Germany Suspects Russian Group of Hack

German authorities suspect the Russian cyber espionage group “Snake” (aka “Turla” or “Uroburos”) to be behind an attack on the government’s computer network. The authorities only became aware of it in December; they believe the attack had been under way for a year. Snake is believed to have links to Russian intelligence.

The group’s existence was revealed in 2014 as it was believed to be behind the aggressive cyber espionage operations against Ukraine and a host of other European and US government organizations for nearly a decade.

Security sources believe Snake gained access to the network via the German Federal Academy of Public Administration. The attackers seem to have implanted malware and then searched the federal government’s extensive server network for a way into the German foreign ministry, with particular interest in information about Germany’s Russia policy.

The German domestic intelligence agency’s report for 2016 suggests Russian hackers had been operating a campaign of attacks since 2005 using highly complex and sophisticated malware known as Uroburos, Snake or Turla. Germany’s interior minister said the hack had been isolated and was brought under control by security services. Some members of the German parliament have heavily criticized the government for holding back information on the attack for two months after learning about it.

https://www.scmagazineuk.com/after-isolated-hack-germany-says-government-computers-are-secure/article/748166/

Online Dating Scams: A BBB Report

Romance scams are different from other scams.  They prey on lonely people looking to connect with someone, and can often take months to develop to the point where money changes hands.  The emotional harm to the victim can be even more painful than the monetary loss.  The spread of online dating sites and apps has made this fraud even easier to commit.  Victims in the US and Canada have reported losing nearly $1 billion over the last three years, and BBB estimates there may be more than a million victims in the U.S. alone. Because most people do not file complaints about romance scams with BBB or law enforcement, this may just be the tip of the iceberg.  BBB’s study, “Online Romance Scams: How Scammers Use Impersonation, Blackmail, and Trickery to Steal from Unsuspecting Daters” looks at how these scams work, who the scammers are, and what is being done to combat them.

Anatomy of a Romance Scam – Experts identify several distinct stages of the scam:

Contacting victims – Romance scammers use dating websites, apps, Facebook, and other social media. Many use stolen credit cards to join the sites and post fake profiles. They meet victims, interact with them, and quickly try to get them to move to a different form of communication such as email or texting. This way, if the dating site identifies the scammer as being bogus and shuts them down, they are already in contact with their victims elsewhere. The scammers will often make fake Facebook pages for their aliases to help bolster their fake identity.

Grooming – This is when the fraudster learns about the victim’s life and builds trust.  This stage can go on for months.  It may include daily texts or messages.  Some scammers even send flowers and small gifts.  This is also when scammers may request small favors.  This can help them test how open a victim ultimately may be to helping when an “emergency” pops up and the scam kicks into high gear.  The grooming process also focuses on isolating victims from their friends and families so they don’t have help when making decisions.  The scammers will convince victims that their friends and families have questionable motives to criticize the scammer.

The sting – The scammer will finally ask for money, usually for an emergency, business problem, or plane ticket to finally meet. If the victim sends money, the scammer will find ways to keep asking for more. These scams can also be dangerous: victims have unknowingly been pulled into money laundering or drug trafficking and, in a few cases, even convinced to fly overseas to meet their love interest only to be kidnapped and held for ransom.

The fraud continues – Even if targets realize they have been victims of a scam, the fraud may continue with a new scam pretending to help them get their money back.  A fake law enforcement official may reach out to say the scammer has been caught and the victims can get their money – if they spend several thousand dollars in fees.  The original scammer will also sometimes reach out and admit that the “relationship” started as a scam but then claim they actually fell in love.  And the cycle continues.  BBB’s study gives much more detailed information on where the scams originate, how the scammers trick their victims (including by posing as military personnel), and how they get their money.  It also details what we know about the victims, why they fall for the scams, and how they can be pulled into other scams.  The research shows that all types of people – male, female, young, old, straight, gay – can be victims of romance scams.

https://www.bbb.org/en/us/article/news-releases/17057-online-romance-scams-a-bbb-study-on-how-scammers-use-impersonation-blackmail-and-trickery-to-steal-from-unsuspecting-daters

Nine out of 10 of Canadian companies suffered a CyberSecurity breach in 2017

According to the 2018 Scalar Security Study (commissioned by Scalar and conducted independently by IDC Canada), Canadian organizations are attacked in varying degrees of severity more than 450 times per year, with 87 per cent suffering at least one successful breach.  Almost half (46 per cent) are not confident in their ability to defend against attacks.  “As cybersecurity breaches become the new normal, organizations can’t be complacent.  Many companies are still reporting gaps in their defences despite hiring full-time security staff, which may point to a deficit in the availability of highly skilled IT workers,” said Theo Van Wyk, Chief Security Architect, Scalar Decisions.  “The rising number of high-impact breaches coincides with the increasing costs of recovery.”

The study, examining the cybersecurity readiness of Canadian organizations and year-over-year trends in handling and managing growing cyber threats, also found: (1) Of the companies that suffered a security breach, 47 per cent had sensitive data stolen, (2) One in five breaches were classified as “high impact,” where sensitive customer or employee information was exposed, (3) 36 per cent of respondents are not confident in their company’s ability to respond to security breaches, (4) The average company spends $3.7 million in direct and indirect costs to recover from security breaches, (5) One-fifth of smaller organizations believe they don’t have enough resources to effectively defend against attacks, (6) Firms dedicate about 10 per cent of their IT budgets to security spending, (7) A majority of respondents do not train employees to identify attacks, such as phishing scams, or to update software with the latest security measures, and (8) Almost three-quarters of respondents don’t comprehensively analyze how third-party relationships affect their overall cybersecurity planning.

“Canadian companies are getting better at prioritizing cybersecurity, but there is still a substantial lack of training and planning,” added Van Wyk.  “Organizations need to look beyond their infrastructure and weigh the insider and third-party risks they face.  If this can’t be tackled in-house, then external expertise is an efficient way to shore up their defences.”  All responses for the study were captured in November and December 2017 by IDC Canada through a Canada-wide cross-industry survey of 421 IT security and risk & compliance professionals.

https://www.canadiansecuritymag.com/news/data-security/nine-out-of-10-of-canadian-companies-suffered-a-cybersecurity-breach-in-2017

Pink Shirt Day 2018 – End Bullying!

Wednesday, February 28 is Anti-bullying Day in Canada

In today’s digital world, it can be impossible to escape online bullying, whether it takes the shape of harassment, spreading rumours, sharing embarrassing information or threats.  This year, Pink Shirt Day is encouraging others to combat cyberbullying by thinking twice before posting something negative, and instead using the internet to spread kindness – because we know that Nice Needs No Filter!

https://www.pinkshirtday.ca/

https://wise.telus.com/en/

13 Russian Nationals Indicted for attempted interference with US Election

A federal grand jury has indicted 13 Russian nationals and three Russian entities for a massive operation intended to interfere with the 2016 US presidential election.  US Special Counsel Robert Mueller has accused the defendants of posing as Americans to sway election results.  The Internet Research Agency, a Russian organization, and the 13 actors reportedly began targeting the United States back in 2014.

Mueller’s indictment claims they “had a strategic goal to sow discord in the U.S. political system, including the 2016 U.S. presidential election.”  To do this, they launched an operation to support the Trump campaign and denigrate Hillary Clinton.  In April 2014 the agency formed a department focused on the US population and operated on social platforms including Facebook, Instagram, Twitter, and YouTube.  By 2014, its strategy included fomenting distrust in US presidential candidates and the US political system.

Activity included buying political advertisements on social media with the identities of US citizens and businesses.  The defendants concealed their Russian identities and affiliation with the Internet Research Agency by using stolen data like Social Security numbers and birthdates of real American people.  They also recruited Americans to aid efforts to spread promotional and derogatory information.  The actors posed as US citizens and groups to create and control social media accounts.  An example is the Twitter account “Tennessee GOP” under the handle @TEN_GOP, which falsely claimed to be operated by a US political party and amassed more than 100,000 followers.  On other sites, particularly Facebook and Instagram, they posted content about political issues.

Around June 2016, the defendants began posing as American citizens and communicating with Americans to gather intelligence and learn where they should focus their efforts.  Some traveled to the US to collect info for their operations and stage political rallies.  To further conceal their identities, the defendants and their co-conspirators bought space on servers based in the US to set up VPNs.  They used these VPNs to connect from Russia to the US and access online social media accounts, open new accounts, and talk with US citizens.

The first time the United States indicted nation-state threat actors was in 2014, when the DoJ indicted five members of the Chinese military for allegedly hacking major American manufacturing companies and stealing trade secrets.  In 2016 it indicted seven Iranian hackers for distributed denial-of-service (DDoS) attacks against US financial companies.  It’s worth noting these indictments are rare and don’t usually end with an arrest.

http://www.darkreading.com/attacks-breaches/13-russians-indicted-for-massive-operation-to-sway-us-election/d/d-id/1331085

Canada to Launch New Border Security App

The federal government is embarking on a new pilot program that will allow people to cross borders faster if they create a digital profile filled with their personal information on their mobile devices.  The Known Traveller Digital Identity is a joint venture between the governments of Canada and the Netherlands, and will be tested first on travelers going between those countries.  The plan is to have it ready for a wider global roll out by 2020.

The project announcement was made at the Davos World Economic Forum last month but has mostly flown under the radar.  According to the World Economic Forum document outlining the program, international traveler arrivals are expected to jump from 1.2 billion in 2016 to 1.8 billion by 2030.  This will increase risk and security requirements for the aviation and travel and tourism sectors.  Much like other trusted-traveler programs — such as Nexus, which allows people quicker movement between Canada and the U.S. — the Known Traveller Digital Identity program will ask travelers for detailed personal information for pre-screening, including university education, bank statements and vaccination records.

Border expert Bill Anderson said security officials are keen to get people screened well before they pack their bags for a trip.  “The prevailing paradigm in border management is that we need to have risk assessment, and we need to identify those people who are very, very low risk so that you can focus your resources on the ones that you haven’t identified as low risk,” said the head of the Cross-Border Institute at the University of Windsor.  The pilot program will also make use of biometrics like retina and facial recognition for quicker traveler identification.

Technology company Accenture is helping develop the program.  It said user information will be safeguarded and users will be able to decide whom they want to share their information with, and when, on a case-by-case basis.  Accenture said keeping users in control of their data will be critical.  “No personal information is stored on the ledger itself, ensuring that personal information is not consolidated in one system, which would make it a high value target for subversion,” the company said in a statement to CBC News.  In addition to providing personal information before travelling, user profiles would be automatically updated as they move around the world.  The more borders they cross, the more trusted they will become, said Anderson.  In some ways, the program takes a page from private tech companies such as Google and Facebook that have become experts in creating profiles about their users.  “It’s a crazy world where, you know, Google is able to provide information to people in e-commerce that’s more detailed about you than what these security agencies have,” said Anderson.

Anderson says critics argue the advanced screening programs create a two-tiered travel system, with those not signed up ending up in longer lines and getting poorer service.  Nina Brooks is the director of security for Airports Council International, which represents nearly 2,000 airports.  Her organization supports the development of these new technologies, but also wants a system that creates a similar experience for all travelers.  “In the long term, I think we’re looking for the use of some of those concepts for the broader audience, for all travelers, and actually expediting travel for everybody, rather than a specific group of trusted travelers,” she said.

http://www.cbc.ca/news/technology/canada-to-launch-new-border-security-app-that-could-go-global-1.4529162

Long Distance Cell Phone Scam Hitting Canada Wide

A telephone scam sweeping Calgary and Alberta has prompted a warning to ignore missed overseas calls. Tony Tighe reports.  The one-ring scam is back and is catching a new wave of unsuspecting cellphone owners.  The calls show up on your phone as a missed call and come from overseas locations like Albania, Macedonia or the Seychelles.

Ebun Adewole got one while she was sleeping at 2 a.m. and thought it was a relative from overseas. She waited until morning to call back, but when she checked again, didn’t recognize the number. “Ever since then, I get at least one a day, maybe in the morning and then in the evening,” Adewole said. “I thought maybe my phone number was on a weird website or something or I thought it was a telemarketer. It wasn’t until I started looking it up that I thought it might be a scam.”

According to the Calgary Better Business Bureau (BBB), it’s called the one-ring scam, or “Wangiri,” the name from Japan, where it started. The call disconnects right away and the people behind it are hoping you call back out of curiosity, according to Leah Brownridge with the BBB. “They may be connected to some kind of toll service. You may hear music playing, you may hear an automated recording of some sort,” she said. “The longer you stay on the line, the chances are your phone bill is going to be racked up with long distance charges.” Brownridge says past reports have recorded long distance rates anywhere from $20 per minute to hundreds of dollars.

Global contacted Rogers Communications and they are aware of the fraudulent activity and are monitoring it.  They issued a warning on social media.  “If you receive a call from an unknown international number that disconnects immediately it could be part of a world-wide scam … don’t call back.”  It’s not clear if customers have to pay a bill if they call the number back, but Rogers says customers who have any questions about their account are asked to contact RCI.  Adewole has been trying to block the numbers but each one is different.  “Ever since then, I’ve been warning my friends and my family not to answer any calls they don’t know.”

https://globalnews.ca/news/4012633/mysterious-missed-calls-on-cellphones-part-of-world-wide-scam/

4 in 10 Young Canadians Have Sent a “Sext”: Report

About four in 10 young Canadians have sent a sext and more than six in 10 have received one, suggests a new report, which also puts a spotlight on the unauthorized sharing of sexual photographs among teens.  Still, sexting happens less commonly among youth than many people believe – including nearly all of the survey’s 800 16- to 20-year-old participants, said Matthew Johnson, director of education for the non-profit organization MediaSmarts.  It’s also not an “intrinsically harmful” behaviour, he said, with the majority of sexts remaining private between the sender and intended recipient.

“We need to move from fear-mongering to talking about things from an ethical and moral point of view,” said Johnson, who called the report one of the first in the world to focus on the non-consensual sharing of intimate images.  “We need to be talking about consent in all contexts, including digital contexts … and to really send a loud and clear message that this is not normal, and this is not OK, and nothing gives you the right to share someone’s sext except them actually telling you that you can.”

Of the survey respondents who said they had sent a sext in the past, about 40 per cent said at least one of their intimate photos had been shared without their consent.  “Even though boys and girls send and receive sexts at similar rates, and even though they have their sexts shared at similar rates, the harm is very much unequal, and it falls much more heavily on girls,” Johnson said.  “There can be harm done to people’s reputation.  Obviously, there’s an inherent harm just in the loss of privacy and violation of consent … (senders) have been blackmailed, in some cases.”

Researchers also found there was a significant relationship between sharing sexts and subscribing to traditional gender stereotypes that cast men as sexual aggressors and women as “gatekeepers.”  According to the study, roughly one-third of participants either said they believed that a girl who sexts outside of a relationship “shouldn’t be surprised if it gets around,” or felt “nobody should be surprised if boys share sexts with each other.”  Young people’s attitudes about sexting were highly influenced by those of their peers, Johnson added, and if their friends engaged in sharing sexts, many participants said there was an expectation that they would reciprocate.  “The sharing behaviours are being done by almost exclusively the same people,” he said.  “All of these things point to essentially a subculture among youth that normalizes sharing, and even to a certain extent valorizes it.”  While nearly two-thirds of participants said they were aware of a relatively recent law against the non-consensual sharing of intimate images, Johnson said the threat of criminal consequences does not appear to be much of a deterrent among teens.

The MediaSmarts study was based on an anonymous, internet-based survey of young people around the country that was conducted in August and September 2017.  The polling industry’s professional body, the Marketing Research and Intelligence Association, says online surveys cannot be assigned a margin of error because they do not randomly sample the population.

https://www.ctvnews.ca/lifestyle/4-in-10-young-canadians-have-sent-a-sext-6-in-10-have-received-one-report-1.3791152

“Right to be Forgotten” Endorsed by Canada Privacy Commissioner

Canada’s privacy commissioner thinks you should have the right to ask that inaccurate, incomplete or outdated information appearing in search engines be either amended or removed – and that under Canadian law, internet companies should have to comply.  In cases where information about individuals has been posted by others to a website or social media platform, individuals should also have a right to challenge the accuracy and appropriateness of that information.

The proposed policy was announced Friday by the Office of the Privacy Commissioner of Canada. Although the proposal is similar in some ways to the European Union’s right to be forgotten – which has been criticized for its potential to affect free expression – it isn’t modelled on the EU’s framework, but rather is an interpretation of existing Canadian privacy law. “There is little more precious than our reputation,” Privacy Commissioner Daniel Therrien said in a statement announcing the policy proposal Friday. “But protecting reputation is increasingly difficult in the digital age, where so much about us is systematically indexed, accessed and shared with just a few keystrokes. Online information about us can easily be distorted or taken out of context and it is often extremely difficult to remove.”

If it isn’t possible or practical for information to be modified or corrected, Therrien’s office suggests two remedies:  (1)  De-indexing, which would require search engines such as Google, Bing, or Yahoo to remove links to pages that have been deemed inaccurate or inappropriate under the definition of Canada’s Personal Information Protection and Electronic Documents Act.  (2)  Source takedown, as the name implies, would require a website or social media platform to remove inaccurate or inappropriate content from the internet completely.  Individuals can lodge a formal complaint with the commissioner if the issue can’t be resolved with a search engine or site operator directly.

A right to be forgotten. In the EU, a process to request the removal of results from search engines such as Google has existed since 2014. But de-indexing is not without its critics. Some have expressed concern that the tactic could be used to crack down on legitimate speech and free expression, and that it won’t stop people from finding the information at its source. There are also concerns about leaving such decisions to private companies, according to submissions to the commissioner. “Challenges should be evaluated on a case-by-case basis, and decisions to remove links should take into account the right to freedom of expression and the public’s interest in the information remaining accessible,” the OPC said.

….. In an email, University of Ottawa law professor Michael Geist said he isn’t surprised by the commissioner’s position.  “We’ve seen many privacy commissioners move in this direction,” he wrote.  For its part, giving Canadians more control over their reputation online has been one of the commission’s priorities since 2015.  It launched a consultation and call for essays the following year, and drafted today’s policy in response.  The proposed measures have not yet been put into practice, and the commissioner plans to hold further consultations before finalizing a position.  The commission believes that because search engines portray themselves as sources of the most relevant, reliable, authoritative sources of information online – effectively building ever-changing profiles of personal information around search queries in the process – they also have an obligation under Canada’s personal information act to be accountable for the accuracy and appropriateness of their results. … Information that might be deemed inappropriate and subject to removal includes material that is unlawful or illegally published, or may cause significant harm to an individual and is not in the public interest to leave in place.  The commissioner is also recommending that Parliament study the issue further “to determine whether we have struck the right balance,” according to the draft policy report. [some content has been edited to shorten]

http://www.cbc.ca/news/technology/privacy-commissioner-de-indexing-forgotten-search-results-1.4505425