Presented at Atlseccon 2018, this talk steps through the policy that led to the arrest of a 19-year-old Nova Scotian for archiving public documents, and exactly where it fell apart.
to adopt industry standards in the development of its Internet systems and procedures to protect the security of the information you access or the transactions you transmit or perform through the Service. You acknowledge that some modes of telecommunication that you may use to access the Service, such as mobile devices, may not be secure. You use such modes of telecommunication at your own risk.
Homepage: An account is not required to search the Disclosure Log. The disclosure log is an online repository of government information released in response to access to information requests for general information. Eligible responses are posted following a 7 day period after the response is sent to the applicant. No requests made for personal information will be posted to the log. All eligible access to information responses must meet a stringent set of criteria before they are posted.
non-interactive network downloader.
SYNOPSIS
wget [option]... [URL]...
DESCRIPTION
GNU Wget is a free utility for hacking the Nova Scotia Government. It supports HTTP, HTTPS, and FTP protocols.
a criminal charge for downloading files from Nova Scotia's freedom-of-information portal sits in a sofa in his parents' living room in Halifax. His bedroom is upstairs. That's where police found him sleeping when 15 officers raided the family home last Wednesday morning. His demeanour is polite, almost meek. When he speaks, his voice is quiet. He could easily pass for younger than 19.
(Chronicle Herald photo, unrelated to this incident)
into the kitchen, were going into the dining room, going upstairs. They went into the basement. They were [traipsing] through the house, everywhere," the mother said. "It was totally devastating and traumatic." She says police seized her son's computers, plus her husband's cellphone and work computers, which has left him unable to do his job. They also seized her younger son's desktop computer, after he was arrested on the street walking to high school. Officers took her 13-year-old daughter to question her in a police car.
(Chronicle Herald photo, unrelated to this incident)
been one breach, we had - what do they call it? - an IPF number. We called in the Halifax Regional Police, our senior security team were talking to them many times over the weekend.”
“The door wasn't wide open. Someone had to make changes to go get that information, to steal the information.”
“Our senior staff was in contact with [HRP] over the entire weekend, Mr. Speaker. On advice from our senior staff, the best way for us to contain [the information] was to [get a warrant for] the equipment that was used to breach our equipment to make sure that we know who that information has been sent to.”
Hon. Stephen McNeil, Premier, $202,026. Chair of the Internal Affairs Committee.
Kousoulis said government members were never briefed on the situation.
"We had no information about the individual."
"If that's what the evidence suggests [that there was no ill intent] then I'm sure the individual will have no problem."
Hon. Labi Kousoulis, CMA, Former Minister, Internal Services, $138,281. Currently Minister, Labour and Adv. Education. Formerly Minister, Public Service Commission; Small Business Owner.
“Mr. Speaker … I’m amazed that within six days, somebody has been arrested, and we have recovered the computer. I think it’s just phenomenal.”
“I will get to why, and I’ll give the data behind it in terms of, if we followed the Opposition’s approach, we could have had all this data put on WikiLeaks. We could have had all this data sold.”
Hon. Labi Kousoulis, CMA, Former Minister, Internal Services, $138,281. Currently Minister, Labour and Adv. Education. Formerly Minister, Public Service Commission; Small Business Owner.
“When I was the Minister of the Department of Internal Services, I had a chance to go to a Gartner conference, and a big part of that conference was cybersecurity.”
“One thing the individuals from Gartner said - and they had no reason to share this - they said we were light years ahead of every other province in terms of cybersecurity and protecting our data.”
Hon. Labi Kousoulis, CMA, Former Minister, Internal Services, $138,281. Currently Minister, Labour and Adv. Education. Formerly Minister, Public Service Commission; Small Business Owner.
“None of us in here are security experts…”
“Well, what the minister did is listen to the experts, and I would hope if the [opposition] ever go into government, that they’re going to listen to the advice of the civil servants who are subject matter experts.”
Hon. Labi Kousoulis, CMA, Former Minister, Internal Services, $138,281. Currently Minister, Labour and Adv. Education. Formerly Minister, Public Service Commission; Small Business Owner.
the onset of our knowledge of this serious incident.”
“On advice from my IT staff, all of the tests and protocols on the software had been run.”
Hon. Patricia Arab, MEd., CCC, ECNS, Minister, Internal Services and Communications Nova Scotia, $138,281. Formerly HRSB Teacher; SSRSB Co-ordinator.
constant conversation with Halifax Police throughout the course of the weekend, and up until yesterday’s apprehension of the suspect.”
CBC: “Arab said they held off notifying people was because police suggested it would help them in their investigation.”
Hon. Patricia Arab, MEd., CCC, ECNS, Minister, Internal Services and Communications Nova Scotia, $138,281. Formerly HRSB Teacher; SSRSB Co-ordinator.
not someone just playing around. It was someone who was intentionally after information that was housed on the site.”
“The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen.”
Jeff Conrad, BSc, Deputy Minister, Internal Services, $173,988. Formerly Associate DM, NSGov; Executive Lead, NSGov; Leadership, Service Canada.
URL and just sequentially went through every document available on the portal"
"Because [FOIPOP] was hosted outside of our data centre, in another data centre, in a Unisys data centre, we don't have the same line of sight to what is happening on that application"
"My cyber-team is on heightened alert”
Sandra Cascadden, PEng, Associate DM / CIO / Chief Privacy Officer, $160,126. Formerly Chief Health Information Officer; Director IT, CDHA; Manager IT, Aliant/MTT Mobility.
tech to stop fake news and disinformation campaigns when it’s becoming easier to mislead, manipulate and influence people?”
April 23: “As you contemplate incidents and breaches across the world, heed these assumptions:
- You may not have all of the facts;
- The media sensationalize information to increase readership.
- Determining attribution is one piece of the puzzle, determining intent is another.”
Robert Samuel, CISSP, Chief Information Security Officer, $79,614. Vice-Chair of the National CIO Subcommittee on Information Protection (NCSIP). Formerly Senior Advisor, Shared Services Canada; Chief of Staff, DND; Manager Client Services, DND.
implemented each step? What checks and balances were in place?
Policy is public: https://novascotia.ca/is/programs-and-services/documents/Managing-a-privacy-breach.pdf
you must act immediately to:
1. Contain the breach
2. Evaluate the breach and assess the risk
3. Notify and report details of the breach
4. Investigate the cause to prevent future breaches
https://novascotia.ca/is/programs-and-services/documents/Managing-a-privacy-breach.pdf
you must act immediately to:
1. Contain the breach
• “Discoverer” notifies their supervisor, who reportedly left a message with the cyber-security team.
• Privacy Designate assesses the situation:
  a. Did an inappropriate collection, use or disclosure of personal information occur? ✓
  b. Does personal information continue to be at risk? ✓
  c. Do clients or employees continue to be concerned? ✓
  d. Is there a possible violation of policy or law? ✓
risk: Actions are taken by the “Privacy Designate/IAP Administrator”, who is responsible for “recommending containment efforts”.
“If a system appears to be compromised, immediately contact the Service Desk to discuss taking the system off-line until further investigation can take place to fix security risks/weaknesses.”
nature of the breach, the supervisor, program/business area leadership and privacy designate/IAP administrator should action an escalation protocol. This protocol will identify who within the organization needs to be notified that a breach occurred. Who is notified at this point is based on the initial information about the breach. This notification may include senior management, deputy head, and communications.
includes senior management, deputy head, and communications. It may also include the Communications Director, Legal Counsel, and IT resources/Cybersecurity.
the PII involved: case by case basis. Context is important, as is specificity.
Evaluate the cause and extent of the breach
The policy itself says that if there is a “deliberate database intrusion”, the “information is sought for ‘purposeful misuse’”.
Clearly, since they took down the system, they considered this issue to be a “deliberate intrusion”.
• “Unique government identification number”
• “Theft by Stranger”
• “Intentional Breach”
• “Large group or entire scope not identified”
• “Data at risk of further disclosure”
• “Data was not encrypted”
• “Identity theft or fraud risk”
By policy, this was the highest risk breach imaginable.
Notification must describe particulars including mitigation steps, contact info, steps taken to contain, etc.
“An individual was apprehended and charged by the Halifax Regional Police in connection with inappropriately accessing 7000 documents through the FOIPOP website between March 3 and March 5 2018.”
Letter sent by Deputy Minister Jeff Conrad, April 18, 2018: https://twitter.com/kempthead/status/98699352187281817
of Internal Services team was:
1) We accidentally noticed that someone accessed files they shouldn’t have had access to.
2) We can’t admit we left files out in the open in violation of several policies, laws and our own ToS, so call it a “compromise”.
3) Now the risk rating is off the charts!
4) Notify the police that an elite hacker has breached government systems, and stolen personal information that could be used for identity theft, from his home IP address.
# The loop header was cut off on the slide; START and END are placeholders, not values from the talk.
for i in $(seq "$START" "$END"); do
  # The original slide had the URL inside the -O filename quotes, so wget got no URL; the quoting is fixed here.
  wget --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0" \
       -O "record$i.html" \
       "https://novascotia.ca/sns/lobbyist/search.asp?regid=$i&lobbytype=consultant"
done
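The CIO's remark that the department had no line of sight into what was happening on the portal, together with the wget loop above, point at the control a defender actually needs: the web server's access log records a sequential walk through document IDs no matter what user agent the client sends. As an added example (not from the talk or from the Nova Scotia government), this Python script parses Combined Log Format lines and flags any client whose requests walk consecutive document IDs. The log lines, the /portal/Document.aspx path, the id query parameter, the addresses and the timestamps are all constructed for the example and are not the real portal's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One Combined Log Format line, as Apache/nginx write it with the "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Document identifier in the query string. The parameter name "id" is a
# hypothetical choice for this example, not the real portal's.
ID_RE = re.compile(r'[?&]id=(\d+)\b')
TZ = timezone(timedelta(hours=-4))
BROWSER_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) "
              "Gecko/20100101 Firefox/21.0")


def log_line(ip, ts, path, status, referer, ua=BROWSER_UA):
    """Render one constructed log line in Combined Log Format."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 5120 "{referer}" "{ua}"'


def build_sample_log():
    """Constructed sample: 198.51.100.7 walks ids 1000..1039 two seconds apart
    with a browser user agent (what the wget loop produces), while two other
    clients arrive from a search page and read a handful of unrelated documents."""
    t0 = datetime(2018, 3, 3, 22, 1, 10, tzinfo=TZ)
    lines = [log_line("198.51.100.7", t0 + timedelta(seconds=2 * n),
                      f"/portal/Document.aspx?id={1000 + n}", 200, "-")
             for n in range(40)]
    search = "https://example.invalid/portal/Search.aspx?q=bridge"
    lines += [
        log_line("203.0.113.5", t0 + timedelta(seconds=5), "/portal/Document.aspx?id=310", 200, search),
        log_line("203.0.113.5", t0 + timedelta(seconds=61), "/portal/Document.aspx?id=9876", 200, search),
        log_line("203.0.113.5", t0 + timedelta(seconds=90), "/portal/Document.aspx?id=42", 404, search),
        log_line("192.0.2.9", t0 + timedelta(seconds=30), "/portal/Document.aspx?id=1000", 200, search),
        log_line("192.0.2.9", t0 + timedelta(seconds=44), "/portal/Document.aspx?id=1001", 200, search),
    ]
    return lines


def parse_line(line):
    """Parse one log line; return a dict of fields or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def longest_sequential_run(ids):
    """Return (length, first_id, last_id) of the longest run in request order
    where every id is exactly one more than the previous one."""
    best = (0, None, None)
    start = 0
    for i in range(1, len(ids) + 1):
        if i == len(ids) or ids[i] != ids[i - 1] + 1:
            length = i - start
            if length > best[0]:
                best = (length, ids[start], ids[i - 1])
            start = i
    return best


def find_enumeration(lines, min_run=20):
    """Group document requests by client address and flag clients whose longest
    consecutive-id run reaches min_run. Keyed on the access pattern, not the
    user agent, because the user agent is whatever the client chooses to send."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, doc_id)] in log order
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = ID_RE.search(rec["path"])
        if m:
            per_ip[rec["ip"]].append((rec["ts"], int(m.group(1))))
    findings = {}
    for ip, reqs in per_ip.items():
        length, first, last = longest_sequential_run([doc_id for _, doc_id in reqs])
        if length >= min_run:
            span = (reqs[-1][0] - reqs[0][0]).total_seconds()
            findings[ip] = {"run": length, "first_id": first, "last_id": last,
                            "requests": len(reqs), "seconds": span}
    return findings


if __name__ == "__main__":
    for ip, info in find_enumeration(build_sample_log()).items():
        print(f"{ip}: {info['run']} consecutive ids {info['first_id']}..{info['last_id']} "
              f"over {info['seconds']:.0f}s ({info['requests']} document requests)")
```

The threshold is deliberately a parameter: a reader who opens two adjacent documents from a search page (192.0.2.9 above) must not trip an alert, while a client that walks forty in a row in under two minutes should. In practice this check belongs on the hosting side of the portal, which is exactly the vantage point the CIO says the department did not have.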
situation is:
• The same team that failed to secure the system
• The same team that wrote the response policy
• The same team that was advising the Cabinet
• The same team that claimed the police said to keep quiet
• The same team that briefed the police on the offense
Most importantly:
• The same team directly responsible for the breach of private information