Bell Canada alert prompts RCMP, privacy watchdog to investigate data breach

By David Paddon

THE CANADIAN PRESS

TORONTO - The RCMP has launched an investigation into a data breach at Bell Canada that appears to have compromised customer names and email addresses, but no credit card or banking information.

Media reports put the number at about 100,000 but RCMP spokeswoman Stephanie Dumoulin, at the police force’s national division in Ottawa, and the Office of the Privacy Commissioner said that they couldn’t disclose details.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.

Bell Canada’s representatives have alerted customers who were affected, but didn’t answer questions about how many customers were impacted, when the breach occurred, or if the data release was related to an earlier breach last year.

Bell also told customers that additional security, authentication and identification requirements have been implemented.

“When discussing your account with our service representatives, you will be asked for this additional information to verify your identity,” its emailed notice to customers said.

Katy Anderson, a Calgary-based digital rights advocate with OpenMedia, said she’s glad Bell is implementing additional security checks.

“However, this is the second time the company has been hit by hackers in eight months,” Anderson said in a phone interview.

Bell Canada revealed in May that an anonymous hacker had obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

Anderson said that the public should realize that centralized data is vulnerable, by its nature.

“When a breach like this happens, which we’re seeing more and more, it’s always a good reminder to change your passwords, update your security questions with things only you would know, and consider using a password manager,” Anderson said.

Bell’s latest data breach follows several other high-profile hacks, including at credit monitoring company Equifax and car-hailing service Uber, though those companies did not immediately disclose the breaches.

The federal government is in the process of reviewing changes to the Personal Information Protection and Electronic Documents Act that would require companies to notify people in the event of a serious data breach.

But until those come into force, Alberta is the only province in Canada that has mandatory reporting requirements for private-sector companies.

Making a point: Aon says airlines, retailers need to criminal-proof loyalty points

By David Paddon

THE CANADIAN PRESS

TORONTO - A new report on cybersecurity trends says several industries will be on the defensive as criminals increasingly target gift cards, loyalty points and other non-cash transactions.

The 2018 Aon cybersecurity report said that airline, retailer and hospitality sectors will be under pressure to adopt more innovative ways to protect themselves and customers from points theft.

The theft of loyalty points creates a dilemma because it’s not yet clear how they’re covered by business insurance policies, Aon Canada’s Brian Rosenbaum said Tuesday.

“The question is: Who are they stealing from? And what are they stealing?” Rosenbaum said.

If the theft is considered a loss of something owned by the points provider, it might be covered by a fairly standard commercial crime policy.

However, if the theft is considered the loss of confidential information entrusted to the company by customers or business partners, it might be covered by a cybersecurity policy, a newer but increasingly common insurance.

“And maybe it’s neither, depending on how the policies are worded,” Rosenbaum said.

The multinational advisory firm said in its 2018 cybersecurity report that many industries, including those with points programs, will be expected to prove they’ve taken every reasonable precaution to address the risk of breaches.

In Canada, that’s a very elusive standard because it’s not yet clear what needs to be done.

“Do you have to have IT continually patching your system? Do you have to have monitoring and auditing in a very significant way? … Do we need to have a bug bounty program?”

So-called bug bounties, a way to reward ethical hackers who find bugs so they can be exterminated, have been used to good effect by tech companies.

Aon’s global report predicts that airlines, retailers and hospitality companies will also add bug bounties to their arsenal of cyber defences following the lead of tech companies and financial services providers.

Rosenbaum said Canadian companies have begun making inquiries but he doesn’t think bug bounties will become common in this country yet and for good reason: “I think there’s bugs in the bug bounty program.”

One impediment, Rosenbaum said, is that many companies don’t want to publicize their vulnerabilities but one of the motivations for ethical hackers is getting recognition for their accomplishment.

“My sense of it is that there has to be a better understanding of what the individuals get and the companies have to be clear about what they’re prepared to give … in order for these to be viable working relationships.”

Here are some of the trends, challenges and threats that await us all in 2018

By Joey | Security Boulevard 

We had an interesting year in 2017. If any trend is obvious, it’s that 2018 will continue to be interesting for the cybersec industry. How interesting? Here are the 18 trends that we think will be making the headlines and should be on your radar for 2018.

The Return of the Spam

In 2004 Bill Gates said that spam would be dead in 2 years. Over a decade later, things are still pretty bad. While we can stop greater than 99.95% of spam email, it’s the very few that do get through that are increasingly sophisticated and preying on user vulnerability. You used to get emails focused on Viagra and reclaiming lost fortunes. Now, the spammer is more interested in having you click a malicious link and getting your password or triggering ransomware, and then doing the real damage from there.

Are we getting more spam today than ever before? We are at the highest level in a few years. However, the spam we are getting, and the tiny amount getting through, is much more dangerous.

Continued Growth of Socially Engineered Threats

We talk a lot about this one. Social engineering is the fastest growing area in cyber crime. From Q2 to Q3 2017, there was a 74% increase in phishing attacks.

Roger Grimes suggests that nearly 100% of attacks can be attributed to unpatched software and social engineering. “A single unpatched software program has at times accounted for over 90 percent of the web-based exploits” and the rest, save perhaps a single percent, goes to social engineering. There are predictions that Business Email Compromise (BEC) will hit $9 billion in 2018. It’s hard to know how accurate that prediction is, but BEC is a very serious and growing threat.

The Growth in Cloud and BYOD

An interesting trend in 2017 was a shift from urgency and fear in spam messaging to more social and rewards-focused scams. With the proliferation of BYOD, mobile and remote work, scammers realize that the value is in accessing the work network, rather than an immediate smaller payoff from an individual. And by enticing you with an e-card or mail order bride, they can arouse enough curiosity via your private email to get into your business network. Watch for email and cyber security measures that will protect devices and cloud networks, not only inboxes.

In a similar vein, as businesses continue the shift to the cloud and the traditional idea of a firewall falls, businesses will look for new ways to secure their IT networks, such as email archiving solutions, encryption, URL defense, mobile defense and… training! The growing diversity in how and where employees access networks calls for strong awareness and training with a people-first approach.

Ransomware

The last year saw several big ransomware attacks make headlines. Most of their damage was in reputation, legal cost and confidence to the institutions (though the scammers made their own pay). Two interesting drivers of this growth are RaaS (ransomware as a service), where unskilled cybercriminals can launch attacks, and a growing underground economy.

Ransomware is also growing in concert with Phishing and social engineering, both big trends we are watching in 2018. It will also be interesting to see how cryptocurrency valuations impact ransomware growth.

Blockchain Security

Speaking of cryptocurrency, there has already been significant investment in blockchain as security technology. Guardtime, out of Estonia, claims to be the largest blockchain company by revenues (perhaps before the most recent sharp surge in cryptocurrency valuations), and has secured all of Estonia’s medical records using blockchain tech. Blockchain has the potential to eliminate passwords, provide advanced encryption, and create tamper proof infrastructure. This will be a fascinating area to watch in 2018.

Legislation

The government should play a big role in the internet in 2018. Besides net neutrality and data privacy rights, in the EU GDPR comes into effect in 2018. This will dramatically affect the data policies of multinationals operating in the EU.

After Uber’s second data breach and lengthy delay in disclosure, it is only fair to expect the US to follow suit at some point and create a national legal framework. Then again, they have a lot on their plate at the moment (and it looks only to be getting busier). National legislation will help companies react more sensibly after attacks.

AI in Response to Social Engineering Attacks

A lot of the hope in curbing some of the email and cyber risk is being placed on AI and Machine Learning. Ideally, we can reach a “singularity-like moment” where our algorithms get so advanced that any attempted scam or attack is known well in advance. It’s very challenging – because social engineering and targeted phishing are where the challenge lies. Human error is probably the biggest source of risk today. Can AI stop human error? Here’s hoping.

Domain Spoofing and Suspicious Domain Registrations

In Proofpoint’s 2017 Q3 threat report they noticed an alarming 20-to-1 ratio of suspicious domain registrations to defensive registrations, with suspicious domain registrations growing by 20%. There are a lot of frightening numbers in there. They found malicious URLs up 2,200% in Q3, year over year.

There’s a lot in there to be frightened about, and perhaps brands believe they have covered their defensive bases. Perhaps, as detection of malicious and spoofed URLs becomes faster and they are taken offline earlier, scammers are being forced to do more work (or find more ways to automate it effectively). Either way, spoofing and malicious URLs will be a serious threat for those unprotected – and will certainly make headlines in 2018 for the wrong reasons.

Data borders: Kaspersky, China, GDPR

2017 was an interesting year in cross border cyber security. Kaspersky got banned from UK government systems where sensitive information is present. And then late in the year Trump approved a federal ban on Kaspersky.

There are questions as to whether they worked with or were compromised by the Russian government – at the bare minimum it appears that sensitive data, such as from the NSA was being stored in Russia.

Along with other legislation, we expect more governments to begin looking at companies who are exporting your data out of country of origin. “Data Localism” or keeping data in local data centers is already in place in Russia, China and Brazil.

Breach disclosure and other local requirements are also going to be a big concern in 2018. While data protection is a fast growing concern for many enterprises, the way in which disclosure requirements, “rights to be forgotten” and other legal requirements around data evolve will most likely be determined in 2018.

Cyber Warfare

We probably haven’t seen anything yet. Between apparent Russian meddling overseas, an expanding Chinese sphere of influence, and constant media reporting that the United States is on the brink of war with North Korea, who knows what kind of Cyber Warfare may break out, or what role it will play in more “kinetic” conflicts featuring drones, advanced missile systems, naval warfare and more. Of course, we could already be in the midst of this, with WannaCry apparently being sourced to North Korea.

Industry Specific Attacks

Scammers are increasingly targeting their attacks based on where the largest payout lies. These payouts are two-fold. The first is the single payout, finding large and accessible financial transactions. The second is in the value of data.

The financial industry and heavy industrials have the large payout and transfers of funds. The Health industry has very valuable data. These industries will continue to see increasing amounts of attacks.

We’ve written extensively on health and security in 2017. We expect this trend to continue through 2018. One group purported that the majority of email addressed as being from a healthcare provider was fraudulent! All the while, among companies with over $1 billion in revenue, DMARC was properly used by 2% of them!

Speaking of DMARC

While it might not be perfect, it is going to see mainstream adoption in 2018. It still has seen very low adoption rates in industries like banking, and when it is implemented, there are still often errors in implementation.
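As an added illustration of the kind of implementation error mentioned above (this is example code written for this page, not code from Security Boulevard or the trends post), the following Python checks a DMARC TXT record string for the mistakes that most often leave a published policy ineffective: the version tag not coming first, a missing or invalid `p=` policy, `p=none` left in place after the monitoring phase, a `pct` below 100, and report addresses that are not `mailto:` URIs. The sample records are constructed; the checker works only on the record text and performs no DNS lookup, so it runs offline.

```python
"""Check a DMARC TXT record for common deployment mistakes.

Added example: validates the text a domain would publish at _dmarc.<domain>.
The records in SAMPLE_RECORDS are constructed for illustration.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
VALID_ALIGNMENT = {"r", "s"}

# Constructed sample records (not taken from any real domain).
SAMPLE_RECORDS = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "wrong_order": "p=reject; v=DMARC1",
    "partial": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com",
    "no_policy": "v=DMARC1; rua=dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lowercase tags.

    Insertion order is preserved so the checker can confirm that 'v' comes
    first, as RFC 7489 requires. Parts without '=' are kept under '_malformed'.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            tags.setdefault("_malformed", []).append(part)
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means the record is
    well-formed, enforces a policy and will deliver aggregate reports."""
    findings = []
    tags = parse_dmarc(record)
    keys = [k for k in tags if k != "_malformed"]

    if not keys or keys[0] != "v" or tags["v"] != "DMARC1":
        findings.append("record must start with v=DMARC1")
    for bad in tags.get("_malformed", []):
        findings.append(f"malformed tag '{bad}'")

    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; receivers will ignore the record")
    elif policy not in VALID_POLICIES:
        findings.append(f"invalid policy '{policy}'")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")

    sp = tags.get("sp")
    if sp is not None and sp not in VALID_POLICIES:
        findings.append(f"invalid subdomain policy '{sp}'")

    for tag in ("adkim", "aspf"):
        if tag in tags and tags[tag] not in VALID_ALIGNMENT:
            findings.append(f"{tag} must be 'r' (relaxed) or 's' (strict)")

    pct = tags.get("pct")
    if pct is not None:
        if not pct.isdigit() or not 0 <= int(pct) <= 100:
            findings.append("pct must be an integer 0..100")
        elif int(pct) < 100 and policy in ("quarantine", "reject"):
            findings.append(f"pct={pct} applies the policy to only part of the mail")

    # Report URIs must be mailto: addresses; an optional "!size" suffix is allowed.
    for tag in ("rua", "ruf"):
        if tag in tags:
            for uri in (u.strip() for u in tags[tag].split(",")):
                if not re.fullmatch(r"mailto:[^@\s,]+@[^@\s,]+", uri):
                    findings.append(f"{tag} URI '{uri}' is not a mailto: address")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {check_dmarc(rec) or ['ok']}")
```

Running the script prints one line per sample record; only the `enforcing` record passes cleanly, which is the shape a record needs before an organisation can claim DMARC is "properly used".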

Quantum Computing

Long shot here, but could quantum computing be the savior of the industry? The simplest way I see it: if you could make many times the calculations, wouldn’t that mean more attacks would be caught sooner? This will dramatically impact the development of AI (machine learning) and also speed up blockchain capabilities, all linked closely to the future of cybersecurity.

Hacked Therapy

Being hacked is a form of abuse. The trauma can have serious negative impacts on its victims. Leaked private pictures. Destroyed credit ratings. All kinds of privacy invasion. 2017 saw what might have been the first conference “supporting victims of cyber crime”. The trauma is enduring. Expect this conversation around cyber crime and mental health to become more prominent.

IoT Botnet Strike Disaster Looming?

IoT has long been discussed as a risk. Now it seems that botnets could be hiding on your connected devices. Mirai was one such example – a big reason being the use of default settings. It doesn’t appear that botnets are going anywhere just yet.

Biometric Authentication Compromise

Could the trend toward biometric authentication result in a major breach? With iPhone and Samsung both experimenting and launching biometric authentication tools, there’s a lot of risk to be explored. Your partner or the person sitting next to you during a flight may not gain information relevant to your employer, but what are the limits? Could a major breach occur if a socially engineered attack was able to work beyond the constraints of biometric authentication? We might find out soon.

Simplifying Security

The complex technical environment that the security industry has known can make it seem pretty serious. While security skills are no longer only for specialists, much of the available information about security is dense and technical, possibly putting off many of the users who organizations need to “know their stuff”. The reality of training and awareness is that we have to find the weakest links in the security chain and upgrade (no pun intended) their stack (no pun intended). People need plain-English information on security. It’s an imperative as an industry that we communicate in plain English and ensure awareness – to avoid human error as much as possible.

The Clearer Business Case

It’s not always clear how to calculate a cost benefit on email security. “while 85 percent of firms believe that the economic costs from cyber attacks will increase in the coming year, only 23 percent have adopted a strategic plan to address business risks”. In the near future, any BCDR or security contingency will be based on a risk assessment, much like an insurance policy.

That’s the gist of it.

We aren’t going to be bold in our predictions. Though perhaps one last bonus one is in order. We’ll go out on a limb and say that if you are reading this, your company is better off. You’ll probably take steps to invest in your cyber and email security – if you haven’t already. The fact that you’ve read to this point makes you aware. And for that, we believe that your 2018 will be a safe and happy year!

Read more great articles like this one at: Security Boulevard 

Uber hack latest example of why vigilance required to keep your wallet safe

By Craig Wong

THE CANADIAN PRESS

OTTAWA - When Doug Hoyes had his credit card information stolen, fraudsters used it to pay for three taxi rides in Toronto.

He wasn’t in that city, but discovered the charges while routinely checking his card transactions online and notified his bank, which cancelled the card.

Hoyes, a licensed insolvency trustee, says the incident illustrates the importance for individuals to keep a watchful eye on their statements in a world where financial information can be stolen in a myriad of ways.

“I realize that the bank will probably cover you anyways, so you’re not going to lose any money, but do you really want to wait until they’ve used up your credit limit and you’re trying to put gas in your car and you can’t because you’re over your limit?”

Earlier this week, ride-hailing company Uber came clean about a year-old hack that compromised the data of 57 million Uber riders. The information stolen included names, email addresses and mobile phone numbers. The number of Canadians affected was not immediately known.

News of the security breach comes just two months after Equifax Inc. said some 145 million consumers, including roughly 8,000 Canadians, had personal data, and in some cases credit card details, stolen by hackers in a massive data breach earlier this year.

The thefts were the latest in what has become a regular occurrence of hackers breaking into systems and stealing customer information.

While individual pieces of information like the email addresses and mobile phone numbers that were taken in the Uber theft may seem innocuous on their own, when thieves combine it with other information that may be available elsewhere, it can spell trouble.

But even if you weren’t affected by the Uber or Equifax data breaches, or any others so far, you need to be vigilant because hacks are going to happen, he added.

“If you weren’t impacted by this one, you probably will be impacted by the next one.”

If your information is hacked, you need to change your passwords and your PINs to something that is not easily guessed, advises Lynne Santerre, a spokeswoman for the Financial Consumer Agency of Canada.

Santerre added that if you’ve been compromised you should also contact the major credit bureaus and ask for a fraud alert to be placed on your file.

“That tells lenders to contact you before approving any application for credit in your name,” she said.

“So if anyone is trying to take out credit in your name, you’ll get a phone call and you’ll be able to confirm whether that application was yours.”

Hoyes noted that much of the job of securing your information online isn’t up to you, but rather the companies storing it. But, he added, there are still things you can do such as reviewing credit card transactions and cancelling any credit you don’t need.

Both Hoyes and Santerre recommend regularly checking your credit report with the two major agencies in Canada: Equifax and TransUnion.

Checking your credit report can tip you off if your information was stolen because you will see if there are any accounts you don’t know about that may have been opened fraudulently.

Hoyes also advised against giving out your social insurance number unless required because the more information that is out there, the more at risk you become.

If your card issuer offers you an alert service that sends you a message when your card is used, it can be a great way to keep an eye on charges. But, Hoyes added, it’s not enough to rely on the fraud protection systems at your bank.

“You’ve got to be in charge,” he said. “You’ve got to take responsibility here and be looking at these things on a regular basis.”

Cybersecurity: How Safe Is Your Workforce?

Article by Davids Blackmore

In mid-May 2017 unprecedented global hacks brought organisations including the NHS, Telefónica and FedEx to a standstill.  Incidents such as this ensure that the public focus is firmly fixed on attacks by faceless criminal third parties.  However, when it comes to the protection of vital corporate and client data, organisations must also recognise the risks much closer to home, posed by their own personnel.  IBM’s “2016 Cyber Security Intelligence Index” found that 60% of all attacks were carried out by insiders.  Three quarters of these attacks were malicious, with the remainder involving reckless or inadvertent breaches by employees.  Given the potential business ramifications, financial, reputational and operational, it may be necessary to think again about how we tackle cybercrime.

Employee risk

Cyber risk isn’t just a matter for an organisation’s IT department or about having the most-up-to-date software.  Employees need to be trained to understand cyber risk and given the tools to identify and deal with such risk appropriately.  This can only be done effectively if the whole organisation buys into the process.  This is fundamentally a governance issue: as with any other area of risk, it must be managed coherently with arrangements covering all of those who can access organisational information, including directors, employees and contractors.

Human error and malicious intent

Not all data breaches are deliberate or malicious: many are down to simple human error.  It may involve a lost memory stick, an email inadvertently sent to an incorrect email address or papers being left in a public place.  For example, a mis-sent email from a London NHS clinic in May 2016 attracted a £180,000 fine from the UK Information Commissioner after it revealed the email addresses of 700 users of an HIV clinic, the sender having typed the addresses into the “To” box rather than using the “Bcc” (blind copy) option.  Similarly, dating website Guardian Soulmates saw the email addresses of its subscribers made publicly available as a result of human error on the part of a third-party contractor.

Breaches frequently involve individuals sending confidential data out of secure work systems to personal email addresses, including to “bank” information in the event of a future dispute or for the purposes of new employment.  For their “End-User Security Survey 2017” Dell commissioned a global survey of 2,608 professionals who handled confidential data at companies with 250+ employees in order “to find out how widespread the unsafe sharing of confidential data has become”.  Dell’s results showed that “72% of employees are willing to share sensitive, confidential or regulated company information”.

Data breaches can have a catastrophic impact.  A good example is the 2015 Panama Papers case involving the offshore law firm Mossack Fonseca.  An anonymous source leaked more than 11.5 million client files, going back four decades, to the German newspaper Süddeutsche Zeitung.  When news of the leak broke, the firm vehemently denied that there was anything wrong with the integrity of its IT systems, stating that it had been the victim of a hack by an outside third party.  It ultimately transpired, however, that the data had been disclosed by an employee of the firm, a disgruntled IT worker who systematically uploaded large amounts of client data over a prolonged period of time – purportedly because of moral concerns around worldwide income inequality.

According to the International Consortium of Investigative Journalists, an estimated $135 billion was wiped off the value of nearly 400 companies after the Panama Papers.  Like the hacks affecting the NHS and others, the case demonstrates the extraordinary power of modern technology to stop business dead in its tracks.

What can you do to minimise the risk to your organisation?

The Cyberedge Group’s “2017 Cyberthreat Defence Report” says that “once again, respondents cited users as the greatest obstacle to their organization’s establishing effective defences, as “low security awareness among employees” topped the chart for a remarkable fourth consecutive year…”

So what can be done to address this problem?

There is no absolutely failsafe method of protecting your company data: an organisation is only as strong as its weakest link.  However, businesses can be alert to the risks, put in place appropriate plans to minimise the likelihood of a breach and have a breach response plan in place.  This will ensure that if there is a breach the situation can be managed and damage minimised.  Insurance policies should be reviewed, as the right policy may provide specialist external support in the event of cybersecurity incidents.

Education, education, education.

Equipping employees with the skills to recognise and manage cyber and information security risks, raising awareness of cybersecurity issues and instilling a culture of good data management will help build an organisation that appreciates the importance and value of the data that it holds.  In particular a business should:

  1. Identify and understand the information held by the organisation, who it belongs to and why it is important.
  2. Identify the cyber risks that exist and the assets you are trying to protect.
  3. Put in place a robust (but workable and easy to understand) cybersecurity policy so your staff understand the risks faced by the organisation, how they must deal with information and what they must do if the integrity of the organisation’s systems is breached.
  4. Educate your workforce to recognise and respond to security issues which arise.

So are employees a risk to the integrity of your business?  Yes.  But they can also be your first line of defence.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Source: Mondaq

Ed Dubrovsky appointed Managing Director of Cyber Breach Response by Cytelligence Inc.

Ed Dubrovsky, a 24-year veteran of information security, has been appointed Managing Director, Cyber Breach Response, by Cytelligence CEO Daniel Tobok.

Mr. Dubrovsky will manage Cytelligence’s cyber security teams assigned to respond to client emergencies, to deal with the range of cyber threat actors from independent hackers, to industrial spies, to organized crime rings, and state-sponsored threat actors. Read Mr. Dubrovsky’s bio here.

“Cyber security is now one of the top risks for all organizations. I believe that cyber security must be strategic, resilient, scalable, and cost-effective for organizations to achieve their business goals,” said Mr. Dubrovsky.

His areas of expertise include: incident response; strategic information security planning; securing enterprise infrastructure; application security; penetration and vulnerability testing; and research and education.

Cytelligence, the elite force of global cyber security, now employs over 60 cyber security experts including investigators, security specialists, forensic specialists, and ransomware specialists. Cytelligence also has a number of “white hat” hackers with very advanced cyber skills that help companies to proactively test their security using so-called “penetration testing.”

“Cyber security has exploded as a critical service, both as an emergency service and a proactive service for companies to secure their information and web infrastructure, for one very simple reason: the number of cyber criminals has exploded, too,” said Mr. Tobok.

“Ransomware and phishing are the attack vector of choice for cyber criminals. Ransomware is the perfect crime. It is anonymous, decentralized, digital, scalable, and uses cryptocurrency which is heavily encrypted,” said Mr. Tobok. Read his bio here.

The range of Cytelligence clients in critical industries includes:  financial institutions, including banks, brokerage, and insurance firms; law firms; oil & gas facilities; refineries & petrochemical industry; power generation and transmission; research and development; software and technology companies; telecommunications; airports, seaports, trucking and transportation hubs; defense & homeland security; and water utilities.

Cytelligence is headquartered in Toronto and serves clients in Canada, the U.S., and Europe.

SOURCE Cytelligence Inc.
