Tuesday, July 9, 2019

Desjardins part deux: Wow.... do we actually want to fix this problem?


We are not scoring high on the smart scale this month.  

On the right track?  Sadly... no...


EXECUTIVE SUMMARY:
The problem is that banks practically hand out credit blindly and senior executives have ZERO accountability or personal liability when they screw up your credit file.  They then team up with their "buddies" at the credit bureau to make you feel like they are helping you while you are left with a nightmare to solve that can take years.

-----

New laws fall from the sky, always missing the point.  New York now has a new disclosure law that aims to ensure that we are told when our data is breached.  But what about when our data is used?  Nothing yet.  We are way too busy making ourselves look good because we are putting in very strict laws to tell you when your data has walked out the door.  Silly data.  Data that has walked out repeatedly over time.

Hey, heads up, it is too late.

When your information is used to create ANY form of credit application, you should be advised.

And when a bank gives credit to the wrong "you", you should be fully protected.

Since big banks have all the power, you, the "customer" have no such protection nor will you anytime soon.  

The banks have all the power, and they have the last say.  They also really want to hand out credit because well... they are kinda loan sharkish, and sharks like fresh meat.


Every bank to ever exist...


So it is totally normal for banks to hand out credit cards and loans like cotton candy at a county fair.

How crazy is this:  Credit applications handed out while you wait in line to pay at a department store.  Offering you (or anyone who says they are you) instant credit and a generous 10% discount on all of today's purchases if you sign up for a new credit card that will be approved on the spot!  How is this legal...

And, let's face it, someone who is hired to get credit applications filled out and whose salary is directly attached to how many credit applications they push out.... is most certainly the highest quality of authentication.

The fact is these credit applications all rely on using identification data, never really authenticating the person since our current credit system has no digital ID or other modern means to do so.  So, granting someone credit is easy, charging their current purchases to this new credit card is common, and out the door they go because the banks do not care, and will not be held liable past the fraudulent transactions.   Two weeks later, the real person gets their new credit card along with a welcome letter and a $3000 bill for things they never bought and they are left with a near impossible task.... clearing their credit file of this mess, and not paying the $3000....which can take a very very long time.

Desjardins pointed 2.7 million souls to a dysfunctional service called Equifax who predictably failed.  In the meantime, no one thought it would be a good idea to freeze the credit files for all 2.7 million until they figure this out.  Once again, push the problem down the road.

Equifax is a "for profit" organisation.  So are banks.  They shouldn't be trusted with the information they have.  And all this is done unwillingly by citizens since the banks send all your sensitive information to these credit bureaus.

So in short, as far as crisis management goes, it was written in stone that this wouldn't work, but crisis management calls for a Teflon™ approach and someone needs to appear to be doing something.

Well, big surprise, what is being done remains mostly wrong in the long run.

The difference between a cybersecurity professional and a Good cybersecurity professional is root cause analysis combined with taking actions that actually reduce the risk.  Not security theatre, or putting in place yet more alerting mechanisms when your data is exposed.  We know... that ship has sailed... repeatedly.

Society has all their panties in a bunch over a trusted employee leaving with what is essentially a client list.  This happens way more than you think.

Yes, this is terrible news.  Yes Desjardins shouldn't allow people to export entire segments of databases that include entire birthdays and entire social insurance numbers.....

But.....  we shouldn't rely on these meaningless artefacts that date back to the Cold War in order to award credit unless the issuer is willing to take full responsibility.

News agencies are hitting Desjardins again with news that another employee defrauded Desjardins of over $300,000.  This is almost business as usual for a bank.  Most banks fire someone every week because they did something unacceptable.  This doesn't mean they lose $300,000 every week; this case alone was spread over 8 years.  Employees abusing their power in banks is way more common than most think.  It also has nothing to do with data exposure, so why are news agencies riding the bus and hitting Desjardins yet again with meaningless news stories?  Just to try and make them look bad?  All banks have this issue.  And while they are writing about this, they are not actually putting pressure on the right things.

So back to identity theft...

The reason this is so grave is directly attached to the fact that WHEN you get your identity stolen (used), you are left with a mess and no means to fix it without grave consequences and a task worse than assembling an IKEA kitchen in a dark room with no instructions and your wife and three kids asking "is it done yet" every 5 minutes.

The problem is twofold.

#1 We have no concrete, modern and secure way of attaching obtained credit to a biological human being.

#2 We have no way to clean up the mess that is caused when someone creates falsified credit under your name (and this shouldn't happen in the first place).

Make banks accountable.  Make senior management accountable.

Accountable = penalties paid out of their pockets, not the shareholders'.

So I really wish we would stop referring to us as the banks' clients, since we are not; we are simply pawns used as leverage in a financial game played for them.

I would ask our current government to make drastic changes to our banking regulations.  I would ask the privacy commissioner to be right behind this:

If ANY credit institution grants credit to someone who is not me and puts it on my file, they should be held FULLY liable and I should not only get my entire credit profile cleaned up, I should get a huge check in compensation for their error, and while we are at it, they should be fined significant penalties directly to their senior management, not the shareholders.

Let's face it, ALL traded companies are in it for the cash, and ALL of management is focused on short term gains with short term objectives and short term bonus structures that work directly against protecting your credit.

HIPAA applied in US health care is a gold mine of wisdom in this area.  They wrote the law expecting people to lie and built in the penalties based on your level of competence versus honesty.

Three scales are applied when it comes to penalties (which can include jail time for executives).

Level 1:  You had no way of knowing (yes, you still get a fine)

Level 2:  You should have known if you did your job with reasonable competency (bigger fine).

Level 3:  You knew and didn't take action, or worse, you clearly covered it up, etc. (huge fine and potential jail time)

They wrote it right into the law !

So what gives with our privacy laws?

We need banks to take responsibility for their interactions with their credit bureaus because these bureaus certainly are not "our" credit bureaus.

So here is the call to arms that we should all be forcing our government to impose in reverse order of importance:

3) Better digital ID (blockchain enabled, with mechanisms to prevent oppression, etc.)

2) Replacement of "for profit" enabled credit bureaus (an obvious and complete failure as it stands today)

1) Severe penalties including personal liability for senior management (including criminal penalties targeting executives when willful blindness is in play) for any screw up to a person's credit file, including imposed clean up of such screw ups without the citizen having to suffer for months or years.

So dear media, dear government, and dear privacy commissioner, stop talking about Desjardins and their evil malicious employee (they got the memo), start talking about the real issues and start addressing them.

_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com

Wednesday, June 26, 2019

Desjardins: We are all missing the train.



The last week has been an interesting one from a socio-psychological angle.

I am very pleased with the lessons to be learned from this security event, and I can state firmly that the next classes I teach, and the next conferences I speak at, will include some of these juicy tidbits.

After the first round of press releases, news articles and "interviewed specialists" I can firmly say that we are missing the big picture.

Only a few hours after the week started, class action lawsuits already surfaced claiming 8 billion dollars in damages for the Desjardins members.

This is totally absurd.  It would be nice if everyone involved including the high quality bottom feeding lawyers would wait for the corpse to be carried out before circling above like a vulture tasting blood which will never drip out.

Desjardins was a victim of our failing government.  A government that focuses on doing what is popular and what gets them votes and keeps their "sponsors" sponsoring.

You read that right.

In 2019, birthdates and social insurance numbers are still the central nervous system used to buy property, mortgage a house, get a loan, or get a credit card.

This is a complete failure to understand security and understand risk.

We, as a society, allow government and banks to pawn off our most vital information to companies like Equifax without our consent yet when we consent to give our information to a bank, we take offense if an employee leaves with our birthdate.

Sure, Desjardins needs to review how they let staff extract data.  Why, for example, would a marketing person need your full birthdate?  Why not just a year, or a range of ages?  So certainly some things can be optimized IN ALL BANKS.  So before we raise our voices at Desjardins, remember that this can happen to any bank and any company.

The big picture remains that our financial ecosystem relies on a VERY broken system of authentication that leaves the citizen scrambling when something goes wrong.  

The system offers NO protection for the innocent, and the innocent must live with the painful consequences when something goes wrong with no wrongdoing on their part.  Once their identities have been used to create false loans or mortgages, they live the nightmare with no support.  Unless they subscribe to a credit monitoring and alerting service from let's say... Equifax.  How insulting.  How completely absurd that we allow an entire ecosystem to milk us and treat us like this.  How absurd that the banks hold hands in supporting this sick ecosystem.

This should not be acceptable.

Equifax should not exist.  Minimally, it should be a government run service.  

Now I am choking as I write this.  Saying the government should take charge of something is rarely my pitch.  Because to be frank, the government always runs things so well ;-)

In this case, the government should not only abolish Equifax and take charge of the credit bureau, but they should actually walk into the 21st century and put in place a digital ID.  They should replace the dependency on birthdates and social insurance numbers since these pieces of information have been leaked and exposed for decades.  Banks use your social insurance number as a primary index key in a slew of their systems because it was convenient 30 years ago when the systems came to life.  In other words, this piece of information is all over the place.
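To make two of the points above concrete (marketing does not need your full birthdate, and the SIN should not be the index key spread across every system), here is an added example in Python, written for this post and not code from Desjardins or any bank.  It builds a marketing extract from constructed, fictional customer records: the SIN is replaced by a keyed pseudonym (HMAC) so downstream systems can still recognise the same customer without ever storing the number, the birthdate collapses to a ten-year age band, and an allow-list at the export boundary refuses any other field.  The field names, the key handling and the band width are assumptions.

```python
import hmac
import hashlib
from datetime import date

# Constructed, fictional customer records (not data from the post or from any bank).
CUSTOMERS = [
    {"sin": "000-123-456", "name": "A. Example", "birthdate": "1984-03-12",
     "address": "1 Rue Fictive, Laval", "products": ["chequing", "credit card"]},
    {"sin": "000-654-321", "name": "B. Example", "birthdate": "1957-11-30",
     "address": "2 Rue Fictive, Quebec", "products": ["mortgage"]},
]

# The only fields a marketing extract is allowed to carry (assumed allow-list).
MARKETING_FIELDS = {"customer_ref", "age_band", "products"}


def customer_ref(sin: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256) that replaces the SIN as the join key.

    Systems that only need to recognise the same customer twice get this
    value; the SIN itself stays in one vault.  The key is assumed to live in
    a secrets store, never beside the data it pseudonymises."""
    digits = sin.replace("-", "")
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def age_band(birthdate_iso: str, today: date) -> str:
    """Ten-year band such as '30-39' instead of the full birthdate."""
    y, m, d = (int(p) for p in birthdate_iso.split("-"))
    age = today.year - y - ((today.month, today.day) < (m, d))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def marketing_extract(records, key: bytes, today: date):
    """Project full records down to what a marketing analysis actually needs."""
    rows = []
    for r in records:
        row = {
            "customer_ref": customer_ref(r["sin"], key),
            "age_band": age_band(r["birthdate"], today),
            "products": list(r["products"]),
        }
        # Guard at the export boundary: if someone later adds a field to the
        # row above, the extract fails instead of quietly leaking identity data.
        unexpected = set(row) - MARKETING_FIELDS
        if unexpected:
            raise ValueError(f"identity fields in extract: {unexpected}")
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in marketing_extract(CUSTOMERS, b"hypothetical-key", date(2019, 7, 9)):
        print(row)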

People even post their birthdates on Facebook for all their thousands of friends to see.  And by friends I also include scraper bots from Russia and China that harvest everything you drop.

So what should a digital ID be?  Simple, a smart card that could include a digital certificate, be fully authenticated when produced (like when you get your passport created), include digital magic like your driver's license and medicare card on the same piece of plastic, and provide vetted identification when opening a bank account, when mortgaging your house, when contracting a loan.

Now do the banks want this..... actually probably not.   It is much easier to have a marketing group signing off new credit card applications in convention center lobbies or airport lounges and relying on paper applications that fall from the sky.

So who wants this?   The citizens want this.  Because it makes sense.

The question remains, why is our birthdate and social insurance number still a critical asset, and what are we going to do about it?







Friday, June 21, 2019

Desjardins: Round two - The truth comes out, do banks really care?





This Friday post is all about commitment.  


I'm going to float an idea and commit to it for the next 72 hours.


FIRM STATEMENT:  The Desjardins data exposure was not performed by IT staff.

Lets review some facts.


  • The CEO stated clearly that he felt completely violated.  He didn't use words that sound more appalled, but used words that really showed he was vigorously violated. 
  • He states without doubt that the information is not for sale on the Dark Web....
  • He states without doubt that passwords, PIN numbers and secret questions have not been exposed...
  • And he stated that this was all performed by an EX employee.
  • The LAVAL police are investigating, not the Provincial Police....
  • The plot thickens....



LET'S FLOAT A SCENARIO

So here is my stab at the million dollar question:  Who did it?

Someone trusted by the enterprise, working in a department that could obtain this information.  To summarize, names and addresses, birthdates, social insurance numbers, purchasing habits and which products you have with Desjardins.

The social insurance number is often the unique database key used to represent the person, so this piece may even be irrelevant and is irrelevant for my scenario.

So someone trusted who worked with this type of information and someone we fired a few months ago.  So if we fired him, he must have done something wrong, perhaps he had already been loose with the data.

And when banks fire someone they have them sign an agreement that both parties do not talk about each other, and both parties move on.  Hence the reason why Desjardins is not naming him at this point.

So enter round two....   The now unemployed person (who kept a ton of sensitive information even though he declared in his exit interview that he would retain no such data), is now sitting at home starting a new business with this stolen data.  Perhaps something that could be used in conjunction with the type of data collected.   Purchasing habits, banking and insurance adherence data.  

Perhaps this not too wise person approached various people to leverage the data in some way, and eventually someone ratted them out.

This then becomes a breach of contract based on the employee having promised not to keep or use Desjardins data after they got themselves terminated.

It all makes sense with these variables.

Bottom line, Desjardins did not have controls in place to detect the accumulation of vast quantities of data and never knew that their data had left the building.  Or did they..... "but he promised he deleted it".
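The missing control is detecting accumulation over time, not one oversized query.  Below is an added example of that detection logic in Python (mine, written for this post, not anything Desjardins runs): constructed, fictional database audit log lines with an assumed `user=... rows=... table=...` layout, a trailing seven-day window per user, an absolute row ceiling, and a per-user baseline so that someone who normally pulls 25 rows and suddenly pulls thousands stands out.  The two thresholds are placeholders to tune against real volumes, and the log is assumed to be in chronological order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one line per export/query, fictional users and counts.
# The field layout is an assumption; adapt parse() to your own database audit format.
AUDIT_LOG = """\
2019-03-01T09:12:01 user=mkt_anne rows=150 table=clients
2019-03-01T14:30:12 user=mkt_anne rows=200 table=clients
2019-03-02T10:02:44 user=dev_bob rows=25 table=clients
2019-03-02T11:15:09 user=mkt_anne rows=180 table=clients
2019-03-03T22:41:37 user=dev_bob rows=5000 table=clients
2019-03-04T08:05:13 user=dev_bob rows=900000 table=clients
2019-03-12T09:00:00 user=mkt_anne rows=170 table=clients
"""

WINDOW = timedelta(days=7)   # how far back a user's exports are summed
ABSOLUTE_LIMIT = 100_000     # placeholder: no legitimate job needs more rows than this per window
BURST_FACTOR = 20            # placeholder: alert when the window total is 20x the user's usual event


def parse(line: str):
    ts, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), f["user"], int(f["rows"]), f["table"]


def detect_bulk_exports(log_text: str):
    """Flag events whose trailing-window row total is abnormal for that user.

    Two tests per event: an absolute ceiling (catches the big one-shot dump)
    and a per-user baseline (catches the slow accumulation).  Flagged events
    do not feed the baseline, so a thief cannot raise their own ceiling by
    being noisy first."""
    windows = defaultdict(list)   # user -> [(ts, rows)] inside WINDOW
    baseline = {}                 # user -> (event_count, mean_rows_per_event)
    alerts = []
    for line in log_text.splitlines():
        ts, user, rows, table = parse(line)
        w = windows[user]
        w.append((ts, rows))
        while ts - w[0][0] > WINDOW:   # drop events older than the window
            w.pop(0)
        total = sum(r for _, r in w)
        n, mean = baseline.get(user, (0, 0.0))
        if total > ABSOLUTE_LIMIT:
            reason = "absolute limit"
        elif n and total > BURST_FACTOR * mean:
            reason = "burst vs baseline"
        else:
            reason = None
            baseline[user] = (n + 1, (mean * n + rows) / (n + 1))
        if reason:
            alerts.append({"user": user, "at": ts.isoformat(), "table": table,
                           "rows_in_window": total, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(AUDIT_LOG):
        print(alert)
```

On the constructed log, the marketing user's steady 150 to 200 row pulls never trigger anything, while the developer's jump from 25 rows to 5,000 is caught by the baseline test and the 900,000 row pull by the absolute ceiling.  An alert is the start of a conversation with the employee's manager, not proof of theft; the point is that the question gets asked before the data leaves the building.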

Wouldn't this scenario make you, as the CEO, feel violated?

After all, someone you paid to do a job didn't respect you or your semi-binding agreements and now you are faced with the angry public and the ever so inquisitive press.

BANKS NEED TO START CARING (FOR REAL)

When someone internally defrauds a bank, the bank is much more stressed about their reputation than the wrong that was done to them.

So if John (taken from a true fraud case I worked) defrauds the bank for $500,000, the bank gets John to sign an agreement: John is fired, neither party talks about the other going forward, the bank doesn't owe John anything, etc.

So John, crosses the street and goes to work at the next bank and performs the same types of malicious actions, but this time... he does it even better based on the lessons learnt from his first dismissal.... or was it really his first....

Banks need to start pressing charges and publicly exposing these people so that they do not go on to the next victims.

Banks do not care about the big picture or the citizens, they care about their clients perception.

So back to Desjardins, they probably fired him because he was accessing systems without cause and exhibiting behaviour that violated policies, or he literally accessed tons of data and got caught months ago.  Then he promises not to keep any data, and now we all know why the CEO feels violated.

Desjardins and Equiflop

Initially, Desjardins offered 1 year of credit monitoring but you had to agree to the disclaimer, which was the same disclaimer Equifax tried to push down people's throats last year.  ** If you agree to the free credit monitoring service you agree not to sue us.

Maybe someone is reading my blog, because they moved the 1 year up to 5 now, and someone seems to have removed the disclaimer.  Guess we will see when the physical letter gets mailed out next week.

Banks, please commit to being a better digital citizen.  Impose strict rules, AND enforce strict penalties.  Don't let your shit employees go to work somewhere else doing the same thing they did to you.  I know your lawyers disagree, maybe they are part of the problem.

Happy long weekend to all my friends in Quebec, and remember the old security motto:



TRUST BUT VERIFY




Thursday, June 20, 2019

When the banks drop the ball - Desjardins leaks all their clients' data.

CBC NEWS - Personal data of 2.9 million people leaked from Desjardins

Often, so many things are wrong with these press releases that it is easy for me to critique them and sometimes laugh.  In fact it is almost a guilty pleasure for me.

The news headlines state that 2.9 million Desjardins clients have been exposed.  
It should simply say that all Desjardins clients have been exposed and remove the ambiguity since that is the actual fact.

Why is the number important?  It is not.  Desjardins is the biggest credit union type bank in North America, and a subset of all their client data has left the building.   This could happen to ANY bank, so I am not getting on the bandwagon that Desjardins did or does a poor job.  This is far from the truth as they are often a reference in cybersecurity practices.  Like everyone, they have weaknesses that can sometimes be leveraged.  A malicious employee is near impossible to totally contain.   But I can still poke fun at the news articles....

So... they also use the word SHARE, as in a former employee shared the data.  Who the hell did they share the data with!  They stole the data.  Stop using soft words that make it sound like they hit the wrong button on Facebook!  Also, at this point, it isn't someone they fired, I hope it is someone they are pushing for criminal charges for.

One big piece remains missing: I fail to see anything in these articles that tells the consumer what to expect as far as repercussions down the road.  I don't want to steal the punchline from them, but you may end up owning a mortgage or a credit card that you never asked for ;-)

Data Loss Prevention (DLP)

Enterprises are constantly faced with the desire to deploy a DLP.  In fact, since the cybersecurity industry has an acronym for it, this means that it is a big problem, and big money is involved.

Not a week goes by that someone isn't talking to me about deploying the latest and greatest DLP solution.

The fact is, these solutions reduce risks involving accidental exposure but hardly make a dent in someone internal wanting to actually steal your data.  These solutions rely on many factors and ingredients to yield benefits and almost every enterprise I visit is missing most of the required ingredients for a DLP project to be a success.

Now take Desjardins.  They are big (by Canadian standards), and they invest significant sums in everything relating to security.  They don't have a security person, they have security teams (with an S).

When a rogue technology person decides to paint outside the lines, you are in for an enlightening and embarrassing experience.

In this case, it was not Desjardins that realized they had been violated.... the cops called Desjardins to tell them they had been had.  This is an upgrade from the more common scenario when a television crew or journalist calls you and tells you the bad news, so maybe this part is a positive.    However it is more of a negative for one simple reason, if the police are involved, chances are it is a much bigger deal than when a journalist calls you.  

You see, journalists call you when someone blows the whistle.  This someone generally isn't malicious, they just want something to change.  When the police call you..... well... you do the math.

Now Desjardins is falling into the trap that many fall into and they are trying to tell the public not to panic since PIN numbers, credit card numbers, and secret questions have not been exposed.

First of all, they cannot possibly know this with 100% certainty, but let's continue....

So all the information they have on their client, all the information that can expire and be changed... that information is secure.

However, all the information that you will die with such as your birthdate & Social Insurance Number... that was stolen.

But rest assured, we are working with Equifax, a household name in extremely mature and well rounded cybersecurity practices. That last part is sarcasm, so no hate mail please.  I wrote a series of blogs posts on Equifax and their subpar security (example:  HERE)

Equifax will provide 1 year of identity theft protection paid for by Desjardins!

Wow.... we are still going with that?

The AMF (lautorite.qc.ca) says that they are happy with the approach that Desjardins is taking in resolving this matter.

Well, AMF.... and my many friends at the AMF.  In my opinion, you are falling short of your duty.

And once again, privacy commissioner of Canada, you are also at the precipice of failure.

You see, large corporations who end up having LARGE security exposures that can screw the lives of millions should own up to the magnitude of the issue.

This means that they should dedicate staff to operating an identity theft service and provide this service until you die since the information that was stolen cannot be changed and you will remain at risk of identity theft until you are dead.  In fact, some might argue that the risk may continue sometime afterwards ;-)

So why offer only one year of "oversight"... simple ... that is how long it takes for people to forget about the issue.  The general public should be made aware however, that identity theft can happen years down the road.

Also.... all the experts being interviewed so far are missing this one important fact....the information stolen included non matching data types.   What the hell is my purchasing history doing anywhere near my social insurance number and birthdate!  What the hell is going on at Desjardins.... will someone investigate this???  ZZzzzzz

When I go to negotiate a new mortgage, does the financial advisor "see" that I buy a lot of flowers ?

Can they then conclude that I apologize a lot to my wife hence the flowers !

Can they conclude that ANYONE who has to apologize three times a month by giving flowers MUST be a higher credit risk...

you get the picture....

As usual, these breaches end up opening the floor to more questions.. many many more questions.

So in closing, to the many enterprises that I have crossed and to all the enterprises that I will cross who have the attitude that their IT is the best, that they have no security exposures, that they are golden in this area... I leave you this thought to ponder:  Desjardins is at the top of the ladder and invests millions in a variety of security controls including non heterogeneous security teams... and they just got screwed over by an employee.  Sure you're 100% safe because your vast experience in another unrelated domain tells you to feel that way.

Just like an anti-vaxxer who reads a few Facebook posts and will argue with a triple doctorate with 30 years of research under their belt.

Go in peace my friends and be realistic about your shortcomings and expectations. 

As for Desjardins, they remain a top bank, with top notch people and services.  Be cautious before throwing the first stone since any bank can be victim to this type of attack.  Just try and not keep all your data in a single bucket ;-)




Thursday, June 13, 2019

BlueKeep.... the new silent killer affects thousands of Canadian Internet facing systems

Surely you must have heard that the next wave of attacks will come through a newly minted and named vulnerability called BlueKeep.  

BlueKeep

Lets keep the cool names coming.

So as part of a research project, the 70+ million Canadian IP addresses were scanned by someone I know... cough cough.... for port 3389 which hosts the progressively more famous and exploitable Microsoft RDP service.   

Now keep in mind that many have multiple RDP services scattered across numerous ports, so 3390, 3391,.... but only 3389 was tested.  It is a certainty that many more RDP services are exposed on the Internet.

For RDP3389: 102,434 systems responded and are facing the Internet today.

Just sitting there, handing over valuable information.

As an example, just grabbing an RDP screenshot can give you pictures, but more importantly usernames and OS versions.

So obviously giving away your OS version along with usernames isn't ideal, but having an exploitable operating system that has not been patched sitting on the Internet is even less ideal. 

So I asked my "friend" to test out the 102 thousand IP addresses to see how many would be exploitable.....

Drum roll please

Over 10,000 Internet facing systems in the Canadian IP range remain exploitable even after significant media coverage.

These devices will more than likely be hit by malware in the coming weeks since finding them does not require ANY real technical skill, and the exploits for BlueKeep are being weaponized as we speak.

Here are the actual statistics:


IP ADDRESSES IN CANADA: 71.9 Million
PORT 3389 IN CANADA: 102,434
    * Note:  RDP can be found on other ports, we only tested 3389
SAFE: 66,758
    * But still shouldn't be open on port 3389 facing the Internet
UNKNOWN: 17,116
    * Tests did not conclude
VULNERABLE: 10,351

Even the NSA is pushing news articles about how bad these attacks will be.  After all, they don't want everyone using the exploit now that they can't be the exclusive user of the attack.



And Microsoft, who knows that many enterprises are still using aging systems like Windows XP actually pushed out updates for systems that haven't been supported in years.  That should be a sign that this update is worth investigating and acting on.  They even published numerous warnings.



So once again we are faced with the same age old issue of patching.

But keep in mind that when I tested Heartbleed in 2014, I found over 40,000 systems unpatched and exploitable within the Canadian IP range.  When I tested in 2018 about 10,000 remained.  This was for a vulnerability that literally spat out confidential information in 64k blocks.





So using this trend, BlueKeep will be around for awhile.

And also, corporate "America" is going to focus on patching the external facing systems while ignoring the internal ones which means that when Jenny the new less than bright CSO that was put in place to give that traded company plausible deniability clicks on that juicy phishing email, the lateral movement across the internal network is going to be easy for years to come.

So, once again, two lessons to learn here:

1) Patch all your systems for critical exploits

2) Know your inventory so you get them all

3) Place RDP behind a VPN, because password guessing and other attacks on RDP still exist or will surface!

4) Don't hire fake paper security experts to fill in a role and help shovel IT risks under the rug so that the shareholders feel all cozy

Wait.... that was four.... damned Thursday morning Jello shots.
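Lessons 1 through 3 are really one workflow: scan your own address space, reconcile every hit against the asset inventory, then patch and move the service behind the VPN.  This added Python example is mine, written for this post; it is not the tool my "friend" used, whose output format is not described here.  It reconciles a constructed inventory with constructed scan results.  The addresses come from the documentation ranges, and the `patch_status` values are assumed to come from whatever vulnerability scanner the reader runs, mapped onto the same safe/unknown/vulnerable buckets as the statistics above.

```python
# Constructed asset inventory: IP -> what the business says about that host.
# Addresses are from the TEST-NET documentation ranges, not real hosts.
INVENTORY = {
    "192.0.2.10": {"owner": "finance", "rdp_expected": False},
    "192.0.2.11": {"owner": "it-ops", "rdp_expected": True},   # jump host meant to sit behind the VPN
    "192.0.2.12": {"owner": "hr", "rdp_expected": False},
}

# Constructed scan results for your own address space: (ip, port, state, patch_status).
# patch_status is whatever your vulnerability scanner reports for the RDP service:
# "patched", "vulnerable", or "unknown" when the test did not conclude (the same
# three buckets as the statistics in the post).  None when the port is closed.
SCAN = [
    ("192.0.2.10", 3389, "open", "patched"),
    ("192.0.2.11", 3389, "open", "vulnerable"),
    ("192.0.2.12", 3389, "closed", None),
    ("198.51.100.7", 3389, "open", "unknown"),     # nobody in the inventory owns this one
    ("198.51.100.8", 3390, "open", "vulnerable"),  # RDP moved to a non-default port
]

BUCKET = {"patched": "safe", "vulnerable": "vulnerable", "unknown": "unknown"}

# Work order: unpatched first, then hosts nobody claims, then policy violations.
PRIORITY = {"unpatched": 0, "not_in_inventory": 1, "unexpected_rdp": 2, "rdp_not_behind_vpn": 3}


def reconcile(inventory, scan):
    """Cross-check exposed RDP against the inventory; return (summary, findings).

    Each finding carries an 'issue' code:
      not_in_inventory   - exposed host nobody claims, so no patch process covers it
      unexpected_rdp     - the owner says this host should not offer RDP at all
      rdp_not_behind_vpn - known RDP host reachable directly from the Internet
      unpatched          - the scanner says the service is still vulnerable
    """
    summary = {"exposed": 0, "safe": 0, "unknown": 0, "vulnerable": 0}
    findings = []
    for ip, port, state, status in scan:
        if state != "open":
            continue
        summary["exposed"] += 1
        summary[BUCKET[status]] += 1
        asset = inventory.get(ip)
        if asset is None:
            findings.append({"ip": ip, "port": port, "issue": "not_in_inventory"})
        elif not asset["rdp_expected"]:
            findings.append({"ip": ip, "port": port, "issue": "unexpected_rdp",
                             "owner": asset["owner"]})
        else:
            findings.append({"ip": ip, "port": port, "issue": "rdp_not_behind_vpn",
                             "owner": asset["owner"]})
        if status == "vulnerable":
            findings.append({"ip": ip, "port": port, "issue": "unpatched"})
    findings.sort(key=lambda f: PRIORITY[f["issue"]])
    return summary, findings


if __name__ == "__main__":
    summary, findings = reconcile(INVENTORY, SCAN)
    print(summary)
    for f in findings:
        print(f)
```

The host on port 3390 is why lesson 2 matters more than it looks: a scan limited to 3389, like the one above, never sees it, and an inventory that does not list it means nobody is going to patch it either.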

I have to go, my phone is ringing with yet another ransomware victim who had to find $60,000 in bitcoins before midnight ;-)




Wednesday, June 12, 2019

Will the CBP have to report to the Canadian Privacy Commissioner?

I haven't written in awhile, not for lack of options or subjects, mostly lack of time.

The last few months have been riddled with new business relations who are being hit with advanced ransomware.

Something has changed in the last year, and these attacks have clearly gone from fully automated to hybrid and manual.

So be warned, the bad guys will outsmart you.  They will figure out how your backups work and remove them.  They will take their time to figure you out and find the weakest link.  One attack replaced the backup system's DLL file and continued writing backups... with all zero bits.... which compared correctly at verification, so the backups seemed to work fine.  The attackers waited over a month to deploy their ransomware.
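The zeroed-backup trick works because the verification step trusted the backup tool's own record of what it had written.  This added example is a model of that failure in Python, written for this post; it is not the actual malware or any vendor's backup software, and the dict layout and sample data are constructed.  It shows a self-check that passes for an all-zero backup, an independent check against a source hash kept out of the backup host's reach, and a cheap content sanity check that flags degenerate data even when no reference copy exists.

```python
import hashlib

# Constructed "source data" standing in for the files a backup job protects.
SOURCE = bytes(range(256)) * 16   # 4 KiB, every byte value present


def source_hash(source: bytes) -> str:
    """Reference hash of the source.  In a real setup this is computed by a
    separate path and stored offline or on another system, where a compromised
    backup host cannot rewrite it."""
    return hashlib.sha256(source).hexdigest()


def make_backup(source: bytes) -> dict:
    """Honest backup job: copies the data and records a hash of what it wrote."""
    return {"data": source, "recorded_hash": hashlib.sha256(source).hexdigest()}


def make_sabotaged_backup(source: bytes) -> dict:
    """Models the attack the post describes: the job writes zeros of the right
    length but still records a hash of its own output, so its own check passes."""
    zeros = b"\x00" * len(source)
    return {"data": zeros, "recorded_hash": hashlib.sha256(zeros).hexdigest()}


def self_verify(backup: dict) -> bool:
    """The verification that fooled everyone: the backup is checked against the
    backup tool's own claim about itself.  A compromised tool passes trivially."""
    return hashlib.sha256(backup["data"]).hexdigest() == backup["recorded_hash"]


def independent_verify(backup: dict, reference_hash: str) -> bool:
    """Compare the backup with a hash of the source that the backup tool never
    produced and cannot alter."""
    return hashlib.sha256(backup["data"]).hexdigest() == reference_hash


def looks_degenerate(data: bytes, min_distinct: int = 16) -> bool:
    """Content sanity check that needs no reference copy: real files never
    consist of a handful of byte values.  Looks at the first 64 KiB."""
    return len(set(data[:65536])) < min_distinct


def restore_drill(backup: dict, reference_hash: str) -> dict:
    """What a periodic restore test should report, rather than 'job completed'."""
    return {
        "self_check": self_verify(backup),
        "independent_check": independent_verify(backup, reference_hash),
        "degenerate_content": looks_degenerate(backup["data"]),
    }


if __name__ == "__main__":
    reference = source_hash(SOURCE)
    print("honest   :", restore_drill(make_backup(SOURCE), reference))
    print("sabotaged:", restore_drill(make_sabotaged_backup(SOURCE), reference))
```

The sabotaged backup passes the self-check and fails the other two, which is the whole lesson: a verification that only asks the backup software whether it is happy with itself is not a verification.  The only test that counts is restoring onto a separate machine and comparing against something the backup host never touched.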

But on another subject, will the US Customs and Border Protection agency (CBP) be above the law?

Will our privacy commissioner impose our new disclosure law on the CBP?

You see, it turns out the CBP has been tracking our vehicles and our faces at border crossings.  It also turns out that security was weak and hackers got into all that information and left with it.

Since November 1st 2018, Canadian law dictates that breaches impacting privacy be reported to the privacy commissioner and that EVERY affected person be notified if there is a risk of harm to the individual.

The key thing is that they worded the law in a way that gives a lot of room for wiggling out.  They used the term "significant harm".

Now it gets worse (or at least more interesting): it was actually a subcontractor who had the breach, but the CBP doesn't want to name the contractor.   Well, not to worry, it looks like the friendly hacker community is taking care of that, and it is a company called Perceptics.

Turns out:  "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," CBP said in a statement.



So back to my overwhelming ransomware events.  When someone calls me in the middle of a panic because of ransomware, I already know what the bad news is:

1) Turns out our backups didn't work since last June... 2018
2) Turns out our malware detection system was not configured correctly
3) Turns out we have to pay the ransom and have no idea what a Bitcoin is

But here is the kicker: 9 out of 10 times, it was a subcontractor that had contributed the most to the breach and failure of IT systems.

a) We thought the backups were good

b) We thought the backups were running

c) We thought our systems didn't have 6000 Shekels of exploitable vulnerabilities

d) We didn't know that a Shekel was an ancient measure of mass equally as old as our IT infrastructure and capacity to be resilient to failure

e) We didn't realize that we opened up our network across all protocols to a third party because management pushed the IT guys to open up the firewall because the F'n project must be delivered on time

f) We didn't realize that our really good IT guys are actually really good IT guys based on the perception that they keep the lights on and as far as security goes they do not have the knowledge or luxury to handle security adequately

Anyways, you get the point.   Everyone is always surprised when they get hit by ransomware, but the security experts are certainly not surprised, and often your own IT staff aren't either because it dawns on them that their technology debt equates to a security debt, which therefore results in large security exposures.

So lessons learnt here.....
1) Trust but verify your third parties

2) Do not blindly prioritize projects and ensure you have security oversight and firm checkpoints

3) Have VERIFIED and OFFLINE backups

4) Have storage technologies that are not integrated at the OS level (no AD integration, completely isolated like iSCSI) and ensure that snapshotting features are in place (with adequate storage you cheap bastards)

5) And while we are at it, make sure your security countermeasures have all their features turned on, because that my friends is really really embarrassing.
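An added example, not code from the post: an out-of-band backup check modelled on the zero-filled-backup attack described in the ransomware story above and on lesson 3, "VERIFIED and OFFLINE backups". It recomputes the SHA-256 of the backup bytes read back from the media, compares it with a digest taken independently on the source host, and flags blank (near-zero-entropy) artefacts; the sample data and the agent report format are constructed for illustration.

```python
import hashlib
import math
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; an all-zero artefact scores 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_backup(source_digest: str, backup: bytes, agent_report: dict,
                  min_entropy: float = 1.0) -> dict:
    """Out-of-band check of one backup artefact.
    source_digest: SHA-256 taken on the source host with an independent tool.
    backup:        bytes read back from the (ideally offline) backup media.
    agent_report:  the backup agent's own claim; hypothetical format
                   {"size": int, "sha256": str, "verified": bool}.
    """
    actual = sha256(backup)
    entropy = shannon_entropy(backup)
    return {
        "agent_claims_verified": bool(agent_report.get("verified")),
        "size_matches_report": len(backup) == agent_report.get("size"),
        "agent_digest_consistent": actual == agent_report.get("sha256"),
        "digest_matches_source": actual == source_digest,  # the check that matters
        "entropy_bits": round(entropy, 3),
        "looks_blank": entropy < min_entropy,
    }

def backup_is_trustworthy(result: dict) -> bool:
    """Trust an independent match against the source, never the agent's word."""
    return result["digest_matches_source"] and not result["looks_blank"]

# Constructed sample data; not real backups or agent output.
SOURCE = b"customer_id,balance\n1001,250.00\n1002,13.75\n" * 20
GOOD_BACKUP = bytes(SOURCE)
ZEROED_BACKUP = b"\x00" * len(SOURCE)  # what a tampered backup DLL wrote
GOOD_REPORT = {"size": len(SOURCE), "sha256": sha256(GOOD_BACKUP), "verified": True}
# A tampered agent hashes what it wrote, so its own verification passes.
LYING_REPORT = {"size": len(SOURCE), "sha256": sha256(ZEROED_BACKUP), "verified": True}

if __name__ == "__main__":
    for name, blob, rep in (("good", GOOD_BACKUP, GOOD_REPORT),
                            ("zeroed", ZEROED_BACKUP, LYING_REPORT)):
        res = verify_backup(sha256(SOURCE), blob, rep)
        print(name, "OK" if backup_is_trustworthy(res) else "FAIL", res)
```

The zeroed artefact passes every check the agent can make about itself (size, its own digest, its "verified" flag) and fails only the comparison against the source digest and the blankness check, which is why the verification must run outside the backup software.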

Now, I'm still curious.... and would certainly love to hear our privacy commissioner on this CBP breach of data.

Silence......  crickets......  and soon forgotten data breach....

Visit databreachtoday.com 
It isn't called data breach this month folks !




Friday, December 21, 2018

For Christmas, don't be Equifax or Donald Trump

All I want for Christmas is to not be an Equifax.  That should be the chant of any VP of IT or even any CEO.

But in the current period of humanity we are in, where diehard self-proclaimed Christians support an orange lunatic who builds walls instead of protecting refugees, feeding the homeless, or taking care of the country's veterans, pretty much violating anything that any version of any bible says, we must obviously face the fact that humans are mostly hypocrites.   

The Donald, after all, has been confirmed to have made over 6000 false claims over the last 600 days (link here), including locking down the government because he is not getting the funding to pay for that great wall the Mexicans were supposed to pay for.  Yet the diehard Trump supporters are all behind him, because no one needs to be telling the truth, no one needs to be accountable, and no one needs to be a decent human being because America is great, we are all hypocrites and only care about ourselves.    After all, hardly a week goes by without my coming across a company that mentions security a dozen times yet has absolutely no security in place.  So lies are now the gold standard.

So.....

Take a look at the latest claim from Equifax:




https://www.cloudmanagementsuite.com/equifax-blames-one-it-guy

YOU READ THAT RIGHT !

They are blaming a single person for every single one of their failures !

We should call this the Donald from this point forward.  It is a pretty bold move to blame that one IT guy for a long list of failures that cannot possibly be attached to this one poor soul.

Sure, a patch was mis-applied...  but the architecture still remains terrible, nothing is checking their systems for exposed and exploitable vulnerabilities, no lateral movement detection or advanced threat detection is in place, and for this single security issue... no one noticed for months.....

Let's not mention that some of the other divisions of Equifax had open databases visible on the Internet that a chimpanzee could access and see PII data for an entire country's population.

And here is the real kicker, after the breach, Equifax reviewed their security posture and immediately made changes and added technology to the tune of over 100 million dollars to bring their current cyber security posture to what they declared as "modern" and "Acceptable".  

What this means is that they realized that everything they had in place was far behind and needed to have $100 million injected to bring it up to "acceptable".

How the heck can that be blamed on that one IT guy?

Equifax, you continue to prove that you are a terrible company and that you only exist because of the strong lobby that is in place combined with the lack of spine from both your corporate customers (The banks) and our government.

So in this holiday period, am I disappointed in Equifax?  Indeed.  However, the failure remains bigger for the banks and our government, including our privacy commissioners who play the big boy game of politics and look the other way.

That is my holiday gift to you, the sad realization that our banks and government suck more than Equifax.  As for all my other friends who are not Equifax, the ones who provide quality and secure systems, I wish you all a merry Christmas.

And for 2019, may we see less Equifax, and let's remain wishful that senior executives who act willfully blind get some real fines that are paid out of their own pockets and not their shareholders', and some jail time to serve as an attitude adjustment.

Hey, we can all wish for things under the tree.

Now for some positive comments ;-)

The private sector is booming and much more secure.  I have on-boarded several new clients, all privately owned, and all of them listen to suggestions for optimisation based on risk.  So faith in humankind is restored.

So I guess my real wish for Christmas is simple.  Let's all work together to accurately describe risks in business terms and get risk acceptance performed at the appropriate management level.  Let's call fat... fat... let's call something blue... blue.... stick to the facts, and work to be better as each day goes by.






