Tech Letter

Technology Joe Public can rely on

Category: Cybersecurity (page 1 of 10)

Personal information belonging to 144,000 Canadians breached at federal departments and agencies over the past two years

Catharine Tunney, CBC »

Federal departments or agencies have mishandled personal information belonging to 144,000 Canadians over the past two years, according to new figures tabled in the House of Commons — and not everyone who was swept up in a privacy breach was told about it.

The new figures were included in the federal government’s answer to an order paper question filed by Conservative MP Dean Allison late last month. The nearly 800-page response didn’t offer an explanation for the errors, which range in seriousness from minor hiccups to serious breaches involving sensitive personal information.

The Canada Revenue Agency leads the pack in breaches, with more than 3,005 separate incidents affecting close to 60,000 Canadians between Jan. 1, 2018 and Dec. 10, 2019.

The department blames the breaches on misdirected mail, security incidents and employee misconduct.

Even the keepers of Canada’s official secrets aren’t immune. The Canadian Security Intelligence Service, the Communications Security Establishment and the RCMP all reported missteps as well.

The Department of National Defence said most of its 170 breaches, which affected more than 2,000 people, were due to inappropriate access to, or use or disclosure of, personal information.

Four things you can do today that help protect your privacy and security

1. Scrub your email

2. Ditch old passwords

3. Update your software

4. Upgrade your browser

More » Mozilla

Former Conservative leader Sir Iain Duncan Smith is asking the British government to rethink its decision to allow Huawei to play a role in the UK’s 5G network

There appear to be legitimate national security concerns about allowing the Chinese firm Huawei to bid on and install 5G mobile networking equipment. Boris Johnson’s government has announced that it will allow the firm to install its equipment, but it has not addressed those concerns or stated why it will accept this added risk when other highly reputable alternatives exist.

The decision appears to be a political one rather than one based on facts. To be clear, Huawei should not be banned simply because the Trump Administration is asking for it. National security should be the top priority.

BBC »

In a letter, the group – which includes four ex-cabinet ministers – said there were alternatives to the Chinese firm.

They want “high-risk” vendors to be ruled out now, or phased out over time.

Foreign Secretary Dominic Raab said the decision followed a “rigorous” review by security experts and that Huawei’s involvement would be restricted.

More » The Independent

US Homeland Security Dept has purchased access to at least one database to track the locations of millions of mobile phones and is using the info in immigration and border controls and possibly other secret government surveillance programs

If the headline surprises you, you haven’t been paying attention. This has been going on for years. Ask Snowden.

What I’d like to know is how much tracking DHS is doing outside its borders.

The US Department of Homeland Security (DHS) acknowledges tracking millions of smartphone users within the USA, despite a Supreme Court ruling limiting its authority to do so. DHS will not state how the data is being used.

Byron Tau and Michelle Hackman, Wall Street Journal »

The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement, according to people familiar with the matter and documents reviewed by The Wall Street Journal.

The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location.

More » Apple Insider

Gaia-X » Europe’s plan to avoid an over-reliance on US-based cloud providers Google, Amazon, and others

The EU is putting together a consortium to build a new, non-US-based cloud platform. It’s called Gaia-X.

Will Bedingfield, Wired »

The project is a collaboration between the European Commission, Germany, France, and according to an email from a spokesperson for Germany’s Federal Ministry for Economic Affairs and Energy “some 100 companies and organisations”. (Firms confirmed include SAP SE, Deutsche Telekom AG, Deutsche Bank AG, Siemens and Bosch.) The first proofs of concept for the European cloud are set to be ready towards the end of this year.

The driving motivation behind the project is “data sovereignty”, or, more accurately, “data governance” – an ambition to bring the flow and storage of data under greater European control. “Data sovereignty is the key to GAIA-X,” says Harald Summa, the CEO of DE-CIX Group AG, a group involved in the project. “Especially given that our society is relying more and more heavily on digital services, it is in the interest of a state or a region to enable a certain level of independence from external service providers.”

The project is a direct response to the dominance of American and Chinese service providers. The European Commission has already locked horns with Google, fining the company €4.34 billion for antitrust violations back in 2018. The US Cloud Act requires American firms to provide law enforcement with customers’ personal data on request, even when the servers containing the information are abroad.


4.7 million B.C. residents may have been impacted by the data breach at LifeLabs

Statistics Canada states British Columbia had a population of 5.071 million last year.

This is what happens when companies prioritize profit over their duty to look after customers’ personal information.

Kendra Mangione, CTV News »

The massive cyberattack targeted a laboratory testing company with locations across Canada – primarily in B.C. and Ontario.

The company’s website claims more than a million Canadians use its services, and more than 112 million tests are performed by its labs each year.

Earlier Friday, Alberta’s privacy commissioner said nearly 22,000 Albertans may have been part of the estimated 15 million Canadians that could have had their data compromised.

D’oh

LifeLabs president and CEO Charles Brown called the hack a “wake-up call,” and said “We all need to up our game to protect our customer data.”

Read the whole article at CTV »

Companies and their officers have a duty of care that they are not meeting. This will happen again and again until businesses do much more than just talk about security. The number of breaches shows that self-regulation and self-policing often do not work. Stronger legislation that includes public accountability, hefty fines, and perhaps even criminal penalties needs to be enacted to prevent this from happening.

Amazon’s Ring doorbell sends customers’ personal data to Facebook and Google

BBC »

The Electronic Frontier Foundation found the Ring app was “packed” with third-party tracking, sending out customers’ personally identifiable information.

Five companies were receiving a range of information, including names, IP addresses and mobile networks, it said.

Ring said it limited the amount of data it shared.

The company told Gizmodo: “Like many companies, Ring uses third-party service providers to evaluate the use of our mobile app, which helps us improve features, optimise the customer experience and evaluate the effectiveness of our marketing.”

But the EFF said Ring was failing to protect users’ privacy, noting only one of the trackers it had found was mentioned in the company’s privacy policy.

Avast’s ‘free’ antivirus compiles your browsing history and sells it to the highest bidder

Avast is yet another company that demonstrates ‘free’ really means you are the product.

Ryan Whitwam, ExtremeTech »

That’s the case with the free antivirus products from Avast, which harvest browsing history for sale to major corporations. Despite claims that its data is fully anonymized, an investigation by our sister site PCMag and Motherboard shows how easy it is to unmask individual users.

Avast, which offers antivirus products under its own brand as well as AVG, has traditionally gotten high marks for its malware blocking prowess. When setting up the company’s free AV suite, users are asked to opt into data collection. Many do so after being assured all the data is anonymized and aggregated to protect their identities. However, Avast is collecting much more granular data than anyone expected, and that puts your privacy at risk.

Avast markets user data through its Jumpshot subsidiary, which has relationships with firms like Google, Pepsi, Microsoft, and Home Depot. PCMag and Motherboard managed to gain access to internal documents and a sample of data from Jumpshot, and they found Avast is tracking user clicks down to the second. Here’s an example of Jumpshot’s data format.

Read the whole article on ExtremeTech »

What can you use instead of Google and Facebook? [Updated]

In recent months I too have been moving away from Google. I ditched evil Facebook a couple of years ago and haven’t looked back. But I had been holding out for Google to follow through on their promises. They haven’t and it now feels like the Antarctic will melt before Google will change their business practices.

So, searches are now with DuckDuckGo, Ecosia, and StartPage. And recently, I’ve been switching from Gmail to ProtonMail. I no longer use Chrome, except on rare occasions when I need to access Google services. WhatsApp is an extension of Facebook, and so I’ve never used it. I use the much safer Signal and Telegram instead.

Tom Jackson, BBC »

If Google knows everything you have ever searched for, it has a detailed catalogue of your interests, hopes and fears. Facebook knows who your friends are, what you like and what you talk about online.

Online data scandals have raised concerns about the power that information brings. Facebook is facing a fine of $5bn for its part in the notorious misuse of data by political consultancy Cambridge Analytica.

Concern is growing. A survey by the Washington-based digital agency Rad Campaign and analytics firm Lincoln Park Strategies last year, for example, found three out of five responders in the US distrust social media when it comes to protecting their privacy.

I think as more and more people recognize that Facebook, Google, and others are simply using them, they too will look for alternatives.

UPDATE » Here’s a similar take on the subject from TechAltar »

Why companies want to do away with passwords

From CNBC via YouTube »

The average office worker in the United States must keep track of between 20 and 40 different username and password combinations. With so many passwords to remember, many of us use the same ones over and over, or have a running list of passwords saved somewhere. Passwords are a very serious and expensive security risk. It’s why companies like Microsoft, Apple and Google are trying to reduce our dependence on them. But the question is, can these companies break our bad habits?

Update (January 21, 2020): A website mentioned in this video, WeLeakInfo, was shut down by the Federal Bureau of Investigation and other law enforcement agencies on Friday, Jan. 17, 2020. The site claimed to have more than 12 billion usernames and passwords from more than 10,000 data breaches.

Passwords are a very serious and expensive security risk. A report by Verizon looked at 2,013 confirmed data breaches and found that 29% of those breaches involved the use of stolen credentials.

Another study by the Ponemon Institute and IBM Security found that the average cost of a single data breach in the U.S. was more than $8 million. Even when passwords are not stolen, companies can lose a lot of money trying to reset them.

“Our research has shown that the average fully loaded cost of a help desk call to reset a password is anywhere between $40 and $50 per call,” says Merritt Maxim, vice president and research director at Forrester.

“Generally speaking, a typical employee contacts a help desk somewhere between 6 and 10 times a year on password related issues,” Maxim said. “So if you just do the simple multiplication of six to 10 times, times 50 dollars per call, times number of employees, in your organization, you’re talking significantly hundreds of thousands of dollars or even potentially millions of dollars a year.”


© 2020 Tech Letter
