1,2,3,4 I Declare Cyber War

Presented at Atlseccon 2018, this deck steps through the policy that led to the arrest of a 19-year-old Nova Scotian for archiving public documents, and exactly where it fell apart.

evandentremont

April 27, 2018

Transcript

  1. 1, 2, 3, 4
    I Declare Cyber War
    Examining a juvenile approach to
    information security
    1, 2, 3, 4
    I Declare Cyber War

  2. ~$ whoami

  3. What happened?
    How a teenager stole
    public documents
    What happened?

  5. ~$ apt-cache search ‘lawyer’
    for i in {1..7000}
    do
    wget "https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=$i"
    done

  6. https://foipop.novascotia.ca/foia/views/_AttachmentDownload.jsp?attachmentRSN=1

  7. ~$ chown 777 ./cookies/*
    Terms of Service:
    The Province agrees to adopt industry standards in the
    development of its Internet systems and procedures to protect the
    security of the information you access or the transactions you
    transmit or perform through the Service. You acknowledge that
    some modes of telecommunication that you may use to access the
    Service, such as mobile devices, may not be secure. You use such
    modes of telecommunication at your own risk.
    Homepage:
    An account is not required to search the Disclosure Log. The
    disclosure log is an online repository of government information
    released in response to access to information requests for general
    information. Eligible responses are posted following a 7 day period
    after the response is sent to the applicant. No requests made for
    personal information will be posted to the log. All eligible access
    to information responses must meet a stringent set of criteria
    before they are posted.

  10. ~$ grep ‘security’ ./tos.txt
    Terms of Service:
    The Province agrees to adopt industry standards in the development of its
    Internet systems and procedures to protect the security of the information
    you access or the transactions you transmit or perform through the Service.
    You acknowledge that some modes of telecommunication that you may use to
    access the Service, such as mobile devices, may not be secure. You use such
    modes of telecommunication at your own risk.

  18. ~$ man wget
    ~$ man wget
    NAME
    Wget - The non-interactive network downloader.
    SYNOPSIS
    wget [option]... [URL]...
    DESCRIPTION
    GNU Wget is a free utility for hacking the Nova Scotia
    Government. It supports HTTP, HTTPS, and FTP protocols.

  20. ~$ sudo killall -9 wget
    From CBC
    The 19-year-old facing a criminal charge for downloading
    files from Nova Scotia's freedom-of-information portal sits in
    a sofa in his parent's living room in Halifax.
    His bedroom is upstairs. That's where police found him
    sleeping when 15 officers raided the family home last
    Wednesday morning. His demeanour is polite, almost meek.
    When he speaks, his voice is quiet. He could easily pass for
    younger than 19.
    (Chronicle Herald photo, unrelated to this incident)

  21. ~$ sudo killall -9 wget
    From CBC
    "People were going into the kitchen, were going into the
    dining room, going upstairs. They went into the basement.
    They were [traipsing] through the house, everywhere," the
    mother said. "It was totally devastating and traumatic."
    She says police seized her son's computers, plus her
    husband's cellphone and work computers, which has left him
    unable to do his job. They also seized her younger son's
    desktop computer, after he was arrested on the street walking
    to high school. Officers took her 13-year-old daughter to
    question her in a police car.
    (Chronicle Herald photo, unrelated to this incident)

  22. What does the
    world think?
    Blog posts, news coverage,
    international support.

  23. ~$ ls /media/local/

  25. ~$ ls /media/tech/

  27. ~$ ls /media/international/

  30. What does NSGov
    Think?
    As quoted from CBC, Hansard,
    and others.

  31. ~$ ln -s responsibility.txt /dev/null
    “ We realized there had been one breach, we had - what
    do they call it? - an IPF number. We called in the Halifax
    Regional Police, our senior security team were talking to
    them many times over the weekend”
    “The door wasn't wide open. Someone had to make
    changes to go get that information, to steal the
    information.”
    “Our senior staff was in contact with [HRP] over the entire
    weekend Mr. Speaker, on advice from our senior staff,
    the best way for us to contain [the information], was to
    [get a warrant for] the equipment that was used to breach
    our equipment to make sure that we know who that
    information has been sent to.”
    Hon. Stephen McNeil
    Premier
    $202,026
    Chair of the Internal Affairs
    Committee

  32. ~$ ln -s responsibility.txt /dev/null
    April 18, 2018 outside legislature:
    Kousoulis said government members were
    never briefed on the situation.
    "We had no information about the
    individual"
    "If that's what the evidence suggests [that
    there was no ill intent] then I'm sure the
    individual will have no problem."
    Hon. Labi Kousoulis, CMA
    Former Minister, Internal Services
    $138,281
    Currently
    Minister Labour and Adv. Education
    Formerly
    Minister Public Service Commission,
    Small Business Owner

  33. ~$ ln -s responsibility.txt /dev/null
    April 12, 2018 in legislature:
    “Mr. Speaker … I’m amazed that within six
    days, somebody has been arrested, and we
    have recovered the computer. I think it’s just
    phenomenal.”
    “I will get to why, and I’ll give the data behind
    it in terms of, if we followed the Opposition’s
    approach, we could have had all this data
    put on WikiLeaks. We could have had all
    this data sold.”
    Hon. Labi Kousoulis, CMA
    Former Minister, Internal Services
    $138,281
    Currently
    Minister Labour and Adv. Education
    Formerly
    Minister Public Service Commission,
    Small Business Owner

  34. ~$ ln -s responsibility.txt /dev/null
    April 12, 2018 in legislature:
    “When I was the Minister of the Department
    of Internal Services, I had a chance to go to a
    Gartner conference, and a big part of that
    conference was cybersecurity.”
    “One thing the individuals from Gartner said
    - and they had no reason to share this - they
    said we were light years ahead of every
    other province in terms of cybersecurity and
    protecting our data.”
    Hon. Labi Kousoulis, CMA
    Former Minister, Internal Services
    $138,281
    Currently
    Minister Labour and Adv. Education
    Formerly
    Minister Public Service Commission,
    Small Business Owner

  35. ~$ ln -s responsibility.txt /dev/null
    April 12, 2018 in legislature:
    “None of us in here are security experts… “
    “Well, what the minister did is listen to the
    experts, and I would hope if the [opposition]
    ever go into government, that they’re going
    to listen to the advice of the civil servants
    who are subject matter experts.”
    Hon. Labi Kousoulis, CMA
    Former Minister, Internal Services
    $138,281
    Currently
    Minister Labour and Adv. Education
    Formerly
    Minister Public Service Commission,
    Small Business Owner

  36. ~$ ln -s responsibility.txt /dev/null
    “We began following protocols from the
    onset of our knowledge of this serious
    incident.”
    “On advice from my IT staff, all of the tests
    and protocols on the software had been run”
    Hon. Patricia Arab,
    MEd., CCC, ECNS
    Minister, Internal Services and
    Communications Nova Scotia
    $138,281
    Formerly
    HRSB Teacher
    SSRSB Co-ordinator

  37. ~$ ln -s responsibility.txt /dev/null
    “Our security staff was in constant
    conversation with Halifax Police throughout
    the course of the weekend, and up until
    yesterday’s apprehension of the suspect.“
    CBC: “Arab said they held off notifying
    people was because police suggested it
    would help them in their investigation.”
    Hon. Patricia Arab,
    MEd., CCC, ECNS
    Minister, Internal Services and
    Communications Nova Scotia
    $138,281
    Formerly
    HRSB Teacher
    SSRSB Co-ordinator

  38. ~$ ln -s responsibility.txt /dev/null
    “There was no conversation between us and
    the province about holding off and not
    telling anybody.”
    Supt Jim Perrin
    Halifax Regional Police

  39. ~$ ln -s responsibility.txt /dev/null
    “There's no question, this was not someone
    just playing around. It was someone who
    was intentionally after information that was
    housed on the site.”
    “The employee was involved in doing some
    research on the site and inadvertently made
    an entry to a line on the site — made a
    typing error and identified that they were
    seeing documents they should not have seen.”
    Jeff Conrad, BSc
    Deputy Minister, Internal Services
    $173,988
    Formerly
    Associate DM, NSGov
    Executive Lead, NSGov
    Leadership, Service Canada

  40. ~$ ln -s responsibility.txt /dev/null
    "Someone went in through the URL and just
    sequentially went through every
    document available on the portal"
    "Because [FOIPOP] was hosted outside of
    our data centre, in another data centre, in a
    Unisys data centre, we don't have the same
    line of sight to what is happening on that
    application"
    "My cyber-team is on heightened alert”
    Sandra Cascadden, PEng
    Associate DM / CIO / Chief Privacy
    Officer
    $160,126
    Formerly
    Chief Health Information Officer
    Director IT CDHA
    Manager IT Aliant/MTT Mobility

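The pattern Cascadden describes, one client walking attachmentRSN values in order, is exactly what ordinary web-server access logs make visible, and the "line of sight" that was said to be missing is a matter of reading them. As an added example that is not part of the talk, the following flags such a client over constructed log lines; it assumes an Apache/Tomcat combined-log layout and uses RFC 5737 documentation addresses, since the portal's real log format is not on the page.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/Tomcat combined-log style is an
# assumption; the portal's real log format is not on the page). Client
# addresses are RFC 5737 documentation ranges; the path mirrors the
# _AttachmentDownload.jsp?attachmentRSN=N URL discussed in the talk.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Mar/2018:21:14:01 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1 HTTP/1.1" 200 48213
203.0.113.10 - - [03/Mar/2018:21:14:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=2 HTTP/1.1" 200 9011
203.0.113.10 - - [03/Mar/2018:21:14:02 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=3 HTTP/1.1" 404 0
203.0.113.10 - - [03/Mar/2018:21:14:03 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=4 HTTP/1.1" 200 120877
203.0.113.10 - - [03/Mar/2018:21:14:03 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=5 HTTP/1.1" 200 33120
198.51.100.7 - - [03/Mar/2018:21:21:10 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1417 HTTP/1.1" 200 77102
198.51.100.7 - - [03/Mar/2018:21:26:58 -0400] "GET /foia/views/_AttachmentDownload.jsp?attachmentRSN=1302 HTTP/1.1" 200 41990
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
RSN_RE = re.compile(r"attachmentRSN=(\d+)")


def parse(log_text):
    """Yield (client_ip, attachmentRSN, status) for each attachment request."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r = RSN_RE.search(m["path"])
        if r:
            yield m["ip"], int(r.group(1)), int(m["status"])


def find_enumerators(log_text, min_run=4):
    """Return {client_ip: (longest_consecutive_run, total_requests)} for clients
    whose attachmentRSN values, in request order, form a run of at least
    min_run consecutive ids. 404s are counted on purpose: a client walking ids
    it could not have learned from the Disclosure Log is the signal, whether or
    not each id resolves to a document."""
    per_ip = defaultdict(list)
    for ip, rsn, _status in parse(log_text):
        per_ip[ip].append(rsn)
    flagged = {}
    for ip, rsns in per_ip.items():
        longest = run = 1
        for prev, cur in zip(rsns, rsns[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = (longest, len(rsns))
    return flagged


if __name__ == "__main__":
    for ip, (run, total) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {run} consecutive attachmentRSN ids across {total} requests")
```

The second client in the sample, which fetches two unrelated ids minutes apart, is what a visitor following links from the Disclosure Log looks like and is not flagged.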
  41. ~$ ln -s responsibility.txt /dev/null
    April 19 “Can we leverage tech to stop fake news
    and disinformation campaigns when it’s becoming
    easier to mislead, manipulate and influence
    people?”
    April 23 “As you contemplate incidents and
    breaches across the world, heed these
    assumptions:
    - You may not have all of the facts;
    - The media sensationalize information to
    increase readership.
    - Determining attribution is one piece of the
    puzzle, determining intent is another. “
    Robert Samuel, CISSP
    Chief Information Security Officer
    $79,614
    Vice-Chair of the National CIO Subcommittee on
    Information Protection (NCSIP)
    Formerly
    Senior Advisor Shared Services Canada
    Chief of Staff DND
    Manager Client Services DND

  42. ~$ ln -s responsibility.txt /dev/null
    April 19 “Can we leverage tech to stop fake news and
    disinformation campaigns when it’s becoming easier to
    mislead, manipulate and influence people?”
    April 23 “As you contemplate incidents and breaches
    across the world, heed these assumptions:
    - You may not have all of the facts;
    - The media sensationalize information to increase
    readership.
    - Determining attribution is one piece of the puzzle,
    determining intent is another. “
    Robert Samuel, CISSP
    Chief Information Security Officer
    $79,614
    Vice-Chair of the National CIO Subcommittee on
    Information Protection (NCSIP)
    Formerly
    ● Senior Advisor SSC
    ● Chief of Staff DND
    ● Manager Client Services DND

  43. NSGov Breach
    Response Policy
    From Step A to “SWAT team”
    NSGov Breach
    Response Policy

  44. ~$ wget Managing-a-privacy-breach.pdf
    Who was responsible for this process?
    Who implemented each step?
    What checks and balances were in place?
    Policy is public.
    https://novascotia.ca/is/programs-and-services/documents/Managing-a-privacy-breach.pdf

  45. ~$ wget Managing-a-privacy-breach.pdf
    If a breach has been identified, then you must act immediately to:
    1. Contain the breach
    2. Evaluate the breach and assess the risk
    3. Notify and report details of the breach
    4. Investigate the cause to prevent future breaches
    https://novascotia.ca/is/programs-and-services/documents/Managing-a-privacy-breach.pdf

  46. ~$ wget Managing-a-privacy-breach.pdf
    If a breach has been identified, then you must act immediately to:
    1. Contain the breach
    ● “Discoverer” notifies their supervisor who reportedly left a message with
    the cyber-security team.
    ● Privacy Designate assesses the situation
    a. Did an inappropriate collection, use or disclosure of personal information occur? ✓
    b. Does personal information continue to be at risk? ✓
    c. Do clients or employees continue to be concerned? ✓
    d. Is there a possible violation of policy or law? ✓

  47. ~$ wget Managing-a-privacy-breach.pdf
    2. Evaluate the breach and assess the risk
    Actions are taken by the “Privacy Designate/IAP
    Administrator”, who is responsible for “recommending
    containment efforts”.
    “If a system appears to be compromised, immediately
    contact the Service Desk to discuss taking the system
    off-line until further investigation can take place to fix
    security risks/weaknesses.”

  48. ~$ wget Managing-a-privacy-breach.pdf
    Establish a “response team”
    Depending on the nature of the breach, the supervisor, program/business
    area leadership and privacy designate/IAP administrator should action an
    escalation protocol.
    This protocol will identify who within the organization needs to be notified
    that a breach occurred. Who is notified at this point is based on the initial
    information about the breach.
    This notification may include senior management, deputy head, and
    communications.

  49. ~$ wget Managing-a-privacy-breach.pdf
    Business Area Leadership leads response
    team.
    Team includes senior management,
    deputy head, and communications.
    It may also include Communications
    Director, Legal Counsel, and IT
    resources/Cybersecurity

  50. ~$ wget Managing-a-privacy-breach.pdf
    2. Assess the Extent and Impact
    Assess the PII involved on a case-by-case basis. Context is
    important, as is specificity.
    Evaluate the cause and Extent of the Breach
    The policy itself says that if there is a “deliberate database
    intrusion”, the “information is sought for ‘purposeful
    misuse’”.
    Clearly, since they took down the system, they
    considered this issue to be a “deliberate intrusion”

  51. ~$ wget Managing-a-privacy-breach.pdf
    2. Assess the Extent and Impact
    ● “Unique government identification number”
    ● “Theft by Stranger”
    ● “Intentional Breach”
    ● “Large group or entire scope not identified”
    ● “Data at risk of further disclosure”
    ● “Data was not encrypted”
    ● “Identity theft or fraud risk”
    By policy, this was the highest risk breach
    imaginable.

  52. ~$ wget Managing-a-privacy-breach.pdf
    3. Notify and Report on the Breach
    Notification must describe particulars including mitigation
    steps, contact info, steps taken to contain, etc.
    “An individual was apprehended and charged by the Halifax
    Regional Police in connection with inappropriately accessing
    7000 documents through the FOIPOP website between March
    3 and March 5 2018.”
    Letter sent by Deputy Minister Jeff Conrad, April 18, 2018
    https://twitter.com/kempthead/status/98699352187281817

  53. ~$ wget Managing-a-privacy-breach.pdf
    3. Notify and Report on the Breach
    Letter sent by Deputy Minister Jeff Conrad, April 18, 2018
    Must describe particulars including mitigation steps, contact
    info, steps taken to contain, etc.
    “An individual was apprehended and charged by the Halifax
    Regional Police in connection with inappropriately accessing
    7000 documents through the FOIPOP website between March
    3 and March 5 2018.”
    https://twitter.com/kempthead/status/98699352187281817

  54. ~$ wget Managing-a-privacy-breach.pdf
    Clearly the thought process of the Department of Internal Services team was:
    1) We accidentally noticed that someone accessed files they shouldn’t have
    had access to.
    2) We can’t admit we left files out in the open in violation of several policies,
    laws and our own ToS, so call it a “compromise”.
    3) Now the risk rating is off the charts!
    4) Notify the police that an elite hacker has breached government systems,
    and stolen personal information that could be used for identity theft,
    from his home IP address.

  58. ~$ apt-cache search ‘defense lawyer’
    #!/bin/bash
    # Same sequential-id loop as slide 5, pointed at the public lobbyist registry;
    # the output file and the URL are separate quoted arguments.
    for i in {600..1200}
    do
    wget --user-agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0" -O "record$i.html" "https://novascotia.ca/sns/lobbyist/search.asp?regid=$i&lobbytype=consultant"
    done

  59. ~$ tail -f ~/clusterfsck.txt
    To be very clear: this can’t happen again.
    Wget is not a crime.
    The Province is required to revisit its policies, and
    how they led to this.

  62. ~$ members breach-response
    Jeff Conrad,
    Deputy Minister /
    Career Bureaucrat
    Sandra Cascadden,
    CIO / PEng
    Robert Samuel,
    CISO / CISSP

  63. ~$ tail -f ~/clusterfsck.txt
    The team that will revisit this situation is
    ● The same team that failed to secure the system
    ● The same team that wrote the response policy
    ● The same team that is advising the Cabinet
    ● The same team that claimed the police said to keep quiet
    ● The same team that briefed the police on the offense
    Most importantly:
    ● The same team directly responsible for the breach of private information

  65. ~$ shutdown now
    Support:
    https://tinyurl.com/wgetisnotacrime
    Questions? Comments? Heckling?
    [email protected]
