Security News

Stolen UVic items found in mailbox

Friday, January 27, 2012

An investigation into a security breach and break-in at the University of Victoria has taken a bizarre twist after most of the items that were stolen - minus a key computer-storage device - were found inside a garbage bag that had been left in a mailbox.

The discovery in Langford last week heightened concerns that someone may be planning to defraud UVic employees using unencrypted personal and banking information that was stored on the missing device.

"We think the situation now is more grave as far as the potential for frauds," Saanich police spokesman Sgt. Dean Jantzen said.

A Canada Post employee found the green bag in the box in the 1300 block of Bear Mountain Parkway on Jan. 18. A handwritten note on the bag said: "Stolen data from UVic. Please return."

Inside, police found a second note as well as a number of laptops, computer flash drives and media-storage devices believed to have been taken from a university administration building. The theft was discovered Jan. 8.

The unsigned, computer-generated note in the bag apologized for causing any inconvenience and claimed that none of the information on the hard drives had been misused.

"The information on these drives was not copied, distributed, or exploited," the note said. "We want no part of everyday people living in fear that their personal information is being used against them to take they're (sic) hard earned money."

Police said the devices that were returned had all been "thoroughly and professionally destroyed," making it impossible to recover any data or determine for certain whether they were the ones stolen from UVic.

Police showed the items to university officials who recognized most of them.

But the officials insisted that one media storage device did not belong to them.

The phoney device resembles a stolen drive that contained most of the unencrypted information on nearly 12,000 current and former employees.

"Why return this data absent the one key media drive that does have all the concerning data on it - 99 per cent of the concerning data?" Jantzen said.

"Someone or some people have taken the time to actually mock up a dummy media-storage device and include it in the materials returned, suggesting: 'Here you are, everything's been returned and all is well.'

"In our minds, all is not well . . . This goes beyond just a sick prank in our minds, leading us to believe this is something more sinister."

Jantzen said the concern is that the thief or thieves hope to throw the police off their trail, and dupe some employees into thinking that there is no longer a risk. He advised all employees who have not already done so to contact their banks and credit agencies and take steps to protect their finances and identities.

"We are really trying to head off any future frauds," he said.

Police took the rare step of releasing the note in its entirety in hopes that someone will recognize the words or phrases used.

"We think the note is unique," Jantzen said.

Source: http://www2.canada.com/victoriatimescolonist/news/capital_van_isl/story.html?id=a481f8e9-59a1-4d6f-8552-b115265b5099

Anyone with information is urged to contact police or Crime Stoppers. lkines@timescolonist.com




Hydro smart meter report fails to satisfy critic

Monday, December 19, 2011

A report from the B.C. privacy commissioner says B.C. Hydro is not meeting the letter of the law as it replaces wired electrical meters with 1.8 million wireless ones.

Elizabeth Denham states that the Crown corporation is taking privacy and security seriously as it implements smart meters and a smart grid, but there is room for improvement.

Hydro is required by the Freedom of Information and Protection of Privacy Act to tell its customers the purpose for collecting personal information for the smart meters project. They are also supposed to cite their legal authority to collect such information and provide a corporate contact to answer questions.

“Hydro is not currently meeting this requirement, and we’ve made some recommendations to help them improve their customer notification,” Denham said.

Conversion to smart meters is underway in Kamloops and the project is expected to continue into 2013. Public concerns have been expressed around the cost, security and health implications of the project, expected to cost close to $1 billion provincewide.

Analysis of household electrical consumption could reveal more about people’s private lives than they want revealed, so Denham investigated after receiving more than 600 complaints and expressions of concern.

Brian Thiesen, who heads a local chapter of Stop Smart Meters B.C., said the Liberal government is in the process of amending privacy legislation, so the report doesn’t surprise him. Bill 3 was introduced this fall without public consultation.

“Within that context, it’s quite easy to understand how they would say things are favourable when the Liberal government is trying to change the privacy laws.”

In every instance he’s seen where an independent security firm has tested wireless meters, problems have arisen, Thiesen said.

“One went to five separate utilities and he hacked them all. Encryption and firewall are fancy terms and they might confuse people.”

Not even top law-enforcement and military institutions have been able to prevent hacking, he added.

Denham’s report focuses on the here and now, but what worries Thiesen and others is what’s in store. He’s convinced there is a hidden agenda to the conversion — variable rates or time-of-use billing for electricity — and that the security/privacy risk will increase as people convert to smart appliances that can be programmed to operate during lower-cost periods of the day.

Hydro and the provincial government have consistently denied that it plans to introduce time-of-use billing, although there is nothing to stop a future government from introducing it.

Thiesen also argues that the province’s electrical consumption is not rising and that the real reason for converting to smart meters is to facilitate the export of power to California and China.

“This is part of the whole equation.”

Denham said her office will continue to monitor the project.

Source: http://www.kamloopsnews.ca/article/20111219/KAMLOOPS0101/111219787/-1/KAMLOOPS/


Vote tampering shuts down online contest

Monday, December 05, 2011

On Friday afternoon, some members of the Burlington Bulldogs novice team already had their bags packed for a trip to the World Juniors Hockey Championships in Edmonton later this month.

But on Friday night the online contest, in which the Burlington squad had amassed more than 55,000 votes, was closed due to vote tampering.

“This decision was made with heavy hearts,” read a statement posted by the Tim-Br Mart video challenge team on the contest’s website. The statement said the contest was closed “due to persistent illegal and malicious hacking and tampering.”

The online contest asked teams to post videos showcasing their team spirit and a love for hockey. The Burlington Bulldogs had placed third in the same competition the year before, winning $2,500 at Source for Sports for the team of then seven-year-olds.

This year, they were leading going into the final two days of voting. Ten-thousand votes behind, sitting in second place, was the Ancaster Avalanche peewee (11-year-olds) team. They were poised to win $5,000 from Source for Sports after two weeks of canvassing votes.

“The contest has been the target of significant and sustained attack by one or more hackers, which has continued to impact the integrity of the voting totals,” read the online statement. “We are working closely with both the RCMP and an independent IT forensics security firm and will co-operate in every way with their investigation, as they work to identify and pursue appropriate action against the person or persons responsible for this attack and tampering.”

It is unclear which team’s votes were tampered with.

The prize of a trip to the World Juniors will still be awarded by a Dec. 8 draw of the 25 teams who entered the competition. Each of the remaining teams will receive $1,000 in gift certificates to Source for Sports.

“This is not the outcome we hoped for,” read the statement. “We are as devastated as the teams, their fans, supporters and all voters. Please accept our sincerest and deepest regrets.”

Source: http://www.insidehalton.com/sports/article/1257026--vote-tampering-shuts-down-online-contest


Hackers attacked Saskatchewan government computers during Potash bid

Friday, December 02, 2011

Hackers targeted Saskatchewan government computers during the multi-billion dollar takeover bid of Potash Corporation of Saskatchewan, says the head of information technology for the province.

The provincial Information Technology Office said Thursday that an unsuccessful attack was made on government computers during BHP Billiton's takeover bid of PotashCorp. last year. The attempt mirrored an attack on federal government computers in early 2011 that aimed to get information about the Saskatchewan potash industry.

The Saskatchewan technology office declined to comment on the specifics of the case, but said the attack last fall was similar in description to the federal attack, in which foreign hackers posed as an aboriginal group in emails that led to viruses to gain access to the Finance Department and Treasury Board networks.

"We also experienced the same attack signature," said Robert Guillaume, deputy minister at the Information Technology Office. He said the province's security systems caught the attack before computers were compromised, but he couldn't reveal how hackers "cloaked" the attack.

"We were fortunate in that same situation that was reported nationally that we caught it and responded," Guillaume said. "The Internet is an inherently insecure place. We're aware, in general, of the risks and attempts out there."

BHP Billiton attempted a $39-billion hostile takeover of PotashCorp. last year. The federal government rejected the bid saying it was not in the best interest of Canada.

An active investigation is looking into the attack, so the province declined to share details and could not confirm the attack came from a foreign source. Guillaume could only say "authorities" are investigating and did not confirm the involvement of RCMP or the Canadian Security Intelligence Service.

The two potash companies involved in the takeover bid - PotashCorp. and BHP Billiton - both said the companies do not speak about security issues and did not confirm or deny attacks were made on their systems. The federal government previously has declined to confirm the attack.

Guillaume said the province's security systems take a "holistic" approach to information technology protection. The Crown corporation SaskTel actively monitors the government's systems, he added.

"The system worked as designed, but I don't take it for granted," he said. "We're focused on continuous improvement. This serves as a good reminder to remain diligent."

PotashCorp. spokesperson Bill Johnson said the company generally doesn't comment on any aspect of its security.

"I can assure you we have very substantial security measures in place and we are satisfied that our company's information was adequately protected," Johnson said.

BHP Billiton declined to comment on the story through a spokesperson. "BHP Billiton does not comment on media reports that concern other companies," spokesperson Bronwyn Wilkinson said in an email.

Postmedia News reported Thursday that several Toronto law firms linked to the potash companies also were attacked, with early attempts made in Sept. 2010, in a hacking similar to the one experienced by the federal government. In that January attack, hackers sent emails to government officials containing a webpage infected with a virus. If opened, the webpage virus opened a path into government networks and installed spy malware, Postmedia News reported in October. Some emails also contained corrupted PDF files that installed malicious code that sought and downloaded government information.

The hackings are believed to have originated in China, although the Chinese government denies involvement. Chinese multinational Sinochem reportedly had mulled a bid for PotashCorp. with a Russian company at the same time as the BHP Billiton takeover attempt.

Douglas Richardson, a senior partner at McKercher LLP in Saskatoon, worked with BHP Billiton and a Toronto law firm during the takeover bid. He said the Saskatoon firm did not experience any computer attacks related to its potash legal work.

"I have no direct knowledge of any attacks," Richardson said.

Source: http://www2.canada.com/story.html?id=5803576


In response to a hacking threat, City of Toronto employees are being urged to closely watch web pages for unusual activity and also report any weird phone

Friday, November 18, 2011

In response to a hacking threat, City of Toronto employees are being urged to closely watch web pages for unusual activity and also report any weird phone calls, emails or other “odd occurrences.”

“The city takes all security threats very seriously, including the recent threat by Anonymous,” an internal staff memo said.

The memo outlined the city’s response to a YouTube video claiming to be from hacker-activists Anonymous that threatened to “remove” Mayor Rob Ford from the Internet if he tried to evict Occupy Toronto protesters from St. James Park.

The memo said the city was taking appropriate precautionary measures “to secure and maintain the City’s system.”

If a disruption occurred, internal email communication would probably continue but staff may not be able to send or receive external messages or access the Internet, the memo said.

Contingency plans are in place to continue city business “via other, non-web channels” if the system went down.

Deputy Mayor Doug Holyday said he’s heard no reports of problems.

“I think our system is secure,” Holyday said. “I’d be very surprised if anybody from outside could disrupt it. A lot of things keep me awake but not that, at this point.”

Attempts to hack into the city’s systems have been made in the past, Councillor Peter Milczyn said, adding he hasn’t heard of any recent failed attempts.

“I know there’s a great deal of effort put into IT security all the time, all kinds of filters on incoming email, virus protection and insulating various systems from the public part of the city’s website,” Milczyn said.

“I also know that our IT people are aware that attempts have been made over the years to hack into different systems and they failed.”

Source: http://www.thestar.com/news/article/1089100--city-on-high-alert-for-hackers


Canada in crosshairs as espionage booms, expert says

Wednesday, November 16, 2011

Hackers are becoming so sophisticated with their attacks that they are mining Facebook profiles for personal information that could help them steal sensitive data.

Security expert Michel Juneau-Katsuya says a Department of National Defence employee told investigators he received an email from someone pretending to be a co-worker who said he had seen the employee at his daughter's soccer game over the weekend. The hacker claimed to have been added to the employee's work team, which was assembling sensitive information, and asked for a copy of the work done so far.

The personal information came from pictures the DND staffer had posted to Facebook. The staffer alerted department officials.

"Breaches will happen because of human beings getting involved somewhere," said Juneau-Katsuya, chief executive of the Northgate Group security firm and a former senior intelligence officer for the Canadian Security Intelligence Service.

"Whether that's willingly, unwillingly, consciously or unconsciously. Whether they lost or forgot something or they simply held open the door for somebody. There is a human factor in it."

Juneau-Katsuya said international espionage is reaching record levels as governments move away from costly military confrontations in favour of electronic attacks and computer data theft - and they are picking on average people to get what they want.

Speaking at the release of the 2011 Telus-Rotman IT Security Study, Juneau-Katsuya said more than 10 times more spy activity goes on today than at the peak of the Cold War.

"All of the spy activities can now be done remotely. It's less expensive because you don't have to move your assets abroad," he said.

The security expert said Canada is increasingly being targeted because of its lack of a national cyber-security strategy, coupled with rising information breaches being perpetrated by government insiders. Its economic health is another factor as cash-strapped nations, and even private investors, scramble for any advantage to safeguard their investments. That includes hacking into government servers to determine certain policy directions. A January 2001 attack on the federal government was aimed at getting information on Saskatchewan's potash industry. Foreign hackers masqueraded online as an aboriginal group to gain access to the Finance Department and Treasury Board networks.

Source: http://www.edmontonjournal.com/technology/Canada+crosshairs+espionage+booms+expert+says/5717328/story.html


2,700 personal tax files downloaded on missing laptop

Sunday, November 06, 2011

The confidential tax files of almost 2,700 Canadians are missing after a Canada Revenue Agency worker took them home and let a friend download them onto a laptop.

The laptop has disappeared, the agency is scrambling to rewrite its security protocols and the privacy commissioner is asking why no one alerted her to the breach in confidentiality.

“Our office was not informed about this incident,” said Anne-Marie Hayden, spokeswoman for Jennifer Stoddart, privacy commissioner of Canada. “We will be following up with CRA for further information on the issue.”

The investigation report, along with related documents, was obtained by The Canadian Press under the Access to Information Act.

The major breach occurred in early 2006, when an auditor in the agency’s Toronto office asked a government computer technician to download 37,488 of her emails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.

The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.

The breach only came to light when the woman produced the CDs during a grievance hearing before the Public Service Labour Relations Board in 2008. She wanted the panel to read a key 2005 email on one of the CDs, in support of her grievance that the CRA had not accommodated her health problems.

“She was upfront at the hearing that the CDs contained taxpayer information and advised (CRA senior official) Tracey O’Brien to safeguard the information,” says an internal report into the privacy breach. “This caused a disruption in the hearing.”

The woman employee, who suffers from fibromyalgia which causes chronic body pain, eventually won her grievance and was awarded $6,000 for pain and suffering. Two of her supervisors were required to take training in how to accommodate workers with disabilities.

But the privacy breach uncovered at the hearing triggered a wide-ranging internal probe into why the confidential material was poorly safeguarded — and whether it could be retrieved. The woman was sent a letter in early 2009, asking her to produce the friend’s laptop.

“He (the friend) told her that he would not provide the laptop and was unco-operative,” says the investigation report.

The agency eventually recovered the 16 CDs from the employee, but still has not recovered the laptop.

“The laptop was the property of a private company and was no longer available at the time of the administrative investigation,” CRA spokesman Philippe Brideau said when asked about the incident.

“However, the facts gathered during the investigation determined reasonable grounds to believe that the information copied to the laptop had been erased in such a way that an average user could not access through a normal operating system.”

Brideau confirmed the agency’s policy requires that personal information copied onto CDs or any other removable storage device must be encrypted, but there was a “gap in awareness training and procedures.”

He said CRA is currently drafting a guideline to prevent further breaches in confidentiality.

The internal probe found at least 2,660 instances of confidential taxpayer information on the single CD that the employee said she had given to her friend to download. All 16 CDs contained much more confidential information, but the investigation did not indicate how many more taxpayers were involved.

The heavily censored report notes, however, that “a limited number of taxpayer accounts was reviewed. At that point, there did not appear to be any income tax implications such as requested adjustments or unusual refunds.”

Treasury Board policy “strongly” recommends that institutions inform the privacy commissioner soon after learning of any breach if it “involves sensitive personal data such as financial ... information.” The CRA probe determined that the CDs contained exactly such financial information.

But Brideau said the incident was judged to be “low risk,” and the decision taken not to inform the privacy commissioner.

He added that he could not comment on any sanctions taken against the offending employee because of privacy rules.

“All CRA employees are subject to a strict Code of Ethics and Conduct,” he said. “The CRA takes all allegations concerning the conduct of its employees very seriously and takes immediate action to have all allegations investigated.”

“Any employee who violates this code may face disciplinary action up to and including termination of employment.”

The laptop incident is among dozens in which tax agency workers have breached security rules, many of them snooping on other Canadians, including ex-spouses, mothers-in-law, creditors and others by reading confidential tax files.

Source: http://www.thestar.com/news/canada/politics/article/1082212--2-700-personal-tax-files-downloaded-on-missing-laptop


Councillor levels 'cyber-stalking' accusation

Friday, November 04, 2011

As fallout from Mississauga's judicial inquiry continued Wednesday, Councillor Bonnie Crombie surprised observers by accusing a long-time city watchdog of "cyber-stalking" her teenage children.

The allegation came after Ursula Keuper-Bennett, who maintains a critical blog called MississaugaWatch, raised questions about council's response to the recently concluded inquiry, which found Mayor Hazel McCallion acted improperly by advocating for her developer son.

"What qualities do you possess to make you an authority on ethical behaviour?" Ms. Crombie demanded.

After Ms. Keuper-Bennett, appearing to be caught off guard, conceded she was not an ethics expert, the Ward 5 councillor unleashed a tirade.

"Is it ethical to create a video on a 14-year-old child?" Ms. Crombie demanded. "Is it ethical to cyber-stalk a minor [and] to go after politicians' children in videos?"

She was referring to an online video compilation featuring Facebook photographs of her three children that was uploaded by "MississaugaWatch" this past August. The video primarily focuses on Alex Crombie, now 22, contrasting pictures of his vacations and parties with a Facebook site he created to support his political ambitions.

But the video also highlights photographs of 14-year-old Natasha Crombie and 18-year-old Jonathan Crombie. The children were younger in some of the featured photographs, Ms. Crombie said.

Ms. Keuper-Bennett says she looked the children up after discovering the Crombie sons' names on a 2009 petition urging the city to cancel the inquiry.

"You have breached every code of conduct that I can imagine by going after my family on a personal level," Ms. Crombie fumed.

Ms. Keuper-Bennett disputed the cyber-stalking allegation, suggesting Ms. Crombie was merely trying to avoid the inquiry discussion.

"She's been trying to sweep the inquiry under the rug," Ms. Keuper-Bennett said, noting her video aimed to underscore Ms. Crombie's "hypocrisy" as a public figure who sent her children to private school.

Ms. Keuper-Bennett also pointed to Ms. Crombie's public Web presence, which includes photos of her children posing with Liberal MP Justin Trudeau.

The unexpected exchange took the focus squarely off Ms. Keuper-Bennett's council presentation, which called into question the city's response to the $7-million inquiry. She replayed clips from last week's fiery general committee meeting, during which pro-inquiry Councillor Nando Iannicca lashed out at his pro-McCallion colleagues: "If you did not vote for the inquiry, if you do not agree with its findings and if you are not appalled at what happened, you are not fit for public service."

Source: http://www.canada.com/nationalpost/news/toronto/story.html?id=65dcd18b-590a-4a2e-b537-c844ede81fd3


Protest held at school over anonymous threats

Tuesday, November 01, 2011

More than 150 parents and community members rallied outside a Mississauga elementary school Tuesday to voice concerns over death threats that were sent from the school to a parent.

Protesters at Oscar Peterson Public School, many of whom chanted “Get that predator out,” told the Star they are still shocked about the early-October threats.

They asked why they only learned of them after a story appeared in the Star on Friday.

“Was it a coincidence that they sent a letter home with my son on Friday, after the cat was out of the bag?” asked Yuvi, who did not give his last name. “If the predator knows who I am, my son will be the next one targeted.”

The emailed threats were sent over the course of two weeks to Ashoak Grewal, whose two children have since been pulled out of the school. The last, sent the second week of October, targeted his daughter.

Grewal, who had complained about teachers at the school in the past, earlier told the Star he does not think the threats came from a student. The Peel District School Board confirmed police had traced the source of the emails to a board computer or computers at the school.

Parents, calling the unknown perpetrator a pedophile, circulated a copy of the last threatening email sent to Grewal. It states: “good to see you going to school today. you daughter is beautiful. can’t wait to touch her and make her moan...school cannot help”.

“A pedophile is a pedophile,” said one woman, who said she has nieces and nephews at the school. “They need to get this person out of the school.”

Others said there have been complaints about discrimination by teachers at Oscar Peterson, whose student body reflects the diverse, predominantly non-white community that surrounds it.

Board spokesperson Brian Woodland said the death threats, which have been investigated by police, are not a broad community issue. “This is a specific issue related to individual parents.”

He said the letter informing parents of the threats wasn’t sent out earlier “out of respect for the police investigation.”

A letter from the principal that will be distributed to families Wednesday explains that police were called to the protest to guarantee everyone’s safety, and repeats that the matter, which relates to an individual family, can’t be discussed publicly because of privacy laws.

On Tuesday afternoon, Peel police kept a watchful eye over demonstrators chanting “We want justice.” They grew increasingly loud but remained peaceful.

By the time the final school bell rang around 3:30 p.m., protesters had lined the sidewalk in front of the school and wrapped around the corner.

“I’m going to wait one more week, then I’m pulling my son out if they haven’t found this person,” Yuvi said. “It’s unfortunate because the school is French immersion. I’ll just have to find another school.”

Source: http://www.thestar.com/news/article/1079604--protest-held-at-school-over-anonymous-threats


Charter challenge for man accused of possessing child porn

Monday, October 31, 2011

With multiple video screens in place and a weighty desktop computer hard drive visible beneath the arm of one man, courtroom number one at provincial court in St. John’s was prepared for the start of a five-day trial this morning for a man facing a single charge of possession of child pornography.

The accused, Scott Curtis, was not present in court but represented by his lawyer Rosellen Sullivan.

Sullivan this morning asked the judge for a postponement saying that reviewing details of the case with technical experts had revealed the possibility for the challenge of a search warrant in the case, under the Charter of Rights and Freedoms.

Apologizing for the lateness of the Charter challenge, Sullivan noted it is a “very technical file” and grounds for the challenge only became apparent in the last few days, through her consultations with experts on the evidence. 

She said she was preparing a Charter application for her client to challenge the search warrant, “which I think is necessary in his defence.”

The Crown, prepared to begin trial, did not consent to the postponement citing the lateness of Sullivan’s expression of intent to file the Charter application.

It was left to Judge Gregory Brown to decide whether or not to allow a last-minute challenge, thus pushing back the trial dates.

Brown noted, in cases such as Curtis’, a Charter application should be filed at least three days prior to the start of trial. However, he said, later applications can be allowed in the interest of justice.

The judge credited Sullivan as an experienced and capable attorney, noting he would not allow her application if he felt she was trying to deceive the court.

“Clearly Mr. Curtis has to be afforded full opportunity to make application and defence,” Brown said, ultimately allowing the application.

The judge did, however, push for expediency. Sullivan will have to file immediately and the Crown will speak to the application and potential response on Wednesday.

It is expected new trial dates will be set on Wednesday. The new dates will likely be in December.

Source: http://www.thetelegram.com/News/Local/2011-10-31/article-2791814/Charter-challenge-for-man-accused-of-possessing-child-porn/1
