Tuesday, December 4, 2018

We've got the best people, the best product

This post is going to be more serious.  cough cough...

So 1-800-FLOWERS just disclosed that it was hacked years ago (the card-stealing malware sat on the site for roughly four years), and everyone who came by and entered a credit card number during that window had their details exposed.

But.... it is only Tuesday!  This is supposed to be Friday stuff!

https://techcrunch.com/2018/12/03/credit-card-stealing-malware-flowers-four-years/

For all we know, 1-800-Flowers may have been doing a great job and simply been the victim of a long list of other issues that led up to this.  What we do know is that they relaunched an entirely new website claiming to have added security.  That kind of implies something was fundamentally wrong with the old one, or it could simply mean they want a fresh start from a PR perspective.  Time will tell, especially if the actual breach details make it out into the open.

Back when Ashley Madison let themselves be hacked end to end because of a complete absence of anything related to security (see my humorous blog entries on this), 1-800-Flowers actually showed some really witty marketing by offering a special flower arrangement for anyone who got called out for having an account on a cheating website.



I have yet to meet someone who will admit ordering the prestigious "Ashley Madison" flower arrangement, so I still do not know the price.


I had a realization today.  Technology companies have long adopted the DJT (Donald J Trump) approach to cyber security.


"They have the best people, really the best, and the best words."

When a potential vendor I am evaluating gives me this type of response...  I go on alert.  Nothing focuses my attention more than hearing "we have great developers" or "our dev team is the best".  Taken as a security assurance, both statements are dead wrong.

Here is why.  

A dev team is put together to deliver technology against a predetermined set of parameters such as a delivery date and a budget.  Sure, "features" and "functions" are in there, but security rarely is.

When the CEO says his dev team is the best, this means they deliver on-time and within budget.  From a security point of view, this could spell trouble.

So why exactly would a CEO think his dev team is awesome?

I'm looking at it from the point of view of security.  The senior executive is looking at it generally from delivering a product that works, looks good, didn't cost a kidney, a limb or your first born, and was done within a reasonable time.

So the word "Awesome" means two completely separate things.

Here is the generally accepted truth about a software development team.

They rarely get the luxury of a strict security testing methodology within their SDLC (if they even have a formal software development lifecycle in place).

So I do not disagree with a CEO that says their dev team is the best.  I just place that information into the correct bin.  Bin #46:  Dev team is nimble and generally delivers what is asked of them within a reasonable amount of time/budget.

However, as Chief Security Officer, my questions and my priority bins are #1 to #10, and all of them touch security; none of them touch short delivery times and limited budgets.

The fact is that dev teams are not trained to be security testing experts, so security has to be integrated somewhere in the process, either by someone in-house who has mastered that area of expertise or by a trusted third party that provides guidance and testing with the maturity required to do it for real.

Keep in mind that outsourcing security in no way entitles you to think everything is fine, because in the "services" area we find plenty of folks who know how to make a buck yet deliver very mediocre (read: sub-par) services.

Security is a philosophy that needs to be infused across all players.  This takes the right talent, patience and a reasonable investment.

Outside of this, thinking that the lowest bidder, or the really inexpensive web development company we met last week is doing great security is simply beyond crazy.

Most enterprises simply aren't there.

So here is something to think about.


  • Car manufacturers have great engineers
  • NASA has the "best people"
  • Pharmaceutical companies have bio geniuses 
  • I could go on....


They all have something in common: good processes that include formal testing worthy of the asset they are producing.

So we can learn something from these types of enterprises by realizing that if the technology we are deploying is not critical or does not (cannot) expose sensitive data, then sure, the lowest bidder or whatever service is fine.  However, when the service or data is sensitive, an appropriate amount of testing AND oversight is required to ensure that everyone delivers the quality expected.

One of the biggest dangers in the technology industry is the belief that a big company, or an old company, or a company that says the word security eight times on their website.... delivers quality.

Things in the technology world change at an extremely fast pace.   Security professionals who do "real" testing are a rare commodity.

This means you have to ask the right questions.

First off, prioritizing your assets or your systems at any level is an important part of the puzzle.  You need to know how critical something is so you can handle it accordingly.

Knowing that you are about to outsource a piece of your business to a SaaS or cloud provider has to mean knowing what value that piece has for you.

So what are the right questions to ask:

With any service that someone delivers, you want to know that they are delivering something reasonable.

My favourite example is web application development.  In recent months I have had to deal with several such providers, who all claim to do a great job yet cannot answer even basic questions about how they achieve it.

Some examples (and the answers I got from a prestigious company):

1) How is security integrated into your software lifecycle?  "We test monthly."
2) Who does the testing?  "Our developers."
3) What are their qualifications?  "Senior developers have worked for us for over 10 years."
4) What triggers a retest?  "We always test monthly."
5) What types of tests are performed (provide a list)?  "Web tests."
6) Are these tests automated or manual?  "Automated, every month."
7) Who is vetting the test results?  "Our senior developer."
8) What secure development training has your dev team received?  "They are senior developers and have been trained as such."
9) What were the last three significant security issues identified during testing?  "We have not had any significant security issues."

That last one is a real kicker.....  They have to provide you with something, and statistically it should be something real and juicy.  Yet, nothing.  So they have never even had an XSS on a forgotten form field.  Impressive indeed!

Bottom line, these questions should be like the questions you get asked when clearing customs.  The question itself is not that important, it is the response that we are looking at and gauging the maturity of the answers.  The answers above.... simply suck and show no maturity at even a basic level.

You simply cannot just hand off your critical data to any third party that claims they develop secure applications and assume this is all good.

Once you have identified someone that gives you reasonable answers, you should still perform your own testing (or mandate someone to do quality testing for you) assuming the system in question is valuable to your business.

This is the sanity check to ensure that the wonderful rainbows promised to you have been delivered.

The old adage, TRUST BUT VERIFY always applies. 

One thing you can trust me on is that, statistically, most companies claim to provide the absolute best security and, just like Donald J. Trump's hands, come in a little too short.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com





Friday, November 30, 2018

The era of lies - Always vet your vendors

I am often faced with corporations that ignore obvious security issues to favour short-term gains and protect the egos in their management structure.

This week, MARRIOTT surfaced with one of the largest breaches of the year, exposing everything from passports to room service preferences.  At first glance it looks like a full compromise of just about everything.



https://www.businessinsider.com/marriott-data-breach-500-million-guests-affected-2018-11


This is a large multinational corporation with resources.  The breach appears to have gone on for years.  In the next few weeks we will see the same list of errors that have been made time and time again by all these corporations that get hit hard.  I will take any bets on some basic fundamental issues being a large contributing factor.  They had great security products in place, but a lot of it was tuned down because nobody understood the technology they bought.  They have a great big security team, so they felt great about their security posture, yet senior management didn't listen to them.  Some of their partners may even have mentioned significant issues, but the messenger was shot and the message died a slow death.  You name it, they fit the profile.

In parallel to this, in my role as CSO for one of my clients, I am evaluating two potential vendors for a sensitive data processing service.

I use a single one-page security questionnaire to get the ball rolling.

I like to give a potential vendor the chance to either lie to me or make their lack of competence clear.

Something I observe over time is that everyone claims these basic characteristics:

1) They claim to have been doing whatever they are doing.... for ages.....
2) They have the words security dropped on their websites and in their presentations
3) If you ask, they provide secure software, or secure services, or secure anything
4) Of course they test things
5) Of course their developers are qualified and have security experience.

This week, I had the chance to challenge two potential vendors and the delta between the two was shocking, which led to me writing this blog entry.

Generally vendors (especially the ones offering SaaS or cloud-based crap) all fit the list above, and their TRUE reality is that they have negligible security in place because they completely lack cybersecurity competence.

1) Who cares if you have been doing this a long time, who cares if you are a large organization.... have you evolved ?
2) Dropping the word security everywhere does not ensure anything is secure
3) How can you prove you are delivering secure xyz ?
4) They are not testing much if anything
5) Their developers are perhaps great, old, experienced developers, but they do not have security training and no secure SDLC is in place.

So I wanted to talk about TESTING today, because I frequently have to weigh the tests that vendors claim they do against the real-world requirement to do a reasonable amount of testing.

THE #1 OBJECTIVE:  When doing security testing, the first objective is not to find bugs but to find root causes and fix the behaviour that leads to exploitable vulnerabilities.    That way, when you come back and test down the road, the same class of issue has not simply crept back in.

Doing a full set of tests on a web application may require 10 to 15 days of well orchestrated testing.  When management comes back with a comment along the lines that this is expensive, this means they seriously lack comprehension on what delivering a quality service entails.  

Performing quality testing pays large dividends.  The things you identify lead to your operational staff and your development staff learning from their mistakes, they add to their knowledge and start producing better quality systems and code.


ILLUSION OF SECURITY

So if you are doing business with someone who is providing you with a report that something was tested.... you need to know if this is provided as an illusion of security or was something really truly tested with an adequate testing initiative.

That is why I always ask to see the work order, the bill, the number of hours invested.  I especially love asking after a vendor has navigated their ship into the lies that are so typical of incompetence: "We have big clients, look at my client list.  And they never asked us all these questions."

Well guess what, buttercup: they let you shift responsibility on the strength of your bold statements, and someone with more maturity and experience (little old me) is not going to let you do that.  I do not adhere to the transfer-of-responsibility trend that publicly traded companies so enjoy.  When something gets violated, I know that my client will look bad, and I will look bad, if everyone did not do their job with quality in mind.

So ask your vendors if they deliver a quality service, then ask them if they perform quality tests.   Once you have had your bullshit answers to both questions, ask for the test report and make sure it includes the man-hours spent performing the tests, or the bill if the testing was done externally.

But brace yourself, you will see a lot of $2500 and $5000 full blown application security tests.

Don't be too insulted when you realize that this quality service that is being presented to you has only invested a few days of security oversight across their entire product line.

Do remember this however, when something goes terribly wrong and a real expert looks under the hood.... that couple days of security is going to make you look like the biggest idiot this side of the white house.

Remember Equiflop.  I mean Equifax.  After they got violated they actually reported that in order to bring their security up to the expected level that it should be... they invested $170 million if I recall.

SOME BASICS

Simply running an automated VA (vulnerability assessment) scan across a system does not test the application.

Simply running a web application testing tool across an unauthenticated web page does not test the application.

Investing a couple days of security on a system is NOT SECURITY TESTING

If your vendor is telling you they do great secure work and these are the types of tests they are providing you, then you are being handed a false sense of security, they are not learning from their mistakes, and the application they provided has not been tested.

Enterprises frequently try to stay competitive by not increasing their level of service or the quality of the service they provide.  This is extremely dangerous in IT.  Things have changed dramatically in the last decade, and companies who use the word SECURE are starting to get sued when it turns out to have been a gross exaggeration amounting to negligence.

I love my job.  I love being the acting CSO for my clients because I get to ask these really good questions.  And as an added perk, when I walk into a room with a vendor and they have done their homework I can hear their butt cheeks tighten up.  That means I'm doing a great job and they are not.

You should always work with vendors who have relaxed butt cheeks.

So back to my two vendors.  The first one was a disaster of lies and lack of competency.  The second one had stunning responses, had hired a full-time security person with adequate credentials, and does real testing using methodologies that actually exist rather than ones made up on the spot.

Moral of the story is that some vendors are providing quality services and do invest to ensure that this is the case.

Ask questions, don't be the type that assumes that everything is ok just because someone said they test things or that they deliver secure services.

Figure out if your vendor LIES or is INCOMPETENT.  

Huge difference between the two really.  Very hard to work with lies.   Lack of competency however you may be able to work with.  If the vendor is willing to learn and work transparently and continuously getting better.

So it is really your call.  Do you want to be willfully blind, work with liars, work with negligent incompetence or take the time to find the vendor that will actually deliver on their promises of security.

As for Marriott, you can bet that every level of management is pointing the finger at each other, you can also bet that several third parties are in the loop and probably contributed to this failure, and you can bet that the vetting process was terribly weak, mostly based on decisions made within a closed circle.

What you can also bet on is that you won't hear about them.  All you will remember this time next year is how Marriott got the shit kicked out of them in an embarrassing breach.

Remember that the next time you deal with weak vendors: if you fail to vet them adequately, it is your reputation that will pay the price.

Ask questions folks, and choose to work with quality staying far away from illusions of quality.

For now, I'm going to get myself a nice Cognac, throw some wood in the fireplace and watch the Marriott story unfold.  They won't admit it, but they will lie through their teeth for the next month. 

Always a great way to end a week for me.

And yes, I still refuse to participate in the illusion of security.  I don't do 2 day intrusion tests so that some jackass has a report to hand in that says that "something" has been done.


_______________________________________________








Tuesday, July 3, 2018

WTH: We left personal data exposed for months to catch "the" hackers.

I often mention that not a week goes by that someone doesn't give me something juicy to blog about.

Some weeks are just amazing.




So this will be an opinion piece since everyone is entitled to an opinion ;-)

If you want the short version, here it is: 


Short version:  A company that exposed the personal data of over 130,000 citizens is now considering hiring a security firm to test their sub-par application, says they knew of the security issue for months, is convinced it was only there for 2 months, and confirms they left it open to catch "the" hackers.

Short analysis:  They didn't know, and they couldn't have caught "the" hackers, since most are in foreign countries and even law enforcement can't catch them.  Conclusion: they are clueless on security, and the cities that outsourced their services to these clowns are to blame for not doing ANY security due diligence.

The longer funny version: 

I blogged about this issue last week (see previous entry).  What has changed is that a newspaper article was written on the subject, and it seems the company in question has no idea how to handle a security incident (like most companies).  They are just opening their big mouths, and the vomit that is coming out is so telling of their security maturity that I will now be using this example when I teach my students.

Strike 1:  for months "we left the site vulnerable so we could catch the hackers".

Comment 1: Stupidest thing I heard this month (but in their defence, it is only the first week of the month).  The hackers you could catch are the local ones checking out the vulnerability for the fun of it, and that wouldn't do much as they probably have no criminal intent.  The real ones are smart enough to route through another country, or are actually in another country.  The fact that they think they will catch someone proves that their maturity is rock bottom.  The simple idea of leaving REAL data exposed in order to catch someone that they can't possibly do anything about is just wow.  This confirms a complete lack of understanding of both security and privacy regulations.  Also, let's see the police report, since you obviously contacted law enforcement as soon as you knew someone was hacking you, given that you wanted to "catch" them.... oh wait... you didn't know about any of this until the journalist called...


Strike 2: Only a few accounts had Social Security Numbers.

Comment 2:  This seems to imply two things: first, that not much valuable data was exposed, and second, that birthdates, home addresses and medical conditions aren't important.  It is important to note that the video I saw seemed to pick accounts at random and they all seemed to have Social Insurance Numbers, so I'm not even comfortable with the declaration that only a few accounts have a SIN.  In fact, this entire story is a SIN  ;-)


Strike 3: We are looking into hiring an external security firm to test out our application.

Comment 3: What?  Out of 200 municipalities, not one put this in as a requirement!  And why are you only looking at it now?  Haven't you proven beyond a shadow of a doubt that you desperately need adult supervision!?  When reporters started calling you... this didn't strike you as a great time to do it....


Strike 4:  We know exactly when the "bad code" was introduced, it has only been a few months, so we know exactly which accounts have been breached and we are going to contact them.

Comment 4:  Yeah, you have clearly demonstrated that you are in full control of your ecosystem, and I feel confident that you actually "know" everything, had detailed logging in place that goes back years, and that your software development lifecycle is solid to the point of having found other major issues introduced in past revisions.  I also feel very confident that you will take immediate action without a journalist calling you up to point out that you're exposing all your customers' data.  Is it beer time yet.....

UPDATE !:  La Presse just published an article giving even more ammunition to my rant.....




Strike 5 (Because this is that type of ball game):   They are claiming that only 30 personal records have been accessed.... yet an anonymous source sent me a series of videos containing a number way north of 30.

Comment 5:  This means that they have no clue who has accessed what, or when.  For all we know, everything may have been scraped by a bot and all the data ingested by a malicious actor.   Oh yeah... they could also be lying, because that seems to come up a lot!


A recommendation for the company in question:  Next time, shut up and hire a professional to handle your PR/security issue.  Also, stop considering security and actually do it.  And as a final recommendation, stop lying and making it up as you go along.

A recommendation for the municipalities handing our private data to contractors:  According to GDPR and many upcoming privacy regulations, you are responsible for handing off business processes to QUALIFIED firms.  This doesn't mean what you think it means.  It means they understand their duties.  For a software development firm, this means training developers on security and including security testing within the SDLC (Software Development Lifecycle).  It also means never leaving a vulnerable system exposed so you can look at logs.  Oh wait... that was a lie.... since you had no idea you had a breach until the phone rang.....

I guess that is why I always tell senior executives to SHUT UP and let the qualified folks take the microphone.  Blurting out a bunch of incoherent crap like this only proves that you are either lying or incompetent.  

Big trophy for them this week, because in only a few statements they proved both.  Good job !



_______________________________________________




Tuesday, June 19, 2018

Cross your fingers "security" the current gold standard.

It's mid week, not even a Friday and things are heating up.

Headline: "Enterprises take huge risks with our personal data".   Please.

Not a big surprise to security professionals as we are constantly "fighting" for adequate security.

By adequate, I mean normal, sensible, security.

I was contacted by several journalists this morning with regards to a services portal that operates in the municipal space as a SaaS provider.

This "service" manages something to do with leisure activities.  I don't want to name them, since I like my enemas handled by qualified doctors and not by legal teams with no comprehension of what security hygiene means.

So this portal supports 100's of municipalities and has 100's of thousands of users, yet security was never addressed.

Why do I say "never addressed"?  Simple.... I cannot say "never reviewed", because I do not know if these things were simply ignored, judged not important at the time, or simply unknown to them.

I'm actually still on the fence with which I like best, someone who lies to me or someone who is incompetent.

The issue is simple (and multiple issues should have been identified by a qualified security expert).

For one, the site uses a sequential ID in the calling URL, and nothing on the server checks that the record belongs to the logged-in user.  This means (you guessed it) changing the ID means accessing someone else's file: a textbook insecure direct object reference.




That alone is already an issue, but it gets worse.

You don't need real credentials to get to it.  Anyone can create an account without any email validation, so once you have created your fake account, you can read everyone's file.

But wait !  There is more!

The personal data includes home address, phone number, birthdate, medical conditions and allergies !

But wait !  There is yet more!

Social insurance numbers are not only stored unhashed in the database, they are returned to your browser when you view your file (or anyone's file, since you can change the ID number to "see" someone else's).

Here is the awesome protection on that one field..... it is returned in an HTML <input type="hidden"> field so it doesn't display on your screen  ;-)  Hidden is a rendering hint, not an access control; the value is sitting right there in the page source.
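To make the two problems above concrete, here is an added example (not the portal's code; the data store, field names, session object and the sample records, including the placeholder SINs, are all invented for illustration).  It shows the lookup pattern that lets a self-registered account walk the ID space and collect every record with the SIN in it, beside a lookup that binds the record to the authenticated session and masks the SIN before it leaves the server.

```python
"""Added example, not the portal's code: an insecure direct object reference
(IDOR) on a sequential record ID, beside a hardened lookup.  The data store,
field names and session object are assumptions made for illustration."""

# Constructed sample records keyed by the same kind of sequential ID the
# portal exposed in its URL.  Every SIN here is a made-up placeholder.
MEMBERS = {
    1001: {"owner": "alice", "name": "A. Tremblay", "birthdate": "1980-03-02",
           "allergies": "peanuts", "sin": "000-000-001"},
    1002: {"owner": "bob", "name": "B. Gagnon", "birthdate": "1975-11-19",
           "allergies": "", "sin": "000-000-002"},
    1003: {"owner": "carol", "name": "C. Roy", "birthdate": "1992-07-30",
           "allergies": "latex", "sin": "000-000-003"},
}


class Forbidden(Exception):
    """Raised when the session does not own the requested record."""


def view_file_vulnerable(session_user, record_id):
    """The portal's pattern: the ID in the URL is trusted as-is.  Any account,
    even a self-registered one with a fake email, reads any record just by
    changing the number, and the full SIN is sent to the browser (an
    <input type="hidden"> is a display choice, not an access control)."""
    return dict(MEMBERS[record_id])


def view_file_hardened(session_user, record_id):
    """Server-side authorization: the record is returned only if it belongs
    to the authenticated session, and the SIN is masked before it leaves the
    server because the page has no reason to carry it."""
    record = MEMBERS.get(record_id)
    if record is None or record["owner"] != session_user:
        # Same response for "missing" and "not yours", so the ID space
        # cannot be mapped through differing error messages.
        raise Forbidden("no such record for this session")
    safe = dict(record)
    safe["sin"] = "***-***-" + safe["sin"][-3:]
    return safe


def scrape(view_fn, session_user, id_range):
    """What one fake account can harvest by walking the ID space."""
    harvested = []
    for record_id in id_range:
        try:
            harvested.append(view_fn(session_user, record_id))
        except (Forbidden, KeyError):
            continue
    return harvested


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable:", len(scrape(view_file_vulnerable, "bob", ids)), "records, SINs included")
    print("hardened:  ", len(scrape(view_file_hardened, "bob", ids)), "record, SIN masked")
```

The check that matters is the ownership comparison on the server; renaming the parameter, obfuscating the ID or hiding the field in the HTML changes nothing, because the attacker controls the request and reads the raw response.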




So what are the lessons learned here....

1) Municipalities (and the private sector) should not trust a SaaS provider just because they say "everything is fine".  "These are not the droids you are looking for" is not a security approach.

2) If the SaaS provider tells you they have awesome security because they are hosted in a CLASS 1 datacenter called AZURE, AWS, GOOGLE, etc.,   run!  It means they do not grasp that the security of their hosting provider covers only the plumbing; it says nothing about the "quality" of the application the provider is throwing on top of the certified infrastructure.

3) Security testing is a MUST and it must be performed by someone qualified.  

4) Account creation should be limited to valid email addresses

5) Authorization must be enforced server-side: every record lookup should be bound to the authenticated session's identity, and hiding a field client-side (or relying on any client-side control) is not security.

6) Being a small unknown company in the wild and huge world we call the Internet doesn't mean you do not need security.  Crossing your fingers and hoping for the best is also not the best approach.

7) Logging and alerting when someone is leaching your entire client database is probably a good idea.
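Point 7 above (and the earlier post's guess that the whole database may have been scraped by a bot) is the kind of thing a few lines over the web server's access log will show you.  Here is an added example, not from the original post, run over constructed log lines: one legitimate user opens their own file twice, while another client reads fifty consecutive IDs in under a minute.  The URL path, the log format and the thresholds are assumptions for illustration.

```python
"""Added example, not from the original post: spotting a client that walks
the record ID space, run over constructed access log lines.  The URL path,
log format and thresholds are assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format log lines.  One real user looks at their own
# file twice, five minutes apart; one client reads fifty consecutive IDs in
# under a minute.
LOG_LINES = [
    '198.51.100.4 - - [19/Jun/2018:09:58:10 -0400] "GET /member/file?id=1042 HTTP/1.1" 200 1811',
    '198.51.100.4 - - [19/Jun/2018:10:03:44 -0400] "GET /member/file?id=1042 HTTP/1.1" 200 1811',
] + [
    f'203.0.113.7 - - [19/Jun/2018:10:00:{i:02d} -0400] "GET /member/file?id={1000 + i} HTTP/1.1" 200 1790'
    for i in range(50)
]

# Only requests for the record-view endpoint matter; everything else is skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /member/file\?id=(?P<id>\d+) '
)


def parse(line):
    """Return (ip, timestamp, record_id), or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("id"))


def find_scrapers(lines, window=timedelta(seconds=60), max_distinct=10):
    """Flag any client that reads more than `max_distinct` different records
    inside any `window`.  Returns {ip: (distinct_ids_in_worst_window,
    fraction_of_requests_that_step_the_id_by_exactly_one)}."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, ts, rid = parsed
            by_ip[ip].append((ts, rid))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        # Worst-case number of distinct records inside a window starting at
        # each request (a simple sliding window over the sorted events).
        worst = 0
        for i, (start, _) in enumerate(events):
            ids = {rid for ts, rid in events[i:] if ts - start <= window}
            worst = max(worst, len(ids))
        # Fraction of consecutive requests whose IDs differ by exactly 1:
        # close to 1.0 means the client is counting, not browsing.
        steps = [b[1] - a[1] for a, b in zip(events, events[1:])]
        seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
        if worst > max_distinct:
            alerts[ip] = (worst, round(seq, 2))
    return alerts


if __name__ == "__main__":
    for ip, (count, seq) in find_scrapers(LOG_LINES).items():
        print(f"ALERT {ip}: {count} distinct records in 60s, sequential fraction {seq}")
```

The threshold is deliberately generous; a real user has no reason to open ten different people's files in a minute, and the sequential fraction separates "opened a few files" from "enumerated the table".  Wire the alert to something a human reads, and to a rate limit on the endpoint.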

I'm going to stop, because I'm getting sarcastic again.  I really do need therapy.

On a very serious note.  When dealing with sensitive, regulated PIPEDA type data, perhaps some security is a fair expectation and a reasonable minimum.

From a GDPR perspective, everyone involved here is a potential winner of a multimillion euro grand prize.


_______________________________________________



Thursday, June 14, 2018

When the girl is too good to be true.... dive right in !


So I get a friend request on Instagram.

She is too cute and too young for me to not feel so so special.

I was ready to buy a plane ticket and jump onboard.

Her name is Caren A Lewis.  And this is the story of how I played with her all week.



So being the security pro that I am, I immediately started chatting with her/him/it because I need more friends like her.

I wanted to get to know her.  The real her ;-) 

Well, turns out she is from Helena, Montana.  Far enough away that I can't just stop by for a visit.  And turns out what cute young girls want today are online relationships and money to buy a new iPhone because it is her birthday in a few days.  Poor thing, using an old Samsung!

After many days of chatting and exchanging, we finally got down to making a deal ;-)



As you can see from this segment of the exchange, she was being a little pushy as her money hungry fangs felt the proximity of potential cash.   Except I finally revealed what I called something kinda kinky... who I was, and that I actually had a good buddy of mine at Instagram online working with me to fry that sausage for good. 

I won't show that part of the message, because I used a lot of military language that my commanding officer warned me about not using in public.


SAFETY TIPS 101

Here are some tips for anyone foolish enough to fall for one of these scams.....

Do yourself a favour and do these two things :

1) Upload some of the pictures to Google Image Search (a reverse image search).  Google will find all the pictures that look like your new imaginary lover, and you may notice that the pictures come from either other fine young ladies or have been identified as pictures used by scammers (as is the case with this one).





2) This one is important, since your blood flow may be ill-routed.  If you still have doubts or are plain delusional that a random sexy young lady picked YOU....  ask her, by her, I mean the hairy dude behind the keyboard... ask her to send you a picture of herself holding the local paper.     Trust me, the conversation will dry up almost as fast as that blood flow issue will resolve.

Important Internet Safety Tip #4931:  Don't be a dumb ass

_______________________________________________



When a security vendor ignores security - What could go wrong.

Another week, another embarrassing security issue.

I'm going for something light this week, to end the week smoothly.

So many news items to pick from, my eyes and heart landed on a highly secure digital padlock.




What could go wrong

Well, it seems everything could go wrong, since this padlock has a list of transgressions longer than Donald Trump's.

Note that their selling points include ZAMAK 3 Zinc Alloy metal body with cut-resistant stainless steel shackle.  Double layered design with anti-shim and anti-pry..bla bla bla...

Pretty solid lock, right!    Well..... if you lose access to the padlock, no worries: just get a GoPro sticky mount pad, stick it to the back and twist the back open.  Once it's popped open, it's pretty easy to physically unlock it.  That's right... the back twists and pops off... you know... for maintenance and oil changes!



Twist and pop !



And on the digital front, they claim military grade security.  AES128 is a perfectly respectable cipher, but "military grade" is a marketing term rather than a standard, so we can let that one slide.  What is interesting is the fact that the communications between the mobile app and the cloud API are all done over the very secure HTTP protocol.  That's right folks, no S on the HTTP: anyone on the path can read and modify the traffic.

The Bluetooth Low Energy (BLE) side:  vulnerable to a replay attack (easy hack).  Capture one unlock exchange over the air, send the same bytes again, and the lock opens.

Quote from the research article:  


Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
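To make the two BLE findings concrete, here is an added simulation that is not part of the original post or of the Tapplock firmware.  It assumes a hypothetical weak design in which the unlock token is derived (here with MD5) from the MAC address the lock advertises, so the token is both derivable from the broadcast alone and identical every time, and places next to it a challenge-response design in which the lock holds a pairing secret that is never transmitted and issues a fresh random nonce per attempt, so a sniffed response is useless the second time.  The derivation, class names and the 16-byte nonce size are illustration choices, not Tapplock's actual scheme.

```python
"""Weak BLE unlock (static, MAC-derived token) beside a replay-resistant one.
Simulation only: the MD5-of-MAC derivation is an assumed illustration of
'all you need is the advertised MAC', not the real Tapplock algorithm."""
import hashlib
import hmac
import os

UNLOCK_CMD = b"unlock"


class WeakLock:
    """Unlock token is a pure function of the MAC the lock broadcasts."""

    def __init__(self, mac: str):
        self.mac = mac                      # advertised to everyone in range
        self._key = WeakLock.derive_key(mac)

    @staticmethod
    def derive_key(mac: str) -> bytes:
        # Assumed scheme: anything computable from public data is public.
        return hashlib.md5(mac.upper().encode()).digest()[:8]

    def unlock(self, token: bytes) -> bool:
        # No nonce and no session state: the same bytes open it every time.
        return hmac.compare_digest(token, self._key)


class StrongLock:
    """Per-device secret set at pairing plus a single-use nonce per attempt."""

    def __init__(self, pairing_secret: bytes):
        self._secret = pairing_secret       # never sent over the air
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)        # fresh for every attempt
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        if self._nonce is None:
            return False                    # no outstanding challenge
        expected = hmac.new(self._secret, self._nonce + UNLOCK_CMD,
                            hashlib.sha256).digest()
        self._nonce = None                  # consume it: replays fail here
        return hmac.compare_digest(response, expected)


def phone_response(secret: bytes, nonce: bytes) -> bytes:
    """What the legitimate owner's app sends back to StrongLock."""
    return hmac.new(secret, nonce + UNLOCK_CMD, hashlib.sha256).digest()


def weak_attacker_from_mac_only(mac: str) -> bool:
    """Attacker saw only the advertisement; can they open a WeakLock?"""
    lock = WeakLock(mac)
    return lock.unlock(WeakLock.derive_key(mac))


def weak_replay(mac: str) -> bool:
    """Attacker sniffs one owner unlock and replays the captured bytes."""
    lock = WeakLock(mac)
    sniffed = WeakLock.derive_key(mac)      # what the owner's app sent
    assert lock.unlock(sniffed)             # owner's own unlock works
    return lock.unlock(sniffed)             # replay works just as well


def strong_replay(secret: bytes) -> bool:
    """Same sniff-and-replay against the challenge-response design."""
    lock = StrongLock(secret)
    sniffed = phone_response(secret, lock.challenge())
    assert lock.unlock(sniffed)             # legitimate unlock succeeds
    lock.challenge()                        # new attempt, new nonce
    return lock.unlock(sniffed)             # stale response is rejected


def strong_attacker_from_mac_only(secret: bytes, mac: str) -> bool:
    """Attacker knows the MAC but not the pairing secret."""
    lock = StrongLock(secret)
    nonce = lock.challenge()
    guess = phone_response(WeakLock.derive_key(mac), nonce)  # wrong key
    return lock.unlock(guess)


if __name__ == "__main__":
    mac = "AA:BB:CC:DD:EE:FF"               # constructed sample address
    secret = os.urandom(32)
    print("weak, MAC only :", weak_attacker_from_mac_only(mac))
    print("weak, replay   :", weak_replay(mac))
    print("strong, replay :", strong_replay(secret))
    print("strong, MAC    :", strong_attacker_from_mac_only(secret, mac))
```

The lesson is not "use a bigger cipher": the weak design fails with AES-256 too, because the secret is derivable from public data and nothing in the exchange varies.  A per-device secret provisioned at pairing and a nonce the lock generates itself are the minimum; the same nonce logic is what the phone-to-cloud API should have had as well, on top of TLS.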

I could go on and on, but the following two articles do a much better job providing something to laugh at and giving you something to avoid in your own projects.

Walk through of all the issues:
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/

SC MAGAZINE article about it all:

https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-digitally-vulnerable/article/773348/


LESSONS LEARNED

Having a "qualified" security person in any of these architecture and design meetings would certainly have made these issues float to the surface.   Instead, the only thing that floated to the surface was a genuine sh*t product.

So, to be fair, they may have had a security person in these meetings.  In that case they either had someone with inadequate qualifications, or they did what most startups (and, cough cough, large enterprises) do and said "shut up with all these issues, we need to push this to market to get our first round of financing through".  

Kids, this is why we can't have nice things.  

If Gordon Ramsay had been in this kitchen, he would have told their CEO that he is either blind, incompetent or stupid, or a mix of all three.

Nothing wrong with making money but it kinda stinks when you can't make "honest" money and produce "quality" products, especially when the product is a "security" product.

Do we really need more landfill ?

**** (EOR) END OF RANT


_______________________________________________


Wednesday, June 6, 2018

INTACT Insurance fails GDPR compliance logic check



It is no secret that every enterprise will claim to be onboard for GDPR compliance.

It is also no secret that nobody is actually GDPR compliant.  To what degree, and how much of it they will admit, remains to be seen.   And some are going out of their way to prove they lack either the competence or the desire.

Many "normal" citizens feel that large multinational corporations actually care about them.  They love the points programs, and they love the perks.  They also fail to see that these "programs" are meant to keep you as a customer through the illusion that you are special.  You are not.  You are a requirement for doing business, and corporations love taking your money while delivering the most cost effective service possible.  This is a polite way of saying they deliver the cheapest service they can get away with while maintaining the illusion that everything they lay is a golden egg.

One of the main parts of GDPR (and many would say common sense) is Article 25.

Article 25 is all about "Data Protection by Design and by Default".  In plain terms: build something that doesn't get you fired.  Build something that is reasonable and respectful of the data you are processing, with protection decided at design time rather than bolted on afterwards.

So let's take a look at INTACT INSURANCE today.




They have a great app that they advertise with a catchphrase that translates into "reap the benefit of secure remote access to your data".  I didn't bother going to see the English version because hackers are lazy.  But it turns out large corporations are too.... read on....




Would it be any surprise that they are not GDPR compliant, or, it seems, compliant with anything significant when it comes to security?

Take a look at the User Agreement section on security:





How good do you feel as a customer now? 
Do you still feel valued?   
Do you still feel special?

If you do, contact me immediately, I have a new cryptocurrency to "sell" you at an amazing rate!

So as far as compliance with GDPR goes, they are failing in many areas way beyond "Data Protection by Design".

It is fascinating to see how a legal department pumps out these gems to "protect" the enterprise and "protect" the shareholders while letting everyone know that they will take no responsibility for pushing out bad software to their customers' mobile phones and potentially exposing sensitive information or enabling identity theft.

Now, what if this was actually all a magic trick, and what they are actually doing is full-on spying on their customers?   I didn't think of this one; my friend Eric (not the voice in my head) had this genius idea.   A mobile phone certainly knows what locations you visit, how fast you drive, and probably a bunch of other interesting things that they could always claim were collected by spyware, since "we do not guarantee" anything!

Maybe Facebook and Google have a lot to learn, because this is actually pretty clever.  Build a contract that says we don't guarantee anything, hide it in a lot of legal terms, and you're golden.  Oh... wait... GDPR actually says you cannot do that.  Darn it.  

One thing remains certain: large corporations have very large legal budgets and will work hard to ensure they take as little responsibility as possible.

This is only mid-week.  So many breaches can come out before the weekend, giving us all many other examples of GDPR failures; this one just happens to come before the breach.

Ultimately, if you read the small print or pay close attention, most enterprises already radiate their GDPR failure through their daily actions, as this example does.

If someone takes the time to read through GDPR it all makes sense, but it relies on people knowing what they are doing and doing a good job across the board.  Not something most large enterprises are awesome at.

I'm really eager to see what the end of week breaches will be.  I always feel like Christmas day when Friday is just around the corner !

_______________________________________________


Friday, June 1, 2018

When praise hides incompetence. How BMO and others are failing their “customers”




We all have to start realizing that we are not really their customers.  That we are their product.  We are an annoyance that is required for them to make money.

If we indeed were their customers, then they wouldn't be handing over all our personal information to third parties like Equifax without actually doing proper due diligence.

So this week's blunder on the BMO and CIBC side shows us just how much big enterprises care, and how prepared big enterprises actually are to deal with major data breaches.  They aren't.

Several "customers" who happen to be friends of mine sent me the messages they received from the banks.  One friend, who happens to be at the top of the "security" food chain, actually called BMO after receiving the notice that his information had not been exposed, and he requested a written confirmation that his information was all safe.  The response: "Sir, we cannot do that. If you get a call from us, then your information is involved; if you don't get a call, then you are all good."

Awesome maturity!  Awesome process.   How proud they must all be.

This is unacceptable for many reasons.  The most important one is the fact that waiting for a call that may never come isn't really a way to manage data breaches.  What if they call the wrong number?  What if I miss the call?  I may never officially know that my information has been exposed.

Then we have the warm feeling some of us got when they announced the breach publicly, it seems, hours after the breach was exposed.

Many (rightfully so) praised the quick "customer" notification.  The reality, however, is not as awesome.  Turns out I was right.... It was a hostage situation.   A sample set of customer data had been posted on Pastebin. 

Somehow the banks managed to shovel shit down our throats by telling us that they instantly put in place “enhanced security” and that the breach point was identified and closed and everything is now fine.

This alone should cause concern for any security professional.  If someone breaches your system and then asks for a ransom, chances are things aren't fine.  It could be that they also left a backdoor, but it is 100% certain that all 90,000 leaked accounts HAVE LOST THEIR INFORMATION TO CYBER CRIMINALS.  The 90,000 can't change their dates of birth or their social insurance numbers. 

So instructing your clients to change their passwords and offering credit watch services for one year is 100% BULLSHIT, 100% SECURITY THEATRE and 100% NOT TREATING YOUR CUSTOMERS LIKE VALUED CUSTOMERS.  After you lose all my shit, you should legally be forced to provide credit monitoring services until I drop dead.

Cyber criminals don't use stolen personal information for identity theft immediately.  They assemble information into a higher value profile and then use it.  The repercussions of all these data breaches will be felt for many years, not just 12 months.

This is where I like GDPR.   Chances are that out of the 90,000 people exposed, some live in the EU (GDPR protects people who are in the Union, regardless of citizenship).  This would mean that BMO and CIBC have just been proven to be NON-COMPLIANT.  This means they are exposed to a significant penalty.  It's basically 20 million euros or 4% of their global annual turnover, whichever is higher.  Guess what.... it's way more than 20 million!

But this won’t change anything.

Here is why.

Financial penalties impact the bottom line of the enterprise temporarily.  

Watch the stock fluctuations of any breached publicly traded company and generally they bounce back really quickly.

Heck, Equifax MADE MONEY selling their credit protection services!  
Talk about screwing the citizen!

The CEOs and senior executives will come and go.  They all get paid LARGE sums regardless of their failures, and they never face any real penalties for non-compliance or major failures under their management.

Bottom line, they have NO REAL MOTIVATION to change anything and no real need to do so.

What we need, is a set of laws that includes personal liability for senior managers.

Hey…. We are all allowed to have a dream.

Or, alternatively, we need a NEW system that makes these personal pieces of information irrelevant.  Enter blockchain technologies, perhaps.

Things must change because it is simply NOT TRUE that my name, address, DOB, and SIN are actually confidential.  These have all been breached numerous times and should NOT be personally identifiable information.

Something to think about....


_______________________________________________


