Everybody Pwned ‘;-- : The Pitfalls of Breach Ubiquity and the Prospects of Bill C-11

February 16, 2021

There are changes coming to the information security landscape in Canada.

Bill C-11 was tabled in the House of Commons on December 2, 2020. Its long name: "An Act to enact the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make related and consequential amendments to other Acts". This proposed legislation comes at a time when Canadians are relying more and more on electronic communication.

Why should you care?

Let's try a little experiment. Go here...


Put your most commonly used email in.

Not willing to put your email in to a random internet site recommended by some random woman you just met over the internet?

I get that.

Let’s use my two main email addresses.

personal email - No breaches reported 
work email - Oh oh! - pwned! 1 breach.


NOTE: I was married in 2015 and being ever the romantic I changed my last name to match my spouse. This explains the no breaches on my personal email. My previous personal email had been involved in 7 breaches.

The breach my work email was involved in was discovered by two security researchers. They found an unprotected server belonging to People Data Labs holding 1.2 billion records of personal information (email addresses, phone numbers, social media profiles, job history data). It’s unclear whether this information came from a breach or a scrape (when someone uses credentials that have been compromised to download all the information off of a site, OR downloads all information that was listed as public but perhaps should not have been).

People Data Labs is an aggregator - they collect publicly facing or available information and resell access to that information. Information has more meaning and value when it’s all put together.

Do I feel violated? … not really. Most of the information was publicly available - none of it was intensely personal (the closest thing to private information would have been social media profiles - but that’s just photos of cats so no biggy - right?).


This breach was much smaller than Collection #1. In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services.
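Credential stuffing lists like Collection #1 are also what lets a defender check whether a password is already "out there". The added example below (mine, not code from the original post or from haveibeenpwned.com) shows the k-anonymity check used by HIBP's Pwned Passwords service: only the first five characters of the password's SHA-1 hash leave your machine, and the matching is done locally against the returned range. It assumes the real `https://api.pwnedpasswords.com/range/` endpoint; the range response used below is constructed so the code runs offline.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint (k-anonymity API); assumed available.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to HIBP, 35-char suffix kept local) of the SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count for our suffix, 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines rather than crashing the check
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Network fetch of one hash range; only the 5-char prefix is disclosed to the service."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the Pwned Passwords corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed range body for prefix 5BAA6 (the prefix of SHA-1("password")); the counts are made up.
CONSTRUCTED_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

if __name__ == "__main__":
    # Offline run against the constructed response instead of the live API.
    print(password_breach_count("password", fetch=lambda p: CONSTRUCTED_RANGE_5BAA6))
```

Replacing the lambda with the default `fetch_range` runs the same check against the live service; a non-zero count is the signal to reject the password at signup or reset time.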

Collection #1 and the breach my information was involved in are part of a concerning trend of Mega Breaches - which I define loosely as breaches that tend to dwarf previous breaches - either because the single breach was very large or it was a breach of aggregated sources. Data aggregators are in the business of collecting data and reselling it in large meaningful chunks that would tend to identify an individual in a more personal way than the individual pieces of information would. When they are breached there are significant cascading effects to information security.

For example, if I used my work email to sign up for an online dating app and it was compromised, and this was crossed with my scraped LinkedIn profile, this could provide nefarious individuals with enough information to compromise me or my business using a spear-phishing attack.

(Although we've trained on this issue so much, every time my staff gets a spear-phishing email they report it to me with a great deal of smug satisfaction.)

Mega Breach is a problematic working definition because it’s relative. This means there is an ever growing standard for what constitutes a “really bad” security breach.

In relative measures, context is everything - so let’s go back to “The First Hack”.


This is magician and inventor, Nevil Maskelyne. He disrupted John Ambrose Fleming's public demonstration of Guglielmo Marconi's (purportedly secure) wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector. The messages Nevil sent were “Rats” and “humorous verses” - which, based on the rivalry between the two men, may have been obscene. One incident - it was extremely scandalous and we are still talking about it. At least right now.

haveibeenpwned.com has a list of pwned websites. This is a list of websites that have been hacked (as in completely taken over or otherwise compromised by active agents). It contains hundreds of entries. This list doesn’t even include those companies who have had their data accessed or stolen. The first hack was a scandal. Now we just collect statistics.

Let’s talk about fatigue. Not entirely dissimilar from Zoom fatigue. Breach Fatigue is general exhaustion on the part of the consumer as a result of the constant barrage of data breaches reported in the news. Breach Fatigue is particularly troubling given that the consequences of breaches have gone far beyond a few saucy messages between old timey chaps.

Consider this: I have two children under three. 

I opted for the epidural. Which means I was hooked up to a drug infusion pump. One of these guys...



An epidural is generally a fentanyl drip. The interesting thing is that the drugs are locked up, but the device is left unattended and unlocked before the drugs are put into it… and it has an open interface. The model used for my drip had a handy little USB port. Devices similar to this one were found to be vulnerable to remote code execution and man-in-the-middle attacks. My spouse, who knows about these things, felt it was a good time to talk to my anaesthetist about device security. Under the current provisions of the criminal code, someone simply accessing the device would be a crime. Prior to the change, they would have to cause harm.

This year we saw the first reported death from a cyber attack. A hospital in Dusseldorf, Germany was the subject of a ransomware attack. Systems at the hospital were crashed and the hospital was forced to turn away patients. A woman with a life-threatening condition was sent to a hospital 20 miles away. She died from treatment delays.

Breach fatigue can settle in because people don’t really understand how far reaching the consequences are.
Attacks happen because of the size of the technology stack (the stack is all the programs that work together to deliver a service). They aren’t kept up to date all the way down from a security perspective… and it may even be impossible to keep them up to date because they’ve become so big.


This causes the threat envelope to grow, and once a vulnerability is discovered it can be exploited widely.
Above is an example from the construction sector (low tech, right?). All these technologies use dozens or more of individual stacks and bugs likely exist everywhere.

There is also the issue of information delay and the 24 hour news cycle. It can take years to discover the extent of a breach. The LinkedIn breach occurred in 2012, but we only discovered its full extent in 2016. By then people had simply moved on.

On November 1, 2018 mandatory breach reporting under PIPEDA began. In the 2019-2020 Report to Parliament, the Office of the Privacy Commissioner of Canada reported:

341 - Data breach reports received under the Privacy Act
678 - Data breach reports received under PIPEDA (The highest percentages of which were in the finance, telecommunications, and retail/sales sectors)

A total of 30,155,138 Canadians were affected by Unauthorized Access. The population of Canada is 37.59 Million - so this number is staggering. The reports more than doubled from the previous year. The report notes much of the access was gained by targeted social engineering campaigns - which may have used personal information from previous breaches.

Even on an individual level, people have started to consider hacking a more serious threat - while simultaneously suffering from breach fatigue and a general apathy about their own personal security.

I asked my long suffering IT infrastructure engineer if he could give me updated stats on attacks to my firm’s network.
  1. We receive an attack or scan every 60 seconds.
  2. There are 5-6 credible concerning flags per week.
  3. We’ve stopped approximately 15 credible ransomware attempts in the past three years.
  4. We stopped 4 spear-phishing attacks that would have resulted in potential breach.
Go ask your IT people for these statistics - they should be able to give them to you.

We're a small shop of a few lawyers and support staff - but we're still a target.

Scary. Stuff.

Enter, the government.

Innovation Minister Navdeep Bains is talking about sweeping changes to privacy legislation in Canada in the form of Bill C-11. I had read about the mandate Minister Bains had received and I figured something interesting was coming. The mandate specifically mentioned “proactive data security requirements”.

One of the big changes is the fines. If the bill passes, companies could face fines of up to five per cent of global revenue or $25 million — whichever is greater — for the most serious offences. Bains said the legislation provides for the heaviest fines among the G7 nations' privacy laws. Bains says the fines will ensure accountability.

The proposed legislation also would give the federal privacy commissioner order-making powers. I think we can all agree that’s a good thing. This power would include the ability to force an organization to comply and to order a company to stop collecting data or using personal information.

For our purposes today, the relevant section to what we’re talking about here is the section regarding Security Safeguards (s. 57). Check it out:

s.57(1) Security Safeguards

(1) An organization must protect personal information through physical, organizational and technological security safeguards. The level of protection provided by those safeguards must be proportionate to the sensitivity of the information.

[...]

(3) The security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.

The amendment creates a duty to protect. An ACTIVE duty to protect. The amendment actively requires an organization to protect users’ data through physical, organizational, and technological security. This means you need the fort mentality to apply to your technology, your building, and your internal office policies.

And the protections must be robust enough to protect personal information against loss, theft, OR access. To put this in context, PIPEDA (s.10.1(1)) currently requires reporting to the Commissioner and notification to the individual where there was a real risk of significant harm to the individual, but it does not mention any requirement for security safeguards to be in place.

This legislation is entering a theatre where information security pros aren't exactly listened to. I’ve spoken to groups of information security professionals… they tell me horror stories about vulnerability disclosure…

Credit: pentestpartners.com/security-blog

This Bingo card apparently sums it up. To extend the game analogy, it's like playing monopoly with only three playing pieces: an ostrich, a bull, and a cricket.

Vulnerability disclosure is where a person discovers a security vulnerability and reports it (or not) to the organization. The organization’s reactions generally range from absolute rage to frightening apathy.
The active duty to protect information will *hopefully* change this because companies will be required to pay attention to reported vulnerabilities in order to comply with the new privacy measures.

The active duty to protect is interesting (even encouraging), but how will it survive in the wild?

I see three immediate challenges:

(1) Bill C-11 doesn’t set a standard or provide definitions for adequate security safeguards. Who gets to create the definition?
The Privacy Commissioner? The industry? The courts? - so far it’s been the courts and the industry - we may be confusing things by adding another player. Everybody seems to know what should happen (information should be protected), but the rapid pace of technological change makes them also very reluctant to set a standard or provide guidance that is specific enough to be helpful.

(2) There is a significant spread between large organizations with significant IT infrastructure and smaller organizations - all of whom will be held to the same standard. Information security solutions like what I have in place aren’t feasible for the average business owner. In this way additional guidance would be essential in making sure people knew what they were supposed to do.

(3) The other challenge is that people are of two minds. As I mentioned before people are both exhausted by the ubiquity of breaches, but also extremely protective of their privacy. The former means people will be less likely to take proactive measures to protect themselves, and the latter means governments will be expected to take an increasingly involved role in protecting privacy, possibly through legislative requirements.

In my opinion, neither of these groups is the appropriate party to make the decisions about what is secure enough and how to best protect data - that should be left to security and privacy professionals.

This is a photo of a Commodore 64 - comically old technology - it came out in 1982. That was only 38 years ago. 

Lawyers have been around since 750 BC - 2,750 years. The medical profession has been around for a similar amount of time. Insert lawyer joke here.

Computer related professions are in their infancy, but given the pace of technological change, we need to give them a lot more credit so they can guide us to actual practical solutions for protecting privacy.



** Credit to Troy Hunt and his excellent work on haveibeenpwned.com for much of the information in this post and my related talk **

Thanks, as always, to our long suffering IT person who, although nameless, is our steadfast sentry.


This post was written by Anna Manley.
If you'd like to contact Anna you can send her an email: anna@manleylaw.ca
Anna is the principal lawyer of Manley Law Inc. and is a regular contributor to the Manley Law Blog. She practices in the areas of Real Estate, Privacy/Internet, Corporate, and Wills & Estates