Thursday, April 26, 2018

Fail of the week: Quebec Revenu Agency... but don't worry, they won an award!



I was especially unimpressed by the response to a news investigation of an event hosted by the Quebec revenu agency.

You see, they seem to think it is a good idea to interact with their clients through public group live chat sessions hosted on Facebook.

It is understandable for them to wish to have a Facebook presence.  No issues with that.

It is understandable to want to do cool and modern things.  Almost no issues with that.

Why almost?  They are tax collectors.  I fail to see the business need to be cool.

That is like when Hydro Quebec says that their image is the most important thing.  Calm down.  You're the only source of electricity we have, no one is getting a dozen hamsters and telling you to F-Off.

As for this genius Facebook idea, I was misquoted (well... partially quoted) in the paper this morning as saying "Why?"; my statement was actually two parts and a little bit deeper: 

- "What is the actual business need being addressed?"

- "Why do they not host the actual group chat session on a private system that they control instead of Facebook?"  You see, the entire public chat session on Facebook remains available for review long after the event.  On a private system, you can clean the information or simply remove all of it.  Not so on Facebook.  You have no control, and anything anyone typed is not just accessible to the attendees at the moment of the event, but remains accessible afterwards.

So what motivated me to blog about this is the response from the revenu agency's PR person, who in my view should take early retirement.

She stated at least two things that are dead wrong.

Stupid rebuttal #1  "We ensure that no private or sensitive information is disclosed"

WRONG:  The journalists that contacted you told you that the group chat session contained numerous private details such as "I'm going bankrupt.  My revenu this year is $x.  I declared $x in RRSPs.  I just had my bank account seized."

So how exactly do you ENSURE that NO PRIVATE INFORMATION IS EXPOSED ?

Stupid rebuttal #2 We even won an award for our excellent public relations.

WHO CARES:  I love any rebuttal that starts with "we even won an award".  Sensitive information is being exposed.  It is a bad idea, and I challenge you to find a security expert that says it isn't.  The fact you won an award just pisses me off because you are using my taxes to boost your ego with bad ideas.  



If a kid in school hands out free Redbull to all his friends, he might win the award for best public relations.... doesn't mean what he is doing is a good idea.  How can you say something this stupid as your rebuttal....

Baffling.

And she goes on to say "you know. we have a code of ethics and we asked our lawyers....".  Another pointless piece of bullshit.

The lawyers protect your interest first.  They told you to advise everyone participating that "we will not answer personal questions".  That certainly doesn't stop someone from asking one, as is proven in the group chat logs. And how exactly do you prevent personal questions on a group chat designed to ask questions with regards to the Quebec Revenu agency !!!!

Are the participants only there to ask what your mailing address is ?????

What kind of crack cocaine are these people smoking.

Your code of ethics is a failure.  You should include a portion that talks about your duty as a higher power to preach good cyber security practices, you single-celled amoeba inbred idiots.

In light of all the bad press around Facebook this month, you certainly picked the right time to continue using Facebook as a group chat system, after all, it is not like we know that Facebook uses ALL available data as their business model since the service is free.

Now here is a tip.  If you want to actually have good customer experiences, try answering the phone when someone calls and needs to talk to you.   

I know it is a lot cooler on Facebook, but I hear a lot of people bitching that they can never get any assistance when they need it.



_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com



Wednesday, April 25, 2018

GDPR is about to bite us in the ass, and it is going to hurt




Call this a fiction piece.  Or maybe even a conspiracy theory.


This way opinions are better managed and no one's overly sensitive feelings get hurt.

PCI and SOX were the last culprits to impose security for compliance within the modern digital world.

This started a terrible trend of doing security for the sake of compliance instead of for the sake of security.  Actually nothing is wrong with the essence of PCI or SOX... in fact the rules outlined in both kinda make sense across all information systems.  But that is not what happens when a compliance issue comes down the pipe.  All hands on deck to figure out what can be excluded from scope, and only address the strictest minimums to get someone, anyone, to rubber stamp a compliant state.

Here comes GDPR (due May 25th 2018 for everyone who is late to the party) (GDPR-wikipedia)

The large auditing firms are rubbing their greedy little hands in anticipation of the hell this is about to create.

Lawyers are also right there with saliva dripping from their hungry mouths.

The latest news on the technical front for GDPR is that "whois" domain name data is in scope and must be protected.

This means that criminals can now easily register a .COM domain (or any domain name) such as National-BankOfCanada.com and have the protection of GDPR on their side to hide any information they would have provided.

This isn't a new issue, since you could always hide the publication of your domain registration information through a proxy service offered by various providers.

Investigations need every little piece of information in order to figure things out when things go bad.  

A typical example:  Your network is getting attacked and it is coming from somewhere on the internet (obviously).  More than likely the system attacking you is only a pawn in a much larger game.  It is a system that has been compromised and is now being used to attack others.

As the security actor in this scenario, you look up the IP address and domain registration information and find out that the system in question belongs to company XYZ and their technical contact is named John, his email is John@xyz.com and his phone number is 555-1212.  So you email or call John and let him know that his system is attacking yours and that he needs to take action.

This is where it gets really weird.

Talks this week are about web server logs.

According to GDPR, keeping the IP address within your system logs of a website visitor (or any network connection) is a violation.  They recommend that if you REALLY REALLY need to keep this information, it should be for just a few days.

This is absolutely bat shit crazy ass nonsense.

Average breach time detection is currently measured in months not days.  And in fact, sometimes it is more like 6 months not 6 weeks.

This is like saying that you can no longer have a surveillance camera protecting your jewelry store that is able to record.

Entire SIEM solutions would now be crippled and investigations almost impossible unless detected immediately and acted on immediately.  But with the lack of adjacent information, you soon won't be able to tell which country it is coming from, so why bother.
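One way a defender can reconcile the two needs this passage sets against each other (keeping logs correlatable in a SIEM for months versus not holding raw visitor IPs for that long) is to keep the raw address only for a short window and then replace it with a keyed pseudonym. The following is an added example written for this page, not the author's code or any product's: the log lines, the key, the dates and the seven-day window are all constructed or assumed values.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined"-style format (not real traffic).
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Apr/2018:08:15:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Apr/2018:08:15:09 +0000] "POST /login HTTP/1.1" 401 128',
    '198.51.100.23 - - [24/Apr/2018:17:42:51 +0000] "GET /index.html HTTP/1.1" 200 4096',
]

# Assumed policy value: raw client IPs are kept this many days, then pseudonymized.
RAW_RETENTION_DAYS = 7
# Constructed demo key; in practice it lives in a secret store, not in the source file.
DEMO_KEY = b"constructed-demo-key-rotate-me"
# Fixed "now" so the demo is reproducible.
DEMO_NOW = datetime(2018, 4, 26, tzinfo=timezone.utc)

# Leading client address, then the rest of the line, with the bracketed timestamp captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<rest>.*\[(?P<ts>[^\]]+)\].*)$')


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym for an address.

    Same key + same address -> same token, so repeat sources still line up in a
    SIEM months later.  Because it is an HMAC rather than a plain hash, the
    token cannot be reversed by brute-forcing the small IPv4 space without the
    key, and rotating the key deliberately breaks linkage across epochs.
    """
    digest = hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()
    return "ip-" + digest[:16]


def age_out_line(line: str, key: bytes, now: datetime, retention_days: int) -> str:
    """Return the line unchanged while inside the raw-retention window,
    otherwise with the client address replaced by its pseudonym."""
    m = LOG_RE.match(line)
    if not m:
        return line  # not in the expected format; leave untouched rather than guess
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    if now - ts > timedelta(days=retention_days):
        return f'{pseudonymize_ip(m.group("ip"), key)} {m.group("rest")}'
    return line


def process_logs(lines, key: bytes, now: datetime, retention_days: int):
    """Apply the retention policy to a batch of log lines."""
    return [age_out_line(line, key, now, retention_days) for line in lines]


def demo():
    """Run the constructed sample through the assumed policy."""
    return process_logs(SAMPLE_LOGS, DEMO_KEY, DEMO_NOW, RAW_RETENTION_DAYS)


if __name__ == "__main__":
    for original, kept in zip(SAMPLE_LOGS, demo()):
        print("raw:  ", original)
        print("kept: ", kept)
```

With the constructed input, the two April 10 lines come back with the same `ip-…` token (so the failed-login sequence is still attributable to one source) while the April 24 line keeps its raw address. Two caveats for anyone adopting the approach: the key must be protected and rotated on a schedule, since whoever holds it can re-derive a token from a candidate address; and under GDPR pseudonymised data is still personal data, so this narrows the exposure rather than taking the logs out of scope.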

Complete horse shit.

We are once again putting in place laws that are stupid, unenforceable or go against common sense.

Like the stupid anti-spam law in Canada which will severely punish the legitimate business owner who sent off an email to a potential client and lets the other 99% of the "enlarge your penis" spams get into my mailbox.   Or is that just me.  Unlike Donald Trump, my hands are normal sized, so no issues there.  

That law did not change the level of spam I get.  In fact I get even more from services that I clearly don't want, from companies in other countries and I get no more from potential business partners that are local to me.

Why is GDPR stupid.... well... the basis of it is fine.  In fact it rests on several laws that are already present in most European countries, it sort of duct tapes it all together.  What is stupid is when it extends to things that we absolutely need to continue having a functional international internet.  

It is as if lawmakers always forget that criminals do not follow the law.

Making it easier for criminals to hide and conceal themselves is NOT going in the right direction.  And now, we will have another wave that lasts almost 10 years of poorly educated cybersecurity players making a ton of cash fixing your GDPR issues.  The ones you might not even have, or shouldn't even care about.  It is now going to be priority numero uno.  There is an old saying that there is some money in fixing a problem, but way more money in prolonging it.  This applies here.  Focusing on the wrong thing takes away precious resources from areas that greatly need these resources.

The criminals are going to continue getting better, and they are already way better than the majority of cybersecurity entities within enterprises for the simple reason that this is ALL THEY HAVE TO DO in their daily lives.

We have to protect ourselves against every possible attack scenario and they only have to find one way in.

So thank you GDPR for taking tools away from the good guys and making sure the bad guys get more "privacy".

I know what is going to happen over time.  Things are going to get worse.

Just like in airports when some cunning business person wanted to sell full body scanners to the tune of $800k a pop.  Each International airport should have several.  It is for National Security after all!  Let's start a new agency and call it HomeLand Security.

How do we get acceptance?  Easy.  Start taking people's nail clippers away at the airport, and their water bottles, and having them take out all their food items and candies (this just happened to me in Texas a few months ago).  Because let's face it, we have all seen that video on YouTube where that dude rams a handful of candies into that innocent victim's mouth and proceeds to kill him with nail clippers.  It was a long gruelling 5 hour video, a real nail biter.

So as things get worse, society will become more tolerant to government oversight.  Because the government can come in and save us you see.  Clearly you must see the light.

This is why, over the course of a few decades things are going to turn to shit, the government will gain even more "power" (read here spying and controlling abilities).  All in the guise of protecting our privacy.


In the meantime, most companies are now going to be focusing on these "REAL" issues since we must be GDPR ready, yet they can't even manage having quality passwords used by their most senior executives.

People are eager to run to the front with a weapon without any training just because it looks good on paper.

We are going to hell in a hand basket.

This is a certitude.

Another interesting event this week.   The US SEC fines Altaba (formerly Yahoo) $35 million in penalties for not disclosing the breach they had in 2014.   If you are paying attention, you should know that the senior executives don't get a penalty.  It's the shareholders money, who cares, move on.

https://www.sec.gov/news/press-release/2018-71

The ones with the power never get penalties....not REAL penalties, so don't bother writing me telling me some immature sob story about how one senior executive lost his job, because we all know they get a sweet ass golden package and just move on to the next place to screw them up while being paid a shit ton of money to do their thing.

When it comes to power, once you have it, you want to keep it.  And the best way to keep it is to follow these basic rules with your sheep... I mean citizens:

1) Keep em misinformed / uneducated / stupid

2) Keep em under watch (so you can tune your strategy or adopt the right attitude / new laws)

3) Keep em frightened.  Remember, lots more money in FUD and over complicating the problem.

4) Fine the shit out of the small guys because we don't want any more people sitting at the big boy table.  People in power do not like competition.

And boy oh boy are we on track.

Kim Jong-un, like I said before, is a smart nut job.  He managed to get invited to the big boy table.  But he had to pull some crazy ass shit to get there.

Good luck pulling off anything that will get you at the big boy table.  As a regular (yet smart) citizen, you're only entitled to pay taxes and fines and licenses to do things that you should be able to do as a basic right.

Hell in a hand basket, but carried across the finish line painfully slowly.

So, for all the enterprises freaking out over GDPR.  Take a deep breath and remember that someone will be ready to take your money and "help you" with all your GDPR compliance issues.

And a long series of commercial products are being very well marketed to remind you of how all your compliance issues can be resolved by buying this fine high quality piece of software or cloud based service.

Yet in reality no such thing exists.  GDPR like all compliance initiatives will be long, boring, and painful and yield a very limited true gain on the cyber security front.

Hell, we could write a novel on the conflicts between GDPR and SOX alone.   Doesn't Sarbanes Oxley kinda want you to keep everything for 7 years and GDPR doesn't want us to keep IP addresses ?

I'm getting my popcorn out and am going to sit back and enjoy the show.

And since I get to play psychologist / coach to senior executives, I will certainly get to hear my fair share of horror stories to blog about.







Monday, April 23, 2018

Naive, stupid or maliciously negligent..... you decide.

The last few weeks have been a roller coaster ride for security with all the discussions about Facebook being evil and Mark Zuckerberg being the reincarnation of Stalin.



People in general are way too loose on their data sharing and when a FREE service like Facebook makes the news because they are making money on your data..... the surprise that people feel is mind boggling.

I'm not debating that there are abuses.  I'm stunned that people are this stupid and actually thought that Facebook was "free".

How many of your friends have taken one of them silly surveys that pops up and then you get to see the survey results of 'how' they scored an 87% on the hotness scale if you too take the survey!  What exactly do you think happens to all the personal information you are handing out like it's free....  

What is of great frustration to me as a security specialist isn't really Facebook.   It is the sigh of relief that Equifax let out when the Facebook news broke out.

Just like the American president who keeps jiggling his left hand with a shiny object of meaningless bullshit to occupy the weak cerebral cortex of the masses while the other hand is firmly jammed into big business and big dollars.

The Equifax story shouldn't be dead.

In fact, if there is a real story of an entire system gone bad, this is it.

The bad partnerships


So the banks give all your information to a third party, who then sells you access to your information online, so you can check your credit and make sure the data collected on you is accurate.

I'm no genius, but I can tell when I'm getting screwed.

The lack of a quality security audit by your banks towards their "partners" is an insult.

There are so many things that surfaced that are wrong with the lack of maturity at Equifax, that it is clear that a quality audit was never performed by their business partners.  Now isn't that alarming, thinking that the banks just hand off your data to a third party without actually checking the state of their security!?

Now I know for a fact that they sent off security questionnaires and that someone at Equifax provided very formal and valid sounding answers.   So the banks feel like they have done their best.  This is complete crap.   Just because you put in place a contract with security requirements does not automatically wash your hands of the responsibility of handing over sensitive data to an incompetent partner.  How respectful is that of our data?  It isn't.


The lack of followup and penalties (reward instead)

Why hasn't a formal plan been produced and made known to the public about how the banks are going to address this with Equifax (and TransUnion, the other very similar third party)?

As a citizen impacted by these issues, we should be demanding that a formal plan be made, be publicly published, and reviewed by a qualified and independent security entity (not one of them business friends scratching each others back).

No real penalties here... in fact, Equifax shares went up!   They are after all selling a lot of them "identity theft" protection packages so the breach actually helped them make more money.

This is purely criminal behaviour.  Just because our laws don't spell it out, and our elected officials don't care (because they are all friends....), does not make it legal.  This is criminally wrong.

Let's take a moment to look up the word CRIME in a dictionary, this is a worthy mission....

crime

http://www.dictionary.com/browse/crime

noun

1. an action or an instance of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited.

4. any offense, serious wrongdoing, or sin.

5. a foolish, senseless, or shameful act:

Now item #1 sounds good until the last words that stipulate "is legally prohibited", but #4 and #5 remain very clear.

What is going on with our personal data within banks and companies like Equifax is a CRIME.

Our privacy commissioner is asleep

I continue to be amazed that we, as a society agree to be spoon fed bullshit about privacy being important by significant entities like the privacy commissioner (constantly bitching about Facebook), but when it comes to fixing a real problem, involving a real failure across the entire system, nothing gets done.  

There will be some bitching at Equifax, yet no one mentions the banks' role in criminally mishandling our information, and then life goes on.  Nothing really changes.

So to all the journalists awaiting that next big breach..... how about you finish up on the really important ones instead of hunting for the next mostly insignificant one.   As much as it is fun to watch Facebook get slapped around, we all gave up that data willingly.   What the banks and Equifax are doing is NOT THE SAME THING.  New enterprises get breached every day, but not all of them have the impact that Equifax has. 

It is always easy to blame someone else for your stupidity.   This week, journalists pointed out that an anonymous jury was being identified by Facebook.  NO !   The jury is being identified by completely lax and incompetent security around an anonymous jury.  Who is running these juries!   

No one instructed the jury to leave their cell phones off (or turn data off) prior to arriving at the court house?

No one instructed the jury to NOT post selfies at the court house?

Big surprise that Facebook is suggesting "New friends" at the court house!

That is what happens when no one cares enough about security.  Don't blame Facebook, blame human ignorance.

Oh my, we can't ask people to turn off "data" on their phones while they are here, it is "their right" to communicate electronically.   

Ok, then it is their decision to expose themselves and potentially no longer be an anonymous jury.

You can't have it both ways.

As a society we are a whiny ass bunch of losers always saying it is someone's "right" to do something stupid, and it's always OK to blame someone else for our lack of common sense.

And in doing so, we forget that we have the "right" to impose common sense into certain processes like this case of an anonymous jury.

But hey.... let's just blame Facebook because Mark Zuckerberg has that smug rich look.  It's all his fault.

Now, just to be clear.  We cannot expect normal users to understand that they are being very foolish when posting too much information to Facebook, Instagram, etc.   

Facebook is indeed "Evil" because their position has changed into a global information processing demon.

Doesn't change that we continue to act foolishly.

Doesn't change that Equifax is a major issue that will not get the attention it should because it is protected by big business and we, as a society, get really distracted easily with shiny objects.

Doesn't change that Banks are not handling us like "clients", we are simply their products and they do not actually care.

Doesn't change that our privacy commissioner isn't living up to expectations.


And, until senior executives are held personally accountable, nothing will change.

Big fines that are paid by the corporation are just the cost of doing business.

