Monday, May 28, 2018

BMO and CIBC drops the ball and is found bent over trying to pick it up.



I know eh!  Catchy title!




So get this, they have a security breach and they figure it is a great idea to pump out a press release immediately (according to their own statements).

Now who would do that ......  who would advise the media hours after a breach is discovered.

CBC news article: 

BMO Press release:

CIBC - Simplii Press release:

The answer is simple.  Someone who has awesome security, and awesome security folks, and awesome security tools (that they seemingly had forgotten to turn on it seems) !

The last part is sarcasm.  

So lets break down the press release into three main parts

1) They found out about the breach when the bad guys (apparently from another country) called them on Sunday and let them know.

2) They immediately stepped up security (added "enhanced security" .... their term)

3) They are now confident that everything is 100% cool....

Wow..... all within a few hours.

They should shut down the bank and start a security company.  

It is like they didn't have anybody re-read this press release that had both hemisphere working.

Whats wrong with #1
If the bad guys actually called them up on a Sunday (which by itself is a miracle since I couldn't dream of reaching someone at a banks head office on a Sunday), then doesn't this mean it is a hostage situation... they must have called up to ask for something.... where is the beef!

Whats wrong with #2
It implies that they had a lot of security systems turned off at the time of the attack (or had no one tasked at looking at the security systems) since they instantly activated "enhanced security mode" within a few hours of being told of the breach.  Why wouldn't this "enhanced security mode" be on all the time?

Anyone who works in security knows that adding "enhanced security" takes months and sometimes years, yet they pulled it off in a few hours.  Simply amazing!

Whats wrong with #3
I keep telling senior managers and students the same thing..... if any idiot tells you that something is 100% secure or 100% certain.... back away slow, they are dangerously incompetent.

Nice job in the press release / damage control department!  I now have yet another example to use in my teachings with regards to the value of keeping your big mouth shut until you have something of value to throw out there.

In the meantime, no one knows what was exposed and what they should do about it.

Once again... nice job... and no.... not cool.

I was interviewed by CBC (in French) and had a hard time holding back the sarcasm.

Link:  https://vimeo.com/272250062/ad0ef65ba4

So to summarize, either they had a lot of security turned off with no one watching and now they are looking, or they added a lot of security overnight.. I mean...or they lied.

So to summarize further, they are either incompetent or liars.

Great start to the week !


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com



Thursday, May 3, 2018

Equifax finally admits that they had no security...



In a huge turn of events today, Equifax and myself are trying something new.

Equifax is trying to include security within their ecosystem.


I'm trying a catchy title with half truths like all the newspapers keep using.

Only problem is that my title isn't actually a half truth, it is more of a mostly true.

Equifax seems very proud to announce to share holders and to the world that they have just poured 100's of million of dollars on security.

The catchy phrase that got me going for this end-of-week post is this gem from their last quarter financial reports as reported by SC Media:

$ 242.7 million overall breach cost:  


This included $45.7 million in IT and security costs to transform the company's IT infrastructure and improve application, network, and data security. 


The thing with traded companies is that we KNOW.  We know that you only spend money when you absolutely must.

So this $45.7 million was needed.  As in, was always needed.

To be clear, this means that their "secure" ecosystem was behind by $45.7 million.

Yet, they always claimed that they met all the compliance requirements both legal and of their partners.

So keep that in mind next time you are doing business with a publicly traded company who by the way had a 125 million dollar cyber insurance policy with a 7.5 million deductible.  

In my humble opinion, a 6% deductible sounds like the insurance company was trying to manage their risk and perhaps had doubts about the quality of the Equifax ecosystem.  But that is pure speculation, just like thinking that "the Equifax clients" are their priority.   And ultimately, it is a traded company, so higher deductible means lower monthly premiums, better short term for the share holders, so basically a win win. And since senior executives have done their "duty" and do have insurance, then the fact that the share holders will suffer the financial hit IF (when) a security breach takes form is a very common board room stance.

The "shirt term, bottom line" is always the only true priority for a traded company.   Until the laws evolve to include stiff financial penalties for willful blindness by senior executives (personal liability) and jail time, things will not change.


_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

www.eva-technologies.com




Wednesday, May 2, 2018

Will your DNA become a liability



A very interesting news article was published this week about the Golden State Serial killer being tracked down with Genetic Testing DNA information.




Turns out that law enforcement had a solid lead that required getting a genetic testing lab to cough up the goods.  Ultimately the information was actually used to clear an innocent person that was on the suspect list.... so really.. a good ending.

In case you aren't aware, numerous Genetic DNA labs exists that help identify your hereditary diseases, ancestry details and many other pretty cool things.

Take a look at 23andme and you can get a good idea on the cool things you too can find out about with just a spit sample.

The problem is how the information is handled, and more importantly, how it could be accessed in the futur.

If your raw DNA results get deleted and can't possibly be pulled back it would be less of an issue, but the nature of genetic DNA testing is that it requires a lot of information for the purpose of correlation.  So in short, they cannot delete anything, the strength of the entire analysis is based on raw numbers.

So in this case, we have a happy ending.  A serial killer was identified.  I doubt that anyone is going to complain about that.

But it does open the door to various abuses by law enforcement, and causes a major ethical ripple in the world of Genetic DNA testing.

I propose to you the following very simple problem.

You order a simple DNA test for $200.

It highlights you're are likely to have a certain disease.

You contract a new life insurance policy and you didn't mention the DNA testing results.

You have probably just broken the law, as most insurance forms will ask "are you aware of anything else we should know about", or something along those lines.

What if you even forgot that the 10 page report mentioned your predisposition to a disease name you didn't even recognize or understand....... your insurance is still technically invalid.

So if the genetic DNA lab suffered a data breach or was purchased by an insurance company and you had dropped dead of that unlucky disease.... the insurance company would not have to pay up since after all, you lied on the insurance form.

Now the likelihood of any of this taking place in our lifetime is maybe nil.

Ask a conspiracy theorist and you will get an ear full about how citizens are voluntarily paying to get genetic testing done and giving up their DNA information to the government.

What if big corporations have access to genetic information?  Could this information be used to their advantage?   If one thing has been proven time and time again, is that information is power, and power involves abuses.

Time will tell.

So from a security professionals point of view, I would recommend that anyone getting genetic testing stick to one basic rule.  Do not provide your real name and birthdate.  It simply isn't required for the DNA testing.

However.... you did pay for the test with that credit card..... so don't go killing anyone and expecting your entire DNA thing to be air tight  ;-)


If you want the full details about the case, this Buzzfeed article really covers it to a good degree.
_______________________________________________

Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies



www.eva-technologies.com




Banning TP-LINK..... the correct strategy?

OBJECTIVE:  Something to think about.  This type of news comes around frequently over the last decade.   Should we ban a Chinese manufacture...