Friday, October 29, 2021

Municipal elections, your data once again exposed

Some big news in the last 24 hours. An entire new minister for cybersecurity!


I can’t wait to see what my colleagues will be saying about this news.


I do see some issues.  After all, that is what security professionals do, we look, we find weaknesses and we talk about these weaknesses hoping that someone will listen and take charge. 


Overall, this is hopefully great news.  Having an entire minister assigned to cyber should change some things. 


The current changes target only government entities, and the depth still needs some work.


I have two concrete issues following my analysis of the 28-page document.


MUNICIPAL ELECTIONS

Quebec is entering an election period across all municipalities.  Historically, elections bring out some unethical people.  People that will go door to door making up stories and lies to gather support and votes to push out the other candidates.  These ethically and morally challenged individuals only require 5 signatures to get their names on the list for most municipalities across Quebec (for example, cities of fewer than 10,000) and guess what they all get... a full list of all registered voters INCLUDING their full birthdates!


Wait... did you just read that correctly? The same issue with data leakage that we blame everyone for is taking place again at the end of 2021 across all cities in the province!  YES!

Groundhog day version 2.0


So in Montreal, an Excel spreadsheet of over 1 million names is being shared by various candidates, staff and interns, and it holds your full birthdate even though there really is no use or need for it.


I think this should be looked at by a future minister of cybersecurity.


IDENTITY THEFT

The second example is the banking, Equifax and finance sector, which remains clearly out of scope since this initiative targets government entities only.


Banks and their senior managers need to be personally liable if they give credit or open an account to the wrong person.  Relying on birthdates and social insurance numbers that have literally fallen from the sky over the last few years is ludicrous. 


We need a digital ID for all important services, and that means banking and finance should be a priority.  This is where identity theft strikes the most.


The cyber security industry has proven that we can get the ear of the government; we need to keep pushing.  As it stands, this new announcement does not actually change much, since most things that impact the citizen are related to identity theft, and this is not addressed outside of the government entities covered in the current announcement.


Part of me feels this 4 billion dollar investment is more of a cleanup of the current disaster that is Information Technology within the government.  Regardless, it needs to get done; the government does need to clean up its information technology hygiene.


Minister Eric Caire, excellent first step, do not stop now.


Related interviews (French):

RADIO CANADA: https://ici.radio-canada.ca/util/postier/suggerer-go.asp?nID=4733866

QUB RADIO: https://www.qub.ca/radio/balado/genevieve-pettersen?track=1059632448

_______________________________________________


Eric Parent is a senior security expert, specialized in coaching senior executives.  He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent

LinkedIn :  EVA-Technologies


Municipal elections, your data once again exposed

Big news!   A brand new minister for cybersecurity!


I can't wait to see what my colleagues will say about this news.


I see a few problems.  After all, that is what security professionals do: we look, we find weaknesses and we talk about those weaknesses hoping that someone will listen and take charge.


Overall, I hope this is good news.  Having an entire minister assigned to cybersecurity should change some things.


The current changes target only government entities, but the depth still needs work.


I have two comments to make after analysing the 28-page document.


MUNICIPAL ELECTION

Quebec is entering an election period in every municipality.  Historically, elections bring out some dishonest people. People who go door to door inventing stories and lies to gain support and votes in order to push out the other candidates.   These people with ethical and moral problems need only 5 signatures to get their name on the list in most Quebec municipalities (for example, towns of fewer than 10,000 inhabitants) and guess what they all get: a complete list of all registered voters, including their full date of birth!

Wait... did you just read that correctly? The same data-leak problem we blame everyone for is happening in 2021 in every city in the province!  YES!


Groundhog Day 2.0

So in Montreal, an Excel spreadsheet containing more than a million names is shared among various candidates, staff members and interns, and it contains your full date of birth even though it is neither useful nor necessary.

I think this should be examined by a future minister of cybersecurity.


IDENTITY THEFT

The second example is the banking, Equiflop and financial sector, which clearly remains out of scope since this initiative targets only government entities.


Banks and their senior executives must be personally liable if they grant credit or open an account for the wrong person.  It is ridiculous to rely on dates of birth and social insurance numbers that have literally fallen from the sky over the past few years.

We need a digital identity for all important services, and that means banks and the financial sector must be a priority.  That is where identity theft strikes hardest.

The cybersecurity sector has proven that we can get the government's ear; we must keep applying pressure.  As things stand, this new announcement does not change much, since most of what impacts citizens is related to identity theft, and that is not addressed outside the government entities covered by the current announcement.

Part of me thinks this 4 billion dollar investment is more a cleanup of the current disaster that is information technology within the government.  Regardless, it needs to get done; the government needs to clean up its IT hygiene.

Minister Eric Caire, excellent first step, do not stop now.



Friday, August 13, 2021

The vaccine passport is a failure - Our government should really talk with some experts

The Quebec vaccine passport project was doomed from the start.




Clearly no security expert was consulted or listened to prior to launching this eminent failure.


The system deployed builds on the government's failure to provide any form of digital ID and limit the damage of identity theft.  After all, today, your birthday remains a very confidential piece of information... that everyone knows.


Security experts are supposed to look at the entire process and assist a project so that the overall results are favourable based on calculated risks at each step.


Here is what should have been considered as an alternative.


First, let's understand that the current system involves an application used by businesses that does not talk to a central system.  Let's put aside that it is possible to obtain a false QR code (based on falsified vaccination paperwork); the QR codes contain sensitive information such as birthdates that we now accept will be "scanned".  This approach also transfers the burden of authentication to every business operator, as they now MUST ask everyone for ID so that they can check that the QR code matches the individual.  Let's also put aside that, if I recall correctly, it is not even legal or acceptable to ask for a driver's license, and that there is no way to check with a central system whether the code is for the person in front of you.  Pushing the authentication of the person and the validity of the QR code down to the business owner is literally the stupidest thing a supposedly secure system could do, and expecting it to work is even more ridiculous.


The system could have been this:


1) A QR Code that is a fully random key

2) An application that reads the code and consults a central database to validate that this code is valid

3) The application then displays the photo of the individual taken from the RAMQ system since almost everyone has their photo already in that system.


Voila!   The business owner no longer has to ask people for ID, and if the person in front of them matches the picture, then that person is vaccinated and compliant.


The only issue left to resolve would be how to handle the people who are not in the RAMQ system, and sending these folks to the SAAQ with their proof of vaccination so they can have their photo taken does not seem that complex.  If it is, then having a few regional offices that offer the service certainly is attainable.


Bottom line, this system is a failure and unless some changes are made, will be a major pain in the ass for all business owners.


Let's hope that the Canadian and international versions learn from these mistakes and do not continue in this direction.





The vaccine passport is a failure - Our government should really talk with some experts.

The Quebec vaccine passport project was doomed to fail from the start.



Clearly no security expert was consulted or listened to before launching this failing project.

The deployed system builds on the government's inability to provide any form of digital identification and to limit the damage from identity theft.  After all, today, your date of birth remains a very confidential piece of information... that everyone knows.


Security experts are supposed to examine the entire process and assist a project so that the overall results are favourable, based on calculated risks at each step.


Here is what should have been considered as an alternative.


First, let's understand that the current system involves an application used by businesses that does not communicate with a central system.  Setting aside the fact that obtaining a fake QR code is possible (via falsified vaccination documents), the QR codes contain sensitive information such as dates of birth, and it will now be acceptable for people to "scan" that information.  This approach also transfers the burden of authentication to every business operator, since they now MUST ask everyone for identification in order to check that the QR code matches the person.  Setting aside the fact that, if I recall correctly, it is not even legal or acceptable to ask for a driver's licence, and that there is no way to check with a central system whether the code is the right one.  Pushing the authentication of the person and the validity of the QR code down to the business owner is literally the stupidest thing a supposedly secure system could do, and expecting it to work is even more ridiculous.


The system could have been the following:


1) A QR code that is a fully random key.

2) An application that reads the code and consults a central database to validate that the code is valid.

3) The application then displays the individual's photo taken from the RAMQ system, since almost everyone already has their photo in that system.


Voilà!   The business owner no longer has to ask people for identification, and if the person in front of them matches the photo, then that person is vaccinated and compliant.


The only remaining question would be how to handle people who are not in the RAMQ system, and sending those people to the SAAQ with their proof of vaccination so they can have their photo taken does not seem that complex.  If it is, it is certainly possible to have a few regional offices that offer this service.


Bottom line, this system is a failure and, unless changes are made, it will be a real pain for all business owners.


Let's hope the Canadian and international versions learn from these mistakes and do not continue in this direction.



Friday, July 23, 2021

The obvious and predictable failure of QR code vaccine evidence

I haven't written in a long time, and it is Friday with plenty of subjects to explore!


I have given a few interviews about the QR code idea that the government was floating and that has now become reality.  I called it from the start, the government was going to mess it up to the max.

VACCINE PROOF AND QR CODE (FRENCH)



Well, guess what folks, the government didn't just deliver the Hindenburg, some are actually surprised that people are faking the QR codes !

Holy shit folks, the children running the country are surprised that the system they delivered with ZERO security and ZERO controls to prevent abuse is being abused !

https://globalnews.ca/news/8039873/winnipeg-restaurant-phony-vaccine-qr-code/




CONCLUSION: The entire process that they put in place is irresponsible and foolish.


A QR code that actually has confidential information embedded in the code was a bad idea from the start.

A QR code that will basically allow a business owner to scan and display the person's name and other "pertinent information" without a means of validating the information was building on a terrible foundation.


This means that the business owner would have to ask you for government issued ID to attempt to match the QR code data to the person that stands in front of them.   

What could go wrong with deputizing the business owner, entrusting them with sensitive information and imposing that they start asking for ID at the door!


The solution was actually so much easier, at least in Quebec.  Not sure about all the other provinces, but in Quebec the QR system is based on your medicare card number.  Which miraculously is attached to a photo they have on file!

How simple would it have been to generate a fully random QR code with no sensitive data, and when this code is scanned using the government approved application.... the central system pops your photo up on the screen.   The business owner looks at your ugly face and looks at the photo... if both are as repulsive... it must be a match and all is good.  Simple.
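The design sketched here, and in the August 13 post above (a QR code that is only a random key, a scanner that asks a central system, a photo on file shown to the operator), contrasted with a code that carries the holder's data. This is an added illustration, not code from the page or from any government system; the embedded payload, the `Holder` record, `CentralRegistry` and the `photo_id` reference are constructed assumptions.

```python
import json
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Deployed approach the post criticises: the holder's data travels inside the code ---
# Constructed payload (not the real passport format): anything that scans it reads this.
EMBEDDED_PII_PAYLOAD = json.dumps({"name": "A. Example", "dob": "1980-01-01", "doses": 2})

SENSITIVE_FIELDS = ("name", "dob")


def fields_readable_offline(qr_payload: str) -> List[str]:
    """Sensitive fields a scanner can read with no server at all.

    A self-describing payload gives them up directly; an opaque token yields nothing."""
    try:
        data = json.loads(qr_payload)
    except ValueError:          # a random token is not JSON at all
        return []
    if not isinstance(data, dict):
        return []
    return [f for f in SENSITIVE_FIELDS if f in data]


# --- Alternative from the post: random token + central lookup + photo already on file ---
@dataclass
class Holder:
    photo_id: str          # reference to the photo on file centrally (assumed field name)
    vaccinated: bool


class CentralRegistry:
    """Server side. Tokens are random and carry no information; only the registry
    can map one to a person, and it hands back the minimum the operator needs."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Holder] = {}

    def issue_token(self, holder: Holder) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self._by_token[token] = holder
        return token

    def revoke(self, token: str) -> None:
        """Central revocation, which a code that is valid on its face cannot offer."""
        self._by_token.pop(token, None)

    def lookup(self, token: str) -> Optional[dict]:
        holder = self._by_token.get(token)
        if holder is None or not holder.vaccinated:
            return None
        return {"status": "valid", "photo_id": holder.photo_id}


def scan_qr(registry: CentralRegistry, qr_payload: str) -> dict:
    """Scanner app. It never sees a name or birthdate: either the central system
    returns a photo to compare against the person, or the code is simply invalid."""
    result = registry.lookup(qr_payload)
    if result is None:
        return {"status": "invalid", "photo_id": None}
    return result
```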


But there is no money in simple... and more money in complex and pointless systems.  Where is version 2.0!


I know some critics will whine and cry that not everyone has a medicare card or not everyone has a photo on file (such as young children).   And you my friend are part of the problem that imposes terrible systems because of exceptions.  There are concrete ways to manage exceptions that would work.  But instead, the government spent our tax dollars on a system that was doomed right from the start.  A system that has no security, and that actually exposes sensitive information for no valid or functional reason.


Any decent first year security student would have assembled a more robust and worthy ecosystem.


As seems to always be the case with IT and government projects.... a big bravo is in order.


Other positive news this week:


KASEYA FINDS DECRYPTION KEY UNDER A REDDISH ROCK IN THE NEVADA DESERT

https://www.databreachtoday.com/kaseya-obtains-decryption-tool-after-revil-ransomware-hit-a-17129

Check out the guy's face, he hasn't slept in a while ;-)

Their press release stipulates that they cannot deny or confirm if they paid the ransom.  Either way.... a key is now miraculously available!   Great news!


INTERNET GOES DARK FOR 2 HOURS

Banks, airlines, cloud services, all went dark for a few hours due to a minor issue at Akamai. Seems someone used their thumb instead of their fingers and made a small mistake.

https://www.cbc.ca/news/business/akamai-internet-outage-1.6112954

How is this good news you ask?  Simple, if this had an impact on your operations, it identified key systems that you have in place that should not have been placed in the cloud on services that call the issue minor if it was critical to you.  Great news again!


I'm off to the restaurant with my newly printed QR code.


Have a great weekend !



Saturday, January 2, 2021

Videotron Breach ? Welcome to 2021

UPDATE JAN 2nd 2020 - 13:45. The 37 gig file contains email addresses used in phishing attacks. The emails contained are a complete mix of domains. 22977 of them are @videotron.ca emails. No other conclusions as to the correlation between this list and the Videotron passwords found in another directory can be made at this time.


Was Videotron breached? A list of 60,000 accounts (email and passwords) was just leaked. This would be a small subset of their entire client base, but remains interesting.

Since most of the media tend to avoid touching Videotron and the Quebecor empire, I doubt we will see much ink on this breach.


A list containing Videotron account information, totalling 226084 items (all Videotron email usernames with their passwords), was published.






FILE LINE COUNT

wc -l videotron33.txt

    5743 videotron33.txt


wc -l videotron34.txt

   14560 videotron34.txt


wc -l videotron35.txt

   21059 videotron35.txt


wc -l videotron36.txt

   39264 videotron36.txt


wc -l videotron37.txt

   47859 videotron37.txt


wc -l videotron38.txt

   40817 videotron38.txt


wc -l videotron39.txt

   49565 videotron39.txt


wc -l videotron40.txt

    7217 videotron40.txt

Not many details about the source were provided with the leaked data; maybe some real journalists will dig through this and get to the bottom of it.


Overall, some duplicates exist, so when you remove duplicates, you are left with 60314 unique items.

sort videotron-full.txt | uniq | wc -l

   60314


You can download the list of emails here (passwords have been removed for security) and see if your email is in the list.
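The triage walked through above (per-file line counts, merging the dumps, dropping duplicates, sharing only addresses with passwords stripped, and the per-domain breakdown used in the update), as an added illustration rather than the author's own commands. The sample lines are constructed, and the `email:password` line layout is an assumption about the dump format.

```python
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of what the post describes: several "videotronNN.txt" dumps with
# overlap between files. Real files are not on the page; the colon layout is assumed.
SAMPLE_FILES: Dict[str, List[str]] = {
    "videotron33.txt": [
        "alice@videotron.ca:hunter2",
        "bob@videotron.ca:pa55word",
        "carol@example.org:letmein",
    ],
    "videotron34.txt": [
        "bob@videotron.ca:pa55word",   # duplicate of an entry in videotron33.txt
        "dave@videotron.ca:qwerty",
        "",                            # blank line: counted by wc -l, not an entry
        "not-an-email-line",           # malformed line, ignored
    ],
}


def line_counts(files: Dict[str, List[str]]) -> Dict[str, int]:
    """Per-file raw line count, the equivalent of `wc -l` on each dump."""
    return {name: len(lines) for name, lines in files.items()}


def parse_entry(line: str):
    """Split one 'email:password' line; return (email, password) or None if malformed."""
    line = line.strip()
    if not line or ":" not in line:
        return None
    email, password = line.split(":", 1)
    if "@" not in email:
        return None
    return email.lower(), password


def unique_entries(files: Dict[str, List[str]]) -> Set[Tuple[str, str]]:
    """Merge every dump and drop exact duplicates (the `sort | uniq` step)."""
    seen: Set[Tuple[str, str]] = set()
    for lines in files.values():
        for line in lines:
            entry = parse_entry(line)
            if entry is not None:
                seen.add(entry)
    return seen


def domain_breakdown(entries: Iterable[Tuple[str, str]]) -> Counter:
    """Entries per e-mail domain. A list that is *only* one domain may just be a
    filtered slice of a larger, unrelated dump, which is the caveat the post raises."""
    return Counter(email.rsplit("@", 1)[1] for email, _ in entries)


def publishable_list(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Addresses only, sorted, passwords stripped: what can be shared so people can
    check whether they appear without the list itself becoming a credential dump."""
    return sorted({email for email, _ in entries})
```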


NOW KEEP IN MIND that this does not mean that Videotron has been breached.  There are a lot of fraudsters out there that try to target companies to make them look bad.

Imagine if somewhere, a list of 50 million usernames had been compromised, and someone sorted them out looking for @videotron.ca... they could generate a list that looks like "only" Videotron yet has nothing to do with Videotron.

Some Montreal based companies do EXACTLY this to try and generate business and sell security related services.  Going one step further, the data could also all be fake or old data... until Videotron comments, we simply cannot know for sure.


Either way, someone is targeting Videotron...   And we should all change our passwords... again...

>> End of warning ;-)

 

The list, totalling 60,000 unique entries could indicate a specific leak from a specific system or division since it does not encompass the entire client base of Videotron.


Number of customers subscribed to Videotron from 2012 to 2019, by segment

SOURCE: https://www.statista.com/statistics/797458/number-of-videotron-subscribers/

The system hosting the leaked data is interesting, as it has other evil looking content, including a 37 gigabyte file of email addresses (with no other information, and no passwords).  I am downloading this file now and will further analyse it once downloaded.




The site also hosts what is clearly phishing attack content such as fake PayPal login pages.  This means that the Videotron data could also be someone preparing an attack that is targeting Videotron users, and the passwords could be for another service like PayPal.




 

Wednesday, December 16, 2020

Who really got hacked. Air Canada? Vancouver International?

News is flowing that the Everest hacking group hacked Vancouver Airport and Air Canada, but this appears false.



When you visit the Everest ransomware group's dark web site, the information published looks to be a contractor's data with regards to construction projects at Vancouver International, which includes the Air Canada Lounge and various other enterprises across Canada including Pomerleau.


At first glance, it looks more like a contractor got hit and the files have been broken down into the various subjects since every leak on the Everest site has the exact same type of data (architecture diagrams, electrical diagrams, demolition plans, etc.)




Everyone is reaming on Air Canada/Vancouver airport today without looking at the data, and this looks more like a consultant got hit.



Now, since we have the plans for Vancouver International Airport (or partial plans), and the Annex Skywalk that leads to the Air Canada Lounge, should we now expect John McClane to kill off Colonel Stuart's mercenaries with his Beretta 92?


After all, we are certainly in the Christmas period and a nice Die Hard scenario would certainly spice things up.





Wednesday, December 9, 2020

FireEye hacked, a missed opportunity to shut up

Big news this week: FireEye makes the headlines with yet another high-profile cyber incident.


It looks like their toolkit of weaponized exploits that uses known vulnerabilities was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


Hearing and reading this, I thought... yeah... so what...  Everyone can get hacked; this is just the one before the next one.

However, they seem to put so much emphasis on "their weaponized tools", almost as if they wanted to look cool by bragging that their toolkit is so great.


Let's take a look at that....  If you had a nuclear weapon... would you secure it with:


1) 24/7 surveillance.

2) A detailed log of everyone who comes near it.

3) Alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few points.


But here are a few more.  These exploits appear to rely on mostly documented CVEs.


So nothing that is truly a ZERO DAY in the sense of being totally unknown.  They probably have some juicy ones they are not talking about yet....



Here is the real kicker... they publicly disclosed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not make this available to their clients before this breach?

Do they really think that no one on the planet would have found these "known" vulnerabilities?


Or do they simply want to keep exploiting these vulnerabilities with their own clients when they do penetration tests, so they can get guaranteed results?


Perhaps they should not have disclosed all that, only to be openly criticized.


What I call a missed opportunity to shut up.   Not about the breach, but about their excellent offer to now protect their clients.....


Serious ethics questions can arise from all this.


Food for thought.





FireEye Hacked, missed opportunity to shut up

Big news this week as FireEye makes the charts with yet another high profile cyber incident.


Looks like their toolkit of weaponized exploits that makes use of mostly known vulnerabilities was lifted.


https://www.nytimes.com/2020/12/08/technology/fireeye-hacked-russians.html


As I heard and read this, I thought... yeah .. so what...  Everyone can get hacked, this is just the one before the next one.


However, they seem to put so much emphasis on "their weaponized tools" almost like they want to seem all cool by bragging that their toolkit is so awesome.


Let's take a look at that....  If you had a nuclear weapon... wouldn't you:


1) Have it watched 24x7.

2) Have detailed logging of everyone who comes near it.

3) Have alerts and alarms and all sorts of cool stuff to protect it.


So I guess they failed on a few things.


But here are a few more.  These exploits appear to be making use of mostly documented CVEs.


So nothing that is truly a zero day in the sense that it would be fully unknown.  They probably have some juicy ones that they are not yet talking about....



Here is the real kicker... they publicly disclosed that they would now make tools available to their clients to detect these attacks.


This is my WTF moment.   Why not make this available to their clients before this breach?


Do they really think that no one on the planet would have found these "known" vulnerabilities?


Or did they simply want to continue milking these vulnerabilities with their own clients when they do penetration tests, so they can score?


Perhaps they shouldn't have tossed that out there to be torn apart ;-)

What I call a missed opportunity to shut up.   Not about the breach, but about their great offer to now protect their clients.....


Some serious ethics questions can surface from all this.


Food for thought.







Do we really want to stop cheating

Cheating in colleges and universities.   This may be news to the normal citizen, but for people who have been in the education field, this is another Monday morning.


If you have "feelings", you might want to stop reading now.




Many news articles have been written over the last weeks, because final exams are taking place, and with COVID this means finding new ways to do exams, and control cheating.


Here is a reality, plagiarism and cheating cannot be successfully subdued with marketing campaigns.


This is much more a PR (public relations) stunt, to save face, and to convince students and employers that the universities take this so, so seriously.


I call bullshit.


Here is why.


After teaching in a dozen different establishments over the last two decades:

  • I have seen them ignore it internally
  • I have seen them take a purely political stance at enforcing punishment
  • I have seen them protect the student because the student is a "paying client"


Why will the marketing campaign not really change anything? Simple...


They let in students that would NEVER pass without cheating.

Think about that for a minute.


YOU WILL NEVER PASS.... why wouldn't you risk cheating or copying since it is the only way you WILL pass.


Our education system tends to shovel a lot of shit in my opinion.


They will tell you that they want to produce the best students.  They will not tell you that this is a secondary objective.  


Of course, who would offer to sell you a car and tell you the engineers can't count to 20 without an iPhone.


And our schooling system relies on money..... lots and lots of money... and for every student that is enrolled, a large financial incentive is present that goes well beyond what the student is paying.


So in other words, the motivation to enrol students is larger than the desire to kick them out when they cheat.  Of course, we cannot say this, so what we do is put in place complex political processes that protect the poor innocent student in case the bad, bad teacher doesn't like them.  And then throw in any other excuse such as "I'm too short", "I had a bad cough last week", "the teacher doesn't like me", or the race or gender card, and you have yourself the entire recipe for a system that will continue to fail, and continue to produce sub-quality students.


Here is the reality, I do not know your name.  I have 60 students, they all have a number, I correct everything without even knowing your name.  I do not care what your sexual orientation is, or your hair colour, I am a professional, I do my job.  You are a student, why don't you do yours.   


I have had a case that even accused me of discrimination because the individual wasn't a minority.  As a society, we have become weak, spineless imbeciles who refuse to take responsibility for our lack of effort.  It is a classic case of finding an angle that makes you look good, and makes you the poor helpless victim.


Think about that if you have open heart surgery... Did my doctor graduate because he took the class 11 times or cheated consistently through his educational career?  Was he lucky enough to always be sitting near the "smart" Asian kid?


Yeah yeah, I know, that is cultural appropriation.  Yet another term for all the losers who need to have their feelings protected.  We all know that Asian kids rock because THEY READ THE FUCKING BOOK and show up in class prepared, you whiny ass losers.


Obviously, medical studies have other safeguards in place.  Yet we still get shit doctors.


What about all the other fields that are not regulated or controlled for quality, aside from trusting that beautiful certificate from a prestigious establishment.


Things will have to get worse before they get better.


Obviously, when management is looking at the short term, these are the results you get and should expect.

 

Will we ever see the quality we once had along with long term vision and values?


Since society is going to hell in a handbasket, and since the people in power are in it for their yearly bonus....   I will not hold my breath.


In the meantime, perhaps a good safeguard is to ask for a PhD for any position; this way you know that person has gone through a long process of refining their political skills ;-).  Instead of getting a normal cheater, you will get a professional who has demonstrated mastery of multiple domains combined with patience and perseverance!


In closing, most students I have had demonstrated good values, good competency, and I would hire them.  My point is simply that by tolerating the 5% who are beyond shit, the image of an entire industry can be impacted, and the trust over time will erode.  This will result in people like me not being able to simply "recommend" someone because they went to XYZ academy.  My response will always be... let us interview the candidate and determine what the quality is on our own.


End of rant.


Wednesday, April 1, 2020

Zoom is being blamed for a Windows bug.

Journalists often paint outside of the lines looking for a punchy story.

Zoom this week is being targeted by what almost looks like a coordinated smear campaign, with an overwhelming amount of bad press with regard to exposed credentials.

As a security veteran I do clearly get upset when security stories are blown way out of proportion.

Especially when it appears that someone is trying to manipulate the public opinion and bash a specific product.  Even more so, when the issue is actually a Windows OS issue.

Journalists are irresponsibly claiming that using Zoom sends off your username and password and allows attackers to connect to your computer.

THIS IS FALSE.

First off, this issue only manifests itself if someone in your meeting sends you a link to click via a chat session and you click on it.

Secondly, your username and password are not just sent out in the clear; what leaves your machine is a hashed (cryptographically protected) NTLM response that the attacker still has to crack offline.  So this applies to you if your password sucks, and not if you use a password of good quality and length.

Thirdly, inbound connections are blocked by your home router/firewall and your enterprise firewalls.  This means an attacker can't just reconnect to your computer.  And remember point 1: the attacker would be someone you invited into your meeting.

So if your meetings have passwords and you don't just let everybody in, how would the attacker even know your meeting is happening and get in there......

Also, simple fix.... turn off the chat function in your meetings until this gets fixed.

Wow... simple fix eh!  The sky is not falling after all.

A second thing of high importance, as pointed out by a colleague: don't click on Zoom links that come into your email unless you are expecting them.

Another attack vector currently in play is that a malicious link sent to you could open your Zoom client and trigger this vulnerability.  So the old rule still stands: don't click on links that you don't trust.  If you are expecting a meeting invite, all good.

Some technical changes can be made to your Windows workstation so that it no longer sends off NTLM outbound, and this would be the ideal scenario, however, not everyone is technically tooled to do this.

What would be ideal is if Microsoft would patch this and change the default forcing Windows to NOT send out NTLM to the Internet.
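For readers who are tooled to make the workstation change mentioned above, here is an added example (not from the original post, and not Zoom's or Microsoft's own script) that applies the two defensive settings a Windows administrator would normally reach for: the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, stored under the MSV1_0 registry key, and a firewall rule that blocks outbound SMB (TCP 445) to Internet addresses so a UNC link to an external host never reaches the authentication step. The rule name and the choice of "deny" versus "audit" mode are my assumptions; run it from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added hardening example: stop a Windows workstation from sending NTLM to the Internet.
# The registry location and its values are the documented ones behind the group policy
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Show the current outgoing-NTLM policy. An absent value means the default: allow all.
$current = Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host 'RestrictSendingNTLMTraffic is not set (default: allow all outgoing NTLM)'
} else {
    Write-Host "RestrictSendingNTLMTraffic currently = $($current.RestrictSendingNTLMTraffic)"
}

# Policy values: 0 = Allow all, 1 = Audit all (log only), 2 = Deny all.
# Assumption: a home PC has no legacy file shares that need NTLM, so "deny" is safe.
# On a corporate workstation start with 1 (audit), review the log below, then move to 2.
$mode = 2
Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Value $mode -Type DWord

# Belt and braces: block outbound SMB to Internet addresses. Shares on the local subnet
# and intranet still work because the rule only matches the "Internet" address keyword.
$ruleName = 'Block outbound SMB to Internet'   # assumed name, pick your own
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Verify both settings took effect.
Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic | Select-Object RestrictSendingNTLMTraffic
Get-NetFirewallRule -DisplayName $ruleName | Select-Object DisplayName, Enabled, Direction, Action

# Detection side: in audit mode (1), attempts that would have been blocked are written to the
# NTLM operational log, which is where you confirm nothing legitimate relies on outbound NTLM.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Audit mode first is the sensible order on a managed fleet: it shows which internal servers still rely on outbound NTLM before the deny setting breaks them. Either way, the firewall rule alone removes the Internet-facing SMB path that the UNC-link trick depends on.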

Keep in mind that if your password is of good quality (a long and complex password), this vulnerability fails, since the attacker cannot break your password.

So let's all calm the hell down.  Yes, you can keep using Zoom.  This risk is LOW.

Until these articles, I had not created a Zoom account.  Well, I just did, and I actually really like the thing.  It allows me to change my background to a beach, and with all the self isolation we are going through during this Covid crisis....  I think I really like that option.



In closing, Zoom has had numerous security shortcomings in the last months and years.  They certainly do not appear to be perfect in any sense.  Let's just keep the exaggeration of security findings down to a minimum.

There currently is a significant increase in malicious meeting invites, and the bad guys are targeting the most common tools like Zoom.

So this means that we will see breaches attributed to Zoom when all these factors are combined.

Keep in mind that some of these tools (like Zoom) are free, and that means that you are the product in some way.

_______________________________________________

Eric Parent is a senior security expert (and seasoned pilot), specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
