Friday, October 29, 2021

Municipal elections, your data once again exposed

Some big news in the last 24 hours: an entirely new minister for cybersecurity!


I can’t wait to see what my colleagues will be saying about this news.


I do see some issues. After all, that is what security professionals do: we look, we find weaknesses and we talk about these weaknesses, hoping that someone will listen and take charge.


Overall, this is hopefully great news.  Having an entire minister assigned to cyber should change some things. 


The current changes target only government entities, and the depth still needs some work.


I have two concrete issues following my analysis of the 28-page document.


MUNICIPAL ELECTIONS

Quebec is entering an election period across all municipalities. Historically, elections bring out some unethical people. People who will go door to door making up stories and lies to gather support and votes to push out the other candidates. These ethically and morally challenged individuals only require 5 signatures to get their names on the list for most municipalities across Quebec (for example, cities of fewer than 10,000) and guess what they all get... a full list of all registered voters INCLUDING their full birthdates!


Wait... did you just read that correctly... the same issue with data leakage that we blame everyone for is taking place again at the end of 2021 across all cities in the province! YES!

Groundhog day version 2.0


So in Montreal, an Excel spreadsheet of over 1 million names is being shared by various candidates, staff and interns, and it holds your full birthdate even though there really is no use or need for it.


I think this should be looked at by a future minister of cybersecurity.


IDENTITY THEFT

The second example is the banking, Equifax and finance sector, which remains clearly out of scope since this initiative targets government entities only.


Banks and their senior managers need to be personally liable if they give credit or open an account to the wrong person.  Relying on birthdates and social insurance numbers that have literally fallen from the sky over the last few years is ludicrous. 


We need a digital ID for all important services, and that means banking and finance should be a priority. This is where identity theft strikes the most.


The cybersecurity industry has proven that we can get the ear of the government; we need to keep pushing. As it stands, this new announcement does not actually change much, since most things that impact the citizen are related to identity theft, and this is not addressed outside the government entities covered in the current announcement.


Part of me feels this 4-billion-dollar investment is more of a cleanup of the current disaster that is information technology within the government. Regardless, it needs to get done; the government does need to clean up its information technology hygiene.


Minister Eric Caire, excellent first step, do not stop now.


Related interviews (French):

RADIO CANADA: https://ici.radio-canada.ca/util/postier/suggerer-go.asp?nID=4733866

QUB RADIO: https://www.qub.ca/radio/balado/genevieve-pettersen?track=1059632448

_______________________________________________


Eric Parent is a senior security expert, specialized in coaching senior executives.  He occasionally teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.


Follow Eric on:

Twitter @ericparent

LinkedIn :  EVA-Technologies


Municipal elections, your data once again exposed

Big news! A brand-new minister for cybersecurity!


I can't wait to see what my colleagues will say about this news.


I see a few problems. After all, that is what security professionals do: we look, we find weaknesses and we talk about those weaknesses, hoping that someone will listen and take charge.


Overall, I hope this is good news. Having an entire minister assigned to cybersecurity should change some things.


The current changes target only government entities, but the depth still needs work.


I have two comments to make after analysing the 28-page document.


MUNICIPAL ELECTION

Quebec is entering an election period in all municipalities. Historically, elections bring out some dishonest people. People who go door to door inventing stories and lies to gain support and votes in order to push out the other candidates. These ethically and morally challenged individuals need only 5 signatures to get their name on the list in most Quebec municipalities (for example, cities of fewer than 10,000 inhabitants), and guess what they all get... a complete list of all registered voters, including their full date of birth!

Wait... did you just read that correctly... the same data leakage problem that we blame everyone for is happening in 2021 in every city in the province! YES!



Groundhog Day 2.0

So, in Montreal, an Excel spreadsheet containing more than one million names is being shared by various candidates, staff members and interns, and it contains your full date of birth even though it is neither useful nor necessary.

I think this should be examined by a future minister of cybersecurity.


IDENTITY THEFT

The second example is the banking, Equiflop and finance sector, which clearly remains out of scope since this initiative targets government entities only.


Banks and their senior managers must be personally liable if they grant credit or open an account for the wrong person. It is ridiculous to rely on dates of birth and social insurance numbers that have literally fallen from the sky over the last few years.

We need a digital identity for all important services, and that means banks and the financial sector must be a priority. This is where identity theft strikes hardest.

The cybersecurity sector has proven that we can get the government's ear; we must keep up the pressure. As things stand, this new announcement does not change much, since most of the things that impact citizens are related to identity theft, and that is not addressed outside the government entities covered by the current announcement.

Part of me thinks this 4-billion-dollar investment is more of a cleanup of the current disaster that is information technology within the government. Either way, it has to be done; the government needs to clean up its IT hygiene.

Minister Eric Caire, excellent first step, do not stop now.



Friday, August 13, 2021

The vaccine passport is a failure - Our government should really talk with some experts

The Quebec vaccine passport project was doomed from the start.




Clearly no security expert was consulted or listened to prior to launching this imminent failure.


The system deployed builds on the government's failure to provide any form of digital ID and to limit the damage of identity theft. After all, today, your birthday remains a very confidential piece of information... that everyone knows.


Security experts are supposed to look at the entire process and assist a project so that the overall results are favourable based on calculated risks at each step.


Here is what should have been considered as an alternative.


First, let's understand that the current system involves an application used by businesses that does not talk to a central system. Let's put aside that it is possible to obtain a false QR code (based on falsified vaccination paperwork); the QR codes contain sensitive information such as birthdates that we now accept will be "scanned". This approach also transfers the burden of authentication to every business operator, as they now MUST ask everyone for ID so that they can check that the QR code matches the individual. Let's put aside that, if I recall correctly, it is not even legal or acceptable to ask for a driver's license, and that there is no way to check with a central system whether the code is for the person in front of you. Pushing the authentication of the person and the validity of the QR code down to the business owner is literally the most foolish thing a supposedly secure system could do, and expecting it to work is even more ridiculous.


The system could have been this:


1) A QR Code that is a fully random key

2) An application that reads the code and consults a central database to validate that this code is valid

3) The application then displays the photo of the individual taken from the RAMQ system since almost everyone has their photo already in that system.


Voila! The business owner no longer has to ask people for ID, and if the person in front of them matches the picture, then that person is vaccinated and compliant.


The only issue left to resolve would be how to handle the people who are not in the RAMQ system, and sending these folks to the SAAQ with their proof of vaccination so they can have their photo taken does not seem that complex.  If it is, then having a few regional offices that offer the service certainly is attainable.


Bottom line, this system is a failure and unless some changes are made, will be a major pain in the ass for all business owners.


Let's hope that the Canadian and international versions learn from these mistakes and do not continue in this direction.





The vaccine passport is a failure - Our government should really talk with some experts.

Quebec's vaccine passport project was doomed to fail from the start.



Clearly, no security expert was consulted or listened to before launching this failing project.

The system deployed builds on the government's inability to provide any form of digital identification and to limit the damage caused by identity theft. After all, today, your date of birth remains a very confidential piece of information... that everyone knows.


Security experts are supposed to examine the whole process and assist a project so that the overall results are favourable, based on calculated risks at each step.


Here is what should have been considered as an alternative.


First, let's understand that the current system involves an application used by businesses that does not communicate with a central system. Setting aside the fact that obtaining a fake QR code is possible (through falsified vaccination documents), the QR codes contain sensitive information such as dates of birth, and it will now be acceptable for people to "scan" that information. This approach also shifts the burden of authentication onto every business operator, since they now MUST ask everyone for a piece of ID in order to verify that the QR code matches the person. Let's set aside the fact that, if I remember correctly, it is not even legal or acceptable to ask for a driver's licence, and that there is no way to check with a central system whether the code is the right one. Pushing the authentication of the person and the validity of the QR code onto the business owner is literally the most foolish thing a supposedly secure system could do, and expecting it to work is even more ridiculous.


The system could have been the following:


1) A QR code that is a fully random key.

2) An application that reads the code and consults a central database to validate that this code is valid.

3) The application then displays the individual's photo taken from the RAMQ system, since almost everyone already has their photo in that system.


Voilà! The business owner no longer has to ask people for ID, and if the person in front of them matches the photo, then that person is vaccinated and compliant.


The only remaining question would be how to handle people who are not in the RAMQ system, and sending them to the SAAQ with their proof of vaccination so they can have their photo taken does not seem that complex. If it is, having a few regional offices offering the service is certainly achievable.


Bottom line, this system is a failure and, unless changes are made, it will be a real pain for all business owners.


Let's hope that the Canadian and international versions learn from these mistakes and do not continue in this direction.



Friday, July 23, 2021

The obvious and predictable failure of QR code vaccine evidence

I haven't written in a long time, and it is Friday with plenty of subjects to explore!


I have given a few interviews about the QR code idea that the government was floating and that has now become reality.  I called it from the start, the government was going to mess it up to the max.

PREUVE VACCINALE ET CODE QR (FRENCH)



Well, guess what folks, the government didn't just deliver the Hindenburg, some are actually surprised that people are faking the QR codes !

Holy shit folks, the children running the country are surprised that the system they delivered with ZERO security and ZERO controls to prevent abuse is being abused !

https://globalnews.ca/news/8039873/winnipeg-restaurant-phony-vaccine-qr-code/




CONCLUSION: The entire process that they put in place is irresponsible and foolish.


A QR code that actually has confidential information embedded in the code was a bad idea from the start.

A QR code that basically allows a business owner to scan and display the person's name and other "pertinent information" without a means of validating the information was building on a terrible foundation.


This means that the business owner would have to ask you for government issued ID to attempt to match the QR code data to the person that stands in front of them.   

What could go wrong with deputizing the business owner, entrusting them with sensitive information and imposing that they start asking for ID at the door!


The solution was actually so much easier, at least in Quebec. Not sure about all the other provinces, but in Quebec the QR system is based on your medicare card number, which miraculously is attached to a photo they have on file!

How simple would it have been to generate a fully random QR code with no sensitive data, and when this code is scanned using the government-approved application... the central system pops your photo up on the screen. The business owner looks at your ugly face and looks at the photo... if both are as repulsive... it must be a match and all is good. Simple.
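The random-key design sketched here (and listed as steps 1-3 in the August 13 post above) in working form, as an added example that is neither the government's system nor the author's code; the names PassRegistry, health_id and photo_ref and the sample records are assumptions, and the "legacy" payload is a constructed stand-in for a code that embeds personal data:

```python
"""Random-token vaccine pass: the QR code itself carries no personal data.
Added illustration of the design in the two QR-code posts, not the government's
system or the author's code. PassRegistry, health_id and photo_ref are
hypothetical names; every record below is constructed sample data.
"""
import hashlib
import hmac
import json
import secrets

# Key for hashing tokens at rest (constructed; a real deployment keeps it in a KMS/HSM).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def issue_token() -> str:
    """The entire QR payload: 192 bits of randomness, nothing about the holder."""
    return secrets.token_urlsafe(24)


def token_index(token: str) -> str:
    """Keyed hash under which a token is stored, so a leaked registry table
    cannot be replayed as valid passes without SERVER_KEY."""
    return hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()

class PassRegistry:
    """Central database the merchant app consults (steps 1-3 in the August 13 post)."""

    def __init__(self) -> None:
        self._records = {}  # token_index(token) -> record

    def enrol(self, health_id: str, photo_ref: str) -> str:
        """Issue a pass; the returned token is what gets printed as the QR code."""
        token = issue_token()
        self._records[token_index(token)] = {
            "health_id": health_id,  # stays server-side, never sent to merchants
            "photo_ref": photo_ref,  # pointer to the photo already on file (RAMQ in the post)
            "valid": True,
        }
        return token

    def revoke(self, token: str) -> None:
        """Central revocation: a forged or withdrawn pass stops working everywhere at once."""
        rec = self._records.get(token_index(token))
        if rec is not None:
            rec["valid"] = False

    def verify(self, token: str) -> dict:
        """Reply to the merchant app: a status and the photo to compare against, nothing else."""
        rec = self._records.get(token_index(token))
        if rec is None or not rec["valid"]:
            return {"status": "invalid"}
        return {"status": "valid", "photo_ref": rec["photo_ref"]}

    def holds_raw_token(self, token: str) -> bool:
        """True if the raw token appears anywhere in storage (it must not)."""
        return token in json.dumps(self._records)

def offline_disclosure(qr_payload: str) -> dict:
    """What a bystander learns by decoding the QR image without the server:
    a self-describing payload gives up every field, an opaque token gives nothing."""
    try:
        data = json.loads(qr_payload)
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}


# Constructed payload of the kind the posts criticise: personal data inside the code itself.
LEGACY_PAYLOAD = json.dumps({"name": "Jane Doe (constructed)", "dob": "1970-01-01", "doses": 2})
```

The merchant app needs a network path to the registry for every scan; that is the trade-off the posts accept in exchange for a code that discloses nothing when copied or photographed.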


But there is no money in simple... and more money in complex and pointless systems. Where is version 2.0!


I know some critics will whine and cry that not everyone has a medicare card or not everyone has a photo on file (such as young children). And you, my friend, are part of the problem that imposes terrible systems because of exceptions. There are concrete ways to manage exceptions that would work. But instead, the government spent our tax dollars on a system that was doomed right from the start. A system that has no security, and that actually exposes sensitive information for no valid or functional reason.


Any decent first-year security student would have assembled a more robust and worthy ecosystem.


As seems to always be the case with IT and government projects.... a big bravo is in order.


Other positive news this week:


KASEYA FINDS DECRYPTION KEY UNDER A REDDISH ROCK IN THE NEVADA DESERT

https://www.databreachtoday.com/kaseya-obtains-decryption-tool-after-revil-ransomware-hit-a-17129

Check out the guy's face, he hasn't slept in a while ;-)

Their press release stipulates that they cannot deny or confirm if they paid the ransom.  Either way.... a key is now miraculously available!   Great news!


INTERNET GOES DARK FOR 2 HOURS

Banks, airlines, cloud services, all went dark for a few hours due to a minor issue at Akamai. Seems someone used their thumb instead of their fingers and made a small mistake.

https://www.cbc.ca/news/business/akamai-internet-outage-1.6112954

How is this good news, you ask? Simple: if this had an impact on your operations, it identified key systems you have in place that should not have been placed in the cloud on services that call the issue minor when it was critical to you. Great news again!


I'm off to the restaurant with my newly printed QR code.


Have a great weekend !



Saturday, January 2, 2021

Videotron Breach ? Welcome to 2021

UPDATE JAN 2nd 2020 - 13:45. The 37 gig file contains email addresses used in phishing attacks. The emails contained are a complete mix of domains. 22977 of them are @videotron.ca emails. No other conclusions as to the correlation between this list and the Videotron passwords found in another directory can be made at this time.


Was Videotron breached? A list of 60,000 accounts (email and passwords) was just leaked. This would be a small subset of their entire client base, but remains interesting.

Since most of the media tend to avoid touching Videotron and the Quebecor empire, I doubt we will see much ink on this breach.


A list containing Videotron account information totalling 226084 items, all Videotron email usernames with their passwords, was published.






FILE LINE COUNT

wc -l videotron33.txt
    5743 videotron33.txt
wc -l videotron34.txt
   14560 videotron34.txt
wc -l videotron35.txt
   21059 videotron35.txt
wc -l videotron36.txt
   39264 videotron36.txt
wc -l videotron37.txt
   47859 videotron37.txt
wc -l videotron38.txt
   40817 videotron38.txt
wc -l videotron39.txt
   49565 videotron39.txt
wc -l videotron40.txt
    7217 videotron40.txt

Not many details about the source were provided with the leaked data; maybe some real journalists will dig through this and get to the bottom of it.


Overall, some duplicates exist, so when you remove duplicates, you are left with 60314 unique items. (For the record: "uniq -d" prints only the lines that occur more than once, one copy each; "sort -u videotron-full.txt | wc -l" is the direct count of unique lines.)

sort videotron-full.txt | uniq -d | wc -l
   60314


You can download the list of emails here (passwords have been removed for security) and see if your email is in the list.


NOW KEEP IN MIND that this does not mean that Videotron has been breached.  There are a lot of fraudsters out there that try to target companies to make them look bad.

Imagine if somewhere, a list of 50 million usernames had been compromised, and someone sorted them out looking for @videotron.ca... they could generate a list that looks like "only" Videotron yet has nothing to do with Videotron.

Some Montreal-based companies do EXACTLY this to try and generate business and sell security-related services. Going one step further, the data could also all be fake or old data... until Videotron comments, we simply cannot know for sure.


Either way, someone is targeting Videotron...   And we should all change our passwords... again...

>> End of warning ;-)

 

The list, totalling 60,000 unique entries, could indicate a specific leak from a specific system or division since it does not encompass the entire client base of Videotron.


Number of customers subscribed to Videotron from 2012 to 2019, by segment

SOURCE: https://www.statista.com/statistics/797458/number-of-videotron-subscribers/

The system hosting the leaked data is interesting, as it has other evil-looking content, including a 37 gigabyte file of email addresses (with no other information and no passwords). I am downloading this file now and will further analyse it once downloaded.




The site also hosts what is clearly phishing attack content such as fake PayPal login pages. This means that the Videotron data could also be someone preparing an attack targeting Videotron users, and the passwords could be for another service like PayPal.




 
