.
“To be clear, these accounts were not impacted by a cyber attack at the CRA. These accounts have not been compromised and the action taken to lock the accounts was a preventative measure,” agency spokesperson Christopher Doody said in an emailed statement.
Steps on how to regain access to their online account will be sent to affected taxpayers by mail, he added.
I’m sorry, but this is a #fail on so many levels. First, simply sending an email out saying that your Canada Revenue Agency account has been locked is going to freak people out. That’s because the history of the Canada Revenue Agency when it comes to IT security quite frankly sucks, as they have been repeatedly pwned by hackers. Thus if you get one of these emails, you are going to assume that hackers have pwned them again. It also doesn’t inspire confidence. I get that the Canada Revenue Agency was trying to act in the best interest of Canadians, but the way that they did it really isn’t fit for purpose. Hopefully they not only provide details about how these 100000 or so accounts were compromised, but also rethink their communication strategy.
NurseryCam Pwned After Security Shortcomings Reported To The Register
Posted in Commentary with tags Hacked on February 22, 2021 by itnerd
This is a bit complicated, so hang with me for a bit.
Daycare camera product NurseryCam was apparently hacked late last week. The BBC reported the news on the weekend, and the company has shut the service down to lock it down. But here’s where things get interesting. The company had been contacted by a security researcher who discovered flaws in the service. And according to The Register:
El Reg reported on the company’s security shortcomings last week after its inappropriate attempts to strongarm an infosec researcher into deleting a Twitter thread detailing vulnerabilities in its FootfallCam product.
When companies do that sort of thing, it never ends well. This incident was no exception:
A hacker contacted El Reg on Friday to say they had obtained real names, usernames, what appeared to be SHA-1 hashed passwords, and email addresses for 12,000 NurseryCam users’ accounts – and had then dumped them online.
Although this person claimed to have “redacted” those details, the redaction was so poor it was trivial to figure out the real names and contact details of NurseryCam’s parent users. El Reg, together with IoT security expert Andrew Tierney, verified that the credentials were genuine before notifying NurseryCam of the breach. The company began emailing parents the following day after taking its cameras offline.
This is likely now under investigation by the Information Commissioner’s Office, and this might not end well for the company behind this service, especially since warnings about the lax security of this service have been floating around for years. It sucks to be the company behind this product.