Assigning blame accurately

As a follow-up to the last articles, CBC has today published a new take on the security camera incident at a Cape Breton school last week.

“We are actually going to be sending letters and reaching out to the manufacturers in the very near future,” said Jennifer Rees-Jones, a senior advisor at the Office of the Privacy Commissioner of Canada.

The office wants all manufacturers to make devices that require users to change the default password when they plug the surveillance camera in. It also said the boxes the cameras come in should have strongly worded warnings about the privacy risks if the device is not secure.

These simple steps would make Canada a world leader in IoT security. They’re not without precedent though; in March of this year, a California Senator introduced a cyber-security bill. 

As WCSR reported just last month, the bill would require manufacturers to design devices in such a way that they will:

– … indicate to the consumer when it is collecting information
– obtain consumer consent (presumably through some form of user interface) before the device collects or transmits information

CBC spoke with experts again:

“Some of them have very strong security. Some have no security at all. Some have very weak and hackable security settings,” said Robert Currie, director of the Law and Technology Institute at the Schulich School of Law at Dalhousie University.

Tom Redford of Wilson’s Security in Dartmouth said … “If it’s just left at factory default, you’re leaving yourself susceptible to being hacked,” he said.

The default is to transmit, with no password and no authentication. It’s working as designed. To call it a “hack” implies those viewing the public feed are at fault.

Redford suspects a lack of passwords may be to blame.

The lack of passwords is an issue, and was certainly relevant. The question is: why were there no passwords? The user manual for the device in question recommends setting a password and protecting the video feed.

If the device had defaulted to being password protected, as the Office of the Privacy Commissioner of Canada requested in 2015, this may not have been an issue.
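
A minimal sketch of that secure-by-default behaviour, added here as an illustration and not taken from any camera vendor's firmware: the feed stays closed until the owner replaces the factory credential. The `CameraAuth` class, the list of defaults and the 12-character minimum are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of factory credentials; a real product would ship its own list.
FACTORY_DEFAULTS = {"", "admin", "12345", "password"}
PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example


class CameraAuth:
    """Hypothetical first-boot gate: no video until the owner sets a password."""

    def __init__(self):
        self._salt = None
        self._hash = None  # None means the device is still in factory state

    @property
    def provisioned(self):
        return self._hash is not None

    def _derive(self, password, salt):
        # Store a salted, slow hash of the password, never the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, new_password):
        # Refuse to "change" the password to another well-known default.
        if new_password.lower() in FACTORY_DEFAULTS or len(new_password) < 12:
            raise ValueError("pick a non-default password of 12+ characters")
        self._salt = os.urandom(16)
        self._hash = self._derive(new_password, self._salt)

    def authorize_stream(self, password):
        """Return 'setup_required', 'denied' or 'ok' for a feed request."""
        if not self.provisioned:
            return "setup_required"  # fail closed: factory state serves nothing
        if password is None:
            return "denied"
        candidate = self._derive(password, self._salt)
        return "ok" if hmac.compare_digest(candidate, self._hash) else "denied"


if __name__ == "__main__":
    cam = CameraAuth()
    print(cam.authorize_stream(None))          # factory state
    cam.set_password("correct horse battery")
    print(cam.authorize_stream(None))          # anonymous viewer
    print(cam.authorize_stream("correct horse battery"))
```

With this design an unconfigured camera plugged into an open network exposes only a setup prompt, so skipping the manual leaves the feed private rather than public.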

Nova Scotia’s privacy commissioner and the Cape Breton-Victoria Regional School Board have launched investigations into how the security camera was left open to the internet.

School officials have not revealed the results of their inquiry, but are calling it an “isolated incident.”

From discussions with another school board, it appears likely that a hole was explicitly opened in the school’s firewall to allow it through. That would imply there was a conscious decision to make the cameras available publicly.

I strongly recommend reporters dig a bit deeper on this issue. For example:

  • Who requested the cameras?
  • For what purpose?
  • Who requested they be available publicly?
  • Did the IT department read the manual, and make appropriate recommendations?
  • If they did, were they overruled, and if so, by whom?
  • Whose responsibility is the security of the devices attached to the network?

The Russians are Coming

Last week several webcams at a Cape Breton school were discovered to be broadcasting publicly, and indexed by a search engine, at insecam.org. The camera was taken down after the incident was reported, but CBC’s coverage by Susan Bradley and Jack Julian leaves much to be desired.

(Privacy Commissioner) Tully said passwords need to be encrypted and the length of time images are kept should be limited so they are less likely to be accessed.

The recommended practice is to hash passwords, not encrypt them. That being said, this advice is inapplicable to the issue at hand, and doesn’t address the fact that the device was using the default password, as evidenced by the screenshot that says “change password”.

Charlene Chaisson, a parent of two children at the school, spoke to CBC:

“All I can add is that although it’s my son in the image and it’s alarming, I don’t blame anybody for it happening. Things get hacked all the time and hopefully now the cameras are secure.”

Nothing was “hacked.” One can find default passwords for most devices online in aggregated lists of passwords, or in the user manual for the device. In fact, the manual for the camera in question details how to password protect the camera feed, and explicitly says to set a password for security reasons.

CBC did talk with a cybersecurity expert:

Daniel Tobok, a cybersecurity expert in Toronto, said the problem of webcam images being streamed around the world is common…

… He blames the way the webcams are connected directly to the internet.

With the ever-impending migration to IPv6, more and more devices will be connected to the internet. The issue is not connecting devices to the internet. IP security cameras are designed to connect to the internet, and restricting this one with a firewall would have resolved the issue only by rendering the device inoperable at best, or limiting the exposure to the school’s own network at worst.

Not once in the article did the CBC or the cyber-security expert mention ‘changing the default password’ on devices, which in 2014 InfoWorld ranked as one of the Top 10 Colossal Security Mistakes.

Insecam.org’s FAQ tells users both how to fix their camera and how to have it removed from the site.

Q: How to remove my camera from this site
A: If you want to leave your surveillance camera public accessible but want to remove it from this site send the URL of your camera to email from contacts section. But remember that your camera still will be available to all internet users that use surveillance camera search software and sites like Shodanhq.com. The only solution to make your camera private is to set up a password!

As of May 4, it was no longer linking to the Cape Breton camera.

Kris Klein, a privacy lawyer in Toronto, had this to say:

“You don’t know who was looking at them,” Klein said. “It’s not to say that they were necessarily doing anything wrong, it’s just the fact that they had their own personal image broadcast and made available to the public at large via these shady characters.”

Appeal to emotion aside, the feed was available only because the school board’s own IT staff didn’t read the manual. With accurate reporting of the issue, one realises that the school board employees who set up the camera are the “shady characters” who made the broadcast public.

Hello world!

Welcome to the #0 tech blog news outlet in Atlantic Canada.

All facetiousness aside, this is born out of the misrepresentation of tech in the local media.

I don’t think anyone would dispute that the role of a journalist is to find and report on the truth. It’s one thing to say “a local system administrator didn’t set a password on the school’s camera system” and it’s another to blame the Russians. Even worse, they weren’t the ones who found and reported that issue as they claim; it was reported and action was being taken before CBC even heard about it.

It’s not good enough to just cover tech. It’s important to get it right so people don’t jump to conclusions.

It’s not for us to decide whether it’s just a lack of understanding of what they’re talking about, or whether they don’t care. It’s just very hard to take the local news media very seriously when they think pentesting is to weed out fetishes at city hall.

Subject matter experts have repeatedly reached out to local news, and the response is usually somewhere between derision and silence.

Someone has to do this right. So we’re going to start reporting on local tech issues and upcoming startups, and make sure IT is being covered fairly and accurately.