To keep up with the firehose of news and press releases, we’ve decided to deliver some extra news to you on the side every Monday and Thursday morning. Some of it is an extension of our own reporting that didn’t make its way into a story, while others might be content we’ve bookmarked for later reading and thought of sharing with you. We’re doing a similar thing at Channel Daily News – check it out here. You can also view our previous ITWC Morning Briefing here. Today’s briefing is delivered by ITWC editorial director Alex Coop.
What you need to know, right now
It’s what you need to know right now in the world of IT and tech – ’nuff said.
====
Thousands of GCKey service and Canada Revenue Agency income and business tax accounts were hit with multiple credential stuffing attacks last week.
You can read our existing coverage on the attack here (plus more insight from experts in the ICYMI section):
Yesterday evening, the CRA sent out a press release to acknowledge the attack and confirm that its services were restored. The complete response can be read below:
On Saturday August 15, the Canada Revenue Agency (CRA) temporarily disabled its online services as a precaution after discovering that we were the target of three cyber security incidents.
Online access to My Business Account resumed on August 17. All other online services have been reactivated as of 5:00pm on August 19, 2020. We have modified our security systems to protect taxpayer accounts from similar types of attacks in the future.
We would like to thank all Canadians for their patience while the CRA responded to these incidents.
The CRA sincerely regrets the impact that these cyber security incidents have had on Canadians. CRA personnel, and our partners, have quite literally been working around the clock to combat the recent attacks, to make sure Canadians’ personal information is safe, and to restore access to services on which Canadians rely. The individuals affected by these cyber security incidents will receive a letter from the CRA explaining how to confirm their identity in order to protect and restore access to their CRA account.
It is important to note that identity theft linked to scams is not new. Scammers acquire personal information, including SINs, through a variety of means, such as phishing scams and data leaks, and use it in an attempt to gain access to taxpayer accounts. The CRA is on constant alert to combat CRA-related scams. As scammers adapt their practices, so does the CRA.
The CRA, together with its Government of Canada partners, will continue to monitor the situation and will adjust its security posture as necessary to ensure that we are continuing to protect Canadians from constantly evolving cyber threats.
Now that services are restored, we strongly recommend that all CRA “My Account” users enable “Email notifications” as an additional measure of security. This service notifies taxpayers, by email, if their address or direct deposit information has been changed on CRA records. These notifications act as an early warning to Canadians of potential fraudulent activity on their account. Canadians who receive these alerts, but have not authorized any changes, should contact the CRA immediately. The CRA has also introduced an optional, additional security measure, which will allow taxpayers to set a unique Personal Identification Number (or PIN) for their account in order to identify themselves quickly and securely.
Additionally, the CRA encourages all taxpayers using online services to update their accounts with a password which is entirely unique to any other password they use, and to avoid using the same password across multiple services.
====
Comments on that CRA hack
Even after our initial reporting, we had a number of experts wanting to chime in about the CRA hacks. Here are some of those emailed responses.
Ian L. Paterson, CEO of cybersecurity startup Plurilock
Last weekend’s credential stuffing attacks would be virtually eliminated using two simple security solutions:
- Enabling a simple two-factor or multi-factor authentication (like a short one-time code sent by SMS) for GCKey and for other government logins as well.
- Implementing a dark web monitoring program to spot compromised credentials and notify their owners when they’re detected.
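An added illustration of the second point, not from the briefing and not Plurilock’s code: the compromised-password check that breach-monitoring services expose to applications, done the k-anonymity way so the checking service never sees the password or even its full hash. Both sides are modelled in one process against a constructed three-entry breach corpus; the corpus, the five-hex-digit prefix length and the policy wording are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed breach corpus (hypothetical): passwords observed in leaks -> number of
# times seen. A real monitoring programme would hold only the hashes, fed from
# breach dumps; the plaintexts appear here only so the example is self-contained.
_LEAKED_PLAINTEXTS: Dict[str, int] = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "Winter2020!": 12,
}
BREACH_CORPUS: Dict[str, int] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _LEAKED_PLAINTEXTS.items()
}

PREFIX_LEN = 5  # k-anonymity: the client reveals only the first 5 hex digits (20 bits)


def range_query(prefix: str) -> List[Tuple[str, int]]:
    """Server side of a k-anonymity range lookup.

    Returns every (hash suffix, count) in the corpus whose SHA-1 starts with
    `prefix`. The server never learns the full hash, so it cannot tell which
    password the caller actually holds.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 hex characters")
    return [(h[PREFIX_LEN:], n) for h, n in BREACH_CORPUS.items() if h.startswith(prefix)]


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for cand_suffix, count in range_query(prefix):
        if hmac.compare_digest(cand_suffix, suffix):
            return count
    return 0


def check_new_password(password: str) -> Tuple[bool, str]:
    """Policy hook for a password-change form: reject anything already leaked."""
    n = breach_count(password)
    if n:
        return False, f"this password has appeared in {n} known breaches; choose another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-for-cra-only"):
        print(candidate, "->", check_new_password(candidate))
```

Matching the suffix on the client is what keeps the service from learning the password; the number of suffixes a prefix returns is the k in k-anonymity, so a three-entry corpus like this one gives far weaker anonymity than a real corpus of hundreds of millions of hashes would. The same hook, run at login as well as at password change, is how a portal can notify an account owner that a credential they are still using has already leaked.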
Mark Sangster, vice-president and industry security strategist at Waterloo-based eSentire
While we don’t have a direct line of sight to how they infiltrated the accounts, nor what was stolen, we do know the information was used to claim CERB payments and financial support offered by the federal government to support those people affected financially by Covid-19 closures. It again demonstrates how criminal elements exploit the uncertainty and confusion orbiting natural disasters and pandemics. In this case, access to core financial information such as social insurance numbers, and supporting personally identifiable information (PII) such as date of birth, address, and direct deposit banking information, is gold for criminals, and painful to change for those victimized.
For individuals, it’s a wake-up call. Using the secondary questions, tracking of last log-in, and registered web browsers can’t be ignored in search of convenience and easier logging in. For the CRA, they can look to tech giants like Apple and Google that employ multi-factor authentication through PINs sent to a second registered device (log in on your laptop web browser and then receive a code on your phone), which means criminals must have access to multiple devices. It greatly reduces this type of fraud.
In response, the CRA has disabled its web portal*. While Canada has upped its cybersecurity game, privacy laws and regulations still trail those of Europe with the General Data Protection Rules (GDPR). Of course, this is a case of the fox guarding the henhouse as one federal agency polices its peers. That said, it’s time for federal standards that mandate specific security controls based on a tiered system that increases scrutiny as the information becomes more damaging or more critical. For example, one tier would mandate retail transactions (as is covered now by PCI control), a tougher measure for banking, a top tier for government information (driver’s licenses, SINs, etc.) and healthcare records.
With the increase in evolving cyber threats associated with the current COVID-19 landscape, there are best practices every organization should implement, including:
- Ensure that employees are aware of ongoing COVID-19 phishing attacks and are employing security best practices such as inspecting links prior to clicking, reviewing the sender field for typos, and avoiding unprompted emails and attachments.
- Configure corporate email to show banners for external emails, to reduce the likelihood of successful impersonation by threat actors.
- Limit user permissions where possible to prevent the download and spread of malicious content.
- Only download software from official sources (i.e. app stores, official product websites).
- Ensure endpoint controls are in place, such as anti-virus solutions or EDR solutions.
- Ensure critical assets, such as VPN, are up to date with the latest available security patches.
- Verify that video conferencing platforms are properly secured, and passwords are required for all corporate meetings.
*The portal has since been restored
David Masson, director of enterprise security for Darktrace
Threat actors will always look to exploit a crisis. During the ongoing pandemic, we have seen attackers capitalize on the fear, uncertainty and doubt surrounding COVID-19, particularly by increasing spear phishing attacks. Since the public is desperate for information, successful attacks are able to take advantage of their desperation by getting victims to click on links, view attachments, visit fake websites and even give up personal information.
Many pre-pandemic spear-phishing attacks were successful, and continue to be successful, since this method leads to a treasure trove of personal information. Threat actors may use this information in a variety of ways – some may sell passwords on the dark web, while others may use this information for “credential stuffing” attacks. During these attacks, bad actors simply try to use known passwords to get into a system, and since many people continue to use the same password for several applications and websites, threat actors can end up being lucky. In the case of these attacks against the CRA – the bad guys have been lucky over five thousand times!
Any individual can avoid such an attack by using different passwords for every login. It is simple – if you use a strong, unique password for every application, you will massively reduce the risk of compromised credentials.
For businesses and organizations, prevention is a bit trickier. Only security solutions that leverage artificial intelligence can really prevent these sorts of threats before damage is done, since AI is able to provide full visibility of an entire digital infrastructure.
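As an added example (not code from the briefing or from any vendor quoted above), the credential stuffing pattern Masson describes leaves a recognisable trace in a portal’s authentication logs: one source address trying many different usernames in quick succession, most of them failing, with the occasional “lucky” success. The detector below runs a sliding window per source over a constructed log; the log format, addresses and thresholds are assumptions for the example, and the single-account failures from the second address are included to show why the rule keys on distinct usernames rather than on failures alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of portal authentication logs (hypothetical format). A real
# portal logs differently; only LINE_RE needs to change to adapt the detector.
SAMPLE_LOG = """\
2020-08-15T02:11:03Z src=203.0.113.7 user=alice result=FAIL
2020-08-15T02:11:04Z src=203.0.113.7 user=bob result=FAIL
2020-08-15T02:11:04Z src=203.0.113.7 user=carol result=OK
2020-08-15T02:11:05Z src=203.0.113.7 user=dave result=FAIL
2020-08-15T02:11:06Z src=203.0.113.7 user=erin result=FAIL
2020-08-15T02:11:07Z src=203.0.113.7 user=frank result=FAIL
2020-08-15T02:11:08Z src=203.0.113.7 user=grace result=OK
2020-08-15T02:13:00Z src=198.51.100.9 user=heidi result=FAIL
2020-08-15T02:13:20Z src=198.51.100.9 user=heidi result=FAIL
2020-08-15T02:13:40Z src=198.51.100.9 user=heidi result=OK
2020-08-15T09:00:00Z src=192.0.2.44 user=ivan result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


class Finding(NamedTuple):
    src: str
    distinct_users: int
    attempts: int
    failures: int
    compromised: Tuple[str, ...]  # accounts the flagged source logged into successfully


def parse(log: str) -> List[Event]:
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than let one bad line stop detection
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=10),
           min_users: int = 5, min_fail_ratio: float = 0.5) -> List[Finding]:
    """Flag sources that try many *distinct* usernames, mostly failing, within one window.

    Credential stuffing replays leaked username/password pairs, so each guess is
    against a different account and most guesses miss. That separates it from a
    brute force against one account (one user, many failures), which the
    distinct-user threshold deliberately leaves to a different rule.
    """
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    findings: List[Finding] = []
    for src, evs in by_src.items():
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window's left edge
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            failures = sum(1 for e in win if not e.ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                cand = Finding(src, len(users), len(win), failures,
                               tuple(sorted({e.user for e in win if e.ok})))
                if best is None or cand.distinct_users > best.distinct_users:
                    best = cand
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"credential stuffing from {f.src}: {f.distinct_users} accounts tried, "
              f"{f.failures}/{f.attempts} failed, took over: {', '.join(f.compromised)}")
```

The `compromised` field is the actionable output: those are the accounts whose passwords were reused from another breach and should be locked, reset and, as the CRA’s statement describes, have their owners contacted to re-confirm identity. In production the per-source key would usually be widened (ASN, user agent, device fingerprint) because stuffing tools rotate through proxies, which is exactly why a low per-IP rate limit alone does not stop the attack.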
In case you missed it
The recent news that we maybe didn’t get to yet, or it’s the news we’ve reported on and feel is worth resurfacing. Sometimes we’ll also feature awesome stories from other publications.
A Phoenix rises from the ashes. Or in this case, a BlackBerry phone. BlackBerry this week announced that we can expect a new 5G BlackBerry Android smartphone with a physical keyboard, in the first half of 2021 in North America and Europe. Not much more can be said about the announcement, but here’s what we know so far:
- OnwardMobility entered into an agreement with BlackBerry and FIH Mobile Limited, a subsidiary of Foxconn Technology Group, to engineer and ultimately roll out a new 5G smartphone.
- OnwardMobility CEO Peter Franklin had this to say in an email when asked about IP and software:
“Any hardware innovations will be owned by OnwardMobility as the OEM. As for software, users should experience all the same features they have come to love in a BlackBerry, but updated with innovations around experience and security that users would expect in a 2021 smartphone.”
- We also spoke to BlackBerry about the announcement, but details were scarce. All they could confirm was that the phone will have a keyboard, and that OnwardMobility will be the one steering the ship when it comes to the new phone’s production.
- OnwardMobility is a startup, and there’s no word yet on investments or investors.
- It’s worth noting that OnwardMobility’s executive security advisor worked at BlackBerry for 11 years.
- The announcement got the thumbs up from BlackBerry CEO John Chen:
“BlackBerry is thrilled OnwardMobility will deliver a BlackBerry 5G smartphone device with physical keyboard leveraging our high standards of trust and security synonymous with our brand. We are excited that customers will experience the enterprise and government level security and mobile productivity the new BlackBerry 5G smartphone will offer.” – (Source: Aug. 19 press release)
*With files from Lynn Greiner
====
From IT World Canada – New cybersecurity event MapleSEC is filling a void in the Great White North, says CIRA [FULL STORY]
There’s a new cybersecurity event that you should know about …
====
From IT World Canada – Suspended CRTC wholesale internet price gets the nod from Bell, but reseller ISP warns of higher subscription costs [FULL STORY]
As the CRTC continues its internet wholesale rates review, suspending its proposed 2019 rate has caused one internet reseller to increase its prices – again.
====
From IT World Canada – How CIOs Can Lead Through COVID-19 with Adaptive Strategy [FULL BLOG POST]
Leading enterprises are responding by adopting an adaptive strategy approach. CIOs can play a key role in introducing, customizing and implementing adaptive strategy across their enterprises. While details vary across organizations, a truly adaptive strategy approach is consistent with four core practices designed to move the enterprise from a rigid, top-down, calendar-based process to a more adaptive, event-driven strategy approach.
====
From Financial Times – Oracle enters race to buy TikTok’s US operations [FULL STORY]
The tech group is working with investors in an effort to outbid Microsoft after Trump’s divestment order
====
From DigitalCameraWorld.com – Canon’s cloud platform has lost users’ files – and it CAN’T restore them [FULL STORY]
After losing users’ photo & video files, Canon has admitted that it can only restore photos – but not at their original resolution
====
From Arstechnica – SpaceX Starlink speeds revealed as beta users get downloads of 11 to 60Mbps [FULL STORY]
Beta users of SpaceX’s Starlink satellite-broadband service are getting download speeds ranging from 11Mbps to 60Mbps, according to tests conducted using Ookla’s speedtest.net tool.
Bookmarks of the week
A few bookmarked tweets that we think are worth sharing with you.
*Drool* ….
We picked up a cool sample – this is a flexible OLED display, 6″ diagonal. It’s 1280p so looks great and is somewhat flexible. Could make for a nifty wearable board. It comes with an HDMI to MIPI converter which is also interesting… more later @adafruit pic.twitter.com/Aq9WQKMKIU
— adafruit industries (@adafruit) August 19, 2020
====
📣 It’s here! Serverless is now available in preview for the Core (SQL) API. @th0maswe1ss has all the details: https://t.co/eYXX23m8fy #appdev #NoSQL #serverless
— Azure Cosmos DB (@AzureCosmosDB) August 19, 2020
====
Do you know who to contact in the event of a cybercrime or incident?
➡️Cybercrime: Your local law enforcement or @rcmpgrcpolice.
➡️Scams and fraud: @canantifraud
➡️Urgent cyber incident: The Cyber Centre at 1-833-CYBER-88 or contact@cyber.gc.ca. pic.twitter.com/eEueiiC3FO
— Canadian Centre for Cyber Security (@cybercentre_ca) August 19, 2020
====
The updated #COVID19 Situational Awareness Dashboard is now available. It provides Canadians with the latest data in a user-friendly format to better understand how the outbreak is evolving in Canada. https://t.co/T0FXjBGuzH pic.twitter.com/4hJ62sZapp
— Health Canada and PHAC (@GovCanHealth) August 17, 2020