Canada’s ‘cybersecurity’ bill is a dangerous overreach
The Trudeau government has proposed a new bill that paves the way for the further erosion of the digital rights of ordinary Canadians. Bill C-26 was first introduced and passed its first reading in June of 2022, following several other bills – specifically C-11, C-18, and C-36 – which would also threaten freedom of speech and freedom of the press. Bill C-26, often referred to as the cybersecurity bill in mainstream news, proposes significant amendments to the Telecommunications Act and is frighteningly open-ended in its wording.
Telecommunications providers can be ordered by the Governor in Council to completely cut off any user’s access to services or restrict their access to certain facilities. One of the amendments includes a non-disclosure provision that would shroud the Governor in Council’s order in secrecy, meaning the person affected would not even be made aware of its existence. Such measures would deprive individuals of due process and leave them to the whims of unelected bureaucrats and political functionaries.
Federal public safety minister Marco Mendicino said that the legislation would “protect Canadian cybersecurity by strengthening the partnerships between the government and the telecommunications sector,” but the bill has already been met with criticism over transparency and accountability from opposition MPs. Several activists and civil society groups, such as the Canadian Civil Liberties Association, have also criticized the bill as authoritarian and expressed concerns over the broad freedoms it would grant to regulators and service providers.
In addition to jeopardizing privacy and due process, the bill would also permit the government to share citizens’ collected data with foreign governments and entities. This would have far-reaching consequences that most Canadians cannot even imagine.
Read: https://easydns.com/blog/2023/01/27/canadas-bill-c-26-yet-another-government-power-grab/
IT Pros Sound Alarm: ChatGPT Threat Looms Over Cybersecurity
Are we one year away from a devastating cyberattack credited to ChatGPT? According to a recent survey conducted by BlackBerry Limited, a shocking 51% of IT professionals believe so. The survey, which polled 1,500 IT decision-makers across North America, the UK, and Australia, exposed a perception that while ChatGPT is generally viewed as a tool for good, 74% acknowledge its potential to wreak havoc on cybersecurity, with its ability to help hackers craft more believable phishing emails being the top concern (53%).
Shishir Singh, Chief Technology Officer of Cybersecurity at BlackBerry, explains that the technology will likely increase its influence in the cyber industry over time. He acknowledges that while there are many benefits to be gained from this advanced technology, its ramifications cannot be ignored. As the platform and the hackers’ experience mature, it will become more challenging to defend against without using AI in defense.
Hackers crafting more believable phishing emails, less experienced hackers sharpening their skills, and spreading misinformation were the top global concerns among IT professionals. But they need to be more active – a massive 82% of IT decision-makers plan to invest in AI-driven cybersecurity in the next two years, with 48% planning to do so by the end of 2023.
While IT directors are optimistic about ChatGPT’s potential to enhance cybersecurity for businesses, they also believe that governments are responsible for regulating advanced technologies. As for the competition between technology and research professionals and cybercriminals, the consensus among the former is that they will come out on top, gaining more from the capabilities of ChatGPT than cybercriminals. But as hackers continue to improve at using ChatGPT for malicious purposes, the fight for cybersecurity will only get more challenging.
Read: https://www.darkreading.com/attacks-breaches/chatgpt-may-already-be-used-in-nation-state-cyberattacks-say-it-decision-makers-in-blackberry-global-research
Latest of 8 Cyberattacks on T-Mobile Wireless Carrier Exposes Customers’ Personal and Account Information
The US wireless carrier T-Mobile is investigating a data breach with a third-party cyber security company. The breach leaked users’ personal and account information, but T-Mobile reported that customers’ banking and financial information remains safe. This is the eighth cyber security attack on the wireless carrier since 2018.
T-Mobile reported noticing signs of malicious activity on January 5th but claimed that the breach was stopped within 24 hours, before any of the company’s internal systems could become compromised. However, in an SEC filing from January 19th, T-Mobile reported that hackers had been exfiltrating customer data through a vulnerable API since November 25th, 2022. Compromised data included basic customer information such as name, date of birth, billing address, email, phone number, and account numbers.
Dr. Ilia Kolochenko, Founder, CEO, and Chief Architect at ImmuniWeb, commented on the matter as follows: “Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs…but also the full spectrum of accidentally exposed APIs from test and pre-production environments…that have privileged access to sensitive corporate data.”
Meanwhile, T-Mobile has begun contacting the 37 million users potentially affected by the breach and has reported the incident to the concerned law enforcement agencies. The Federal Communications Commission (FCC) has also opened up an investigation into the matter, the latest in a string of data breaches that could have “significant costs” for the company.
The FCC probe may lead to another large settlement for compromised T-Mobile customers. In 2021, the carrier paid $350m to data breach victims while simultaneously investing $150m into cybersecurity and cyber defenses.
Read: https://www.cpomagazine.com/cyber-security/t-mobile-data-breach-hacker-accessed-personal-details-of-37-million-subscribers/
2022 Proven to Be Ground-Breaking Year for DDoS Attacks on Russia
Russia’s largest internet service provider (ISP), Rostelecom, stated in a recent report that 2022 had proven itself to be “a record-breaking (year for) DDoS attack(s).” The ISP report stated that Russia’s largest DDoS attack for 2022 was 760Gb/s—almost double the size of 2021’s top attack—while its longest attack lasted 2000 hours or three months. Rostelecom claims that the latest deluge of attacks comes in a bid to disrupt operations in light of Russia’s current invasion of Ukraine. It further stated that though most DDoS attacks use a “carpet bombing” method of targeting multiple IP addresses for a single organization in a short timeframe, since Russia began its war with Ukraine these attacks have steadily become more fine-tuned and sophisticated.
“Websites of Russian companies have become a key target for hackers. The latter actively used DDoS and web attacks to make online resources inaccessible to users, thus disrupting the work of companies and organizations and sowing panic in society,” Rostelecom said. The ISP further commented that many of these attacks could lead to hackers taking total control of an affected system and stealing users’ private data.
Both Russia and Ukraine have been using DDoS and other cyberattacks to gain an advantage over each other in light of the current war. The Ukrainian cyber effort has been bolstered by a volunteer global “IT army.” The Russian effort, meanwhile, has been supported by hacktivists loyal to the Kremlin. The largest and most effective of the latter’s attacks was a major DDoS campaign against US airports by the prolific Killnet group.
Read: https://www.infosecurity-magazine.com/news/recordbreaking-year-ddos-targeting/
Elsewhere Online:
Crash detection feature on Apple’s iPhone causes false 911 calls at ski resorts
Read: https://www.zerohedge.com/technology/apples-crash-detection-feature-triggers-false-911-calls-ski-resorts
A security patch for Drupal is made available to address an Apigee Edge vulnerability.
Read: https://www.cisa.gov/uscert/ncas/current-activity/2023/02/02/drupal-releases-security-update-address-vulnerability-apigee-edge
Security services have been bypassed and users directed to malicious sites using ClickFunnels
Read: https://www.infosecurity-magazine.com/news/threat-actors-clickfunnels-bypass
A security flaw was found in the Cisco IOx and F5 BIG-IP products
Read: https://thehackernews.com/2023/02/new-high-severity-vulnerabilities.html
Jira software from Atlassian has been discovered to contain a serious authentication flaw
Read: https://thehackernews.com/2023/02/atlassians-jira-software-found.html
Columbia Journalism School report by former NYTimes Pulitzer winner finds ethical issues with “Russiagate” reporting
Read: https://www.cjr.org/special_report/trumped-up-press-versus-president-ed-note.php
The quote is from Buckminster Fuller
My guess for this week’s quote would be Elon Musk.
Bucky Fuller
Russ beat me. I think it’s Bucky Fuller, too.