Category Archives: Privacy & Security

MISA Ontario 2020: Raise cyber awareness by targeted training, expert says

With human error being a leading cause of data breaches, organizations are putting more emphasis than ever on security awareness training.

But Canadian municipal infosec leaders were warned Tuesday that scaring employees into obedience won’t work.

In fact, argued James Norrie, CEO of CyberconIQ, a Pennsylvania-based threat awareness learning platform, CISOs need to understand human nature and the things that trigger the seemingly irresistible urge to click on a link or open that attachment.

“You have to make it OK to be vulnerable around cybersecurity in your organization,” he told the annual security conference of the Ontario wing of the Municipal Information Systems Association (MISA), being held this year online.

“To do that, you don’t want to sling fear and the fear of consequences,” he said in the keynote address. Phishing tests aim to catch people doing something wrong, he argued, which doesn’t help the mindset of staff. “So instead of reporting failure rates, report pass rates and talk about how you’re going to use this (training) to bolster people’s understanding of cybersecurity as a team sport.”

Most organizations already have technology that will catch up to 92 per cent of cyber threats, he said, and no amount of additional technology will close the remaining eight per cent or so. But if employees can be taught not to execute the attack, “then you can’t be compromised.”

Norrie, who also teaches cybersecurity at York College in Pennsylvania, argues awareness training has to be customized to employees rather than be generic. People can be broken down into four types, he said:

  • “Risk Breakers,” who are happy following rules. But that makes them vulnerable to what Norrie called “deep fake” attacks seemingly from someone in authority who asks them to break the rules, like change the bank account money is sent to. Fortunately, because much of generic awareness training involves following a set of rules, they are the easiest group to train. Broadly they represent 38 to 40 per cent of employees;
  • “Risk-Takers,” who represent 12 to 15 per cent of employees, want to comply with company rules but are more risk-tolerant and will make selective exceptions to rules. They may be vulnerable to cons involving fake “emergency or urgency” pleas;
  • “Risk Shakers,” who like the freedom of choosing when to break the rules;
  • “Risk Makers,” who trust their judgment, so rule-based training doesn’t work as well for them. They are likely to be fooled by what Norrie called “affiliated attacks,” such as from fake people on LinkedIn.

An effective awareness program will be tailored to offer specific training to these groups explaining why they are vulnerable to certain threats, Norrie said, by showing the context of a vulnerability. What it doesn’t involve, he stressed, is knowledge about technology.

Infosec pros enjoy the challenges of technology because it is largely controllable and its outcomes can be predicted, he said. However, he added, they need to understand that human factors are much less predictable.

The COVID pandemic and the increase in staff working from home have made this harder, Norrie argued. Staff may be more cyber-aware in the office than at home, with all its distractions.

“The entire public sector needs to be aware that everything they do has to reduce the probability of a successful cyberattack, reduce the total cost of a successful attack when it occurs” including everything from having cyber-secure policies and an incident response plan to cyber insurance. The goal is to build a cyber aware culture. “We have to make good cyber behaviour as natural as ‘Look both ways before we cross the street.'”

But CISOs “have to stop slinging fear,” Norrie maintained.

The post MISA Ontario 2020: Raise cyber awareness by targeted training, expert says first appeared on IT World Canada.

Cyber Security Today – Default password hole almost drowns an irrigation app, Nitro PDF hack and more ransomware

Today's podcast reports on a vulnerability that left over 100 irrigation apps open on the Internet, a hack at a PDF creation and conversion app supplier, and more reports of ransomware.

The post Cyber Security Today - Default password hole almost drowns an irrigation app, Nitro PDF hack and more ransomware first appeared on IT World Canada.

Why storing data in the cloud could be your strongest security measure yet

By Frank Attaie, VP Cloud, IBM Canada Over the course of our 100+ year history IBM has put the business needs of clients first. In an era of disinformation and data breaches, this means making smart decisions to store data securely – mitigating risks, satisfying compliance requirements and most importantly – protecting our client’s personal…

The post Why storing data in the cloud could be your strongest security measure yet first appeared on IT World Canada.

Canadian steelmaker Stelco hit by cyberattack

One of Canada’s oldest steel manufacturers says it has been hit by an unspecified cyberattack.

In a statement released Sunday afternoon, Stelco said it was “subject to a criminal attack on its information systems.”

“In response, Stelco immediately implemented countermeasures in accordance with established cybersecurity procedures and policies that have been developed in collaboration with expert external advisors,” the statement reads. “The countermeasures taken were effective and limited the scope of the attack. Certain operations, including steel production, were temporarily suspended as a precautionary measure but have since resumed operations.”

The release also said Stelco is working with police to investigate the attack.

Stelco has facilities located in Hamilton and Nanticoke, Ont. that produce high-quality value-added hot rolled, cold rolled and coated sheet steel products used in the construction, automotive and energy industries across North America. Its parent company, Stelco Holdings Inc. is listed on the Toronto Stock Exchange.

Asked for comment, vice-president of corporate affairs Trevor Harris said the company had nothing more to say beyond what was in the release.

The statement said that Stelco continues to investigate the incident and the extent of the impact on its systems. Its backup and recovery plans were being implemented Sunday to fully re-establish its systems as quickly as possible. However, it added, some business functions may be adversely affected during this recovery process.

In its annual results released Feb. 18, the parent company Stelco Holdings Inc. said for the calendar year 2019 net earnings were $10 million on $1.8 billion of revenue, compared to net earnings of $253 million for 2018. During the year it shipped 2.4 million tons of steel products compared to 2.6 million tons for 2018.

The company suffered a net loss of $24 million on revenue of $435 million in the fourth quarter of 2019, in part due to what it called “an unprecedented drop” in average steel prices. In the first quarter of this year it lost another $24 million, while net income was zero in the second quarter.

The post Canadian steelmaker Stelco hit by cyberattack first appeared on IT World Canada.

Quebec firm gets $160,000 to develop ICS risk framework for energy sector

A Quebec-based consulting engineering firm has been awarded $160,000 to develop a model to help protect industrial control systems (ICS) of Canadian energy companies from cyber attacks.

The post Quebec firm gets $160,000 to develop ICS risk framework for energy sector first appeared on IT World Canada.

SecTor 2020: The blonde, the smile, and the hack

An attractive blonde follows a man onto an office elevator. “Nice to see you again,” she says to him.

He pauses. She must be right, he figures, so he smiles back. Then she compliments him on his scent.

The elevator arrives at his floor, which is security controlled. He inserts his access card into a slot in the elevator panel, and when the doors open, he turns to the woman and says, “Ladies first.”

The blonde is Paula Januszkiewicz, CEO of Cqure Inc., a Polish-based penetration testing and auditing company, who has just accomplished the first part of her assignment: Get unauthorized access to a customer’s office.

It’s lunchtime at the office she just entered. Staff are leaving their desks. Company policy is that employees should log off the network before leaving a PC unattended, precisely to prevent what is about to happen. Even if they forget, machines are configured to log off after five minutes. One staffer leaves his computer on. Januszkiewicz sits at his desk. She yawns or coughs, enough that other staff see a stranger sitting at someone’s desk. No one comes over to ask who she is.

So Januszkiewicz is free to insert a specially crafted USB key and hack into the system.

The lesson

There’s a lesson from this incident, Januszkiewicz told the SecTor 2020 virtual conference on Wednesday: If an attacker does things with confidence, they may get through anything from physical security to anti-phishing filters.

As the keynote speaker for this year’s conference, Januszkiewicz emphasized the importance of understanding how cyber attackers see your infrastructure: as an object to be manipulated by exploiting human behaviour.

Behaviour like being lazy in picking passwords. On assignment to penetrate an energy company Januszkiewicz found no problem guessing some employee passwords. She assumed at least one person would use the firm’s name and just add “2020.” She was right. Twenty-nine of 6,000 employees had that password.
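A password audit or change-time filter can catch exactly this pattern before an attacker does. The following is an added example, not code from Januszkiewicz or Cqure, written in Python against a constructed password list and a hypothetical company name ("Northwind", abbreviated "NWE"). It normalizes leet-speak and strips the trailing year/symbol padding so that "N0rthw1nd2020!" is recognized as the company name plus filler, then counts how many passwords in a set follow each predictable pattern. Run it over the plaintexts recovered by a cracking job to get a finding like the one above, or call `classify` from a password-change hook to reject the pattern up front.

```python
import re
from collections import Counter
from typing import Iterable, Optional

# Common "leet" substitutions users apply to a banned word to slip past naive filters.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                       "@": "a", "$": "s"})

# A trailing year, short digit run and/or symbol run adds length but almost no entropy.
_SUFFIX = re.compile(r"(19\d\d|20\d\d|\d{1,4})?[!@#$%^&*.?_-]*$")

# Dictionary words that are ubiquitous as password bases.
_COMMON_BASES = {"spring", "summer", "autumn", "fall", "winter",
                 "welcome", "password", "changeme", "letmein", "qwerty"}

# Constructed sample data: a hypothetical company and a handful of cracked passwords.
ORG_TOKENS = ("Northwind", "NWE")
PASSWORDS = ["Northwind2020", "N0rthw1nd2020!", "Summer2020", "Welcome1",
             "MyNorthwindPass", "NWE-2020", "correct horse battery staple", "Tr0ub4dor&3"]


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and keep letters only, so 'N0rthw1nd' == 'northwind'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(_LEET))


def strip_suffix(password: str) -> str:
    """Drop a trailing year/digits/symbols run: 'Northwind2020!' -> 'Northwind'."""
    return _SUFFIX.sub("", password, count=1)


def classify(password: str, org_tokens: Iterable[str]) -> Optional[str]:
    """Label the predictable pattern a password follows, or None if no rule fires."""
    norm = normalize(password)
    base = normalize(strip_suffix(password))
    for tok in org_tokens:
        t = normalize(tok)
        if len(t) >= 3 and t in norm:
            # Exactly the org name plus padding is the worst case; any occurrence is still weak.
            return f"org-token+suffix:{tok}" if base == t else f"contains-org-token:{tok}"
    if base in _COMMON_BASES:
        return f"common-word+suffix:{base}"
    return None


def audit(passwords: Iterable[str], org_tokens: Iterable[str]) -> Counter:
    """Count how many passwords fall into each predictable pattern."""
    return Counter(label for pw in passwords if (label := classify(pw, org_tokens)))


if __name__ == "__main__":
    counts = audit(PASSWORDS, ORG_TOKENS)
    print(f"{sum(counts.values())} of {len(PASSWORDS)} passwords follow a predictable pattern")
    for label, n in counts.most_common():
        print(f"  {n:3d}  {label}")
```

The two-stage normalization matters: stripping the suffix first keeps "N0rthw1nd2020!" and "Northwind2020" in the same bucket, and the leet reversal means a filter that only bans the literal company name would have missed the first one.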

Bad behaviours

Other bad user behaviours hackers take advantage of include:

  • Falling for dropped USB scams. One study showed 90 per cent of people who find USB drives with a company logo in a parking lot will plug it into a company computer to find out who it belongs to. In fact, 60 per cent will do it even if there is no logo. Infected USB devices could run unapproved code. One solution is a whitelisting policy that prevents unapproved code from executing;
  • Falling for phishing and clicking on infected attachments. There’s no shortage of examples, but Januszkiewicz spoke of a new one: A seemingly empty Excel spreadsheet with an infected picture hiding behind an empty cell. If an employee clicks on a cell trying to see if the spreadsheet has hidden information, the malware executes. One solution is strict access management to prevent admin accounts from being taken over by malware;
  • Hacking lost smartphones. Seventy per cent of smartphone owners don’t password-protect their devices, one study shows. One solution: A strict company policy of reporting the loss of company or personal devices that access corporate data;
  • Careless use of public Wi-Fi with devices that access corporate data—one solution: Better user awareness training.

Thinking like a hacker, Januszkiewicz said, will allow organizations to design successful cybersecurity strategies.

The post SecTor 2020: The blonde, the smile, and the hack first appeared on IT World Canada.

People-centred approach to cybersecurity needed as Canadians shift to an increasingly digital economy

By Ireen Birungi, Chief Information Security Officer, Interac Corp. For too long the cybersecurity world has viewed people as the weakest link and biggest point of vulnerability when it comes to risk. However, post COVID-19 we are starting to see a shift in this mentality – a shift that sees people as the greatest asset…

The post People-centred approach to cybersecurity needed as Canadians shift to an increasingly digital economy first appeared on IT World Canada.

Solid security in the new normal a matter of the right provider

Today’s threat landscape is constantly shifting, which makes company security like a game of whack-a-mole. Full marks go to cyber-professionals for their effort and ingenuity in trying to keep hackers at bay. Unfortunately, the problem is not around effort levels but around a level of security complexity that continues to rise. Overnight, the pandemic and…

The post Solid security in the new normal a matter of the right provider first appeared on IT World Canada.

Forewarned is forearmed: The critical importance of threat Intelligence

Botnets, malspam, zero-day vulnerabilities, and remote access trojans: as COVID-19 continues to ramp up the cyber threatscape, and work-from-home vulnerabilities raise new demands, it’s tempting to bury our heads in the sand. The smarter move, however, is to invest in reliable and actionable threat intelligence. The world may have changed dramatically, but knowledge is still…

The post Forewarned is forearmed: The critical importance of threat Intelligence first appeared on IT World Canada.

Cyber Security Today – Twitter criticized by regulator, NSA ranks vulnerabilities, cybercrooks pretend to be good guys, and more

Today's podcast reports on a regulator's report on the Twitter celebrity account hack, the NSA ranks vulnerabilities Chinese attackers favour, a ransomware gang tries to give stolen money to charity and more

The post Cyber Security Today - Twitter criticized by regulator, NSA ranks vulnerabilities, cybercrooks pretend to be good guys, and more first appeared on IT World Canada.

Twitter slammed by U.S. regulator over bitcoin scam

A New York state regulator has slammed Twitter for poor cybersecurity protection that allowed young hackers to seize control of several celebrities’ accounts in July to run a “double your bitcoin” scam.

“Given that Twitter is a publicly-traded, US$37 billion technology company, it was surprising how easily the hackers were able to penetrate Twitter’s network and gain access to internal tools allowing them to take over any Twitter user’s account,” said the report by the Department of Financial Services.

“Indeed, the hackers used basic techniques more akin to those of a traditional scam artist: phone calls where they pretended to be from Twitter’s Information Technology department. The extraordinary access the Hackers obtained with this simple technique underscores Twitter’s cybersecurity vulnerability and the potential for devastating consequences. Notably, the Twitter Hack did not involve any of the high-tech or sophisticated techniques often used in cyberattacks–no malware, no exploits, and no backdoors.”

In particular, it slammed the company for not having a CISO for seven months before the attack. “A lack of a CISO sends the message that cybersecurity is not a top priority from senior leadership,” says the report.

The hackers — who are facing criminal charges — took over the Twitter accounts of politicians, celebrities, and entrepreneurs, including Barack Obama, Kim Kardashian West, Jeff Bezos, and Elon Musk, as well as Twitter accounts of several cryptocurrency companies regulated by the New York State Department of Financial Services.

What worries the regulator is there are well-documented examples of social media being used to manipulate markets and interfere with elections, often with the simple use of a single compromised account or a group of fake accounts.

“The Twitter Hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies. But our public institutions have not caught up to the new challenges posed by social media. While policymakers focus on antitrust and content moderation problems with large social media companies, their cybersecurity is also critical. In other industries that are deemed critical infrastructure, such as telecommunications, utilities, and finance, we have established regulators and regulations to ensure that the public interest is protected. With respect to cybersecurity, that is what is needed for large, systemically important social media companies.”

The attack started on the afternoon of July 14 when one or more hackers called several Twitter employees and claimed to be from the company’s help desk responding to a reported problem the staffer was having with Twitter’s virtual private network. Since switching to remote working, VPN problems were common at Twitter. The hackers then tried to direct the employee to a phishing website that looked identical to the real Twitter VPN website and was hosted on a similarly named domain. As the employee entered their credentials into the phishing website, the hackers would simultaneously enter them into the real Twitter site.

For protection, Twitter strengthens logins by making employees use multi-factor authentication. However, because the hackers were logging into the real site, if a staffer entered their MFA code on the fake site, the attackers could copy it into the real site.

To aid the attack, the hackers used personal information about the employees to convince them that the callers were real Twitter staff and could, therefore, be trusted. The report doesn’t say how the attackers got this information, other than speculating that they did research to identify staffers and their titles.

Some were suspicious

While some employees were suspicious and reported the calls to Twitter’s internal fraud monitoring team, at least one employee fell for the scam. Getting into this person’s corporate account didn’t get the attackers what they wanted, which was the ability to take over celebrity Twitter accounts. They took the time to wander around Twitter’s internal websites and learn more about the company’s systems. That gained them information about how to access other internal applications.

On July 15, the hackers targeted Twitter employees who had access to certain internal tools to help take over accounts. Some of them were part of the department responsible, in part, for responding to sensitive global legal requests, such as court orders or content removal requests, as well as for developing and enforcing policies to prohibit abusive online behaviour.

Initially, the hackers went after valuable so-called “original gangster” (“OG”) Twitter usernames, which are usually designated by a single word, letter, or number and adopted by Twitter’s early users. Access to a hijacked OG account could be resold for bitcoin. To show off their prowess, the hackers tweeted screenshots of one of the internal tools from some of the accounts.

Next, the hackers upped their game, going after “verified” accounts of well-known people who want the blue verified badge as a mark of authenticity. A hacked verified account would make fraudulent demands for bitcoin appear more legitimate. The first hijacked verified account belonged to a cryptocurrency trader; direct messages were sent from that account asking for 0.01 bitcoin in exchange for trading information. After hijacking Twitter accounts of cryptocurrency exchanges, the hackers sent tweets suggesting a bitcoin giveaway, with a link to a scam address. Finally, the attackers gained access to verified accounts of celebrities and fired tweets with the scam offer to millions of their followers.

Exchanges moved quickly

Overall, 130 Twitter user accounts were compromised. Of those, 45 accounts were used to send tweets. Hackers also downloaded data from seven of those accounts through Twitter’s “Your Twitter Data” (“YTD”) tool, which provides a summary of a Twitter account’s details and activity.

The report says the hackers stole approximately US$118,000 worth of bitcoin through the scam.

The report credits cryptocurrency exchanges whose Twitter accounts were hacked with responding quickly to block impacted addresses after being notified by the regulator. Still, Gemini, Square, and Coinbase said that a handful of customers fell for the scam and transferred $22,000 in bitcoin to the hackers’ accounts.

But it came down hard on Twitter, particularly for not having a CISO for seven months before the hack. “A lack of strong leadership and senior-level engagement is a common source of cybersecurity weaknesses. Strong leadership is especially needed in 2020 when the COVID-19 pandemic has created a host of new challenges for IT and cybersecurity. Like many organizations, in March, Twitter transitioned to remote working due to the pandemic. This transition made Twitter more vulnerable to a cyberattack and compounded existing weaknesses.”

“Didn’t implement significant compensating controls”

Early in the year, the department issued guidance to its regulated firms to identify and assess the new security risks created by remote working because of the pandemic, the report indicated. But Twitter was dragging its heels.

“Twitter did not implement any significant compensating controls after March to mitigate this heightened risk to its remote workforce, and the hackers took advantage.

“To its credit, Twitter has advised the Department that it is now implementing additional security controls to prevent similar attacks in the future, such as improved MFA and additional training on cybersecurity awareness, and in late September 2020, it announced the hire of a new CISO. But the consequences of the Twitter Hack show why it is critical for Twitter and other social media companies to implement robust controls before they experience a cyber incident, not after.”

Among the report’s recommendations is that cryptocurrency exchanges proactively identify and quickly block addresses known to be used by fraudsters. It also notes that some companies, where possible, restrict cryptocurrency transfers to addresses that have already been approved, although adding a new address can take a day or more.

“Twitter’s access management and authentication failed to prevent unsophisticated hackers from getting to the powerful internal tools,” the report notes. While Twitter limited access to the internal tools, over 1,000 employees still had access to them for job functions such as user account maintenance and support, content review, and responses to reports of Twitter Rules violations. Since the hack, Twitter has further limited the number of employees with access to internal tools, even though it caused a slowdown of some job functions.

The report also says Twitter has abandoned application-based MFA in favour of physical security keys.
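Why moving to security keys defeats the phone-assisted proxy described earlier in this article, when app-based codes did not, is easiest to see in code. The following is an added example, not from the DFS report or from Twitter. It implements RFC 6238 TOTP on the Python standard library and plays out the relay: the code the victim types into the lookalike page is forwarded to the real site and accepted, because the code is tied only to the current time. A FIDO2/WebAuthn security key instead signs the site's challenge together with the origin the browser is actually on; the example stands in for that private-key signature with an HMAC over the same fields (a simplification, labelled as such in the code), and the origins `https://vpn.example` and `https://vpn-example.com` are assumed. The relayed assertion fails at the real site because it was signed for the wrong origin.

```python
import hashlib
import hmac
import secrets
import struct
import time

# ---- Time-based one-time codes (RFC 6238, HMAC-SHA1, 30-second steps) ----

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """The code an authenticator app shows for the given Unix time."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def site_verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Server-side check, accepting one step of clock drift either way."""
    return any(hmac.compare_digest(totp(secret, max(0, now + d * step), step), code)
               for d in (-1, 0, 1))


def relay_totp_login(secret: bytes, now: int) -> bool:
    """The attack in the article: the victim types the code into the lookalike site
    and the attacker immediately types it into the real site. Nothing in the code
    ties it to the site the victim thought they were on, so it is accepted."""
    code_typed_on_phishing_site = totp(secret, now)
    return site_verify_totp(secret, code_typed_on_phishing_site, now)


# ---- Origin-bound assertions, as a security key produces them ----

REAL_ORIGIN = "https://vpn.example"        # assumed real login page
PHISH_ORIGIN = "https://vpn-example.com"   # assumed lookalike domain


def sign_assertion(cred_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Stand-in for the authenticator's signature. A real key signs with a private
    key (ECDSA) over data that includes the challenge and the origin the browser
    observed; an HMAC over the same fields is used here so the demo runs on the
    standard library. The property that matters is the same: the origin is signed."""
    return hmac.new(cred_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def site_verify_assertion(cred_key: bytes, challenge: bytes, sig: bytes) -> bool:
    """The real site only ever checks the assertion against its own origin."""
    return hmac.compare_digest(sign_assertion(cred_key, challenge, REAL_ORIGIN), sig)


def legit_key_login(cred_key: bytes) -> bool:
    """User on the real site: browser signs for REAL_ORIGIN, site accepts."""
    challenge = secrets.token_bytes(32)
    return site_verify_assertion(cred_key, challenge, sign_assertion(cred_key, challenge, REAL_ORIGIN))


def relay_key_login(cred_key: bytes) -> bool:
    """Same proxy attack against a security key. The attacker forwards the real
    site's challenge unchanged, but the victim's browser signs for the origin it
    is actually on, so the relayed assertion is rejected by the real site."""
    challenge = secrets.token_bytes(32)                      # issued by the real site, proxied by attacker
    sig = sign_assertion(cred_key, challenge, PHISH_ORIGIN)  # victim's browser sees the lookalike origin
    return site_verify_assertion(cred_key, challenge, sig)


if __name__ == "__main__":
    seed, key = secrets.token_bytes(20), secrets.token_bytes(32)
    print("TOTP relayed through phishing site accepted:", relay_totp_login(seed, int(time.time())))
    print("Security key used on the real site accepted:", legit_key_login(key))
    print("Security key relayed through phishing site: ", relay_key_login(key))
```

The same reasoning applies to push-notification and SMS codes: anything the user can read off one device and type into another can be relayed in real time by an attacker sitting between the two sites. Only a factor that cryptographically includes the origin (WebAuthn, or certificate-based client authentication) removes the human from that check.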

Finally, the report suggests a U.S. federal regulator be created to oversee social media platforms. “The risks posed by social media to our consumers, economy, and democracy are no less grave than the risks posed by large financial institutions,” it argues. “The scale and reach of these companies, combined with the ability of adversarial actors who can manipulate these systems, require a similarly bold and assertive regulatory approach.”

The post Twitter slammed by U.S. regulator over bitcoin scam first appeared on IT World Canada.

Six Russian military officers indicted by U.S. grand jury for huge cyber attacks

Six members of Russia’s military intelligence unit have been accused of being behind some of the biggest known cyberattacks, including the NotPetya wiper, which caused over $1 billion in losses around the world, and malware that twice knocked out power to large parts of Ukraine.

The U.S. Justice Department said Monday that a federal grand jury in Pittsburgh returned an indictment accusing the hackers and their co-conspirators of conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name.

The alleged purpose of the attacks was to support Russian government efforts to undermine, retaliate against, or destabilize:

  • The neighbouring countries of Ukraine and Georgia;
  • The 2017 elections in France. It’s alleged the conspiracy included spearphishing campaigns and related hack-and-leak efforts targeting French President Macron’s “La République En Marche!” (En Marche!) political party, French politicians, and local French governments;
  • Efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, in the U.K. This relates to April 2018 spearphishing campaigns targeting investigations by the Organisation for the Prohibition of Chemical Weapons (OPCW) and the United Kingdom’s Defence Science and Technology Laboratory (DSTL) into the nerve agent poisoning of Sergei Skripal, his daughter, and several U.K. citizens;
  • The 2018 PyeongChang Winter Olympic Games in South Korea, after Russian athletes were banned from participating under their nation’s flag as a consequence of a Russian government-sponsored doping effort. This refers to cyberattacks which culminated in the Feb. 9, 2018, destructive malware attack against the opening ceremony, as well as spearphishing campaigns and malicious mobile applications targeting South Korean citizens and officials, Olympic athletes, partners and visitors, and International Olympic Committee (IOC) officials.

The New York Times quoted the Russian Embassy in Washington as strongly denying the allegations. “It is absolutely obvious that such news breaks have no bearing on reality and are aimed at whipping up Russophobic sentiments in American society, at launching a ‘witch hunt’ and spy mania, which have been a distinctive feature of the political life in Washington for several years,” the embassy’s press office said.

The six allegedly were behind the KillDisk and Industroyer malware, which caused blackouts in Ukraine in December 2015 and December 2016; the NotPetya wiper worm, which caused nearly $1 billion in losses to three companies alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics.

All are alleged to be officers in Unit 74455 of the Russian Main Intelligence Directorate of the Russian army (GRU). They are believed to be in Russia and unlikely to ever face trial in the U.S.

Released in 2017, NotPetya is believed to have been originally aimed at people in Ukraine because those behind it began by compromising the update mechanism for a Ukrainian tax software called MEDoc. But experts believe it escaped to infect computers in 65 countries that hadn’t installed a Windows patch Microsoft had recently released. That led to many infosec pros arguing that good patch management could have stopped the spread of the worm.

Among the companies whose IT systems were badly battered by the worm were shipping company Maersk, FedEx’s TNT division in Europe and pharmaceuticals manufacturer Merck. Merck was quoted as initially estimating recovery costs would hit US$175 million, plus another $135 million in lost sales. FedEx initially claimed it lost US$400 million due to lost business.

Merck made a cyber insurance claim for US$1.3 billion to cover restoring or replacing servers and PCs and loss of business. However, its insurers have refused to pay, arguing the incident was an act of war. The dispute is still before U.S. courts.

Less than a year later, U.K. government cyber analysts pointed the finger at Russia, a conclusion Canada agreed with.

Cybersecurity researchers refer to the gang behind these attacks by various names, including “Sandworm Team,” “Telebots,” “Voodoo Bear,” and “Iron Viking.”

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” National Security Assistant Attorney General John Demers said in a statement. “Today the department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” said FBI deputy director David Bowdich. “But this indictment also highlights the FBI’s capabilities. We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them. As demonstrated today, we will relentlessly pursue those who threaten the United States and its citizens.”

U.S. authorities thanked the governments of the U.K., Ukraine, Georgia, New Zealand and South Korea for their help, as well as Google, Cisco Systems, Facebook and Twitter.

The post Six Russian military officers indicted by U.S. grand jury for huge cyber attacks first appeared on IT World Canada.

Proposed new body may break UN logjam over cyberspace governance

For more than 20 years, countries have been trying to negotiate some way to bring order over cyberspace. During those years cyberattacks have only increased.

In fact, for the past three years, two United Nations bodies — the Group of Governmental Experts (GGE) and the Open-Ended Working Group on security (OEWG) — have separately been working on the same governance issues, with little progress to show. This is often portrayed as fighting between Western and authoritarian governments.

However, some experts, including Josh Gold, a former research assistant at the University of Toronto’s Citizen Lab who specializes in cyber governance, think a quiet proposal by France and Egypt earlier this month may pave the way to getting something done.

Called a Programme of Action on Advancing Responsible State Behaviour in Cyberspace (PoA for short), it suggests creating a new body that can split governance into several issues to be dealt with individually. Where there is consensus, countries will start acting. Where there isn’t, those issues will be left alone.

A problem with both the GGE and the OEWG is that they rely on consensus. If one country objects, resolutions fail. A cyber PoA gets around that. Its goal would be urging countries to implement the cyber principles they agreed to in 2015.

It’s one of several suggestions for ending the dual-track GGE and OEWG talks on norms for cyberspace and moving to a single body. The future of the OEWG will be discussed in December.

If there is unanimous approval the PoA proposal could be part of the OEWG’s final report, which is scheduled for release in March 2021.

A cyber PoA “could eliminate redundancy, duplication, and the added cost of having two bodies dealing with essentially the same thing,” Gold, who just left Citizen Lab, said in an interview last week.

Gold said the proposal hasn’t even been finalized or officially made public. Among diplomats, it’s called a “Food for Thought” document. However, it is getting notice.

Earlier this month a blog by two French researchers argued that a cyber PoA “allows for concrete discussions and progress within working groups devoted to specific issues.” In that sense, they wrote, it could combine the best of the Group of Experts and the Open-Ended Working Group.

Gold also said Australia recently released an informal discussion paper outlining the pros and cons of the proposal.

Meanwhile, Russia, which insisted in 2018 on creating the OEWG on security, is now proposing creating a new Working Group with a five-year mandate. To some that essentially would keep countries just talking.

By contrast, the cyber PoA, which is modelled on a 20-year-old UN programme for limiting the international distribution of small arms, is aimed at accomplishing goals. The suggestion is that it would start with a “political declaration” reaffirming that international law applies in cyberspace and the 11 norms of responsible state behaviour in cyberspace agreed by consensus in the 2013 and 2015 GGE sessions. Crucially, the 2015 agreement was adopted by the entire UN. After that, the goal of the PoA would be getting countries to implement what has already been agreed to.

Briefly, the 2015 GGE:

  • Recognizes that the principles of state sovereignty, the settlement of disputes by peaceful means and non-intervention in the internal affairs of other states apply to cyberspace.
  • Recognizes that states must comply with their obligations under international law to respect and protect human rights and fundamental freedoms.
  • Agrees that the UN should play a leading role in developing common understandings on the application of international law and on norms, rules and principles for responsible state behaviour.
  • Agrees on other norms, rules and principles for the responsible behaviour of states. One is that countries should not conduct cyber activity that intentionally damages critical infrastructure. Another is that states should not harm authorized computer emergency response teams (CERTs).

A cyber PoA would focus on how countries are implementing these principles. The suggestion is it would meet every year, with nations publicly presenting their progress. The world would see who isn’t progressing. Every five years there would be a consensus-based review conference, which would potentially allow the introduction of new norms or resolutions.

So far 40 countries have signed on to the proposal including Egypt, Singapore, Japan, Norway, Ecuador, Gabon, the United Kingdom and the European Union. Canada and the U.S. aren’t among them.

In response to a question from IT World Canada, Global Affairs Canada said the government is interested in the Programme of Action proposal. “The proposal offers a way forward that would allow the UN and the international community to focus on implementing the acquis of previous UN Groups of Governmental Experts when it comes to norms of State behaviour, confidence-building measures and the applicability of international law in cyberspace.

“Canada welcomes the broad and diverse support that this proposal has received among UN member States and looks forward to discussing this proposal in more detail at the December 1-3 OEWG informal meeting, which will focus on the future UN cyber mechanism.”

A separate UN body is also looking at possible rules to curb cybercrime. Called the ad hoc committee of experts on cybercrime, it was created in December 2019. Before COVID-19, it had been scheduled to meet in New York in August 2020. So far, Russia has support for a resolution proposing the creation of a global cybercrime treaty. However, Global Affairs Canada says Canada and others believe nations should use existing tools. One of them is the Budapest Convention, in force since 2004, which sets out common procedures for law enforcement co-operation in cybercrime cases. One expert says Russia’s attempt to get a treaty advances its long-standing goal of replacing the Budapest Convention.

The GGE approach had been showing promise until 2017, when countries failed to reach a consensus on a final report.

Gold was watching the OEWG as part of his work for Citizen Lab, even attending three sessions as an observer in New York before the pandemic shut down in-person meetings. In a column for the Council on Foreign Relations, he summarized proposals made to the OEWG in April.

About 120 countries have either joined statements of others or given statements, he said. “That’s been really valuable for different countries to hear what others are thinking, and it helps with the back and forth. A lot of countries understand things better. Not every country has diplomats who have been dealing with cybersecurity issues for decades, so this [discussion] helps get other countries on the same level. The whole group serves as a confidence-building measure in that when things are tense or when views are misunderstood there’s a forum where countries can get together and speak.”

At the moment the second draft of a final resolution is circulating. Canada is among the countries proposing changing certain wording of the draft including guidance on implementing the norms agreed to by the 2015 GGE.

Since physical meetings of the OEWG have been replaced with phone calls, it’s hard to assess the mood, Gold said. There are new proposals from the informal September meetings, but he says the movement is “stagnating.” There are also meetings proposed for November and December.

Asked if at this point there is a movement to the necessary consensus, Gold said, “based on what I’ve heard from diplomats they give it a one out of three or 50/50 chance of a [final] report.”

The post Proposed new body may break UN logjam over cyberspace governance first appeared on IT World Canada.

Cyber Security Today Week in Review for October 16, 2020

The weekend version of the podcast takes a look at the top stories for the past seven days with analysis by Dinah Davis of Arctic Wolf Networks. On the agenda: the value of Cybersecurity Awareness Month and how to stop phishing attacks.

The post Cyber Security Today Week in Review for October 16, 2020 first appeared on IT World Canada.

Cyber Security Today – Dickey’s Barbecue chain hacked, Barnes and Noble notifies customers and beware of this Windows Update scam

Today's podcast reports on customer payment card data of a US restaurant chain being offered for sale, a bookseller warning customers their data may have been hacked, and a warning about the latest Windows Update scam.

The post Cyber Security Today - Dickey's Barbecue chain hacked, Barnes and Noble notifies customers and beware of this Windows Update scam first appeared on IT World Canada.

Why a unified view of threats strengthens your cybersecurity posture

A shift in 2020 to employees working from home has changed how companies operate. In particular, the rush to work-from-home has given rise to elevated security threats. While companies are now spending significant amounts on cybersecurity, threats are still outpacing corporate outlay. As tech leaders have weighed their options on how to harden their security…

The post Why a unified view of threats strengthens your cybersecurity posture first appeared on IT World Canada.

Cyber Security Today – A new version of Android ransomware, ransomware hits international law firm and cruise line gives more detail about cyberattack

Today's podcast looks at a new way ransomware is leveraging Android, and Carnival gives some information about its ransomware attack.

The post Cyber Security Today - A new version of Android ransomware, ransomware hits international law firm and cruise line gives more detail about cyberattack first appeared on IT World Canada.

Trickbot botnet disrupted by Microsoft and alliance of tech companies

Microsoft says it and several tech companies have, at least temporarily, taken down the Trickbot botnet, a Russia-based network of infected devices that has compromised more than a million computers since 2016 and is behind scores of ransomware attacks.

“We disrupted Trickbot through a [U.S.] court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world,” Microsoft said in a statement Monday. “We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped into computer systems.”

Other tech companies involved in the effort included ESET, Lumen’s Black Lotus Labs, NTT and Symantec. Also involved was the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Microsoft says the court order was obtained through a legal approach its Digital Crimes Unit is using for the first time: copyright claims over Trickbot’s malicious use of Microsoft’s software code. “This approach is an important development in our efforts to stop the spread of malware, allowing us to take civil action to protect customers in the large number of countries around the world that have these laws in place.”

Because criminals are well-funded and able to find other systems to host their malware, it isn’t clear how long Trickbot will be out of commission. In fact, Microsoft took care to say it has “disrupted” the botnet. “We fully anticipate Trickbot’s operators will make efforts to revive their operations,” Microsoft acknowledged, adding, “we will work with our partners to monitor their activities and take additional legal and technical steps to stop them.”

Cyber criminals are tenacious. The rebirth of the Emotet botnet in 2019 is a recent example. It was down for about four months after its command and control (C&C) servers stopped responding, whether that was the work of law enforcement or a security researcher, or, as some suspect, the operators themselves taking it offline to rebuild the infrastructure.

UPDATE: ZDNet reports that the Trickbot operators have replaced the seized domains and command and control servers with new infrastructure.

In a statement, ESET said that over the years Trickbot compromises have been reported in a steady manner, making it one of the largest and longest-lived botnets. “Trickbot is one of the most prevalent banking malware families, and this malware strain represents a threat for internet users globally,” said Jean-Ian Boutin, the company’s head of threat research.

“Throughout its existence, this malware has been distributed in a number of ways. Recently, a chain we observed frequently is Trickbot being dropped on systems already compromised by Emotet, another large botnet. In the past, Trickbot malware was leveraged by its operators mostly as a banking trojan, stealing credentials from online bank accounts and trying to perform fraudulent transfers.”

What makes Trickbot so dangerous, says Microsoft, is its modular capabilities that constantly evolve, infecting victims through a “malware-as-a-service” model. “Its operators could provide their customers access to infected machines and offer them a delivery mechanism for many forms of malware, including ransomware. Beyond infecting end-user computers, Trickbot has also infected a number of “Internet of Things” devices, such as routers, which has extended Trickbot’s reach into households and organizations.”

Trickbot’s operators can also quickly tailor its spam and spear-phishing campaigns. Recent messaging topics have included Black Lives Matter and COVID-19. Microsoft believes Trickbot has been the most prolific malware operation using COVID-19 themed lures.

Trickbot is also known to deliver the Ryuk crypto-ransomware.

The post Trickbot botnet disrupted by Microsoft and alliance of tech companies first appeared on IT World Canada.

Five Eyes countries press for back doors into applications, again

Canada has again joined its partners in the Five Eyes intelligence co-operative and is calling on tech companies to work with governments to find a legal way around their end-to-end encryption.

In a news release over the weekend, senior cabinet officials from Canada, the U.S., the United Kingdom, Australia and New Zealand, as well as the governments of India and Japan, urged the industry to address concerns that encryption in their products helps criminals by precluding any legal access to unlawful communications.

“Particular implementations of encryption technology … pose significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children,” officials wrote.

The governments are asking industry to help find “reasonable, technically feasible solutions” that do the following:

  • Embed the safety of the public in system designs, thereby enabling companies to act against illegal content and activity effectively with no reduction to safety, and facilitating the investigation and prosecution of offences and safeguarding the vulnerable.
  • Enable law enforcement access to content in a readable and usable format where a (court) authorization is lawfully issued, is necessary and proportionate, and is subject to strong safeguards and oversight.
  • Engage in consultation with governments and other stakeholders to facilitate legal access in a way that is substantive and genuinely influences design decisions.

The demand by governments and law enforcement agencies for lawful access to encrypted communications has been going on for years, and has been resisted by privacy and security experts for just as long.

It’s being raised again, says the statement, because of proposals to apply end-to-end encryption by default across major messaging services. WhatsApp already does so, Telegram offers it for its opt-in “secret chats,” and Zoom has been testing it since July.

The issue last hit headlines in the summer of 2019, when the University of Toronto’s Citizen Lab condemned then-Public Safety Minister Ralph Goodale for changing Canada’s policy on lawful access. Before then, Canada said it favoured strong encryption in products to protect citizens. That changed when Goodale signed a Five Eyes communique urging tech companies to include “mechanisms in the design of their encrypted products and services whereby governments, acting with appropriate legal authority, can obtain access to data in a readable and usable format.”

Citizen Lab hit back. “In advancing an irresponsible encryption policy that would deny individuals and businesses access to strong encryption, [Ralph Goodale, Minister of Public Safety] and the Government of Canada have failed to publicly acknowledge and present the range of serious harms that would follow should companies voluntarily, or under compulsion, adopt the government’s current policy,” it said.

Briefly, privacy and many encryption experts argue that what governments want is a back door into systems so they can read the communications of crooks and nation-states. However, they say that even if a back door requires judicial approval, a hole is a hole, and it can be exploited by any skilled attacker who finds it or who obtains the escrowed key. There is no such thing, they argue, as a mechanism that can only be used by governments. As a result, such back doors or processes end personal privacy for everyone, not only for suspects.

The weekend communique acknowledges that technology companies use encryption to protect their users. But, the release also says, law enforcement must find a way to respond to “illegal content, child sexual exploitation and abuse, violent crime, terrorist propaganda and attack planning.” In fact, the Five Eyes argue, end-to-end encryption hobbles tech companies’ own efforts to fight these threats.

All that is being asked, according to the Five Eyes community, is for law enforcement agencies to access content “in limited circumstances where necessary and proportionate to investigate serious crimes and protect national security.”

“We challenge the assertion that public safety cannot be protected without compromising privacy or cybersecurity,” the statement reads. “We strongly believe that approaches protecting each of these important values are possible and strive to work with industry to collaborate on mutually agreeable solutions.”

Suggestions include creating master decryption keys that, in theory, only law enforcement agencies can access with a court order; giving police the ability to get a court order to compel suspects to decrypt their conversations; or creating a way that allows third parties to lawfully listen in to encrypted conversations or messages.

The post Five Eyes countries press for back doors into applications, again first appeared on IT World Canada.

Cyber Security Today – Tips for avoiding Amazon Prime Day scams, and Software AG under attack

Today's episode offers tips for not losing money to this week's Amazon Prime Day scams, reports on a bad hack of children's information, and covers a ransomware attack at Software AG.

The post Cyber Security Today - Tips for avoiding Amazon Prime Day scams, and Software AG under attack first appeared on IT World Canada.

Understanding Canadian cybersecurity laws: Peer-to-peer privacy protection — “Intrusion upon seclusion” and the protection of intimate images (Article 6)

By Melissa Lukings, JD Candidate, Faculty of Law, University of New Brunswick (UNB) AND Dr. Arash Habibi Lashkari, Assistant Professor and Research Coordinator, Canadian Institute for Cybersecurity (CIC), University of New Brunswick (UNB) Introduction The prevalence of digital communication has created nearly limitless possibilities for the rapid, large-scale sharing of private communications, intimate images, and personal…

The post Understanding Canadian cybersecurity laws: Peer-to-peer privacy protection — “Intrusion upon seclusion” and the protection of intimate images (Article 6) first appeared on IT World Canada.

Cyber Security Today – Company loses $15 million, Chowbus food service hacked and a database of a women’s retailer is exposed

Today's podcast reports on a company victimized by an email scam, a hack of the Chowbus food app, and another unprotected database found online.

The post Cyber Security Today - Company loses $15 million, Chowbus food service hacked and a database of a women's retailer is exposed first appeared on IT World Canada.