Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 09-29-2021, 02:09 PM   #201
Wormius
Franchise Player

At least Google or Wayback Machine didn’t get around to caching that.
Old 09-29-2021, 02:21 PM   #202
ben voyonsdonc
Franchise Player

I'm surprised that this isn't bigger news. CSEC should be asked very tough questions about how they could possibly require attendees at their events to upload crucial documents to a company without having done any due diligence to find out how this information would be protected. Heads should certainly roll at CSEC, but also the media should be all over this. Thousands of people's personal information was given to a shady company who left it completely vulnerable and has seemingly disappeared. Instead of having an actual statement about the mess that they created and how people could be impacted by it, CSEC has just made a minor change to the website.

Of course, this situation all stems from the fact that we don't have a true vaccine passport program here...just a program that was slapped together in five minutes by drunk monkeys - namely the provincial government and Tyler Shandro.
The Following 11 Users Say Thank You to ben voyonsdonc For This Useful Post:
Old 09-29-2021, 02:21 PM   #203
Esoteric
First Line Centre

I signed up for some credit monitoring just in case.
Really wish I did some more research before sending in some documents.
Old 09-29-2021, 02:22 PM   #204
djsFlames
Lifetime Suspension

Quote:
Originally Posted by Inglewood Jack
from the CBC article...would this not be an identity thief's dream? if someone went to your bank or phone service provider claiming to be you and had all the information below, depending on how rigorous the support person is, this might be enough to gain control of your account.

Didn't know what users were entering into their app in order to "confirm".

Figured standard info + pdf/AB health number.

Yeah, that's bad.
Old 09-29-2021, 03:42 PM   #205
rohara66
First Line Centre

Quote:
Originally Posted by Inglewood Jack
what are the chances that a CBC reporter and their source are the first/only people to grab the unsecured data? I'm going to assume that by the time a vulnerability like this has made front page news, the bad guys have already smashed and grabbed everything. or in this case, calmly walked through the front door that was helpfully propped open with a doorstop.

CBC told the app developer she was running the story shortly (or later that night), which is when the app went down (was taken offline, I guess), then the story ran.

But I believe the Twitter post went live much earlier in the afternoon.
Old 09-29-2021, 03:53 PM   #206
Wormius
Franchise Player

Presumably they could tell, if they weren’t complete knobs, if those files were accessed or downloaded and from what IP address.
Old 09-29-2021, 04:07 PM   #207
powderjunkie
Franchise Player

Presumably anyone wanting that info would use a VPN or something.
Old 09-29-2021, 04:10 PM   #208
Patek23
Franchise Player

Yeah, anyone who’s going to use that information for nefarious reasons typically would be doing so in a way to cover their digital footprints.
Old 09-29-2021, 04:12 PM   #209
Wormius
Franchise Player

Quote:
Originally Posted by powderjunkie
Presumably anyone wanting that info would use a VPN or something.

Even so, depending on what the victims are expecting for compensation, if the guy can at least prove it wasn’t downloaded en masse by anybody except for this guy and the CBC reporter, it would be beneficial.
Old 09-29-2021, 04:14 PM   #210
Wormius
Franchise Player

CSEC's acceptable proof of vaccination for Saddledome games

Quote:
Originally Posted by Flaming Homer
Yeah, anyone who’s going to use that information for nefarious reasons typically would be doing so in a way to cover their digital footprints.

My point was more that it would give some people peace of mind if they knew it wasn’t downloaded by anyone else.
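The point made in posts #206 to #210, that the operator's own web-server access logs should show whether the uploaded documents were fetched and whether one client pulled them in bulk, is what an incident responder would check first. The following is an added example, not code from PortPass, CSEC or anyone in this thread: it parses constructed Common Log Format lines (made-up addresses from the documentation ranges, an assumed /uploads/docs/ path for the stored documents) and flags any client address that fetched many distinct documents faster than a person clicking through could.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format. The addresses,
# timestamps and paths are invented for this example; they are not real logs.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Sep/2021:13:02:11 -0600] "GET /uploads/docs/u1001.pdf HTTP/1.1" 200 48211
203.0.113.10 - - [29/Sep/2021:13:02:12 -0600] "GET /uploads/docs/u1002.pdf HTTP/1.1" 200 51330
203.0.113.10 - - [29/Sep/2021:13:02:12 -0600] "GET /uploads/docs/u1003.pdf HTTP/1.1" 200 47019
203.0.113.10 - - [29/Sep/2021:13:02:13 -0600] "GET /uploads/docs/u1004.pdf HTTP/1.1" 200 50112
203.0.113.10 - - [29/Sep/2021:13:02:13 -0600] "GET /uploads/docs/u1005.pdf HTTP/1.1" 200 49877
198.51.100.7 - - [29/Sep/2021:14:40:05 -0600] "GET /uploads/docs/u1042.pdf HTTP/1.1" 200 50231
198.51.100.7 - - [29/Sep/2021:14:41:30 -0600] "GET /uploads/docs/u1043.pdf HTTP/1.1" 200 48770
192.0.2.55 - - [29/Sep/2021:15:10:00 -0600] "GET /index.html HTTP/1.1" 200 1024
192.0.2.55 - - [29/Sep/2021:15:10:02 -0600] "GET /uploads/docs/u1077.pdf HTTP/1.1" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
DOC_PREFIX = "/uploads/docs/"  # assumed location of the uploaded documents


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def summarize_document_access(log_text, doc_prefix=DOC_PREFIX):
    """Per client address: the distinct documents served (HTTP 200) and the time window."""
    per_ip = defaultdict(lambda: {"docs": set(), "first": None, "last": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        # Only successful fetches of document paths count as an actual disclosure.
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        if not rec["path"].startswith(doc_prefix):
            continue
        entry = per_ip[rec["ip"]]
        entry["docs"].add(rec["path"])
        entry["first"] = rec["ts"] if entry["first"] is None else min(entry["first"], rec["ts"])
        entry["last"] = rec["ts"] if entry["last"] is None else max(entry["last"], rec["ts"])
    return per_ip


def flag_bulk_readers(per_ip, min_docs=5, max_seconds_per_doc=2.0):
    """Addresses that fetched many distinct documents at a rate no one clicking by hand reaches."""
    flagged = []
    for ip, e in per_ip.items():
        n = len(e["docs"])
        span = (e["last"] - e["first"]).total_seconds()
        if n >= min_docs and span / n <= max_seconds_per_doc:
            flagged.append((ip, n, span))
    return sorted(flagged)


def report(log_text):
    """Human-readable summary: one line per address, then the list of bulk readers."""
    per_ip = summarize_document_access(log_text)
    lines = []
    for ip, e in sorted(per_ip.items()):
        lines.append(f"{ip}: {len(e['docs'])} documents between "
                     f"{e['first']:%H:%M:%S} and {e['last']:%H:%M:%S}")
    bulk = flag_bulk_readers(per_ip)
    lines.append("bulk readers: " + (", ".join(ip for ip, _, _ in bulk) if bulk else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the constructed sample this lists two addresses that actually received documents (the 404 from the third never disclosed anything) and flags only the one that pulled five distinct files in two seconds. As posts #207 and #208 note, an address behind a VPN identifies a connection, not a person; what the log still establishes is the scale and speed of access, which is exactly the "was it downloaded en masse" question raised in #209.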
Old 09-29-2021, 04:34 PM   #211
kaddy
Crash and Bang Winger

Quote:
Originally Posted by Bring_Back_Shantz
What really bothers me about this is the complete silence from CSEC.
I emailed my season ticket rep and got pretty much the same canned response about how they are doing 2 audits, but no follow up communication to season ticket holders about this.

Pretty bad look for CSEC in all of this, and they are handling it really poorly.

I hate dealing with CSEC; the reps I've had are slow to respond and give the same canned replies.

I'm super glad I didn't get to sign up with PortPass, the app kept crashing.

They love to take my money for season tickets and give me a mediocre on-ice product and poor service.
Old 09-29-2021, 05:04 PM   #212
Bring_Back_Shantz
Franchise Player

Quote:
Originally Posted by kaddy
I hate dealing with CSEC; the reps I've had are slow to respond and give the same canned replies.

I'm super glad I didn't get to sign up with PortPass, the app kept crashing.

They love to take my money for season tickets and give me a mediocre on-ice product and poor service.

My rep has actually been pretty responsive through this.
I've been emailing with him asking if it's possible to defer tickets until they get this sorted out.

Obviously there's not much he can do, they only offer full season deferrals, and they have to give the canned response about 2 separate 3rd party audits, but I wanted to make sure that he knows I'm upset.

That being said, I've also been very clear that I empathize with him being in a situation of having to deal with angry customers, and that I think he's doing a good job, but I hope he's able to communicate to his leaders just how badly CSEC has handled this whole situation (especially their complete radio silence on it).
I'm trying my best to tell him "Make sure your manager knows I'm pissed off" without being rude to him, and without going full Karen, and asking to speak to his manager.
Old 09-29-2021, 05:07 PM   #213
VladtheImpaler
Franchise Player

Email? You sending email to CSEC? What do you think this is - 1997 or something? A strongly worded fax message will get the response you are seeking!
Roar, Bengals, Roar!
Old 09-29-2021, 08:11 PM   #214
djsFlames
Lifetime Suspension

Any businesses still using faxes are ones that I want to give my business to!

My old man's company was still using their beast of a machine until 6 or 7 years ago I believe.

It went to the curb this summer. We asked one associate's 14-year-old son if he knew what it was. He did not.
Old 09-29-2021, 09:59 PM   #215
Philly06Cup
Closet Jedi

I remember when CSEC was pushing Bill Smith as mayor. Coincidentally, Calgary Herald and Calgary Sun were also pushing for Bill Smith. I'm guessing CSEC has close ties with Post Media -- explains the lack of news cycle and fair reporting on this PortPass debacle.
Old 09-30-2021, 08:53 PM   #216
tvp2003
Franchise Player

This article contains some more responses from the CEO of Portpass:

Quote:
In an interview with IT World Canada on Wednesday, CEO Zak Hussein acknowledged “issues” are being investigated by two cybersecurity firms. But asked if the reports by CBC and CTV news indicate a serious privacy breach, he initially replied, “No. Our firm is looking to see if this is true.”

Faced with the report that CBC News said it was able to see information on dozens of users and asked if that was a serious privacy breach, when pressed Hussein said, “If there are, of course it is. So we’re waiting to get the audit to say exactly how many people, if that is accurate. I don’t know yet. I’m trying to wait to figure out exactly if this was done, how many.”

...

Asked what the controversy has done to the Calgary company’s reputation, he replied, “it obviously, definitely hurt. We want to apologize if there are any issues. We’re going to also try to see if these things happened and why.”

“I want to get it right,” he said at one point. “I need to get every detail ironed out. If there are any flaws, we can’t have any. I was reassured by our app developers things were OK.”
https://www.itworldcanada.com/articl...stioned/459380

I'm not sure what's so hard to understand. A CBC reporter was able to access confidential data... that's a breach. And if you don't know what failed or how that breach occurred, maybe you shouldn't be in a business that involves sensitive personal information.
The Following 2 Users Say Thank You to tvp2003 For This Useful Post:
Old 09-30-2021, 09:54 PM   #217
djsFlames
Lifetime Suspension

Again, good idea... but I don't think he had the expertise to make it function the way it was intended.

Hopefully he learns from this and improves his approach, and is more thorough the next time around. The reviews on his company warned that he is untrustworthy to work with, and I think that's showing here.

Just be ####ing upfront. The flaws existed from the outset.
Old 09-30-2021, 10:11 PM   #218
OldDutch
#1 Goaltender

This has all the makings of outsourcing offshore and trusting that what you're being told is actually being done.

It happens all the time in the outsourced corporate world. Someone is sold a bill of goods for really cheap and usually they don’t have the internal people to vet if the job was done properly.

I have seen first-hand in a past life plenty of issues like this happen. Like plain-text password passing caught after years of operating.

That all said, you can’t outsource responsibility. Ultimately this guy has to understand that he and his dev team are the same. You take the hit and learn from it.
The Following 3 Users Say Thank You to OldDutch For This Useful Post:
Old 09-30-2021, 11:02 PM   #219
Firebot
#1 Goaltender

Quote:
Originally Posted by tvp2003
This article contains some more responses from the CEO of Portpass:

https://www.itworldcanada.com/articl...stioned/459380

I'm not sure what's so hard to understand. A CBC reporter was able to access confidential data... that's a breach. And if you don't know what failed or how that breach occurred, maybe you shouldn't be in a business that involves sensitive personal information.

What I simply don't get is what exactly he has done for the media to continuously give him the benefit of the doubt as much as they have, when there are so many claims by this individual and site that are misleading or can be seen as outright lies? I've never seen anything like it. Some of this can be validated or audited freely. The CDHN, for example, does not exist.

What part of the app's security features is actually working as described? The CBC journalist has personally validated that she could browse hundreds to thousands of accounts unencrypted with zero security, and inadvertently outed the identity of one redditor through the reporting. The breach is real. A breach is a security failure; it doesn't necessarily need to be used maliciously to still be a breach.

Last edited by Firebot; 10-01-2021 at 01:31 AM.
The Following User Says Thank You to Firebot For This Useful Post:
Old 10-01-2021, 12:37 PM   #220
Electricprez
Crash and Bang Winger

Not a security guy, but do business with a lot of cybersecurity firms, app developers, etc. in general -- so take this with a grain of salt.

Everything about this smacks of PORTPass being outsourced to an inept development team with zero oversight by a completely negligent and incapable founder.

Even the way Zakir talks about this in the media is indicative (to me, anyways) that he doesn't have the slightest clue how cybersecurity works or what the requirements are.

But CSEC is absolutely to blame here as well. I don't know what their protocol is, but even a basic cybersecurity audit would've helped to illuminate the serious issues here.

For example, my small business needs to answer questions like these to do business with enterprise-level vendors, and this is a fraction of the BASIC audit we go through as a not-even-tech firm that deals with minimal sensitive information:

(Boring stuff ahead)

+ Do all systems with access to sensitive information have automatic locking features?
+ Do you maintain access records to all physical locations containing X information?
+ Do you log inventory, tracking, and accountability for X data (including backups) into or out of facilities, and make logs available to X upon request?
+ Do you have 24/7 physical monitoring of locations storing sensitive X information?
+ Will all X data be stored within the US, or are you able to agree to data locality terms that segment our data within the United States?
+ Is MFA required for employees/contractors to log in to production systems?
+ Do you have procedures for securely deleting X data after use?
+ Do you prevent X data from leaving production systems?
+ Do you limit access to X data to only personnel specifically requiring access?
+ Are access logs to X data personally identifiable?
+ Are you able to restrict access to X systems and data only via the interface X provides, if required?

Beyond this, vendors will ask for things like certifications, letters of attestation regarding penetration tests, and so on. If you're building an app, and that app's primary use is dealing with sensitive documentation, not performing even cursory due diligence like this is patently insane. If these types of things WERE asked, and were lied about, well... that's another story. But the evaluation process here ought to have been RIGOROUS given the nature of the application.

Everyone involved here royally screwed up.

Last edited by Electricprez; 10-01-2021 at 12:41 PM.
The Following 14 Users Say Thank You to Electricprez For This Useful Post: