Tuesday, June 19, 2018

Cross-your-fingers "security": the current gold standard.

It's mid week, not even a Friday and things are heating up.

Headline: "Enterprises take huge risks with our personal data".   Please.

Not a big surprise to security professionals as we are constantly "fighting" for adequate security.

By adequate, I mean normal, sensible, security.

I was contacted by several journalists this morning with regard to a services portal that operates in the municipal space as a SaaS provider.

This "service" manages something to do with leisure activities.  I don't want to name them since I like my enemas handled by qualified doctors and not by legal teams with no comprehension of what security hygiene means.

So this portal supports hundreds of municipalities and has hundreds of thousands of users, yet security was never addressed.

Why do I say "never addressed"? Simple.... I cannot say "never reviewed", because I do not know if these things were simply ignored, judged not important at the time, or simply unknown to them.

I'm actually still on the fence with which I like best, someone who lies to me or someone who is incompetent.

The issue is simple (and multiple issues should have been identified by a qualified security expert).

For one, the site uses a sequential ID in the calling URL.  This means (you guessed it) that changing the ID means accessing someone else's file.




That alone is already an issue, but it gets worse.

You don't need credentials to get to it.  Anyone can create an account without any email validation, so once you have created your fake account, you can read everyone's file.

But wait !  There is more!

The personal data includes home address, phone number, birthdate, medical conditions and allergies !

But wait !  There is yet more!

Social insurance numbers are not only stored unhashed in the database, they are also returned to your browser when you view your file (or anyone's file, since you can change the ID number to "see" someone else's file).

Here is the awesome protection on that one field..... it is returned in an HTML input of type="hidden" so it doesn't display on your screen  ;-)




So what are the lessons learned here....

1) Municipalities (and the private sector) should not trust a SaaS provider just because they say "everything is fine."  "These are not the drones you are looking for" is not a security approach.

2) If the SaaS provider tells you they have awesome security because they are hosted in a CLASS 1 datacenter called AZURE, AWS, GOOGLE, etc., run!  That means they do not grasp that the security of their hosting provider is only the plumbing section; it says nothing about the "quality" of the application the provider is throwing on top of the certified infrastructure.

3) Security testing is a MUST and it must be performed by someone qualified.

4) Account creation should be limited to validated email addresses.

5) Authentication mechanisms should limit the session's visibility into data (certainly no client-side security).

6) Being a small unknown company in the wild and huge world we call the Internet doesn't mean you do not need security.  Crossing your fingers and hoping for the best is also not the best approach.

7) Logging and alerting when someone is leeching your entire client database is probably a good idea.
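As an added illustration (not code from the original post, and not the portal's code), here are lessons 5 and 7 side by side: the look-up-by-URL-ID handler described above next to a handler that checks ownership against the server-side session and never sends the SIN to the browser, plus a small detector that flags a session walking a sequential ID space, run over constructed access-log lines. All records, user IDs and log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Session:
    """Server-side session: the only identity the handler may trust."""
    user_id: int


# Constructed sample records (not real data). 'sin' = social insurance number.
PROFILES: Dict[int, dict] = {
    1001: {"owner": 7, "name": "A. Example", "allergies": "peanuts", "sin": "000-000-001"},
    1002: {"owner": 8, "name": "B. Example", "allergies": "none", "sin": "000-000-002"},
}


def get_profile_vulnerable(session: Session, profile_id: int) -> Optional[dict]:
    """The pattern described above: the record is looked up purely by the ID
    taken from the URL, so any logged-in session can read any file, and the
    SIN goes out with it (a type="hidden" input is still on the wire)."""
    return PROFILES.get(profile_id)


def get_profile_hardened(session: Session, profile_id: int) -> Optional[dict]:
    """Lesson 5: authorise on the server, against the session, not the client.
    Ownership is checked before anything is returned, and fields the page does
    not need (the SIN) are never sent to the browser at all."""
    record = PROFILES.get(profile_id)
    if record is None or record["owner"] != session.user_id:
        # Same answer for 'no such record' and 'not yours': no enumeration oracle.
        return None
    return {k: v for k, v in record.items() if k not in ("owner", "sin")}


class EnumerationDetector:
    """Lesson 7: flag a session that reads many distinct profile IDs within a
    short window, which is what walking a sequential ID space looks like."""

    def __init__(self, threshold: int = 20, window_s: int = 60):
        self.threshold = threshold
        self.window_s = window_s
        self._seen: Dict[int, Deque[Tuple[float, int]]] = defaultdict(deque)

    def observe(self, ts: float, user_id: int, profile_id: int) -> bool:
        """Record one access; return True when this user crosses the threshold."""
        q = self._seen[user_id]
        q.append((ts, profile_id))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        return len({pid for _, pid in q}) >= self.threshold


# Constructed access-log format, e.g. "2018-06-19T09:00:03Z user=42 GET /file?id=1003".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\d+) GET /file\?id=(?P<id>\d+)$")


def scan_log(lines: List[str], threshold: int = 20, window_s: int = 60) -> List[int]:
    """Run the detector over log lines; return the user IDs that should alert."""
    det = EnumerationDetector(threshold, window_s)
    flagged = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        if det.observe(ts, int(m["user"]), int(m["id"])):
            flagged.add(int(m["user"]))
    return sorted(flagged)


# Constructed sample log: user 42 walks 25 consecutive IDs in 25 seconds,
# user 7 reads their own file once.
SAMPLE_LOG = [f"2018-06-19T09:00:{i:02d}Z user=42 GET /file?id={1000 + i}" for i in range(25)]
SAMPLE_LOG.append("2018-06-19T09:01:00Z user=7 GET /file?id=1001")


if __name__ == "__main__":
    print("vulnerable, other user's SIN:", get_profile_vulnerable(Session(7), 1002)["sin"])
    print("hardened, other user's file:", get_profile_hardened(Session(7), 1002))
    print("hardened, own file:", get_profile_hardened(Session(7), 1001))
    print("sessions to alert on:", scan_log(SAMPLE_LOG))
```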

I'm going to stop, because I'm getting sarcastic again.  I really do need therapy.

On a very serious note: when dealing with sensitive, regulated PIPEDA-type data, perhaps some security is a fair expectation and a reasonable minimum.

From a GDPR perspective, everyone involved here is a potential winner of a multimillion euro grand prize.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com


Thursday, June 14, 2018

When the girl is too good to be true.... dive right in !


So I get a friend request on Instagram.

She is too cute and too young for me to not feel so so special.

I was ready to buy a plane ticket and jump onboard.

Her name is Caren A Lewis.  And this is the story of how I played with her all week.



So being the security pro that I am, I immediately started chatting with her/him/it because I need more friends like her.

I wanted to get to know her.  The real her ;-) 

Well, turns out she is from Helena, Montana.  Far enough away that I can't just stop by for a visit.  And turns out what cute young girls want today are online relationships and money to buy a new iPhone because it is her birthday in a few days.  Poor thing, using an old Samsung!

After many days of chatting and exchanging, we finally got down to making a deal ;-)



As you can see from this segment of the exchange, she was being a little pushy as her money hungry fangs felt the proximity of potential cash.   Except I finally revealed what I called something kinda kinky... who I was, and that I actually had a good buddy of mine at Instagram online working with me to fry that sausage for good. 

I won't show that part of the message, because I used a lot of military language that my commanding officer warned me about not using in public.


SAFETY TIPS 101

Here are some tips for anyone foolish enough to fall for one of these scams.....

Do yourself a favour and do these two things :

1) Upload some of the pictures to Google Image Search.  Google will find all the pictures that look like your new imaginary lover and you may notice that the pictures come from either other fine young ladies or have been identified as pictures used by scammers (as is the case with this one).





2) This one is important, since your blood flow may be ill-routed.  If you still have doubts or are plain delusional that a random sexy young lady picked YOU....  ask her, by her, I mean the hairy dude behind the keyboard... ask her to send you a picture of herself holding the local paper.     Trust me, the conversation will dry up almost as fast as that blood flow issue will resolve.

Important Internet Safety Tip #4931:  Don't be a dumb ass



When a security vendor ignores security - What could go wrong.

Another week, another embarrassing security issue.

I'm going for something light this week, to end the week smoothly.

So many news items to pick from, my eyes and heart landed on a highly secure digital padlock.




What could go wrong

Well, it seems, everything could go wrong, since this padlock has a list of transgressions longer than Donald Trump's.

Note that their selling points include ZAMAK 3 Zinc Alloy metal body with cut-resistant stainless steel shackle.  Double layered design with anti-shim and anti-pry..bla bla bla...

Pretty solid lock, right!    Well..... If you lose access to the padlock, no worries, just get a GoPro sticky mount pad, stick it to the back and twist the back open. Once it's popped open, it is pretty easy to physically unlock it.  That's right... the back twists and pops off... you know... for maintenance and oil changes!



Twist and pop !



And on the digital front, they claim military grade security.  AES128 isn't really military grade, but we can let that one slide.  What is interesting is the fact that the communications from the cloud to the lock are all done over the very secure HTTP protocol.  That's right folks, no S on the HTTP.

The Bluetooth Low Energy side: vulnerable to replay attack (easy hack).

Quote from the research article:


Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.

I could go on and on, but the following two articles do a much better job providing something to laugh at and giving you something to avoid in your own projects.

Walk through of all the issues:
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/

SC MAGAZINE article about it all:

https://www.scmagazine.com/tapplock-smart-locks-found-to-be-physically-and-digitally-vulnerable/article/773348/
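To show why "the only thing we need is the broadcast MAC address" and "vulnerable to replay" go together, here is an added, constructed illustration (not Tapplock's actual protocol and not code from either article): a lock whose unlock message is a fixed value derived from public data, next to one that issues a fresh challenge and checks an HMAC over it with a pairing secret. The MAC, key and message layout are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed value: the MAC is what the lock advertises to anyone in range.
LOCK_MAC = b"AA:BB:CC:DD:EE:FF"


class StaticTokenLock:
    """Weak design: the unlock message is a fixed value computed from public
    data (the advertised MAC) and never changes, so a message captured once,
    or recomputed by anyone who saw the advertisement, opens the lock forever."""

    def __init__(self, mac: bytes):
        self._expected = hashlib.sha256(mac).digest()

    def unlock(self, token: bytes) -> bool:
        return hmac.compare_digest(token, self._expected)


class ChallengeResponseLock:
    """Hardened design: a pairing secret that is not derivable from anything
    broadcast, plus a fresh random challenge per attempt.  The response is an
    HMAC over that challenge, so a captured (challenge, response) pair is
    useless once the challenge has been consumed."""

    def __init__(self, pairing_key: bytes):
        self._key = pairing_key
        self._pending: Optional[bytes] = None

    def challenge(self) -> bytes:
        """Lock -> app: a single-use random nonce."""
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, challenge: bytes, response: bytes) -> bool:
        """App -> lock: the nonce it was given and an HMAC over it."""
        if self._pending is None or not hmac.compare_digest(challenge, self._pending):
            return False  # stale, replayed or never issued
        self._pending = None  # single use, even if the response turns out wrong
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def owner_app_response(pairing_key: bytes, challenge: bytes) -> bytes:
    """What the legitimate owner's app sends back (it holds the pairing key)."""
    return hmac.new(pairing_key, challenge, hashlib.sha256).digest()


def compare_designs() -> Tuple[bool, bool, bool, bool]:
    """Returns (weak first unlock, weak replay, strong owner unlock, strong replay)."""
    weak = StaticTokenLock(LOCK_MAC)
    token = hashlib.sha256(LOCK_MAC).digest()  # derivable from the broadcast MAC alone
    weak_first = weak.unlock(token)
    weak_replay = weak.unlock(token)  # the same bytes are accepted again

    key = os.urandom(32)  # constructed pairing secret, exchanged at pairing time
    strong = ChallengeResponseLock(key)
    c = strong.challenge()
    r = owner_app_response(key, c)
    strong_owner = strong.unlock(c, r)
    strong.challenge()  # lock issues a new nonce for the next attempt
    strong_replay = strong.unlock(c, r)  # old pair resent: rejected
    return weak_first, weak_replay, strong_owner, strong_replay


if __name__ == "__main__":
    print("weak first, weak replay, strong owner, strong replay:", compare_designs())
```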


LESSONS LEARNED

Having a "qualified" security person in any of these architecture and design meetings would certainly have made these issues float to the surface.   Instead, the only thing that floated to the surface, was a genuine sh*t product.

So to be fair, they may have had a security person in these meetings.  So they either had someone with inadequate qualifications or they did what most startups (and, cough cough, large enterprises) do and said shut up with all these issues, we need to push this to market to get our first round of financing pushed through.

Kids, this is why we can't have nice things.  

If Gordon Ramsay had been in this kitchen, he would have told their CEO that he is either blind, incompetent or stupid, or a mix of all three.

Nothing wrong with making money but it kinda stinks when you can't make "honest" money and produce "quality" products, especially when the product is a "security" product.

Do we really need more landfill ?

**** (EOR) END OF RANT



Wednesday, June 6, 2018

INTACT Insurance fails GDPR compliance logic check



It is no secret that every enterprise will claim to be onboard for GDPR compliance.

It is also no secret that no one is GDPR compliant.  However, to what degree, and how much they will declare, remains to be seen.   And some are going out of their way to prove they lack either competence or desire.

Many "normal" citizens feel that large multinational corporations actually care about them.  They love the points programs, and they love the perks.  They also fail to see that these "programs" are meant to keep you as a customer through the illusion that you are special.  You are not.  You are a requirement for doing business, and corporations love taking your money while delivering the most cost-effective service possible.  This is a polite way of saying they deliver the least costly service possible while maintaining the illusion that what they lay are only golden eggs.

One of the main parts of GDPR (and many would say common sense) is Article 25.

Article 25 is all about "Data Protection By Design and By Default".  It means build something that doesn't get you fired.  Build something that is reasonable and respectful of the data you are processing.

So let's take a look at INTACT INSURANCE TODAY.




They have a great app that they advertise with a catch phrase that translates into "reap the benefit of secure remote access to your data".  I didn't bother going to see the English version because hackers are lazy.  But it turns out large corporations are too.... read on....




Would it be any surprise that they are not GDPR compliant, or, it seems, compliant with anything significant when it comes to security?

Take a look at the User Agreement section on security:





How good do you feel as a customer now? 
Do you still feel valued?   
Do you still feel special?

If you do, contact me immediately, I have a new cryptocurrency to "sell" you at an amazing rate!

So as far as compliance with GDPR goes, they are failing in many areas way beyond "Secure Design".

It is fascinating to see how a legal department pumps out these gems to "protect" the enterprise and "protect" the shareholders while letting everyone know that they will take no responsibility for pushing out bad software to their customers' mobile phones and potentially exposing sensitive information or allowing identity theft.

Now what if this was actually all a magic trick and what they are actually doing is full-on spying on their customers.   I didn't think of this one, my friend Eric (not the voice in my head) had this genius idea.   A mobile phone certainly knows what locations you visit, how fast you drive, and probably a bunch of other interesting things that they could always claim was done by spyware since "we do not guarantee" anything!

Maybe Facebook and Google have a lot to learn because this is actually pretty clever.  Build a contract that says we don't guarantee anything, hide it in a lot of legal terms, and you're golden.  Oh... wait... GDPR actually says you cannot do that.  Darn it.

One thing remains certain: large corporations have very large legal budgets and will work hard to ensure they take as little responsibility as possible.

This is only mid-week.  So many breaches can come out before the weekend, giving us all many other examples of GDPR failures; this one just happens to come before the breach.

Ultimately, if you read the small print or pay close attention, most enterprises already radiate their GDPR failure through their daily actions, as this example does.

If someone takes the time to read through GDPR it all makes sense, but it relies on people knowing what they are doing and doing a good job across the board.  Not something most large enterprises are awesome at.

I'm really eager to see what the end of week breaches will be.  I always feel like Christmas day when Friday is just around the corner !


Friday, June 1, 2018

When praise hides incompetence. How BMO and others are failing their “customers”




We all have to start realizing that we are not really their customers.  That we are their product.  We are an annoyance that is required for them to make money.

If we indeed were their customers, then they wouldn't be handing over all our personal information to third parties like Equifax without actually doing quality due diligence.

So this week's blunder on the BMO and CIBC side shows us just how much big enterprises care, and how prepared big enterprises actually are to deal with major data breaches.  They aren't.

Several "customers" who happen to be friends of mine sent me the messages they received from the banks.  One friend who happens to be at the top of the "security" food chain actually called BMO after receiving the notice that his information had not been exposed and he requested a written confirmation that his information was all safe.  The response……. "Sir, we cannot do that; if you get a call from us, then your information is involved, if you don't get a call then you are all good."

Awesome maturity!  Awesome process.   How proud they must all be.

This is unacceptable for many reasons.  The most important one is the fact that waiting for a call that may never come isn't really a way to manage data breaches.  What if they call the wrong number?  What if I miss the call?  I may never officially know that my information has been exposed.

Then we have the warm feeling some of us got when they announced the breach publicly, it seems, hours after the breach was exposed.

Many (rightfully so) praised the quick “customer” notification.  The reality however is not as awesome.  Turns out I was right…. It was a hostage situation.   A sample set of customer data had been posted on PasteBin. 

Somehow the banks managed to shovel shit down our throats by telling us that they instantly put in place “enhanced security” and that the breach point was identified and closed and everything is now fine.

This alone for any security professional should cause concern.  If someone breaches your system and then asks for a ransom, chances are things aren’t fine.  It could be that they also put in a backdoor, but it is 100% certain that all 90,000 leaked accounts HAVE LOST THEIR INFORMATION TO CYBER CRIMINALS.  The 90,000 can’t change their dates of births or their social insurance numbers. 

So instructing your clients to change their passwords and offering credit watch services for one year is 100% BULLSHIT, 100% SECURITY THEATRE and 100% NOT TREATING YOUR CUSTOMERS LIKE VALUED CUSTOMERS.  After you lose all my shit, you should legally be forced to provide credit monitoring services until I drop dead.

Cyber criminals don't use stolen personal information for identity theft immediately.  They assemble information into a higher value profile and then use it.  The repercussions of all these data breaches will be felt for many years, not just 12 months.

This is where I like GDPR.   Chances are, out of the 90,000 people exposed, some may have dual citizenship (European citizens).  This would mean that BMO and CIBC have just been proven to be NON-COMPLIANT.  This means they are exposed to a significant penalty.  It's basically 20 million euros or 4% of their numbers, whichever is bigger.  Guess what.... it's way more than 20 million!

But this won’t change anything.

Here is why.

Financial penalties impact the bottom line of the enterprise temporarily.  

Watch the stock fluctuations of any breached traded company and generally they bounce back really quick.

Heck, Equifax MADE MONEY selling their credit protection services!  
Talk about screwing the citizen!

The CEOs and senior executives will come and go.  They all get paid LARGE sums regardless of their failures, and they never have any real penalties for non-compliance or major failures under their management.

Bottom line, they have NO REAL MOTIVATION to change anything and no real need to do so.

What we need, is a set of laws that includes personal liability for senior managers.

Hey…. We are all allowed to have a dream.

Or, alternatively, we need a NEW system that makes these personal pieces of information irrelevant.  Enter blockchain technologies perhaps.

Things must change because it is simply NOT TRUE that my name, address, DOB, and SIN are actually confidential.  These have all been breached numerous times and should NOT be personally identifiable information.

Something to think about....




Monday, May 28, 2018

BMO and CIBC drop the ball and are found bent over trying to pick it up.



I know eh!  Catchy title!




So get this, they have a security breach and they figure it is a great idea to pump out a press release immediately (according to their own statements).

Now who would do that ......  who would advise the media hours after a breach is discovered?

CBC news article: 

BMO Press release:

CIBC - Simplii Press release:

The answer is simple.  Someone who has awesome security, and awesome security folks, and awesome security tools (that they seemingly had forgotten to turn on)!

The last part is sarcasm.  

So let's break down the press release into three main parts:

1) They found out about the breach when the bad guys (apparently from another country) called them on Sunday and let them know.

2) They immediately stepped up security (added "enhanced security" .... their term)

3) They are now confident that everything is 100% cool....

Wow..... all within a few hours.

They should shut down the bank and start a security company.  

It is like they didn't have anybody with both hemispheres working re-read this press release.

What's wrong with #1
If the bad guys actually called them up on a Sunday (which by itself is a miracle since I couldn't dream of reaching someone at a bank's head office on a Sunday), then doesn't this mean it is a hostage situation... they must have called up to ask for something.... where is the beef!

What's wrong with #2
It implies that they had a lot of security systems turned off at the time of the attack (or had no one tasked at looking at the security systems) since they instantly activated "enhanced security mode" within a few hours of being told of the breach.  Why wouldn't this "enhanced security mode" be on all the time?

Anyone who works in security knows that adding "enhanced security" takes months and sometimes years, yet they pulled it off in a few hours.  Simply amazing!

What's wrong with #3
I keep telling senior managers and students the same thing..... if any idiot tells you that something is 100% secure or 100% certain.... back away slow, they are dangerously incompetent.

Nice job in the press release / damage control department!  I now have yet another example to use in my teachings with regards to the value of keeping your big mouth shut until you have something of value to throw out there.

In the meantime, no one knows what was exposed and what they should do about it.

Once again... nice job... and no.... not cool.

I was interviewed by CBC (in French) and had a hard time holding back the sarcasm.

Link:  https://vimeo.com/272250062/ad0ef65ba4

So to summarize, either they had a lot of security turned off with no one watching and now they are looking, or they added a lot of security overnight.. I mean...or they lied.

So to summarize further, they are either incompetent or liars.

Great start to the week !





Thursday, May 3, 2018

Equifax finally admits that they had no security...



In a huge turn of events today, Equifax and I are trying something new.

Equifax is trying to include security within their ecosystem.


I'm trying a catchy title with half truths like all the newspapers keep using.

Only problem is that my title isn't actually a half truth, it is more of a mostly true.

Equifax seems very proud to announce to shareholders and to the world that they have just poured hundreds of millions of dollars into security.

The catchy phrase that got me going for this end-of-week post is this gem from their last quarter financial reports as reported by SC Media:

$242.7 million overall breach cost:


This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security. 


The thing with traded companies is that we KNOW.  We know that you only spend money when you absolutely must.

So this $45.7 million was needed.  As in, was always needed.

To be clear, this means that their "secure" ecosystem was behind by $45.7 million.

Yet, they always claimed that they met all the compliance requirements both legal and of their partners.

So keep that in mind next time you are doing business with a publicly traded company who, by the way, had a 125 million dollar cyber insurance policy with a 7.5 million deductible.

In my humble opinion, a 6% deductible sounds like the insurance company was trying to manage their risk and perhaps had doubts about the quality of the Equifax ecosystem.  But that is pure speculation, just like thinking that "the Equifax clients" are their priority.   And ultimately, it is a traded company, so a higher deductible means lower monthly premiums, better short term for the shareholders, so basically a win-win. And since senior executives have done their "duty" and do have insurance, the fact that the shareholders will suffer the financial hit IF (when) a security breach takes form is a very common board room stance.

The "short term, bottom line" is always the only true priority for a traded company.   Until the laws evolve to include stiff financial penalties for willful blindness by senior executives (personal liability) and jail time, things will not change.






Wednesday, May 2, 2018

Will your DNA become a liability?



A very interesting news article was published this week about the Golden State Serial killer being tracked down with Genetic Testing DNA information.




Turns out that law enforcement had a solid lead that required getting a genetic testing lab to cough up the goods.  Ultimately the information was actually used to clear an innocent person that was on the suspect list.... so really.. a good ending.

In case you aren't aware, numerous genetic DNA labs exist that help identify your hereditary diseases, ancestry details and many other pretty cool things.

Take a look at 23andme and you can get a good idea on the cool things you too can find out about with just a spit sample.

The problem is how the information is handled, and more importantly, how it could be accessed in the future.

If your raw DNA results get deleted and can't possibly be pulled back it would be less of an issue, but the nature of genetic DNA testing is that it requires a lot of information for the purpose of correlation.  So in short, they cannot delete anything, the strength of the entire analysis is based on raw numbers.

So in this case, we have a happy ending.  A serial killer was identified.  I doubt that anyone is going to complain about that.

But it does open the door to various abuses by law enforcement, and causes a major ethical ripple in the world of Genetic DNA testing.

I propose to you the following very simple problem.

You order a simple DNA test for $200.

It highlights that you are likely to have a certain disease.

You contract a new life insurance policy and you didn't mention the DNA testing results.

You have probably just broken the law, as most insurance forms will ask "are you aware of anything else we should know about", or something along those lines.

What if you even forgot that the 10 page report mentioned your predisposition to a disease name you didn't even recognize or understand....... your insurance is still technically invalid.

So if the genetic DNA lab suffered a data breach or was purchased by an insurance company and you had dropped dead of that unlucky disease.... the insurance company would not have to pay up since after all, you lied on the insurance form.

Now the likelihood of any of this taking place in our lifetime is maybe nil.

Ask a conspiracy theorist and you will get an earful about how citizens are voluntarily paying to get genetic testing done and giving up their DNA information to the government.

What if big corporations have access to genetic information?  Could this information be used to their advantage?   If one thing has been proven time and time again, it is that information is power, and power involves abuses.

Time will tell.

So from a security professional's point of view, I would recommend that anyone getting genetic testing stick to one basic rule.  Do not provide your real name and birthdate.  It simply isn't required for the DNA testing.

However.... you did pay for the test with that credit card..... so don't go killing anyone and expecting your entire DNA thing to be air tight  ;-)


If you want the full details about the case, this Buzzfeed article really covers it to a good degree.




Thursday, April 26, 2018

Fail of the week: Quebec Revenu Agency... but don't worry, they won an award!



I was especially unimpressed by the response to a news investigation into an event hosted by the Quebec revenu agency.

You see, they seem to think it is a good idea to use public, group live chat sessions hosted on Facebook to interact with their clients.

It is understandable for them to wish to have a Facebook presence.  No issues with that.

It is understandable to want to do cool and modern things.  Almost no issues with that.

Why almost?  They are tax collectors.  I fail to see the business need to be cool.

That is like when Hydro Quebec says that their image is the most important thing.  Calm down.  You're the only source of electricity we have; no one is getting a dozen hamsters and telling you to F-Off.

As for this genius Facebook idea, I was misquoted (well... partially quoted) in the paper this morning as saying "Why?"; my statement was actually two parts and a little bit deeper:

- "What is the actual business need being addressed?".

- "Why do they not host the actual group chat session on a private system that they control instead of Facebook?".  You see, the entire public chat session on Facebook remains available for review long after the event.  On a private system, you can clean the information or simply remove all of it.  Not so on Facebook.  You have no control, and anything anyone typed is not just accessible to the attendees at the moment of the event, but remains accessible afterwards.

So what motivated me to blog about this is the response from the revenu agency's PR person, who in my view should take an early retirement.

She stated at least two things that are dead wrong.

Stupid rebuttal #1  "We ensure that no private or sensitive information is disclosed."

WRONG:  The journalists that contacted you told you that the group chat session contained numerous private details such as "I'm going bankrupt.  My revenue this year is $x.  I declared $x in RRSPs.  I just had my bank account seized."

So how exactly do you ENSURE that NO PRIVATE INFORMATION IS EXPOSED ?

Stupid rebuttal #2  "We even won an award for our excellent public relations."

WHO CARES:  I love any rebuttal that starts with "we even won an award".  Sensitive information is being exposed.  It is a bad idea, and I challenge you to find a security expert that says it isn't.  The fact you won an award just pisses me off because you are using my taxes to boost your ego with bad ideas.  



If a kid in school hands out free Red Bull to all his friends, he might win the award for best public relations.... doesn't mean what he is doing is a good idea.  How can you say something this stupid as your rebuttal....

Baffling.

And she goes on to say "you know. we have a code of ethics and we asked our lawyers....".  Another pointless piece of bullshit.

The lawyers protect your interests first.  They told you to advise everyone participating that "we will not answer personal questions".  That certainly doesn't stop someone from asking one, as is proven in the group chat logs. And how exactly do you prevent personal questions in a group chat designed for asking questions about the Quebec Revenu agency !!!!

Are the participants only there to ask what your mailing address is ?????

What kind of crack cocaine are these people smoking.

Your code of ethics is a failure.  You should include a portion that talks about your duty as a higher power to preach good cyber security practices, you single-celled amoeba inbred idiots.

In light of all the bad press around Facebook this month, you certainly picked the right time to continue using Facebook as a group chat system, after all, it is not like we know that Facebook uses ALL available data as their business model since the service is free.

Now here is a tip.  If you want to actually have good customer experiences, try answering the phone when someone calls and needs to talk to you.   

I know it is a lot cooler on Facebook, but I hear a lot of people bitching that they can never get any assistance when they need it.


