Upgrade to Pro — share decks privately, control downloads, hide ads and more …

1,2,3,4 I Declare Cyber War

1,2,3,4 I Declare Cyber War

Presented at Atlseccon 2018, steps through the policy that lead to the arrest of a 19 year old Nova Scotian for archiving public documents; and exactly where it fell apart.

01d4f345508a9e898004a4d4f6d6459e?s=128

evandentremont

April 27, 2018
Tweet

Transcript

  1. 1, 2, 3, 4 I Declare Cyber War Examining a

    juvenile approach to information security 1, 2, 3, 4 I Declare Cyber War
  2. ~$ whoami

  3. What happened? How a teenager stole public documents What happened?

  4. None
  5. ~$ apt-cache search ‘lawyer’ for i in {1..7000} do wget

    "https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=$i" done
  6. https://foipop.novascotia.ca/ foia/views/_AttachmentDownload.js p?attachmentRSN=1

  7. ~$ chown 777 ./cookies/* Terms of Service: The Province agrees

    to adopt industry standards in the development of its Internet systems and procedures to protect the security of the information you access or the transactions you transmit or perform through the Service. You acknowledge that some modes of telecommunication that you may use to access the Service, such as mobile devices, may not be secure. You use such modes of telecommunication at your own risk. Homepage: An account is not required to search the Disclosure Log. The disclosure log is an online repository of government information released in response to access to information requests for general information. Eligible responses are posted following a 7 day period after the response is sent to the applicant. No requests made for personal information will be posted to the log. All eligible access to information responses must meet a stringent set of criteria before they are posted.
  8. ~$ chown 777 ./cookies/* Terms of Service: The Province agrees

    to adopt industry standards in the development of its Internet systems and procedures to protect the security of the information you access or the transactions you transmit or perform through the Service. You acknowledge that some modes of telecommunication that you may use to access the Service, such as mobile devices, may not be secure. You use such modes of telecommunication at your own risk. Homepage: An account is not required to search the Disclosure Log. The disclosure log is an online repository of government information released in response to access to information requests for general information. Eligible responses are posted following a 7 day period after the response is sent to the applicant. No requests made for personal information will be posted to the log. All eligible access to information responses must meet a stringent set of criteria before they are posted.
  9. https://foipop.novascotia.ca/ foia/views/_AttachmentDownload.js p?attachmentRSN=1

  10. ~$ grep ‘security’ ./tos.txt Terms of Service: The Province agrees

    to adopt industry standards in the development of its Internet systems and procedures to protect the security of the information you access or the transactions you transmit or perform through the Service. You acknowledge that some modes of telecommunication that you may use to access the Service, such as mobile devices, may not be secure. You use such modes of telecommunication at your own risk.
  11. ~$ grep ‘security’ ./tos.txt Terms of Service: The Province agrees

    to adopt industry standards in the development of its Internet systems and procedures to protect the security of the information you access or the transactions you transmit or perform through the Service. You acknowledge that some modes of telecommunication that you may use to access the Service, such as mobile devices, may not be secure. You use such modes of telecommunication at your own risk.
  12. https://foipop.novascotia.ca/ foia/views/_AttachmentDownload.js p?attachmentRSN=1

  13. None
  14. None
  15. https://foipop.novascotia.ca/ foia/views/_AttachmentDownload.js p?attachmentRSN=1

  16. None
  17. None
  18. ~$ man wget ~$ man wget NAME Wget - The

    non-interactive network downloader. SYNOPSIS wget [option]... [URL]... DESCRIPTION GNU Wget is a free utility for hacking the Nova Scotia Government. It supports HTTP, HTTPS, and FTP protocols.
  19. None
  20. ~$ sudo killall -9 wget From CBC The 19-year-old facing

    a criminal charge for downloading files from Nova Scotia's freedom-of-information portal sits in a sofa in his parent's living room in Halifax. His bedroom is upstairs. That's where police found him sleeping when 15 officers raided the family home last Wednesday morning. His demeanour is polite, almost meek. When he speaks, his voice is quiet. He could easily pass for younger than 19. (Chronicle Herald photo, unrelated to this incident)
  21. ~$ sudo killall -9 wget From CBC "People were going

    into the kitchen, were going into the dining room, going upstairs. They went into the basement. They were [traipsing] through the house, everywhere," the mother said. "It was totally devastating and traumatic." She says police seized her son's computers, plus her husband's cellphone and work computers, which has left him unable to do his job. They also seized her younger son's desktop computer, after he was arrested on the street walking to high school. Officers took her 13-year-old daughter to question her in a police car. (Chronicle Herald photo, unrelated to this incident)
  22. What does the world think? Blog posts, news coverage, international

    support.
  23. ~$ ls /media/local/

  24. ~$ ls /media/local/

  25. ~$ ls /media/tech/

  26. ~$ ls /media/tech/

  27. ~$ ls /media/international/

  28. ~$ ls /media/international/

  29. ~$ ls /media/international/

  30. What does NSGov Think? As quoted from CBC, Hansard, and

    others.
  31. ~$ ln -s responsibility.txt /dev/null “ We realized there had

    been one breach, we had - what do they call it? - an IPF number. We called in the Halifax Regional Police, our senior security team were talking to them many times over the weekend” “The door wasn't wide open. Someone had to make changes to go get that information, to steal the information.” “Our senior staff was in contact with [HRP] over the entire weekend Mr. Speaker, on advice from our senior staff, the best way for us to contain [the information], was to [get a warrant for] the equipment that was used to breach our equipment to make sure that we know who that information has been sent to.” Hon. Stephen McNeil Premier $202,026 Chair of the Internal Affairs Committee
  32. ~$ ln -s responsibility.txt /dev/null April 18, 2018 outside legislature:

    Kousoulis said government members were never briefed on the situation. "We had no information about the individual" "If that's what the evidence suggests [that there was no ill intent] then I'm sure the individual will have no problem." Hon. Labi Kousoulis, CMA Former Minister, Internal Services $138,281 Currently Minister Labour and Adv. Education Formerly Minister Public Service Commission, Small Business Owner
  33. ~$ ln -s responsibility.txt /dev/null April 12, 2018 in legislature:

    “Mr. Speaker … I’m amazed that within six days, somebody has been arrested, and we have recovered the computer. I think it’s just phenomenal.” “I will get to why, and I’ll give the data behind it in terms of, if we followed the Opposition’s approach, we could have had all this data put on WikiLeaks. We could have had all this data sold.” Hon. Labi Kousoulis, CMA Former Minister, Internal Services $138,281 Currently Minister Labour and Adv. Education Formerly Minister Public Service Commission, Small Business Owner
  34. ~$ ln -s responsibility.txt /dev/null April 12, 2018 in legislature:

    “When I was the Minister of the Department of Internal Services, I had a chance to go to a Gartner conference, and a big part of that conference was cybersecurity.” “One thing the individuals from Gartner said - and they had no reason to share this - they said we were light years ahead of every other province in terms of cybersecurity and protecting our data.” Hon. Labi Kousoulis, CMA Former Minister, Internal Services $138,281 Currently Minister Labour and Adv. Education Formerly Minister Public Service Commission, Small Business Owner
  35. ~$ ln -s responsibility.txt /dev/null April 12, 2018 in legislature:

    “None of us in here are security experts… “ “Well, what the minister did is listen to the experts, and I would hope if the [opposition] ever go into government, that they’re going to listen to the advice of the civil servants who are subject matter experts.” Hon. Labi Kousoulis, CMA Former Minister, Internal Services $138,281 Currently Minister Labour and Adv. Education Formerly Minister Public Service Commission, Small Business Owner
  36. ~$ ln -s responsibility.txt /dev/null “We began following protocols from

    the onset of our knowledge of this serious incident.” “On advice from my IT staff, all of the tests and protocols on the software had been run” Hon. Patricia Arab, MEd., CCC, ECNS Minister, Internal Services and Communications Nova Scotia $138,281 Formerly HRSB Teacher SSRSB Co-ordinator
  37. ~$ ln -s responsibility.txt /dev/null “Our security staff was in

    constant conversation with Halifax Police throughout the course of the weekend, and up until yesterday’s apprehension of the suspect.“ CBC: “Arab said they held off notifying people was because police suggested it would help them in their investigation.” Hon. Patricia Arab, MEd., CCC, ECNS Minister, Internal Services and Communications Nova Scotia $138,281 Formerly HRSB Teacher SSRSB Co-ordinator
  38. ~$ ln -s responsibility.txt /dev/null “There was no conversation between

    us and the province about holding off and not telling anybody.” Supt Jim Perrin Halifax Regional Police
  39. ~$ ln -s responsibility.txt /dev/null “There's no question, this was

    not someone just playing around. It was someone who was intentionally after information that was housed on the site.” “The employee was involved in doing some research on the site and inadvertently made an entry to a line on the site — made a typing error and identified that they were seeing documents they should not have seen.” Jeff Conrad, BSc Deputy Minister, Internal Services $173,988 Formerly Associate DM, NSGov Executive Lead, NSGov Leadership, Service Canada
  40. ~$ ln -s responsibility.txt /dev/null "Someone went in through the

    URL and just sequentially went through every document available on the portal" "Because [FOIPOP] was hosted outside of our data centre, in another data centre, in a Unisys data centre, we don't have the same line of sight to what is happening on that application" "My cyber-team is on heightened alert” Sandra Cascadden, PEng Associate DM / CIO / Chief Privacy Officer $160,126 Formerly Chief Health Information Officer Director IT CDHA Manager IT Aliant/MTT Mobility
  41. ~$ ln -s responsibility.txt /dev/null April 19 “Can we leverage

    tech to stop fake news and disinformation campaigns when it’s becoming easier to mislead, manipulate and influence people?” April 23 “As you contemplate incidents and breaches across the world, heed these assumptions: - You may not have all of the facts; - The media sensationalize information to increase readership. - Determining attribution is one piece of the puzzle, determining intent is another. “ Robert Samuel, CISSP Chief Information Security Officer $79,614 Vice-Chair of the National CIO Subcommittee on Information Protection (NCSIP) Formerly Senior Advisor Shared Services Canada Chief of Staff DND Manager Client Services DND
  42. ~$ ln -s responsibility.txt /dev/null April 19 “Can we leverage

    tech to stop fake news and disinformation campaigns when it’s becoming easier to mislead, manipulate and influence people?” April 23 “As you contemplate incidents and breaches across the world, heed these assumptions: - You may not have all of the facts; - The media sensationalize information to increase readership. - Determining attribution is one piece of the puzzle, determining intent is another. “ Robert Samuel, CISSP Chief Information Security Officer $79,614 Vice-Chair of the National CIO Subcommittee on Information Protection (NCSIP) Formerly • Senior Advisor SSC • Chief of Staff DND • Manager Client Services DND
  43. NSGov Breach Response Policy From Step A to “SWAT team”

    NSGov Breach Response Policy
  44. ~$ wget Managing-a-privacy-breach.pdf Who was responsible for this process? Who

    implemented each step? What checks and balances were in place? Policy is public. https://novascotia.ca/is/programs-and-services /documents/Managing-a-privacy-breach.pdf
  45. ~$ wget Managing-a-privacy-breach.pdf If a breach has been identified, then

    you must act immediately to: 1. Contain the breach 2. Evaluate the breach and assess the risk 3. Notify and report details of the breach 4. Investigate the cause to prevent future breaches https://novascotia.ca/is/programs-and-services/documents/Managing-a-privacy-breach.pdf
  46. ~$ wget Managing-a-privacy-breach.pdf If a breach has been identified, then

    you must act immediately to: 1. Contain the breach • “Discoverer” notifies their supervisor who reportedly left a message with the cyber-security team. • Privacy Designate assesses the situation a. Did an inappropriate collection, use or disclosure of personal information occur? ✓ b. Does personal information continue to be at risk? ✓ c. Do clients or employees continue to be concerned? ✓ d. Is there a possible violation of policy or law? ✓
  47. ~$ wget Managing-a-privacy-breach.pdf 2. Evaluate the breach and assess the

    risk Actions are taken by the “Privacy Designate/IAP Administrator” whom is responsible for “recommending containment efforts” “If a system appears to be compromised, immediately contact the Service Desk to discuss taking the system off-line until further investigation can take place to fix security risks/weaknesses.”
  48. ~$ wget Managing-a-privacy-breach.pdf Establish a “response team” Depending on the

    nature of the breach, the supervisor, program/business area leadership and privacy designate/IAP administrator should action an escalation protocol. This protocol will identify who within the organization needs to be notified that a breach occurred. Who is notified at this point is based on the initial information about the breach. This notification may include senior management, deputy head, and communications.
  49. ~$ wget Managing-a-privacy-breach.pdf Business Area Leadership leads response team. Team

    includes senior management, deputy head, and communications. It may also include Communications Director, Legal Counsel, and IT resources/Cybersecurity
  50. ~$ wget Managing-a-privacy-breach.pdf 2. Assess the Extent and Impact Assess

    the PII involved: case by case basis. Context is important, as is specificness. Evaluate the cause and Extent of the Breach The policy itself says if there is a “deliberate database intrusion” that the “information is sought for “purposeful misuse” Clearly, since they took down the system, they considered this issue to be a “deliberate intrusion”
  51. ~$ wget Managing-a-privacy-breach.pdf 2. Assess the Extent and Impact •

    “Unique government identification number” • “Theft by Stranger” • “Intentional Breach” • “Large group or entire scope not identified” • “Data at risk of further disclosure” • “Data was not encrypted” • “Identity theft or fraud risk” By policy, this was the highest risk breach imaginable.
  52. ~$ wget Managing-a-privacy-breach.pdf 3. Notify and Report on the Breach

    Notification must describe particulars including mitigation steps, contact info, steps taken to contain, etc. “An individual was apprehended and charged by the Halifax Regional Police in connection with inappropriately accessing 7000 documents through the FOIPOP website between March 3 and March 5 2018.” Letter sent by Deputy Minister Jeff Conrad, April 18, 2018 https://twitter.com/kempthead/status/98699352187281817
  53. ~$ wget Managing-a-privacy-breach.pdf 3. Notify and Report on the Breach

    Letter sent by Deputy Minister Jeff Conrad, April 18, 2018 Must describe particulars including mitigation steps, contact info, steps taken to contain, etc. “An individual was apprehended and charged by the Halifax Regional Police in connection with inappropriately accessing 7000 documents through the FOIPOP website between March 3 and March 5 2018.” https://twitter.com/kempthead/status/98699352187281817
  54. ~$ wget Managing-a-privacy-breach.pdf Clearly the thought process of the Department

    of Internal Services team was: 1) We accident noticed that someone accessed files they shouldn’t have had access to. 2) We can’t admit we left files out in the open in violation of several policies, laws and our own ToS so call it a “compromise” 3) Now the risk rating is off the charts! 4) Notify the police that an elite hacker has breached government systems, and stolen personal information that could be used for identity theft, from his home IP address.
  55. None
  56. None
  57. None
  58. ~$ apt-cache search ‘defense lawyer’ #!/bin/bash for i in {600..1200}

    do wget --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0" -O "record$i.html https://novascotia.ca/sns/lobbyist/search.asp?regid=$i&lobbytype=consultant" done
  59. ~$ tail -f ~/clusterfsck.txt To be very clear: this can’t

    happen again. Wget is not a crime. Province required to revisit its policies, and how they lead to this.
  60. None
  61. None
  62. ~$ members breach-response Jeff Conrad, Deputy Minister / Career Bureaucrat

    Sandra Cascadden, CIO / PEng Robert Samuel, CISO / CISSP
  63. ~$ tail -f ~/clusterfsck.txt The team that will revisit this

    situation is • The same team that failed to secure the system • The same team that wrote the response policy • The same team that advising the Cabinet • The same team that claimed the police said to keep quiet • The same team that briefed the police on the offense Most importantly: • The same team directly responsible for the breach of private information
  64. None
  65. ~$ shutdown now Support: https://tinyurl.com/wgetisnotacrime Questions? Comments? Heckling? evan@evandentremont.com