In the News

CIRA launches D-Zone Cybersecurity Awareness Training platform to help defend Canadian institutions

Partnership with Beauceron Security helps to turn users into defenders

Ottawa – June 18, 2019 – Today, CIRA is proud to add another tool to its growing portfolio of cybersecurity solutions with the introduction of D-Zone Cybersecurity Awareness Training. CIRA has partnered with Beauceron Security to bring Canadian institutions an advanced cybersecurity training and awareness platform to help turn their users into defenders.

While D-Zone DNS Firewall and D-Zone Anycast DNS defend at the DNS layer, CIRA D-Zone Cybersecurity Awareness Training mobilizes any organization’s most critical layer of defense—its users—to add extra vigilance to its security footprint. 

Key facts

  • CIRA’s 2018 Cybersecurity Survey found that 43% of all organizations still suffered business-impacting cyberattacks. As organization size increases, that number increases. This underscores the importance of adding employees to the defensive posture and not just treating them as a risk to be managed with technology.

  • This highly integrated and comprehensive cybersecurity awareness training platform provides user assessments, surveys, training, phishing simulation, and risk management to empower organizations to turn their employees into a robust layer of security.

  • Organizations implementing D-Zone Cybersecurity Awareness Training see an average three-times reduction in users being tricked by phishing emails.

  • D-Zone Cybersecurity Awareness Training includes industry-leading integration testing, simulation and reports to provide a fully automated platform that requires minimal IT management. The platform automatically adjusts the frequency and level of testing and training based on user behavior.

  • D-Zone Cybersecurity Awareness Training makes cybersecurity awareness more engaging through gamification. Personal dashboards accessed via SAML-based identity provide a snapshot and score for users and departments to track their improvement. It also allows organizations to manage and compare against NIST cybersecurity standards.

  • CIRA is adding D-Zone Cybersecurity Awareness Training to its portfolio of cybersecurity products as part of its mission to help Canadian institutions protect their networks, safeguard user data, and do it all with a made-in-Canada solution.

Executive quotes

“Beauceron is proud to be partnering with an organization that shares our goal of making a more secure online experience accessible to all Canadians. CIRA is a trusted partner with a methodical approach to meeting the needs of their clients and community. We’re excited for what this partnership will bring.”

David Shipley, chief executive officer, Beauceron Security.

“The responsibility for cybersecurity is no longer solely on the IT department; all users have a role to play. Employees who are cyber aware can be a company’s biggest asset in the escalating battle against cybercrime. Beauceron has created a platform that delivers cybersecurity training in a simple and engaging way. We are proud to have them as a partner in our growing suite of cybersecurity services.”

Dave Chiswell, vice president, product development, CIRA.

About the Canadian Internet Registration Authority

The Canadian Internet Registration Authority (CIRA) manages the .CA top-level domain on behalf of all Canadians. CIRA also develops cybersecurity technologies and services—such as D-Zone DNS Firewall—that help support its goal of building a better online Canada. The CIRA team operates one of the fastest-growing country code top-level domains (ccTLD), a high-performance global DNS network, and one of the world’s most advanced back-end registry solutions.

About Beauceron Security

Beauceron Security empowers behavior change across organizations by providing the right information at the right time, enabling individuals to make better decisions. They accomplish this by providing a unique integrated and highly automated platform that combines phishing simulations, cyber awareness training, surveys, and newsletters with advanced analytics and dashboarding.

Monday, June 17, 2019

Media contact(s)

Spencer Callaghan

Communications Manager, CIRA

U.S. demanding visa applicants' social media details

That Facebook rant about Trump may come back to haunt you should you decide to apply for a visa to the States.  

Whether you or your children aim to travel to the United States for business or education, your social media details could be surrendered to the U.S. State Department. You won’t be notified, but your past posts on Facebook, Twitter, Instagram or any other form of social media may be combed through by authorities and you could be denied entry as a result.  

Why, and why now?

This is an idea the U.S. toyed with in the early days of Trump’s presidency, back when the ban on people from predominantly Muslim countries was imposed. Now they’re going forward with it. The new visa application form has a section listing various social media platforms and asking people to fill in the names of any accounts held on those platforms over the past five years.  

The official reason is that this information can confirm applicants’ identities, and ID online extremism. But intelligence agencies can already access most of this info and have large data sets about you, so in reality, the new legislation may be more about speeding up border agencies’ processing and facilitating identification of people they’d rather not have in the U.S. 

Regardless of the logic behind it, this puts a damper on free speech, and places too much control of individuals’ personal information in the hands of authorities.  

Objective power based on subjective opinions

The truly damaging part of all this is that crossing a border is considered a privilege, meaning there’s now even more power in the hands of border guards themselves, who could react depending on their mood that day, their feelings around their own political affiliations, or something you posted on Facebook that was meant to be a joke.

This kind of data can easily be taken out of context and used to make a decision that could have profound personal or business repercussions on individuals. There's no room for appeal, so the concerns are very real.  

Think before you post

Unfortunately, there continues to be no reasonable expectation of privacy when it comes to social media.  

This has always been the case, but now more than ever it’s a good idea to think before you post that controversial opinion, that sensitive information, or that private comment. Don’t share data using an online tool that you wouldn’t want to be public.  

Freedom of speech laws exist only to prevent criminal prosecution by the state, not to prevent states or businesses from using material you post to make discriminatory decisions. 

So if you’re planning to apply for a visa, it couldn’t hurt to go through your social media accounts and delete old posts, enhance your privacy settings, and remove anything overly political. Of course, you have the right to post what you want, but protecting yourself in this case is about prevention. 

To get the right information at the right time, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

Canada's new digital charter: a step in the right direction

Last week, the Government of Canada announced its new “digital charter,” aimed at emphasizing Canadians’ control over their personal data and penalizing big internet companies that break the law, as well as combating online extremism, hate speech and fake news. 

According to a copy of the charter obtained by the Toronto Star, though, the federal government will not immediately impose regulations on huge transnational companies such as Google, Facebook and Amazon — which practically control life as we know it online.

What is the charter?

The charter is being described as a set of principles against which existing or future Canadian laws will be judged, but at present, with no real action being taken, there’s nothing stopping these companies from going about their business as usual. And letting these companies self-regulate is like letting a five-year-old do your grocery shopping — you'll end up with junk that’s not good for anyone.  

These companies have been allowed to run free and create technologies with no regard for consequences — it's always been about the bottom line. Take Amazon, for example: they will deliver any item almost anywhere in the world. No one has stopped to ask whether this is beneficial to society — it’s just assumed that if the business is profitable, it must be a good thing. Amazon’s Alexa feature has been involved in egregious privacy breaches where voice recordings were compromised and sent to the wrong users, but that fact hasn’t dissuaded many people from having an Echo in their homes. 

Facebook may be the worst offender, with multiple privacy violations; as punishment, they’ve been slapped with fines so minimal the company has had no reason to change their data-collecting and privacy-violating behaviours.   

Anti-trust and digital privacy

Anti-trust laws are a broad category of laws that are meant to keep businesses operating honestly and fairly. In the past, these laws in North America have been about protecting profit rather than data.

Germany has been using anti-trust laws to limit that data gathering, but North America is at least a decade behind Europe’s GDPR (General Data Protection Regulation), which puts privacy at the forefront and imposes strict fines on companies that collect too much data, that use data in undisclosed ways or without users’ full consent.  

What can we do?

It is a good sign that Canada is starting to take digital privacy issues more seriously. We can certainly maintain hope that the government elected this fall will continue to uphold privacy and regulate the online world in a way that protects our data. As citizens, we need to read the party platforms and consider voting in politicians who understand the importance of digital privacy and who demonstrate a commitment to protecting our sensitive data by reining in these big companies. 

Are you being stalked through your phone?

Tech and science publication Motherboard has been trying for weeks to warn a certain stalkerware company that they’ve been hacked. The app’s services are not secured, so hackers are sitting on a gold mine of exposed pictures, videos, messages and more.  

Motherboard has called out spyware providers for their deplorable security practices many times before, but these companies are all about invading privacy, so naturally they don’t care about the privacy of hacking victims.  

Stalking apps are especially vulnerable because their goal is to operate cheaply, not securely; there are hundreds vying for a slice of this business. And their customers are in no position to complain about their data being leaked – more often than not, they're using the software to commit crimes.  

What is stalkerware?

Stalkerware is what it sounds like: apps and services designed to let you track, without a user’s knowledge, things on their laptop or smartphone such as photos, messages, emails, browsing histories and GPS co-ordinates.  

Stalking apps are scarily salable. According to a study from Cornell University, there are roughly 300 apps on the market for Android and iPhone.

They’re also becoming popular with parents who want to know what their kids are up to online, but stalkerware is still mainly used by people who want to track their significant others – to find out whether a partner is cheating. And they’re commonly used by abusive ex-partners who can stalk their victims with relative anonymity. It’s invasive and creepy, and the data tracked is easy to exploit. 

Part of a bigger stalking issue

These apps and services are part of a major problem in this country, which is stalking in general. 

In just the last five years, data from StatsCan show about two million people have reported being the victims of stalking. Of those victims, only two in five report it to the police, and only a quarter of those reports ever result in charges being laid. Part of the reason for under-reporting is that more stalking is happening online, so it’s harder for police to investigate. 

Parental controls and spyware are not the same thing

Stalkerware and parental controls are very different means to the same end, which is keeping your kids safe online. Parental controls restrict the use of devices to safe situations, and block age-inappropriate websites. Stalkerware, by contrast, violates your kids’ trust by outright spying on them. 

The simplest solution is often the best

Never install stalkerware on your kids’ phones. If you’re tempted to do so, think about what that might be teaching them about what’s acceptable from authorities – it’s a slippery slope leading to an indifference about surveillance. 

And never, ever stalk your boyfriend or girlfriend! If you care about your partner, don’t put their sensitive data in jeopardy by using these insecure apps.

Combating the stalkerware industry

On a less personal level, payment processors such as PayPal and credit card companies should stop providing services to stalkerware firms. If they’re fined for accepting money from these apps – especially the ones that track cheating spouses – the offenses would be much harder to commit. When the cash is cut off, so is the crime.  

Services such as Find My Friends on Apple iOS devices should be updated to provide reminders to individuals on a daily, weekly or monthly basis if that feature is enabled on their device and whenever it is being used. GPS trackers built into modern cars should also provide audio and visual cues when they’re being tracked.

In wake of scandal and tragedy, Facebook privacy crackdown needed

It’s been a year – long enough to have forgotten the details of that Cambridge Analytica story that was all over the news last March.  

A refresher: In early 2018, Canadian-born Christopher Wylie went public with allegations that the British consulting firm Cambridge Analytica harvested private information from more than 50 million Facebook users, and shaped that data into social media strategies to support Trump’s 2016 presidential campaign. The scandal was among the first privacy issues involving Facebook, but it certainly hasn’t been the last. 

A+ for promises, D- for action

Though we have seen some efforts from Facebook to promote transparency – such as a new app to be rolled out in June that will show who paid for political ads and whom they’re targeting – Facebook is well known for making big promises about user privacy and keeping none of them. Remember when they promised a “delete your history” button in May 2018, after the backlash from Cambridge Analytica? It’s still nowhere to be seen. And that lack of follow-through is oh-so typical of Facebook. 

A wasted year

In the last year, legislators in the States have at least started to have serious conversations about what a national privacy law might look like. The American focus is on trying to rein in the power of big tech. But fast-forward 12 months and Canadian politicians have failed to create anything resembling a national data strategy. Probably because they’re more focused on winning the upcoming election than on protecting citizens’ privacy.  

What politicians should do is take Europe’s General Data Protection Regulation and Canadianize it, effectively cracking down on rule-breakers like Facebook with major fines that would have a real impact on their practices.  

Tragedy broadcast on social media

A horrific tragedy unfolded in New Zealand last week, where a terrorist attacked a mosque in Christchurch. Because Facebook is still basically a free-for-all of information dissemination, videos of the deadly shooting were live-streamed millions of times – almost instantly – on social media.  

Once digital data is created and replicated, it’s nearly impossible to control; people have created more data in the last couple of years than in all human history, and criminals are swimming in a sea of personal information that can be easily exploited.  

Who’s accountable?

New Zealand internet service providers actually blocked areas of the internet that continued to host these reprehensible materials. This was one of the most aggressive actions taken by ISPs worldwide, and it raises some thought-provoking questions regarding who should be accountable for data that’s shared online: the platform, or the internet service providers, or solely the individuals sharing it? Is there such a thing as regulated free speech? 

And while we’re on the topic: Is it really necessary for every human being to have the capability to instantly broadcast anything with zero vetting? Facebook should restrict this live-streaming capability to verified news media and individuals, so this kind of thing can’t happen in the future. 

An encouraging reaction

It was heartening to see the numbers of people across the world who refused to watch or share these violent images, in a sort of moral protest. If we really want change, though, we should be pushing our legislators to create laws that crack down on big firms that handle and distribute data. 

Co-op students across province receive cybersecurity awareness training

FREDERICTON — Through a partnership with Opportunities New Brunswick, CyberNB and the Department of Education and Early Childhood Development (EECD), Beauceron Security is providing cybersecurity awareness training to high school co-op students across the province.

Cybersecurity is a risk that businesses across New Brunswick are facing as more services and information are being provided online.

“This partnership is a collaboration between ONB, the private sector and government as a whole, working together to deliver value for New Brunswickers,” said Honourable Mary Wilson, Minister of Economic Development and Small Business and Minister responsible for Opportunities NB. “We’ve made a significant difference for high school students in the province by providing industry quality awareness training prior to their co-op placements.”

According to the 2018 Verizon Data Breach report, 93% of malicious data breaches came from a form of cyber attack that leverages e-mails, texts, phone calls or even in-person visits, known as social engineering.

The most effective and affordable solution to social engineering is an educated and engaged community. Beauceron was designed to empower people across organizations to make better decisions regarding cybersecurity. It teaches them to ask the right kinds of questions at the right time.

“It’s been fantastic to take the technology we’ve built and deployed to customers around the world to help educate students entering the workforce in our own province,” says Beauceron CEO and co-founder David Shipley. “This partnership helped us develop a new line of potential business that could lead to export opportunities in Canada and around the world in K-12.”

Beauceron Security’s behaviour change platform will give New Brunswick co-op students a leg up when they enter the workforce. They will be educated and empowered to mitigate risk in this growing global concern on behalf of their future employers.

Have you been pwned?

If you’ve ever wondered how exposed you are to hacking or how vulnerable your online presence might be, now you can find out in a matter of seconds.  

Here’s what you do: go to the site haveibeenpwned.com and input your email address. Hit enter. Moments later you’ll get either an all-clear saying “Good news – no pwnage found!” or an “Oh no – pwned!” message letting you know how many breached sites that email address has appeared on.  

More spam, more attacks

“Pwn” is an old gaming slang term derived from the verb “own.” According to the Wikipedia page, “pwn” “implies domination or humiliation of a rival, primarily in the internet-based video game culture to taunt an opponent who has just been soundly defeated (e.g., ‘You just got pwned!’).” 

Troy Hunt, a respected security researcher, created the website, which lets you check whether your email and/or passwords have been compromised, and which sites your information was leaked from.   

If you have appeared in any breaches, you will inevitably be getting more spam, and even targeted criminal attacks against you. It’s a good idea to check your work email and personal email against this cool tool to see how exposed you are.  

Hunt’s password service also allows you to securely check whether your passwords are in one of these data breaches. He has compiled a data set of 551 million passwords, and if you use passwords that appear here, you should change them immediately! 

How can you secure yourself?

The site suggests three steps to better security.  

1) Protect yourself using 1Password (or another reputable password manager such as LastPass) to create and save strong passwords for each site you use. Don’t use built-in browser password storage; Google Chrome, for example, will often ask, “Do you wish to remember the password for the site?” But it’s better to use a third-party password manager. It’s more secure and more convenient.  

2) Enable two-factor authentication

3) Subscribe to notifications for any other breaches on haveibeenpwned. This will keep you in the loop and informed on the status of your accounts and passwords. 

Remember: while this site is not a catch-all fix to any vulnerabilities in your online identity, it is a useful tool that can go a long way in boosting your overall security.  

Google: violating home and public privacy

The reasons to install a home security system are obvious: you want to see what’s going on in your house when you’re not there, you want to deter would-be thieves, and in the unlikely event of a break-in, you want to be able to identify the perpetrators. And you just want to feel safe and secure.  

Last month, Google announced that users could now enable Google Assistant virtual assistant technology through their Nest cams. Instead of celebrating, though, users were irate, because Google inadvertently revealed that the cams had contained a built-in microphone the entire time. There was never any indication in the packaging, marketing materials, their website – anywhere – that a mic was part of the deal. 

Imagine learning that the device you installed to keep you secure may have been secretly recording everything you said? Talk about a betrayal of trust!

Google denied that the microphone had ever been a secret, but it’s tough to buy that; if it were a feature they intended you to know about, they would have bragged it up from the beginning.

Victim blaming

The Nest cams have been riddled with flaws: last month its indoor and outdoor cameras had a bug that caused the camera to behave as if someone were accessing the “live view” mode when they weren’t. There have been several cases of hackers taking control of the cams; in response, Google blamed the victim and said the fault lay with customers and their weak passwords. 

From smart homes to smart cities

Even if you don’t own any smart-home tech, you may not be safe from Google’s clutches; they’re piloting a project called Sidewalk Labs that has been plagued with privacy and ethics problems.  

Sidewalk Labs, a subsidiary of Alphabet Inc., Google’s parent company, wants to create a connected community in Toronto that will measure traffic flow, embed sensors so lights will go on and off more efficiently, track where and when people are out walking in order to plan when it’s best to clear snow, and so on. Again, instead of being thrilled by the advancement, many people are calling this project out as nothing but a big data mine. 

More information about the scale and scope of the project is emerging (they want more real estate and more money, basically) showing that Google’s aspirations for Toronto are far greater than they’d initially let on. This is in keeping with Google’s almost pathological style of hiding the big picture from the public, only releasing details in dribs and drabs. 

Refusal to do the bare minimum

Sidewalk Labs has already squandered a lot of goodwill, first by losing the support of former Ontario privacy commissioner Dr. Ann Cavoukian with their refusal to implement common-sense tech that would de-identify people from video surveillance installed in public places.  

Surveillance can increase convenience, but unless there are measures in place to protect people from the array of abuses that can arise, as we’re seeing in China, the data collection technology that goes along with surveillance is just waiting to be exploited.  

Whether it’s with Nest smart homes or Sidewalk Labs, Google needs to be clear about what they want from the consumer and the public, and be explicit in how they plan to put privacy at the forefront of all their products and projects. And we need to hold them accountable for our own data privacy – if we don’t, no one will.

StatsCan wants your personal financial data

On October 26, 2018, news broke that Stats Canada is asking financial institutions across Canada for “individual-level financial transactions data” for 500,000 randomly selected Canadians in order to develop a “new institutional personal information bank.” Data requested