[SecurityRatty] tag: canadian

The Analyzer Is Among The Suspects In $1.8 Million Theft From A Canadian Company

Fri, 05 Sep 2008 13:42:04 +0000

Ehud Tenenbaum, a 29-Israeli known online as “the Analyzer” and living in Montreal, was arrested after investigators spent nine months and found out that him and three other suspects allegedly stole $1.8 million from a Calgary company. The operation involved the U.S. Secret Service and municipal police in Calgary and Vancouver - as well as [...]

Starbucks Canada Frees Wi-Fi in Its Stores

Fri, 08 Aug 2008 10:45:00 +0000

The Canadian branch of the coffee giant has secured a free Wi-Fi deal for customers: Just as Starbucks American stores are offering limited but free Wi-Fi in about 8,000 stores for its customers through a partnership with provider AT&T, Starbucks's northern brethren are opening its 650 company-operated locations that have Bell hotspots to free use by customers. Terms appear the same as in the states: 2 hours of free use per day with the regular use of a Starbucks Card.

And, as with the AT&T deal, Bell's Internet customers get unlimited access in Starbucks's stores. The deal starts up immediately, as Bell is the current operator. AT&T is transitioning to running Starbucks in the U.S., taking over by the end of 2008 from T-Mobile.

Random Killing on a Canadian Greyhound Bus

Mon, 04 Aug 2008 02:19:40 +0000

After a random and horrific knife decapitation on a Greyhound bus last week,

does this surprise anyone:

A grisly slaying on a Greyhound bus has prompted calls for tighter security on Canadian bus lines, despite the company and Canada's transport agency calling the stabbing death a tragic but isolated incident.

Greyhound spokeswoman Abby Wambaugh said bus travel is the safest mode of transportation, even though bus stations do not have metal detectors and other security measures used at airports.

Despite editorials telling people not to overreact, it's easy to:

"Hearing about this incident really worries me," said Donna Ryder, 56, who was waiting Thursday at the bus depot in Toronto.
"I’m in a wheelchair and what would I be able to do to defend myself? Probably nothing. So that’s really scary."

Ryder, who was heading to Kitchener, Ont., said buses are essentially the only way she can get around the province, as her wheelchair won’t fit on Via Rail trains. As it is her main option for travel, a lack of security is troubling, she said.

"I guess we’re going to have to go the airline way, maybe have a search and baggage check, X-ray maybe," she said.

"Really, I don’t know what you can do about security anymore."

Of course, airplane security won't work on busses.

But -- more to the point -- this essay I wrote on overreacting to rare risks applies here:

People tend to base risk analysis more on personal story than on data, despite the old joke that "the plural of anecdote is not data." If a friend gets mugged in a foreign country, that story is more likely to affect how safe you feel traveling to that country than abstract crime statistics.
We give storytellers we have a relationship with more credibility than strangers, and stories that are close to us more weight than stories from foreign lands. In other words, proximity of relationship affects our risk assessment. And who is everyone's major storyteller these days? Television.

Which is why Canadians are talking about increasing security on long-haul busses, and not Americans.

Goodbye Scrabulous

Tue, 29 Jul 2008 13:21:05 +0000

Everyone on Facebook today is mourning the loss of the scrabblicious game Scrabulous, after the game was removed for being too similar to the Hasbro board game -

Facebook has removed the popular word game Scrabulous from its U.S. and Canadian sites after Hasbro sued the online game makers.

The social networking site said Scrabulous creators Rajat Agarwalla and Jayant Agarwalla and their company RJ Softwares made the decision after Hasbro said Scrabulous infringes on its intellectual property by copying and threatening to diminish its Scrabble brand.

This is pretty ridiculous. They may be similar games, but they’re still different experiences — I doubt having an online version would “diminish” the board game brand.

Over 80 percent of Storm Worm Spam Sent by Pharmaceutical Spam Kings

Mon, 28 Jul 2008 23:29:54 +0000

It used to be a case where a botnet would be used for a single purpose, spamming, phishing, or malware spreading. At a later stage, the steady supply of malware infected allowed botnet masters more opportunities to "sacrifice" the clean IP reputation and engage in several malicious activities simultaneously - today's underground multitasking improving the monetization of what used to be commodity goods and services.

Today, a botnet will not only be sending out phishing emails, automatically SQL inject vulnerable sites across the web, but also, provide fast-flux infrastructure to money mule recruitment services, all of this for the sake of optimizing the efficiency provided by the botnet in general. This optimization makes it possible for a single botnet to be partitioned and access it it sold and resold so many times, that it would be hard to keep track of all the malicious activities it participates in. Cybercrime in between on multiple fronts using a single botnet is only starting to take place as concept.

That's the case with Stormy Wormy, according to IronPort whose "Researchers Link Storm Botnet to Illegal Pharmaceutical Sales" :

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow. "Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of (US)$150 million per year."

Murky until now? I can barely see in the room due to all the smoke coming from the smoking guns of who's what, what's when, and who's done what with who, especially in respect to Storm Worm whose multitasking on different fronts in the first stages of their appearance online made it possible to establish links between several different malware groups and the "upstream hosting providers", until the botnet scaled enough making it harder to keep track of all of their activities.

The Storm Worm-ers themselves aren't sending out pharma spam, the customers to whom they've sold access to parts of Storm Worm are the ones sending the pharma spam. Here's a brief analysis published in May - "Storm Worm Hosting Pharmaceutical Scams". What's in it for the scammers? Income based on a revenue-sharing affiliate program, a pharmacy affiliate program has been around for several years :

"This criminal organization recruits botnet spamming partners to advertise their illegal pharmacy websites, which receive a 40 percent commission on sales orders. The organization offers fulfillment of the pharmaceutical product orders, credit card processing and customer support services"

What's coming out of Storm Worm's botnet isn't necessarily coming from the hardcore Storm Worm-ers whose job today is more of a campaign-rotation related in order to ensure new bots are added, what's coming out of Storm Worm is coming from those using the access they've purchased to a part of the botnet.

Related posts:
Storm Worm Hosting Pharmaceutical Scams
All You Need is Storm Worm's Love
Social Engineering and Malware
Storm Worm Switching Propagation Vectors
Storm Worm's use of Dropped Domains
Offensive Storm Worm Obfuscation
Storm Worm's Fast Flux Networks
Storm Worm's St. Valentine Campaign
Storm Worm's DDoS Attitude
Riders on the Storm Worm
The Storm Worm Malware Back in the Game

Credit-card firms investigate fraud at Canadian airport kiosks

Thu, 24 Jul 2008 09:00:00 +0000

Fraud concerns have promoted discount Canadian airline WestJet to temporarily halt the use of credit cards as identification when checking into flights at self-service kiosks.

Young Canadian Model Murdered in Shanghai.

Sat, 12 Jul 2008 10:49:00 +0000

This is a very sad story. It needs to get out so other young girls and their parents can learn from this tragedy.

I traveled to China last year on a two week business trip. One of the thoughts that struck me was that it appeared to be a very law abiding society. Then when I visited Tiananmen Square, I was reminded of the scene when Government tanks turned on young student protestors and masacared them. There is much about China that lays beneath the surface.

Diana O'Brien was a young model from Canada who was lured to China with promises of "catwalk" modelling opportunities. Once she arrived there, the opportunities became offers to dance in bars. Apparently, many young girls go to China thinking they are breaking into the big time when in reality, many of these modelling agencies inlvolve little more than an apartment and a cell phone.

The JH model managment company that Diana worked for disappeared when news of her murder broke. Their website was taken down on Thursday. Although an official from the State Security Bureau would not comment, her murder seems to have been committed by a street criminal who stabbed her to death near her apartment for her belongings.

Young women and the parents of young women, need to know what they are getting themselves into before they travel to a strange place and put their lives in the hands of people who see them merely as a way to make money. This coming in the wake of the summer Olympics might cause some to question their own saftey in Beijing. Some of the age old principles still hold true; Beaware of your surroundings, Never travel alone - always have at least one companion at all times, Always let people know where you are going, Carry a cell phone (and pepper spray it is is allowed)to enable you to call for help.

In the streets of Beijing and Shanghai, people will approach you all of the time trying to get you to buy; fake watches, perfume, stamps and many other things. Most of these people are legitimately trying to make a sale but you do not know who are the ones that may be trying to pick-pocket you or surround you to rob you or lure you off a busy street where you won't be seen so easily. Walk briskly past them and ignore them. You should shop whee you are not being hassled and therfore can concentrate on your safety.

Service Canada employee loses flash drive

Sat, 28 Jun 2008 19:18:19 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
Government of Canada

Contractor/Consultant/Branch:
Service Canada

Victims:
Canadian Residents

Number Affected:
More than 1,500

Types of Data:
Name and Social Insurance Number

Breach Description:
"Service Canada recently sent a letter to 1500 individuals that where affected by a recent incident. It seems that a USB key, containing the names and social security number of 1500 canadians was lost."

Reference URL:
NowPublic
Radio-Canada (French)
Radio-Canada (Google English translation)

Report Credit:
Radio-Canada, via an email from an informed Breach Blog reader

Response:
From the online sources cited above:

An Employee Service Canada has lost in March, a USB stick containing personal information on more than 1,500 Canadians.
[Evan] This statement was translated from french. An employee of Service Canada lost a flash drive with confidential personal information belonging to more than 1,500 Canadians stored on it. Service Canada is responsible for the security of some very sensitive personal information belonging to thousands (maybe millions) of Canadians. As such, the people that are permitted to access (assuming that role-based access control is enforced at Service Canada) confidential information must be properly trained and made constantly aware of the risks involved with creating, accessing, storing, destroying, and transferring this information. Was this employee aware of the risk of using a flash drive to store this information? If so, then there should be consequences for his/her actions. If not, then Service Canada really needs some help. Training and awareness is only a part of an effective information security program, but it is a very important one. Are flash drives permitted for use at Service Canada? They probably shouldn't be.

The agency sent a letter to the persons concerned to advise them of the situation and asking them to check their bank accounts, their credit file and expenditure on their card.

Among the information contained in the key, were found including the names of persons and their number of social insurance.

One of the victims wanted to know why Canada Service data contained on the key, a minidisk drive, were not protected. "They said they did not want to invest to secure customer data," said Queen Fraser.
[Evan] Obviously, this is an unacceptable response and probably one that wasn't authorized.

There are a few problems with this statement of course... First and foremost, Service Canada employees need training in Security incident management and, in particular, in the important aspect of security incident communications.
[Evan] Among many other things, I'm sure.

Second, this means that they are either not aware of Governement of Canada security policies or Privacy policies as published by Treasury Bord [sic] Secretariat, or they do not care.

The government agency has opened an investigation and added that no identity theft had been reported.

It did not specify whether measures have been taken to avoid another incident.
[Evan] We can only imagine what the current state of information security is at Service Canada. It may be worse than some of us think, and it may be better than others of us think. In my opinion, Service Canada owes a thorough explanation to the victims of this breach and owes detailed assurances to Canadian citizens.

As anyone with some knowledge of IT security practices can tell you, USB keys should not be used to carry delicate, protected or private information.
[Evan] In general, I agree.

If it must be done then, at a minimum, a threat and risk assessment must be done and proper encryption of the data must be used.
[Evan] I absolutely agree. Risk management is critical.

However, mosts organisations that deal with data that is sensitive, protected under privacy laws, such as PIPEDA, commercial trade secrets or of national interest (such as National Defence secrets) AND are serious about IT security would disable floppy disk drives and USB ports on most computers.
[Evan] Most "organisations" should, but unfortunately most do not.

Commentary:
I would like to think that this is an isolated incident at Service Canada, but I don't think that it actually is. I would like to see the Privacy Commissioner of Canada investigate and audit the security program and practices at Service Canada. We'll see if this happens. I don't expect things to change until the people responsible are held responsible.

How does the Canadian government expect the private sector to provide adequate security measures for the protection of personal information if it does not follow best practices and the law itself?

Past Breaches:
Government of Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600
December, 2007 - Passport Canada web site suffers serious breach
June, 2008 - Canadian farmer personal information on stolen CCGA laptop
Service Canada:
November, 2007 - Service Canada stolen laptop affects more than 1,600

Security Briefing: June 19th

Thu, 19 Jun 2008 07:17:24 +0000

Making lists of things to remember as I scramble to keep my focus in the face of a lack of sleep. Next thing you know I’ll be putting sticky notes on things. “Coffee cup”, “Door”, “Advil” and “C-61 / bad joke”.

You get the idea.

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to the new subscribers who joined us yesterday! Thanks!

And now, the news…

Copyright Bill’s Fine Print Makes For a Disturbing Read | Michael Geist
A Week in the Life of the Canadian DMCA: Part Two | Michael Geist
DMC-eh? Why Canada’s new Copyright law is a mistake | Mang Bat
E-Mail: To Encrypt or Not to Encrypt? | NPR
Hazel Blears’s stolen laptop was not encrypted | Information Age
Encryption: DLP’s Newest Ingredient | Dark Reading
Merchant Securities’ stock broking firm fined for poor data security procedures | RTT News
State computers headed for sale had private information | The Topeka Capital-Journal
Fed slammed over internal controls | Houston Chronicle

Tags: News, Daily Links, Security Blog, Information Security, Security News

US FTC halts domain name registration scam

Mon, 16 Jun 2008 20:00:00 +0000

A U.S. judge has ordered a Canadian company to stop billing small businesses and other customers for nonexistent domain name registration services, the U.S. Federal Trade Commission said Tuesday.