
Tag: Ottawa

Sorry eh? Canadian mounties own up: Yes, we own 10 IMSI-catchers

Denies deploying 'Stingrays' near government buildings in Ottawa, so who are the spies? The Royal Canadian Mounted Police has ‘fessed up to a long-held suspicion that it uses Stingray-style equipment to track mobile phones.…

VW agrees to $1 billion settlement over 3.0L diesels from emissions...

On Tuesday, US District Judge Charles Breyer announced that Volkswagen Group and regulators had reached a $1 billion settlement over a portion of the 80,000 3.0L diesel vehicles that are still driving on US roads equipped with illegal emissions-system-defeating software. VW Group says it will buy back 20,000 of those cars.

The German company hopes to offer a fix for the remaining 60,000, although that fix still awaits approval by the Environmental Protection Agency (EPA). This tracks with earlier rumors that VW Group would buy back 20,000 older Audi and VW SUVs because of the more complicated fix that would be required to make those cars compliant with federal emissions standards.

Those same rumors suggest that the remaining 60,000 cars could be brought into compliance with a mere software fix, potentially saving VW Group billions in buyback costs or more involved fixes. Cynthia Giles, an EPA assistant administrator, said that the total cost for any fixes, buybacks, and additional compensation from VW Group for the 3.0L diesels will total around $1 billion, according to Reuters.

There was no word on how much additional compensation owners of 3.0L vehicles might expect from VW Group. In June the German automaker agreed to a much larger settlement—almost $15 billion over some 475,000 2.0L diesel vehicles that also had emissions-system-defeating software on them.

Those VW and Audi owners are entitled to between $5,100 and $10,000 in additional compensation on top of a fix or a buyback of their cars. Today, VW Group agreed to pay the EPA $225 million to mitigate the cost of the excess pollution that the company’s 3.0L vehicles caused.
In a separate agreement with the state of California, VW Group also agreed to sell an average of 5,000 electric vehicles in the state through 2025 and to pay the Air Resources Board $25 million.

Due to rules set in the ’60s, California is the only state that is allowed to set air regulation standards more stringent than the EPA’s. With VW’s new settlement, Judge Breyer also announced that Volkswagen’s parts maker, Robert Bosch GmbH, had agreed to a settlement with regulators.

Bosch has been accused of furnishing VW Group with components that it knew would contribute to circumventing US pollution laws.

Bosch did not say how much it had settled for, and neither did it accept liability or admit guilt on Tuesday. Reuters reported that the settlement is expected to be worth more than $300 million. Just yesterday, VW Group reached a settlement with Canadian antitrust authorities for $1.57 billion. One hundred and five thousand of the affected diesel vehicles had been sold in Canada when news of VW Group's emissions cheating broke. Ottawa authorities have accused the company of making false and misleading claims to customers about the eco-friendly aspects of its cars.

Hack attack fear scares Canadian exam board away from online tests

Back to pen and paper

Every year Ottawa's Education Quality and Accountability Office (EQAO) tests secondary school students in their literacy skills.

This year it rolled out online tests and the results weren't good. In October the online pilot test of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its legs in the air mimicking a dead parrot.

The failure was the result of what it called an "intentional, malicious and sustained distributed denial-of-service attack" against the testing system. The attack succeeded despite earlier testing of the online system against the possibility of just such an assault.

Forensic examiners are still investigating where the attack came from – El Reg suggests they look for a computer-savvy kid who doesn't study English much. The original plan was for the OSSLT to be run for real in March, with students and teachers being able to choose whether to do the tests online or in the old-fashioned way.

But because the source of the attack is still unknown, the EQAO is dropping all online testing for the time being. "While we are pressing 'pause' on EQAO's move toward online assessments, we are by no means hitting 'stop,'" said Richard Jones, interim CEO of EQAO. "In the days following the cyberattack in October, we heard from hundreds of members of Ontario's education community about the online OSSLT and we will take the time required to continue those discussions, so that we can integrate feedback into our system design.

The intent is to come back with a system that better addresses needs in terms of usability, accessibility and security."

Body cams too fragile for Canadian Mounties – so they won’t...

Kit dumped after fears over battery life and durability

The Royal Canadian Mounted Police (RCMP) says it will not be equipping its officers with body cameras after the units were found to be not rugged enough for field use. The Mounties say that a three-year trial run of the body-worn camera (BWC) gear has concluded and will not be adopted because the units have neither the battery life nor the durability to withstand day-to-day activity.

"The potential implementation of BWC would require that the RCMP purchase thousands of units to be distributed in over 750 detachments," said RCMP Deputy Commissioner Kevin Brosseau. "The RCMP needs to have confidence in the product and ensure that the choice of technology justifies the investment at this time."

The announcement comes as the Canadian government finds itself re-examining a number of its policies on surveillance and the balance that the nation should strike between security and personal privacy. Though the Mounties will not be wearing the body cameras, local police in a number of Canadian cities are moving forward with their own BWC plans.

As the CBC notes, both Ottawa and Toronto are looking to trial the use of body cameras. A recent study on police forces in the US and UK found that when body cameras were worn, complaints against officers dropped drastically. The Mounties have not ruled out the use of cameras completely.

Brosseau says that if and when the technology is able to better withstand field use, they will reconsider their decision. "As a modern police force, the RCMP recognizes the importance of constantly researching new equipment to be used in operational settings," Brosseau said, "and we will continue to assess new BWC technologies as they become available."

IBM Watson steps into real-world cybersecurity

Watson is done with school -- for now -- and is ready to try out what it has learned in the real world. IBM has launched the Watson for Cyber Security beta program to encourage companies to include Watson in their current security environments.
Startin...

Canadian police get cell-site data to text thousands near murder scene

The Ontario Provincial Police in Canada are planning to text about 7,500 mobile phones that were in the area where the body of a murdered man was discovered in December—all in a bid to find somebody who may have information about the crime. Welcome to the modern, digital-age version of door-to-door police canvassing.

Murder victim Frederick "John" Hatch.

According to local media, the authorities obtained a court order that does not include the names or any other identifying information of mobile phone users whose devices pinged a cell tower near where the body of Frederick "John" Hatch was discovered. "Texting is an evolution of this investigative technique that is unique, maybe unprecedented,” OPP Detective Inspector Andy Raffay said in a news release. “But it’s the most efficient way to contact these people quickly to either eliminate them as witnesses or learn whether they have any useful information."

The victim's partially burned body was found near Erin, Ontario. Police said the Toronto man was known to hitchhike and was seen the day before his body was discovered at a local discount store in Nepean, near Ottawa, some 450 miles away. According to local media, the text messages, set to be sent Thursday, will be in English and French and will ask people to voluntarily answer questions.

They can also call a tip line at 1-844-677-5010.

The authorities are offering a $50,000 reward for information leading to a conviction. "Building on the accepted practice of the door-to-door witness canvass, texting is an evolution of this investigative technique that is unique, maybe unprecedented," Det. Insp. Andy Raffay of the criminal investigation branch told local media.

A Canadian attorney, Michael Spratt of Ottawa, told CTV News that the police may be on "constitutionally shaky ground." "This is akin to knocking on everyone’s door and then looking in their mailboxes and opening their mail to see if there is anything of use," he said. Laura Berger of the Canadian Civil Liberties Association said the text messaging is similar to door knocking, but it raises the question of "whether people will feel coerced or not."

Regular password changes make things worse

Security experts have been saying for decades that human weakness can trump the best technology. Apparently, it can also trump conventional wisdom. Since passwords became the chief method of online authentication, conventional wisdom has been that changing them every month or so would improve a person's, or an organization's, security. Not according to Lorrie Cranor, chief technologist of the Federal Trade Commission (FTC), who created something of a media buzz earlier this year when she declared in a blog post that it was, "time to rethink mandatory password changes." She gave a keynote speech at the BSides security conference in Las Vegas earlier this month making the same point. But the message was not new -- she has been preaching it for some time.

Cranor, who before her move to the FTC was a professor of computer science and of engineering and public policy at Carnegie Mellon University, gave a TED talk on it more than two years ago. She contends that changing passwords frequently could do more harm than good. Not because new passwords, in and of themselves, would make it easier for attackers, but because of human nature. She cited research suggesting that, "users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily." This, she said, was demonstrated more than six years ago in a 2009-2010 study at the University of North Carolina at Chapel Hill. Researchers, using passwords of more than 10,000 defunct accounts of former students, faculty and staff, found it much easier to crack new passwords if they had cracked an older one, since users tended to create a new password with a minor tweak of the old one. Those tweaks included changing a lower-case letter to upper case, substituting a number for a letter, such as a "3" for an "e," or simply adding a couple of letters or numbers to the end of the previous password. Cranor said the researchers found that if they knew a previous password, they could guess the new one in fewer than five tries.

A hacker who had also stolen the hashed password file would be able to guess new ones within three seconds -- and that was with 2009 technology. The UNC study is not the only one reaching that conclusion. Researchers at the School of Computer Science at Carleton University in Ottawa, Canada, in a paper published in March 2015, concluded that security advantages of password expiration policies were, "relatively minor at best, and questionable in light of overall costs," for the same reason the UNC researchers found. "(W)hen password changes are forced, often new passwords are algorithmically related to the old [password], allowing many to be found in few guesses," they wrote. And the National Institute of Standards and Technology (NIST), in a draft publication from April 2009 (although it was marked "Retired" this past April), said password expiration policies frequently frustrate users, who then, "tend to choose weak passwords and use the same few passwords for many accounts." Not surprisingly, attackers are very much aware of these vulnerabilities.
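The defensive counterpart of that finding is a password-change check that refuses a new password which differs from the old one only by the tweaks the UNC study describes (case changes, digit- or symbol-for-letter substitutions, a couple of characters appended). This is an added example, not code from the article or from either study; the substitution table and the two-edit threshold are assumptions, and it runs only at change time, when the user supplies the old password in the clear.

```python
"""Reject a new password that is a predictable tweak of the old one.

Added example, not from the article or the cited studies. It normalises
away the tweaks the UNC researchers describe and compares the results:
if the normalised strings are within a couple of edits of each other,
the change is treated as predictable. Only call this during a password
change, where the old password is available in plaintext; never store
old passwords to support it.
"""
import re

# Common symbol/digit-for-letter substitutions (hypothetical table, assumed here).
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "+": "t"}


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols, undo leet."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # drop appended/prepended junk
    return "".join(LEET.get(c, c) for c in s)  # "p@ssw0rd" -> "password"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a minor, guessable variation of `old`."""
    a, b = normalize(old), normalize(new)
    if not a or not b:               # all-digit/symbol passwords: compare raw
        a, b = old.lower(), new.lower()
    return edit_distance(a, b) <= max_edits


def check_password_change(old: str, new: str) -> str:
    """Policy verdict a change handler could return to the user."""
    if is_predictable_change(old, new):
        return "rejected: new password is a predictable variation of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample pairs in the style of the tweaks the study found.
    for old, new in [("Welcome2016", "Welcome2017"), ("Password1", "P@ssw0rd1"),
                     ("Welcome2016", "mango-lantern-42")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```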

The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. A report released earlier this month by Praetorian found that four out of the top five activities in the cyber kill chain had nothing to do with malware, but with stolen credentials, thanks to things like weak domain user passwords and cleartext passwords in memory. All of which would seem to be even more ammunition for organizations like the FIDO Alliance, which has been crusading to eliminate passwords entirely since its formation four years ago.

The Alliance has been pitching two passwordless authentication options it hopes will be irresistible to both users and service providers. But even with increasing interest and acceptance of those options, Brett McDowell, FIDO's executive director, has acknowledged that there will be a "long tail" for password use. And during that long transition, he and others say there are multiple ways to improve security that don't involve creating a new password every couple of months that is easier to crack than previous ones. Zach Lanier, director of research at Cylance, cites Apple's TouchID and Google's Project Abacus as mobile options to wean users off passwords, but said passwords are obviously, "still around, and they're likely to be for a bit longer. It's just that they're so 'standard' for people and enterprises, and have been for so long, that it's really hard to make them completely disappear."

In the interim, he said, organizations can improve their password security through a combination of employee training and, "actively testing their authentication mechanisms and auditing users' passwords -- cracking them -- whether it's through internal infosec teams or external firms. In my opinion, it should be both," he said. "This can give the organization a better idea of where things are broken, from people to technology." The users can be brought into this as well, he added, by, "making available the tools to enable, if not force, users to test the strength of their own passwords."

McDowell agrees that education is, "a laudable endeavor, especially to help users avoid falling victim to phishing and/or social engineering attacks." But he said the "shared secret" authentication model is vulnerable to too many forms of attack -- not just social engineering -- hence the need to eliminate them as soon as possible.

Tom Pendergast, chief strategist, Security, Privacy & Compliance, at MediaPro, said organizations can and should have much more rigorous password policies. "Current policies set the bar far too low for complexity in passwords and don't require multi-factor authentication, acknowledged as the best commonly available solution," he said.

Lanier agreed. "There are some really awful organizations, sites or services that can't seem to move past the year 1998 with authentication," he said. "Things like not allowing certain characters, or limiting the length of the password to something ridiculously low, all because the developers, database admins, and/or designers are using outdated or deprecated mechanisms."

Pendergast said he sees the same thing. "There is plenty of existing technology designed specifically to prevent users from repeating passwords, using common passwords, and enforcing password rules. A surprising number of companies don't use these basic password reinforcement functions," he said.

And, Lanier noted that, "password managers are, of course, a huge boon for generating complex passwords without the fuss of having to remember them or write them on a Stickie note. This at least reduces the risk that a person might serialize their password choices. Certainly not a panacea, but for the average person, it's a great idea."

Still, as McDowell noted, even rigorous passwords can't compensate for a person being fooled by a skilled attacker. "Many times, passwords are simply given away in a phishing or social engineering attack," he said. "I saw a recent stat from the SANS Institute that 95% of all attacks on enterprise networks are the result of successful spear phishing." All agree that the weaknesses of human nature mean it would be better to move beyond passwords.

But, as McDowell notes, human nature also requires that whatever replaces passwords must be, "easier to use than passwords alone." "User experience is going to win over security every time, so the key to building a secure password replacement system is to build ease-of-use into its foundation," he said. Until then, Lanier said, organizations should, at a minimum, not rely on passwords alone. "At the very least, if/when that poor password gets cracked or guessed, two-factor authentication raises the bar for the attacker," he said. This story, "Regular password changes make things worse," was originally published by CSO.

What's Next For Canada’s Surveillance Landscape?

Edward Snowden headlines SecTor security conference as Canadian privacy advocates await the Trudeau government's next move in the country's complex privacy and security debate. Edward Snowden’s 2013 revelations of massive state surveillance shocked the world and made it more aware of electronic privacy issues, but north of the border, Canada continues to struggle with its own. Just over a year ago, the former Conservative Canadian government, led by Stephen Harper, enacted a piece of legislation that enraged privacy advocates.

Bill C-51 extended the powers of Canada’s intelligence services, prompting an open letter from over 100 Canadian academics imploring the government to rethink it.

Even the federal Privacy Commissioner complained about it. A year later, we have a new government that has promised to overhaul things. What has been done, and where does Canada’s complex debate over privacy and national security sit now? C-51 angered privacy advocates by increasing information-sharing powers between 17 government agencies.

The Canadian Security Intelligence Service (CSIS), which is Canada’s domestic intelligence agency, can now obtain the tax records of anyone perceived to be a national security threat, for example.

The bill also permitted the disclosure of information shared between government agencies to others. C-51 gave new powers to CSIS.

They included the "disruption" mandate, which lets it take measures to reduce threats when it believes they pose a threat to the security of Canada. Legal experts have questioned the wording here, worrying that CSIS gets to determine what constitutes a threat and suggesting that it can legitimize a slew of activities including electronic surveillance without the need for the agency to ask for a warrant. All of this dismayed Snowden, who has specifically referenced Canada when warning against passing anti-terror laws that curtail civil liberties. Edward Snowden will be speaking via video link at the SecTor security conference in Toronto at 9 am on Tuesday October 18, and will be taking questions from Dark Reading readers. If you have relevant questions you would like to ask, let the SecTor team know by posting them in the comments section at the bottom of this article.
SecTor will be selecting the best to be addressed at the event.
Politically, the Conservative Harper government naturally supported the bill, having introduced it in the first place, while the left-leaning National Democratic Party (NDP) strongly opposed it.

The moderate Liberal party, which ended up winning last year’s federal election, came down in the middle, supporting the bill but with some caveats.

Trudeau: Broader oversight, narrower scope

Liberal leader and now-Prime Minister Justin Trudeau voted for the bill but vowed to temper it a little in two broad areas. The first focal point was oversight.

The Liberal government would create a multi-party oversight committee to ensure that CSIS was acting appropriately.
Snowden himself criticized Canada for poor spying oversight back in May 2015, not long before the Bill became law. CSIS hasn’t been entirely without oversight in the past.

Traditionally, the body responsible for overseeing CSIS has been the Security Intelligence Review Committee (SIRC).

This body typically reviewed a sample of CSIS warrant applications, but in its annual report for 2014-15, it explained that it would have to broaden its review activities to cope with the new powers granted to CSIS under C-51.

The Harper Government had already earmarked additional funding to help with this in its 2015 Economic Action Plan. SIRC explained that it had broadened its scope to cover CSIS’ use of metadata, and had found it wanting in areas including training, policy and procedure, investigative thresholds, and recording its decision-making.
SIRC had made some key recommendations in this area that CSIS had not taken up, the report said. Trudeau’s concern was that SIRC described itself as a review body, examining past activities, rather than an oversight body, monitoring CSIS operations in real time. The Liberal leader vowed to alter this and started to make good on this promise in early 2016. His public safety minister Ralph Goodale has now introduced Bill C-22, which would create a cross-party oversight committee that would oversee almost 20 agencies related to national security.

Mandatory review period

The second problem that Trudeau had with C-51 was with the bill’s scope. He promised to refine some of its language to omit legal protests and advocacy from definition as terrorist activities, and said that he would introduce a mandatory review period for the legislation. He hasn’t taken these steps at the time of writing, and privacy advocates are awaiting the government’s next move.
In the interim, Trudeau has been shuffling. One notable political action was his appointment of a new national security advisor, Daniel Jean, in May this year. Jean replaces former Harper government National Security Advisor Richard Fadden, an ex-director of CSIS, who recently retired. Jean doesn’t come from the spy community, moving up instead from his role as deputy minister of foreign affairs.

Before that, he served in Heritage Canada and the Treasury Board.

That may point to a more international intelligence focus at the top and a move away from more hardline domestic intelligence policies.
It could be taken as an indicator that the Trudeau government intends to calibrate Bill C-51 to bring it more in line with its new focus. All this will still be guesswork until Trudeau actually takes steps to change the legislation.

An attempt at proper oversight may appease privacy advocates a little, but we still don’t know what will happen to the government’s electronic surveillance powers until a minister stands up in parliament with a proposed amendment. Even when that happens, it’s unlikely to satisfy privacy advocates who have always called for the repeal of C-51, but they’re unlikely to get much more.

After all, the Trudeau government never promised to do away with the thing altogether. Don’t forget, Edward Snowden will be speaking via video link at the SecTor security conference on October 18, so post your questions in the comments section below.

Bruce Cowper is a founding member of the Security Education Conference Toronto (SecTor), the Toronto Area Security Klatch (TASK), the Ottawa Area Security Klatch (OASK) and an active member of numerous organizations across North America.
In his day job, Bruce works for ...