
5 questions journalists should be asking about the Capital One breach

Countless Capital One customers were left reeling this week upon learning that a huge data breach exposed their private information, including credit scores, balances and social insurance numbers. Just days ago the institution revealed that the personal data for more than 100 million credit applications and cards — including six million from Canada — had been laid bare.

Paige Thompson — who goes by the name “erratic” online — is alleged to have exploited a vulnerability in Capital One’s online credit card application, for apparently no reason other than to show that she could. Based on the evidence presented by the FBI in court documents, Thompson does not appear to be an experienced hacker, and even seemed to want to get caught, leaving her digital footprint and evidence everywhere. 

Reporters have come at this story from many angles, but here are a few questions the media haven’t yet addressed: 

1) How long has this vulnerability existed?

The focus of this breach has been on the hacker herself — who she is and how she operated — but we don’t know how long this security hole was open, and who else may have taken advantage of it, with what malicious intent. If a more sophisticated hacker had wanted to get their mitts on this data, they could easily have done so. Thompson is less the problem, and more a symptom.

2) Why are banks holding onto this decade-old data in the first place?

“Zombie data” — old data that’s considered dead to the company but that still lurks somewhere, waiting to be revived — is dangerous, and the data involved in this hack has been hanging around since possibly about 2005. There’s no good reason for a financial institution to hang onto years-old credit card applications after they’ve been approved or denied. Why was this info even there to be exploited?

3) Who knew what, and when?

The FBI documents say Capital One was notified July 17 of the breach, but the bank claims it only became aware of the breach on July 19. Why the discrepancy? Is it plausible that no one checked their email for a full two days? Beyond that, Capital One didn’t disclose the breach to customers until July 29 — well after their July 18 second-quarter meeting. What happened during that week and a half? Based on the FBI documents, this doesn’t seem like it took terribly long to figure out what went wrong and who did it.

4) What kind of fine are they facing in Canada?

When the notorious Equifax breach came to light, Canada gave them little more than a slap on the wrist, instead of imposing tough penalties that would force other institutions to take notice and action. According to our country’s new Digital Privacy Act, fines for this type of privacy breach can be up to $100,000. We still don’t know whether the fine will be applied or the government will dole out another freebie.

5) Why aren’t banks required to provide better security tools to their customers?

Multi-factor authentication, for example. The government should regulate banks’ safety tools to remove the option of choosing convenience for the customer over security. If every bank has the same privacy measures in place, our national cybersecurity will see real improvements, so why are governments not acting on this? Requiring banks to offer more advanced security — in a similar, standardized way with a defined date — will end the standoff that exists where the banks are too afraid of losing customers to another institution due to the perceived inconvenience of things such as MFA.

While these breaches are scary — and becoming more common all the time — if we push for legal change and aim to protect our personal data, we can stop hackers in their tracks.  

To learn more about protecting your identity at home or at work, contact the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245. 

Cities: sitting ducks for cyberterrorists

What is ransomware, and why should I care?

Ransomware is a kind of malicious software (malware) that criminals use to deny access to data or computer systems until a ransom is paid.  

You should care because cities are a major target for ransomware attacks, and cities also happen to be the level of government people interact with most and that impacts our day-to-day lives. If cities suffer, so do individuals.

Why are hackers targeting cities?

Municipalities are enticing for a few reasons: their IT departments are small to non-existent; their employees usually aren’t trained in avoiding phishing emails and other common avenues for attacks; they don’t have the resources that higher levels of government do to prevent and combat attacks; and because many of their systems are so specialized — such as parking and payroll — patching and keeping software up-to-date is seen as more hassle than it’s worth.

Is online extortion rare?

Short answer: No! Stratford, ON is just the latest in a string of small Canadian cities forced to pay hefty ransoms (we’re talking hundreds of thousands of dollars) to criminals who hold important public data hostage. On April 14, part of Stratford’s server system was hijacked, locking out some municipal employees. The police chief confirmed it was a ransomware attack, and the hackers wanted to be paid in bitcoin.  

Stratford Mayor Dan Mathieson said it’s a common occurrence, and that if mayors across the country don’t band together to deal with the ransomware problem, more communities could be hit.  

What will it take for cities to ramp up their security?

Cities that fall victim tend to point the finger at other levels of government or talk about their lack of resourcing without taking any real action. It makes sense that cities are overwhelmed — these attackers are international and organized, and police or RCMP often don’t have the time or resources to help.

Unless there’s a disruption in essential services like sewage, water and power, it’s going to be tough for these towns to take the problem seriously.  

What can cities do about it?

Municipalities can be proactive about their cybersecurity by: 

1) Using standard security controls such as antivirus, firewalls and good digital identity controls such as two-factor authentication — but being aware that these can’t catch all sophisticated attacks.

2) Teaching people what a cyberattack looks like and how to report it. Beauceron works with municipalities around the world, and security education has a dramatic impact. With proper training, we’ve seen the rate of clicking on links in phishing emails drop from as high as 34% to as low as 5%.

3) Building resiliency — many organizations under-invest in IT and neglect cyberattack “fire drills,” leaving themselves wide open to hacking. Cities should be strengthening their IT teams and prepping for worst-case scenarios by practising cyber incident response plans.

It’s open season on municipalities, but together we can protect ourselves against ransomware attacks! 

To figure out how your team/organization can reduce cyber risk, reach out to the Beauceron Security Team @ info@beauceronsecurity.com or 1-877-516-9245.

Are you being stalked through your phone?

Tech and science publication Motherboard has been trying for weeks to warn a certain stalkerware company that they’ve been hacked. The app’s services are not secured, so hackers are sitting on a gold mine of exposed pictures, videos, messages and more.  

Motherboard has called out spyware providers for their deplorable security practices many times before, but these companies are all about invading privacy, so naturally they don’t care about the privacy of hacking victims.  

Stalking apps are especially vulnerable because their goal is to operate cheaply, not securely; there are hundreds vying for a slice of this business. And their customers are in no position to complain about their data being leaked – more often than not, they're using the software to commit crimes.  

What is stalkerware?

Stalkerware is what it sounds like: apps and services designed to let you track, without a user’s knowledge, things on their laptop or smartphone such as photos, messages, emails, browsing histories and GPS co-ordinates.  

Stalking apps are scarily saleable. According to a study from Cornell University, there are roughly 300 apps on the market for Android and iPhone.

They’re also becoming popular with parents who want to know what their kids are up to online, but stalkerware is still mainly used by people who want to track their significant others – to find out whether a partner is cheating. And they’re commonly used by abusive ex-partners who can stalk their victims with relative anonymity. It’s invasive and creepy, and the data tracked is easy to exploit. 

Part of a bigger stalking issue

These apps and services are part of a major problem in this country, which is stalking in general. 

In just the last five years, data from StatsCan show about two million people have reported being the victims of stalking. Of those victims, only two in five report it to the police, and only a quarter of those reports ever result in charges being laid. Part of the reason for under-reporting is that more stalking is happening online, so it’s harder for police to investigate. 

Parental controls and spyware are not the same thing

Stalkerware and parental controls are very different means to the same end, which is keeping your kids safe online. Parental controls restrict the use of devices to safe situations, and block age-inappropriate websites. Stalkerware, by contrast, violates your kids’ trust by outright spying on them. 

The simplest solution is often the best

Never install stalkerware on your kids’ phones. If you’re tempted to do so, think about what that might be teaching them about what’s acceptable from authorities – it’s a slippery slope leading to an indifference about surveillance. 

And never, ever stalk your boyfriend or girlfriend! If you care about your partner, don’t put their sensitive data in jeopardy by using these insecure apps.

Combating the stalkerware industry

On a less personal level, payment processors such as PayPal and credit card companies should stop providing services to stalkerware firms. If they’re fined for accepting money from these apps – especially the ones that track cheating spouses – the offenses would be much harder to commit. When the cash is cut off, so is the crime.  

Services such as Find My Friends on Apple iOS devices should be updated to provide reminders to individuals on a daily, weekly or monthly basis if that feature is enabled on their device, and whenever it is being used. GPS trackers built into modern cars should also provide audio and visual cues when they’re being tracked.

Hacking 9-1-1


You might think giving your child your old smartphone, particularly if you’ve removed its SIM card, is a harmless activity. 

But according to police and emergency responders in a growing number of cities across Canada, it’s a terrible idea. That’s because even without a SIM card, old cellphones and smartphones can still dial 9-1-1, tying up lines for real emergencies. 

Staying cyber safe on summer vacation


Staying safe during summer vacation travel used to mean making sure you had enough suntan lotion, bug spray, spare clothes, travellers’ cheques and roadside assistance.

But thanks to the growth of cybercrime all over the world, staying safe now means being careful which Wi-Fi you use, watching how much information you’re sharing on social media and keeping your devices updated.

Why hacking cars underscores the need for greater cybersecurity awareness


Imagine driving your pickup truck off-road when an object strikes the undercarriage. The impact triggers a software error in your smart vehicle, and the computer incorrectly shuts off the airbags and seat belts — the very equipment meant to protect you.

Sounds far-fetched?

It shouldn't. It's part of a recall notice that affected more than 200,000 Dodge Ram trucks in Canada and a million in the United States. Fiat Chrysler issued the recall in May and is aware of one death and two injuries, as well as two accidents, that may be related to the issue.

What's going on with global cybersecurity? Beauceron CEO chats with CTV Atlantic


From government websites being taken down due to a new vulnerability to a Canadian implicated in a conspiracy to hack Yahoo! to Russian interference in the US election, Beauceron CEO David Shipley and CTV Atlantic Anchor Steve Murphy discuss a wild month in cybersecurity.