SecurityandPrivacy.ca Blog, authored by Claudiu Popa (Informatica) http://www.informatica.org/
Privacy breach at local school was preventable, may re-occur: Expert 2013-02-08 11:47:00 http://www.securityandprivacy.ca/blog/42
In light of a recent breach of student information at a local school, I sent my comments to editorial desks in the Greater Toronto Area. Here is that press release, in its original format.

Privacy Breach at York Region School Was Entirely Preventable, May Re-occur: Expert

The recent breach of the privacy of students showed improper response and failure to follow basic guidelines, but represents an opportunity for schools across the region to improve student protection and demonstrate due care.
Are data breaches a matter of life and death? 2013-01-14 06:14:00 http://www.securityandprivacy.ca/blog/41
Security assessments are always interesting. I know, I do them all the time. You can never guess what you'll find when you're investigating a breach, and a federal agency recently found that to be true.

Human Resources and Skills Development Canada lost a USB key with personal information on some 5000 Canadians. As is the case with things you're looking for, those are precisely what you don't manage to find. While investigating the missing memory stick, the agency discovered the disappearance of an entire hard drive containing personal information on more than half a million student loan borrowers.
Do Bullying Victims Deserve Their Fate? 2012-10-15 11:38:00 http://www.securityandprivacy.ca/blog/40
More shocking than the fact that yet another teenager has opted to take her own life as a direct result of (cyber)bullying is the public response to the tragedy. Thousands have taken it upon themselves to comment on the situation, but the sheer volume of negative comments is staggering. A simple Tumblr visit seems to pull up cruel, insensitive and downright malicious comments against the victim.

Here's a Revolutionary Idea to Combat Identity Theft: Lie! 2012-08-09 10:52:00 http://www.securityandprivacy.ca/blog/39
I'm always impressed at the low-tech nature of today's most brazen hacking attacks and abuses of identity. It's inevitable that someone will lie to get at your information, then leverage that information to get access to something valuable. In other words, people will lie to get access to your data. So here's a thought: why not employ the same strategy to combat the problem?

Is the CBSA Treading a Fine Line Between Deterrence and the Erosion of Public Trust? 2012-06-19 07:15:00 http://www.securityandprivacy.ca/blog/38
The Canadian Border Services Agency (CBSA) has installed equipment designed to record video and audio in Canadian airports (and possibly other ports of entry). This initiative appears to be based on the 2009 amendment to the Customs Act which allows for the creation of "Customs Controlled Areas" (CCA) to "combat organized crime and internal conspiracies". However, a CCA is only defined as an area where border services officers (BSOs) have the authority to examine goods and to question and search people.

So is the bit about audio and video recording just an expensive effort to deter miscreant activity, or is it a failure to respect the privacy rights of travelers that will only result in lengthy court challenges and a general distrust of Ottawa's future initiatives?

What LinkedIn Didn't Know: This Breach May Be Good For Business 2012-06-07 12:45:00 http://www.securityandprivacy.ca/blog/37
LinkedIn is "unable to confirm [this week's] breach" involving millions of user passwords but agrees that passwords belonging to "some" of their members may have been compromised. While this kind of evasiveness will not earn the publicly traded firm any sympathy, what LinkedIn fails to realize is that this breach is the ideal situation for them and comes at the right time. It allows them to gain publicity at a time when their competitors' stock is battered by regular shareholder expectations, and gives them the opportunity to improve their aging code and security controls while other high-profile breaches take their turn in the media spotlight.

Happy Alan Turing Year, by the way! 2012-04-26 05:00:00 http://www.securityandprivacy.ca/blog/36
What? You didn't know? Well now you do. Alan Turing had/was/exhibited one of the greatest minds in computer science. To him we owe not just artificial intelligence but also modern computing (among numerous other ideas and innovations). And yes, he led the efforts to crack German Enigma codes that shortened WWII by two years and saved millions of lives (according to one Dwight D. Eisenhower). No doubt this level of creativity, intelligence and impact guaranteed him a cushy post-war existence, right?... Well, that's not quite how things unfolded.
(...)

Building Trust: 5 Things To Look For in a Good Website 2012-04-11 03:20:00 http://www.securityandprivacy.ca/blog/35
Trust is the new currency of the global economy. It makes or breaks sites while cementing the relationships upon which the strongest brands are built. By virtue of having so many facets, trust acquisition is almost an art, but we really do know that it's more of a science.

As such, it relies on a lot of visual and support elements such as a clean and fast interface, clear language and unobtrusive opportunities for human interaction. But it's also about assurance, and the amount of perceived safety offered by a good site translates directly into the warm and fuzzy feelings that visitors want to take away and share.

One site that offers such warm-fuzzies is Kiva...
Why Easter Eggs should be enjoyed at home, not at work 2012-04-05 11:27:00 http://www.securityandprivacy.ca/blog/34
Like a few other traditions, Easter has its followers and they're well represented by children whose innate desire to seek and find things is matched by the chocolate goodies hidden for their pleasure.

But Easter Eggs take on a different meaning when it comes to software applications. They're fun little surprises tucked away in undocumented code and waiting for someone to trigger their launch sequence. For instance, the Google rotation roll that ensues once you type in "do a barrel roll", or any number of other hidden tricks....
100% Secure? Guaranteed Privacy? I'll be the judge of that! 2012-04-02 02:15:00 http://www.securityandprivacy.ca/blog/33
No bullshit. That's what you should say next time you see a bold statement on the side of a truck, or tucked away in a sales agreement.

"Your data is 100% secure" boasted the back of a shredding truck I recently saw on the road. "Your privacy is guaranteed" promised a paper-based survey form immediately after requesting all but my passport number.

We see blatant exaggerations and plain misrepresentations all the time. I bet you can think of at least three right now. For instance: the names of other patients on a clinic's computer screen, an office recycling bin's interesting contents, the saved photocopies of the device's previous user....
Should You Feel Bad About Blocking Online Ads? 2012-01-08 12:00:00 http://www.securityandprivacy.ca/blog/32
I'm not a fan of banner ads, browser pop-ups nor of what's come to be called behavioural advertising. I find that such online marketing largely falls into two categories: the kind that has nothing to do with what I'm interested in, and the kind that is surprisingly well targeted to my personal interests. Since the former is irritating and the latter is downright creepy, I'm not likely to click on any online ads anytime soon.

That said, I'm certainly not against commercial promotion and far be it from me to pass judgment on one of the most profitable ways to spend - and make - money online ($25B in 2010 and an estimated $31B in 2011). I'm even sympathetic to the argument that online advertising keeps the Internet humming along quasi-free, as the services we practically depend on in turn depend on advertising dollars to help them resist the temptation to charge us.

However, when this online marketing comes with security surprises and compromises user privacy, I am forced to give it a thumbs down. So what's the best way to block Internet ads?
New "Big Name" Security Study Apparently Aims to Confuse, Amuse Canadian Audience 2011-12-31 02:21:00 http://www.securityandprivacy.ca/blog/31
TELUS and The Rotman School of Management - whose motto is "a new way to think" - decided that asking a few hundred IT professionals about IT security at their firms and reporting the straight numbers would be the way to go. Fair enough, but why they decided to turn it into a comical affair with the allure of a self-serving initiative is curious at best.

Never mind that. It gave me a great opportunity to start your new year off on an amusing note, and for that, we can all be thankful. Enjoy the article. It goes best with eggnog.

Happy new year!
3 Security Tips to Make You Sound Informed at Holiday Parties 2011-12-27 12:00:00 http://www.securityandprivacy.ca/blog/30
Everything I'm reading these days indicates that hacking and malware infections are going to increase in 2012. I don't need to provide references here because everything you're reading does too. Yet all the software you need to secure computers, both corporate and personal, is available for free. There's everything from scanning and blocking to diagnosing and disinfecting the computing devices you depend on. So how come we're poised for continued growth in data theft and general cyber-mischief?

In short, you're the weakest link. If it weren't for you, your computer would have a much higher chance of leading an infection-free existence, gracefully growing old and slowly descending into obsolescence. Instead, you may hear yourself thinking out loud: "it was fast at the beginning, but now it's so slow I'm thinking of getting a new one". This platform-independent mantra is no doubt very depressing for laptops and smartphones to overhear, and even the shiny new tablets, smug in their reliance on a firmware-based operating system, aren't too far behind.

What are your options? Panic? Trade in your new tablet for an old one (circa 3000BC)? Pester the one social recluse in your family with open-ended questions?
Not on MY Internet! 2011-12-19 02:15:00 http://www.securityandprivacy.ca/blog/29
Another nest of vipers has been uncovered this past week. Over 100 people involved in sharing 'extreme' rape videos of babies and children have been arrested, with up to 200 more suspected, in an operation spanning 22 European countries.

The scale of the crime is staggering. One individual was found to possess over 120 thousand gigabytes (120 terabytes) or 36000 hours of horrific video footage. Over 2400 storage devices were confiscated in Denmark alone. The vermin caught by Europol (the joint police organization for the European Union) in the other 21 countries ranged from Internet stalkers to facilitators in elaborate schemes to lure, prepare and eventually abuse young children. They joined the 184 child rapists arrested earlier this year (this time from 30 countries) in an operation that also rescued at least 230 abused children. 670 more suspects were identified out of a 70,000-member pedophile network of mindblowing proportions.
'Tis the Season for Telephone Scams 2011-12-05 01:15:00 http://www.securityandprivacy.ca/blog/28
If you have not already received a call from a 'Microsoft Windows Center' representative insisting on helping you get rid of 'lots of hacking file in your computer', chances are that you will, and soon.

This unfolds according to a pattern in use for the past few years and begins with a long-distance ring from any number of fake Caller IDs. It's almost always an informational message from a somewhat assertive caller indicating that your computer is spewing malware and it needs to stop.

Helpfully, they offer to work with you to clean it up, and if you're lucky enough for the "supervisor" to be available, that individual will take you through the steps of liberating you of some cash in exchange for the support call, or remotely accessing your computer for further "diagnosis".

Either way, don't feel too special, as this kind of phone scam accounts for up to 80% of all reported fraud according to the organization previously known as PhoneBusters.
Is the iPhone Secure Enough? 2011-11-09 12:24:00 http://www.securityandprivacy.ca/blog/27
According to popular expert opinion, there are seven areas in today's mobile devices where vulnerabilities can create security or privacy breaches. Nowhere is this more true than in the paragon of mobile digital success: the iPhone.

Nothing short of a juggernaut, new versions of the quasi-ubiquitous device have all but evaded attempts at hacking it by consistently introducing innovative new features and by leveraging a clever strategy of built-in obsolescence.

It follows then that each of these areas corresponds to specific security controls, tactically building a 'defense in depth' approach to securing the iPhone for personal use.
LinkedIn's Dirty Dozen: Get a Handle on its Top 12 Privacy Settings 2011-11-03 11:09:00 http://www.securityandprivacy.ca/blog/25
With the introduction of LinkedIn's new Settings Page this year, the company also took the opportunity to make some changes to its Privacy Policy. Since the expansive document's 29 pages would put even the most troubled insomniac into a deep slumber, the company conveniently provided a summary which hints at different ways it seeks to monetize its service and in part emulate Facebook's much-maligned model.

Instead of stringing together 7415 words, however, the latter prefers to describe its privacy-related practices through a series of nested pages that branch off an initial six sections. You get the idea. Six of one, half a dozen of the other. But enough of that. I plan to send you on your way with something you can actually use.
Got a Reputable Public Image? Here's How to Tarnish it in Three Easy Moves 2011-10-30 06:12:00 http://www.securityandprivacy.ca/blog/24
Talk to anyone in the world of business about their biggest hacking fears and you're bound to hear that "embarrassment" ranks right up there near the top. Everyone knows that to do a proper job of alienating clients and embarrassing your organization you need to not just be good at, but excel at, three things in particular.

In this post, I don't just discuss those three things, but give real-life examples you can follow and achieve similar results, albeit with some effort, because long-time customers do tend to be loyal and people have a relatively high, inherent barrier of trust that must be ... overcome. That said, once one gets the hang of it, as spectacularly demonstrated in this post, one can negatively impact thousands, millions, even tens of millions of once-loyal followers! Consider this your free, exclusive, three-step guide.
Updated PSN Breach: Inventory of what you may have lost 2011-04-28 07:27:00 http://www.securityandprivacy.ca/blog/21
For the past few days, we've been privy to tidbits of information about the recent PlayStation Network breach (hereafter known as the PSN Breach), often dismissive and always shrouded in a certain aura of non-seriousness due to its status as an entertainment industry fixture. Indeed, breaches of government records, personal health information and financial data garner a vastly more pronounced knee-jerk reaction of shock and awe.
I Won the Twitter Phishing Lottery! 2011-04-12 07:04:00 http://www.securityandprivacy.ca/blog/20
How does it feel to win the Twitter Phishing Lottery, you ask? Pretty good, I must say. I'm one of "the very few 10 Lucky Winners"! I knew it was going to be good when I saw the Subject line that screamed: TWITTER CLAIM ALERT. How could I resist? I clicked. I just had to.

Will 2011 be the year big name companies got owned? 2011-04-05 06:47:00 http://www.securityandprivacy.ca/blog/19
There has clearly been no shortage of spectacular breaches, and at least some of the perpetrators aren't altogether shy about their exploits. The brazen attacks are reminiscent of the '90s hackers, but with a definite profit motive similar to the new cybercriminals of the '00s. It's an interesting mix and a sign that things are changing. But for now, a lot of big name companies are licking their wounds and they have mostly themselves to blame.

Invasive Airline Security vs. Public Apathy 2010-12-03 06:30:00 http://www.securityandprivacy.ca/blog/5
As Twitter is my witness, over the past weeks and months we have been deluged with reports of impropriety from the Transportation Security Administration (TSA) and other airport security complaints from around the world. Indeed, we've read stories of humiliated men, women and children, watched videos and listened to audio recordings [...]
Exotic (and quixotic) security exploits 2010-10-05 06:00:00 http://www.securityandprivacy.ca/blog/4
Toronto-based security expert Claudiu Popa shares some of his favourite tales of dare-devil crooks and their daring heists.
Facebook security and privacy hardening guide 2010-09-27 03:30:00 http://www.securityandprivacy.ca/blog/6
Security expert Claudiu Popa provides Facebook users an excellent security and privacy settings guide to help them gain better control of their social media profile.
QR Code Security – Are we ready to discuss the risks? 2010-08-29 05:30:00 http://www.securityandprivacy.ca/blog/7
The Quick Response codes we see on everything from movie posters to business cards are becoming the ubiquitous contact links of an entire new generation of mobile devices and the people who use them. Originally invented in Asia at the end of the last millennium (circa 1994, Japan, actually), these matrix or 2D (two-dimensional) barcodes [...]
How to Out-Secure the Competition in 5 Easy Steps 2010-07-26 06:00:00 http://www.securityandprivacy.ca/blog/8
Security expert Claudiu Popa shares his list of no-nonsense recommendations to help anyone tackle that challenge, and mitigate the vast majority of the risk to their business.
The Toronto G8/G20 Summits: How Simple Security Communication Blunders Can Negatively Impact Public Opinion 2010-06-16 06:00:00 http://www.securityandprivacy.ca/blog/9
Apparently Toronto drew the short straw. It's our turn to host the distinguished G8 and G20 summits this year and Canada is certainly stepping up to the plate. All our reluctant tax-paying citizens are financially responsible for ensuring the comfort and safety of a select [...]
Unforgivable: Ignorance and apathy about user privacy can no longer be tolerated 2010-05-21 01:00:00 http://www.securityandprivacy.ca/blog/10
The Wall Street Journal's discovery about the shady privacy practices of some of the world's largest social networks came as a surprise and probably won't help any of the big names they mentioned. In what the WSJ unfortunately characterized as a 'privacy loophole' exploited by such organizations as Facebook, MySpace, Hi5 and Digg, the social [...]
Give Google a break 2010-05-17 12:00:00 http://www.securityandprivacy.ca/blog/11
Yesterday's revelation that Google's StreetView cars collected more than just anonymized pictures of buildings and cars (and some comical situations) came as a surprise to many, including regulatory bodies in a number of countries that are now considering miscellaneous lawsuits and penalties, according to the BBC. To wit, the issue was that these 'photographic [...]
The Last Throes of Traditional Anti-Virus Software 2010-05-11 11:00:00 http://www.securityandprivacy.ca/blog/12
It should come as no surprise to anyone that, given the vast numbers of malicious software anti-virus companies are claiming to detect, the number of viruses out there is practically limitless. With the introduction of polymorphic viruses more than a decade ago, and the current practice of injecting specialized Trojans into known vulnerabilities, the combinations [...]
Newsflash: Facebook doesn't care about your privacy 2010-05-07 06:00:00 http://www.securityandprivacy.ca/blog/13
I love how every other article about Facebook has some kind of privacy angle. As if Facebook, a site designed to share your information as broadly as possible, was also responsible for preserving people's personal details under their control. All for free. The latest privacy snafu allowed a confidentiality breach to occur with people's Facebook [...]
Scammers & fraudsters extend Holiday earnings at Haiti's expense 2010-01-19 05:45:00 http://www.securityandprivacy.ca/blog/14
As much as consumers look forward to Christmas every year, retailers salivate at the boost in revenue and its positive impact on earnings. No one enjoys the holidays more than criminals, however, from petty scammers to organized crime groups whose tens, perhaps hundreds of millions of dollars in revenue make up for months of preparation. [...]
What part should travelers play in airport security? 2010-01-11 10:00:00 http://www.securityandprivacy.ca/blog/15
I can safely say that I have one of the most satisfying occupations in the world. Helping to protect the intangible assets that drive the world's economies is certainly something that most individuals (read: men) with a superhero complex should aspire to, once they figure out that forcing radioactive spider bite situations to occur is [...]
The decade of convergence and the (n)ever-changing risk landscape 2010-01-06 10:30:00 http://www.securityandprivacy.ca/blog/16
A full decade after convergence was hailed as the next big thing, right around the turn of the millennium, this elusive concept is making a comeback. The difference is that we now have a massive infrastructure, a vast audience, and the will to make contact. Indeed, 10 years ago, the potential of the Internet to [...]
Holiday fear mongering! Will Anyone Survive 2010? 2009-12-24 12:15:00 http://www.securityandprivacy.ca/blog/17
Since my previous blog post I have read a ridiculous number of security projections for 2010. These range from catastrophic scenarios to something much, much worse. To these I say, bah humbug! It seems that Christmas is the time of year when many security professionals find it acceptable to drop their responsible approach to informing the [...]
The only security advice you need this holiday season 2009-12-16 05:52:00 http://www.securityandprivacy.ca/blog/18
With the holidays now upon us, what better way to get started than to talk about what's on everyone's mind? No, it's not the last-minute shopping nor the latest credit card spending statistics. It's really about the amounts of money lost to financial fraud, scams, hacking and identity theft. The holidays are a special [...]