January 20, 2015

Physical Breach Highlights Security Holes at Canada’s Electronic Surveillance Agency

The new headquarters of Canada’s electronic surveillance agency had an “extreme vulnerability” which was inadvertently breached by firefighters responding to an emergency call, the Toronto Star reports. The Canadian Communications Security Establishment (CSE) revealed the vulnerability by sending uncensored documents in response to an access to information request by the Star about the fire.
The sensitive information contained in the documents was highlighted, but not censored, compounding one security breakdown with another.
During the construction of the $800 million CAD (about $660 million USD) building for the CSE, a routine call in response to a small fire lead local firefighters to different entrance than the one they were expected at. Finding no-one there, they cut a padlock to access the building.
The documents also reveal vulnerabilities such as inoperative security cameras and a long-missing visitor pass. At least some of those vulnerabilities have since been addressed, and the agency told the Star that the construction access point used in the incident no longer exists, now that the building is complete and occupied.

The documents also included the identities of several CSE employees, which are usually kept secret, along with contact information.
ICANN revealed in December that a network security breach started with a successful spear phishing email, as low tech decision-making continues to be a major factor in information security.
“Careless and untrained insiders” were blamed for 42 percent of breaches at US federal agencies in a 2014 survey by SolarWinds.
read more: