Tag Archives: cyber risk management

Protecting Canadians From Online Crime Act Becomes Law, Impacts Employers

Quick facts:

  • On March 9, 2015, the Protecting Canadians from Online Crime Act (Act) comes into force.
  • The Act updates Canada’s Criminal Code to make the distribution of intimate images on the Internet without consent a crime.
  • The Act expands the powers of law enforcement agencies investigating online activities and creates new compliance obligations for certain employers.

On Dec. 9, 2014, Bill C-13, the Protecting Canadians from Online Crime Act (Act) received royal assent. The Act, which has been labelled Canada’s cyber bullying law, will come into force on March 9, 2015.

True to its name, the Act introduces new provisions to Canada’s Criminal Code concerning cyber bullying, but it also increases the power of law enforcement agencies to obtain electronic information related to the investigations of crimes.

Going forward, employers that maintain electronic information on behalf of others must be aware of new compliance obligations created by the Act.

Cyber Bullying Provisions

Under the Act, it will now be an offence to knowingly publish, distribute, transmit, sell, make available or advertise intimate images of an individual without his or her consent in electronic mediums, where there is reasonable expectation of privacy.

To help prevent cyber bullying, the Act empowers courts to:

  • Order the removal of intimate images from the Internet;
  • Order the forfeiture of the computer, cell phone or other device used to commit cyber bullying;
  • Provide for reimbursement to victims for the costs incurred from removing the intimate image from the Internet; and
  • Issue orders to prevent an individual from distributing intimate images.

Amendment to Lawful Access Standard

Of greater concern to most employers are the changes to lawful access the Act introduces. “Lawful access” generally refers to an investigative technique used by law enforcement agencies and national security agencies that involves the interception of private communications and the seizing of information where authorized by law.

The Act changes the threshold necessary for obtaining lawful access related to the search and seizure of computer, transmission and tracking data. Prior to the passage of the Act, orders for the search and seizure of computer data were granted only if a judge determined that law enforcement officers had “reasonable grounds to believe” that an offence had been committed.

The Act lowers the legal threshold for lawful access by now requiring that only a “reasonable ground for suspicion” be demonstrated prior to a judge issuing an order. Under this new lower threshold, some legal experts predict that law enforcement agencies will have an easier time gaining access to employers’ electronic data.

Preservation of Computer Data

The Act provides law enforcement agencies with two new tools that they may utilize in investigating crimes: preservation demands and preservation orders.

Preservation demands and orders require employers to preserve computer data in their control or possession to ensure that it is not deleted before a production order or search warrant is obtained.

Preservation demands can be made by law enforcement officers directly to the person or employer without the authority of a judge. Preservation demands expire after 21 or 90 days, depending on whether the offence is committed under Canadian or foreign laws.

A preservation order is an order issued by a judge requiring a person or employer to preserve the computer data sought by a law enforcement officer or public officer. Preservation orders expire 90 days after they are granted.

It should be noted that preservation demands and orders differ from general data retention requirements. General data retention requirements dictate that employers collect and store data for a particular period of time for all subscribers, regardless of whether they are subject to an investigation. In contrast, a preservation demand or order relates only to a particular telecommunication or person, in the context of an investigation.

New Types of Production Orders

The Act also creates new production orders related to transmission data and tracking data that employers must contend with.

For the purposes of the Act and production orders, “transmission data” is a specific set of metadata that indicates the origin, destination, date, time, duration, type and volume of a telecommunication, but does not include the actual content of the telecommunication. Examples of transmission data include IP addresses of websites visited or search terms used.

“Tracking data” is information that relates to the location of a thing or individual.

The new production orders created by the Act allow law enforcement agencies to obtain transmission or tracking data that is already in an employer’s possession at the time of the order. Employers that are issued a production order must produce the transmission or tracking data requested or face penalties.

Production of Financial Data

The Act also imposes additional obligations on financial institutions. Judges may now order financial institutions to prepare and produce documents with the following information in their possession or control:

  • The account number of the person or the name of the person attached to an account specified in an order;
  • Information related to the type of account the person named in the order holds;
  • The status of the individual’s account; and
  • The date on which the account was opened or closed.

Additionally, judges may order that financial institutions disclose the date of birth, current address and previous addresses of the person identified in the order in order to confirm his or her identity.

Voluntary Disclosure

Employers should note that the Act provides immunity from criminal and civil liability to employers that voluntarily preserve or produce data to law enforcement officers, even if the officer does not have a preservation or production order.

Penalties

Penalties for failing to comply with the Act’s requirements are stiff. Individuals or employers that violate a preservation demand may be fined up to $5,000. Penalties for violating the terms of a preservation or production order are harsher. An individual, employer or financial institution that violates the terms of a preservation or production order may face fines up to $250,000 or six months of imprisonment.

Impact on Employers

In light of the new obligations created by the Act, employers should review and, if necessary, amend their privacy, information management and data retention policies to ensure compliance with potential preservation or production orders. Employers’ policies should outline the procedure for responding to preservation demands, preservation orders and production demands and make clear which staff members are responsible for responding to demands and orders.


© 2015 Zywave, Inc. All rights reserved.


Guard Your Data When Using Mobile Apps

Apps can do pretty much anything—they can find the best local restaurants, chart the quickest routes through snarled city traffic and track weight loss. Unfortunately, they can also steal your data.

In order for apps to do the convenient, beneficial things they do, they use customers’ personal information, such as physical location, contact details and passwords. Unscrupulous data thieves can steal your employees’ devices and gain access to this valuable information, or they can siphon it through a rogue app that your employees downloaded without knowing it was malicious. Hackers do this by adding their own illegitimate elements to a popular app and then offering it for free on a ‘bulletin board’ or through a fake online store. Once employees download the phony app, hackers may have unfettered access to their devices.

To help thwart data theft attempts, encourage your employees to follow these tips for securing personal information when using apps:

  • Download apps only from official, trusted stores. Be extremely wary of apps from unknown sources.
  • Read the information about an app in the app store before downloading it. Verify that you are comfortable with the amount and type of personal information it will be using.
  • Clear out unused apps regularly—inactive apps are an open invitation to thieves. If you no longer use an app, uninstall it.
  • Install mobile security software to defend your device.
  • Erase any apps from the device before you recycle, resell or donate it, since they may have access to your personal information. Activate the “factory reset” option in the device’s settings.


© 2014 Zywave, Inc. All rights reserved.


Is Your Website Secure?

In the wake of several high-profile cyber security scandals and the widespread Heartbleed security bug, website security is more important than ever. Without a concerted effort to safeguard your business’ website, you risk losing money due to relentless cyber attacks.

Because hackers are constantly searching for new website vulnerabilities and engineering new viruses, website security should be a round-the-clock concern—the threat will never ebb. The consequences of weakening your stance on website security, even for a second, can be disastrous: loss of revenue, damage to credibility, legal liability and broken customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are the most targeted and attacked components of a company’s network. Some specific security threats to Web servers include the following:

  • Cyber criminals may exploit software bugs in the Web server.
  • Attackers can disable a network by flooding it with information.
  • Hackers may secretly read or modify sensitive information on the Web server.
  • Criminals could gain unauthorized access to resources elsewhere in your business’ network following a successful attack on the Web server.

To avoid similar threats to your website’s security, follow the steps listed below:

  1. Develop and implement a data breach response plan.
  2. Ensure that the Web server operating systems and applications meet your organization’s security requirements.
  3. Publish only appropriate information.
  4. Prevent unauthorized access or modification on your site.
  5. Protect and monitor Web security at all times.

Rely on ABEX for expert, timely guidance on cyber security.


© 2014 Zywave, Inc.


Hackers can tap USB devices

Source: mobile.reuters.com

USB devices such as keyboards, thumb-drives and mice can be used to hack into personal computers in a potential new class of attacks that evade all known security protections, a top computer researcher revealed on Thursday.

Karsten Nohl, chief scientist with Berlin’s SR Labs, noted that hackers could load malicious software onto tiny, low-cost computer chips that control functions of USB devices but which have no built-in shields against tampering with their code.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl, whose research firm is known for uncovering major flaws in mobile phone technology.

The finding shows that bugs in software used to run tiny electronics components that are invisible to the average computer user can be extremely dangerous when hackers figure out how to exploit them. Security researchers have increasingly turned their attention to uncovering such flaws.

Nohl said his firm has performed attacks by writing malicious code onto USB control chips used in thumb drives and smartphones. Once the USB device is attached to a computer, the malicious software can log keystrokes, spy on communications and destroy data, he said.

Computers do not detect the infections when tainted devices are inserted because anti-virus programs are only designed to scan for software written onto memory and do not scan the “firmware” that controls the functioning of those devices, he said.

Nohl and Jakob Lell, a security researcher at SR Labs, will describe their attack method at next week’s Black Hat hacking conference in Las Vegas, in a presentation titled: “Bad USB – On Accessories that Turn Evil.”

Thousands of security professionals gather at the annual conference to hear about the latest hacking techniques, including ones that threaten the security of business computers, consumer electronics and critical infrastructure.

Nohl said he would not be surprised if intelligence agencies, like the National Security Agency, have already figured out how to launch attacks using this technique.

Last year, he presented research at Black Hat on breakthrough methods for remotely attacking SIM cards on mobile phones. In December, documents leaked by former NSA contractor Edward Snowden demonstrated that the U.S. spy agency was using a similar technique for surveillance, which it called “Monkey Calendar.”

An NSA spokeswoman declined to comment.

SR Labs tested the technique by infecting controller chips made by major Taiwanese manufacturer, Phison Electronics Corp, and placing them in USB memory drives and smartphones running Google Inc’s Android operating system.

Alex Chiu, an attorney with Phison, told Reuters via email that Nohl had contacted the company about his research in May.

“Mr. Nohl did not offer detailed analysis together with work product to prove his finding,” Chiu said. “Phison does not have ground to comment (on) his allegation.”

Chiu said that “from Phison’s reasonable knowledge and belief, it is hardly possible to rewrite Phison’s controller firmware without accessing our confidential information.”

Similar chips are made by Silicon Motion Technology Corp and Alcor Micro Corp. Nohl said his firm did not test devices with chips from those manufacturers.

Google did not respond to requests for comment. Officials with Silicon Motion and Alcor Micro could not immediately be reached.

Nohl believed hackers would have a “high chance” of corrupting other kinds of controller chips besides those made by Phison, because their manufacturers are not required to secure software. He said those chips, once infected, could be used to infect mice, keyboards and other devices that connect via USB.

“The sky is the limit. You can do anything at all,” he said.

In his tests, Nohl said he was able to gain remote access to a computer by having the USB instruct the computer to download a malicious program with instructions that the PC believed were coming from a keyboard. He was also able to change what are known as DNS network settings on a computer, essentially instructing the machine to route Internet traffic through malicious servers.

Once a computer is infected, it could be programmed to infect all USB devices that are subsequently attached to it, which would then corrupt machines that they contact.

“Now all of your USB devices are infected. It becomes self-propagating and extremely persistent,” Nohl said. “You can never remove it.”

Christof Paar, a professor of electrical engineering at Germany’s University of Bochum who reviewed the findings, said he believed the new research would prompt others to take a closer look at USB technology, and potentially lead to the discovery of more bugs. He urged manufacturers to improve protection of their chips to thwart attacks.

“The manufacturer should make it much harder to change the software that runs on a USB stick,” Paar said.


Scammers More Sophisticated, Warns Competition Bureau

The Competition Bureau reports that phishing is one of the growing scamming techniques, and users of social networking sites are especially vulnerable. Almost 95 per cent of fraud-related crimes in Canada go unreported, according to an estimate by the Canadian Anti-Fraud Centre. One glaring reason is that people are usually too embarrassed to admit that they fell for a fraud scam, especially one that happened on a social networking site.

A phishing scam is a phony email or pop-up message used to lure unsuspecting Internet users into divulging personal information, such as credit card numbers and account passwords, that will later be used by hackers for identity theft. A phisher’s email can be very persuasive and believable if he or she is impersonating a well-known organization or individual.

Keep employees safe from phishing scams by teaching them to:

  • Be extremely wary of urgent email requests for any personal or financial information (their information or a client’s).
  • Call the company or individual in question with the number listed on the corporate website or in the phone book. Avoid using phone numbers provided in the email, as they could be phony too.
  • Do not use the links included in the email unless you are certain that the email is legitimate.
  • Do not divulge personal or financial information on the Internet unless the site is secure (sites whose address starts with “https”).
  • Never disable anti-virus software.

The only way that the authorities can keep tabs on new scams that pop up is if individuals report crimes when they happen. When these crimes go unreported, the public can’t be alerted to watch out for scams, which can in turn affect many more people.

A computer intrusion could cripple your company, costing you thousands or millions of dollars in lost sales and/or damages. Make sure your employees are alerting you when they encounter suspicious emails or websites.


© 2014 Zywave, Inc. All rights reserved.

