ISA is committed to keeping the security community up to date with the latest cybersecurity news.
FBI issues Windows 7 warning
On August 3, the Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) reminding companies of the risks of continuing to run Windows 7. Microsoft ended support for Windows 7 on January 14, 2020, and now provides security updates and technical support only to customers on extended security update (ESU) plans. ESU pricing rises with each year the old operating system stays in use, and a Windows 7 system that is not covered by such a plan receives no security fixes at all; the FBI underscores that the risk of a cyber attack on those systems keeps growing.
“The FBI has observed cyber criminals targeting computer network infrastructure after an operating system achieves end of life status. Continuing to use Windows 7 within an enterprise may provide cyber criminals access into computer systems,” advises the statement, which also provides a sobering chronology of recent attacks on Windows 7-based systems, including the devastating WannaCry attack in 2017. “With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.”
The FBI acknowledged that replacing Windows 7 can be difficult (e.g., “cost for new hardware and software and updating existing custom software”), but concluded that the risks of staying on it likely outweigh those challenges.
Companies are strongly encouraged to review their network infrastructures for any remaining Windows 7 instances. Remote workers’ systems using Windows 7 should also be identified, and designated for upgrade or replacement as appropriate. While Microsoft’s offer of complimentary upgrades to Windows 10 officially expired in 2016, free upgrades still appear to be available online according to reports in ZDNet and Forbes.
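The review of remaining Windows 7 instances that the FBI recommends can be started from Active Directory. The script below is an added example written for this page, not part of the FBI notice or of any ISA tooling. It assumes the RSAT ActiveDirectory module, permission to read computer objects, and WinRM reachability to the hosts (remote workers’ machines that are off the VPN will not be reachable and need a separate sweep). It uses Get-WmiObject rather than Get-CimInstance because Windows 7 may still be running PowerShell 2.0, and it assumes, based on how slmgr.vbs reports it, that an activated ESU add-on appears in the SoftwareLicensingProduct class with “ESU” in its name and LicenseStatus 1. The 90-day staleness cutoff and the output file name are arbitrary choices.

```powershell
# Added example: inventory domain-joined machines that still report Windows 7 and
# record whether each reachable one has an active ESU licence.
Import-Module ActiveDirectory

$staleAfter = (Get-Date).AddDays(-90)   # assumption: machines silent for 90+ days are likely retired

$win7 = Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"' `
            -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate |
        Where-Object { $_.Enabled -and $_.LastLogonDate -gt $staleAfter }

$report = foreach ($pc in $win7) {
    try {
        # SoftwareLicensingProduct is the WMI class behind slmgr.vbs; assumption: the ESU
        # add-on is listed there with "ESU" in its name and LicenseStatus 1 once activated.
        $esu = Invoke-Command -ComputerName $pc.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-WmiObject -Class SoftwareLicensingProduct |
                Where-Object { $_.Name -like '*ESU*' -and $_.LicenseStatus -eq 1 } |
                Select-Object -ExpandProperty Name
        }
        $esuState = if ($esu) { 'ESU active' } else { 'NO ESU - unpatched' }
    } catch {
        $esuState = 'unreachable'       # off-network or WinRM disabled: still needs follow-up
    }
    [pscustomobject]@{
        Name      = $pc.Name
        OS        = $pc.OperatingSystem
        Build     = $pc.OperatingSystemVersion
        LastLogon = $pc.LastLogonDate
        ESU       = $esuState
    }
}

# Unpatched and unreachable hosts sort to the top of the list for remediation.
$report | Sort-Object ESU, LastLogon -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\windows7-inventory.csv -NoTypeInformation
```

Machines that never joined the domain (personal devices of remote workers, lab equipment) will not appear here; pair this with VPN or NAC logs that record the client operating system.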
Canada’s COVID-19 tracing app launched
On July 31, Canada’s COVID-19 contact tracing app was released for use. The initial launch of the app is focused on Ontario, but already, Alberta has committed to using the app as well and plans to abandon its local “ABTraceTogether” application. The Atlantic provinces are also expected to come on board shortly, pending the early results of the Ontario implementation. Discussions are proceeding with the other provinces as well, as there is general agreement that a single national application will offer the greatest chance for effective contact tracing countrywide.
The development project was spearheaded by the Canadian Digital Service and the Ontario Digital Service. A group effort to create the app included open source code development from volunteers at Shopify Inc., security features and testing from BlackBerry Ltd., and Bluetooth communication technologies provided by Google and Apple.
The app uses the phone’s Bluetooth radio to silently exchange codes with other phones within about two metres, roughly every five minutes. The codes are random and change frequently, so they cannot be traced back to a phone or its owner; your personal information, such as name, address, location, health details or phone contacts, is never transmitted or stored. The app does not use GPS or any location service.
If a user reports a positive COVID-19 test through the app, every phone that recorded one of that user’s codes in the preceding two weeks receives a notification. The comparison is done on each phone against a list of keys published by the health authority, not by a central server that tracks who met whom. Exchanged codes older than 15 days are automatically purged.
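The exchange described above follows the Google/Apple exposure notification framework. What follows is an added example written for this page, not the app’s code: a Python model of the key schedule and of the on-phone matching, using only the standard library. The HKDF derivation with info “EN-RPIK” and the padded block layout follow the published specification, but the final AES-128 step is replaced by truncated HMAC-SHA256 so the example runs without a third-party crypto library, so the codes it produces are not interoperable with real apps. The Phone class, the simulate_encounter scenario and the timestamp are constructed for illustration.

```python
"""Toy model of the key schedule behind the exposure notification framework
used by COVID Alert. Added example, not the app's code; stdlib only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

INTERVAL_SECONDS = 600             # one EN interval is 10 minutes
INTERVALS_PER_DAY = 24 * 6
RETENTION_DAYS = 15                # page: exchanged codes older than 15 days are purged
DIAGNOSIS_WINDOW_DAYS = 14         # page: contacts from the preceding two weeks are notified


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def day_of(interval: int) -> int:
    return interval // INTERVALS_PER_DAY


def rolling_proximity_id(tek: bytes, interval: int) -> bytes:
    """The 16-byte code broadcast during one interval. Key derivation (HKDF with
    info "EN-RPIK") and the padded block layout follow the GAEN spec; the last
    step uses truncated HMAC-SHA256 instead of AES-128-ECB (stand-in, stdlib only).
    Codes change every interval and cannot be linked without the day's TEK."""
    rpik = hkdf_sha256(tek, b"", b"EN-RPIK", 16)
    padded = b"EN-RPI" + bytes(6) + interval.to_bytes(4, "little")
    return hmac.new(rpik, padded, hashlib.sha256).digest()[:16]


@dataclass
class Phone:
    name: str
    teks: Dict[int, bytes] = field(default_factory=dict)             # day -> temporary exposure key
    observed: List[Tuple[int, bytes]] = field(default_factory=list)  # (interval, code heard)

    def tek_for(self, interval: int) -> bytes:
        # one fresh random key per day; it leaves the phone only if the user reports a positive test
        return self.teks.setdefault(day_of(interval), secrets.token_bytes(16))

    def broadcast(self, interval: int) -> bytes:
        return rolling_proximity_id(self.tek_for(interval), interval)

    def hear(self, interval: int, code: bytes) -> None:
        self.observed.append((interval, code))
        self.purge(interval)

    def purge(self, now: int) -> None:
        cutoff = now - RETENTION_DAYS * INTERVALS_PER_DAY
        self.observed = [(i, c) for i, c in self.observed if i >= cutoff]

    def diagnosis_keys(self, now: int) -> List[Tuple[int, bytes]]:
        """What a positive user uploads: (day, TEK) pairs for the last 14 days.
        No name, location or contact list is included."""
        first_day = day_of(now) - DIAGNOSIS_WINDOW_DAYS
        return [(d, k) for d, k in self.teks.items() if d >= first_day]

    def match(self, keys: List[Tuple[int, bytes]]) -> int:
        """Run locally on every phone after downloading the published keys;
        returns the number of stored codes that belong to a reported user."""
        hits = 0
        for day, tek in keys:
            start = day * INTERVALS_PER_DAY
            codes = {rolling_proximity_id(tek, i) for i in range(start, start + INTERVALS_PER_DAY)}
            hits += sum(1 for i, c in self.observed if day_of(i) == day and c in codes)
        return hits


def simulate_encounter() -> Tuple[int, int, bool, int]:
    """Constructed scenario: Alice and Bob spend three intervals together, Carol is
    near Bob only, and Bob also met Alice 16 days earlier (outside retention).
    Alice reports a positive test two days after the recent encounter.
    Returns (bob_hits, carol_hits, alice_codes_rotate, codes_bob_still_stores)."""
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    t0 = 1_596_000_000 // INTERVAL_SECONDS               # constructed timestamp, late July 2020
    old = t0 - 16 * INTERVALS_PER_DAY
    bob.hear(old, alice.broadcast(old))
    for i in range(t0, t0 + 3):
        bob.hear(i, alice.broadcast(i))
        alice.hear(i, bob.broadcast(i))
        carol.hear(i, bob.broadcast(i))
    rotates = alice.broadcast(t0) != alice.broadcast(t0 + 1)
    published = alice.diagnosis_keys(t0 + 2 * INTERVALS_PER_DAY)   # relayed via the health-authority server
    return bob.match(published), carol.match(published), rotates, len(bob.observed)


if __name__ == "__main__":
    print(simulate_encounter())   # (3, 0, True, 3)
```

Two properties worth noticing in the run: the server only ever sees per-day keys from people who chose to report, and a phone that merely observed Bob (Carol) learns nothing about Alice, because matching requires having heard Alice’s codes directly. Bob’s 16-day-old record of Alice is gone from his phone before the keys are published, so neither the retention window nor the 14-day upload window leaks older contacts.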
Concerns about the privacy and security of the application were expected. Consequently, the Office of the Privacy Commissioner of Canada conducted a thorough review of the security and privacy implications of the application. In an official release summarizing its analysis and findings, the OPC stated “While experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data, we are satisfied that exceptionally strong technical security safeguards have been put in place.” Ontario’s privacy watchdog also released a statement confirming their support for use of the app.
The app is available for both iPhone and Android smartphones. Be sure to download the app directly from the links on the official Government of Canada website on your smartphone in order to avoid fake or compromised versions.
Canadian fundraisers affected by May ransomware attack on Blackbaud
The Centre for Addiction and Mental Health (CAMH), CARE Canada, and Food Banks Canada are among dozens of fundraising organizations affected by the May 2020 ransomware attack on Blackbaud, one of the world’s largest providers of CRM software for fundraisers and non-profit organizations.
Blackbaud’s official statement was released on July 16, and their notification to affected customers triggered a wave of notification alerts among their Canadian, U.S., and European client base.
According to CARE’s statement, they were told that “the breach did not include sensitive financial information, such as credit card numbers and banking information, which were encrypted in Blackbaud’s database”. However, the incident did affect data “such as email and mail addresses, names and phone numbers, and in some cases date of birth”.
While Blackbaud reportedly detected and stopped the ransomware before it encrypted their files, the attackers had already exfiltrated donor data. Blackbaud apparently paid the ransom and was told that the stolen copy had been destroyed, an assurance that no victim can verify and that does not end the exposure of the affected donors.
Food Banks Canada’s statement outlined a similar sequence of events. In CAMH’s email to their donor base, they advised that “[i]n addition to notifying all potentially affected parties directly, we are working closely with Blackbaud to understand why this happened, what data [were] impacted, and what actions they are taking to increase their security.”
Foundation offices at several Canadian universities were affected as well, with notices posted on July 20 by Ambrose University in Calgary, July 24 by Western University in London, and July 29 by the University of Toronto.
The incident has provided a fascinating window into the different communications processes and strategies at the different organizations affected. More importantly, it highlights the importance of understanding the cybersecurity exposures of not only your own infrastructure, but that of your partners and third-party providers. As law firm Miller Thomson outlined in a general news alert bulletin, “Your organization must understand that while Blackbaud is its service provider, any potential legal or contractual obligations, including potential notification requirements with respect to the particular individuals involved or reports to Privacy Commissioners, likely fall on the particular charity or not-for-profit organization.”