Sunday, January 5, 2020

THE COURTROOM





2020 Date for decision in FCS breach expected January.

"THE FINAL DEFENSE SUBMISSIONS."

Part One: https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244397172436711/

Part Two: https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244397722436656/

Part Three:
https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244398162436612/

Part Four:
https://www.facebook.com/FamiliesUnitedOntario/photos/a.421920498017720/1244398895769872/

FINAL DEFENCE SUBMISSIONS PDF.

https://unpublishedottawa.com/sites/unpublishedottawa.com/files/letter/118289/Defence-Submissions-R.-v.-Denham.pdf

DEFENCE WRITTEN SUBMISSIONS

https://hunchneck.blogspot.com/2020/01/courtfile-no.html

By Sabrina Bedford. Published on: December 19, 2019 | Last Updated: December 20, 2019 1:30 PM EST.

A woman charged after she posted an image of a hyperlink to the location of a confidential list of local children’s aid clients to Facebook will learn her fate next month.

https://youtu.be/kLOgGC8k-5o

2011: Hyperlinks not considered ‘publications,’ rules Supreme Court

“A hyperlink, by itself, should never be seen as 'publication' of the content to which it refers. When a person follows a hyperlink to a secondary source that contains defamatory words, the actual creator or poster of the defamatory words in the secondary material is the person who is publishing the libel.”

At both the trial and appellate level, the courts ruled the hyperlinks did not constitute publication of the impugned content.

Abella notes in her analysis that hyperlinks are essentially references. “Hyperlinks thus share the same relationship with the content to which they refer as do references. Both communicate that something exists, but do not, by themselves, communicate its content,” she writes.

https://www.canadianlawyermag.com/news/general/hyperlinks-not-considered-publications-rules-supreme-court/271051

The defence argued what Denham did does not constitute publishing. They say the publication occurred when the agency put the information on its website, which they say was accessible to anybody in the public sphere.

“All she did was tell people they (FCS) published it,” defense lawyer Fady Mansour told the judge on Thursday.

“Reiterating is not publishing.”

They said if anybody has committed an offence, it was FCS since they were the ones that published it originally.

The Crown argued that FCS had no intent to publish the information and that it was always their goal to keep it private.

“They did not publish. It was always their intention to keep it private,” Crown attorney Roberto Corbella said.

“They made a mistake. They did not intend to publish this material and it was not published by them.”

The defence lawyers argued, however, that it doesn’t matter if they intended to publish it, it just matters if they did.

The data could have been reached by anybody, the defence claimed.

They argued simply putting something on Facebook does not constitute publishing, but the Crown said it “makes no sense” to suggest that.

If posting something to Facebook isn’t publishing, nothing is, Corbella said.

According to a separate class-action lawsuit against FCS still before the courts, the personal information of the 285 clients was compiled into an electronic file, prepared for the service’s board of directors on new cases arising between April and November of 2015, but was not properly secured on the agency’s network.

According to court records relating to the civil suit against FCS, Denham said she found and clicked on an unrelated document on the website intended for the public. She deleted a portion of the URL, and she was taken to a directory of folders with documents, within which she found the document with the names of local families.

She said she was never asked a user name or password and was never faced with any security measures that impeded her ability to gain access to the documents.

She said she attempted multiple times to advise the agency the confidential documents were available on the public website, beginning in February 2016, but the documents were still publicly available by late April 2016.

This is when she decided to post the location of the report on the Facebook group where she claims she posted an image of a hyperlink, which was deleted by the group’s administrator within hours.

She did not hack any secure portals, she said, rather the site was completely unsecured and she was able to get to the files unimpeded.

Denham has since been dropped as a defendant in the civil case.

She is a registered social service worker (not employed by FCS) and court documents say she went before a discipline committee of the Ontario College of Social Workers and Social Service Workers where she was found to have committed professional misconduct related to the Facebook post.

She appealed the decision and is awaiting a hearing.

Denham told The Recorder and Times in an email that her role in this matter was in no way related to her job as a social worker. She said she was not acting in a professional capacity when she made the Facebook post, but did so as a client of FCS who felt her personal information was being published online “illegally.”

Denham will appear in court on Jan. 13 to receive her judgment on the criminal charges.

(This story has been edited to clarify that Denham did not act in her capacity as a social worker when she made the Facebook post, and that she is appealing the decision of the discipline committee. It also clarifies she is not employed by FCS.)

Kelley Denham was charged in 2016 after she discovered a list of 285 clients she found on the website of Family and Children’s Services (FCS) of Lanark Leeds and Grenville and posted an image of a hyperlink to the list’s location on a popular local Facebook page called Smiths Falls Swapshop.

Denham does not deny gaining access to the confidential list and posting the image of the hyperlink to the social media site. She told the court in an ongoing civil suit the FCS website lacked proper security and she was able to get her hands on the list of clients easily, but the Crown attorney said it was never the organization’s intent for such private information to be seen by the public.

Denham is being charged with mischief over $5,000, mischief to data, unauthorized use of a computer, and publication of identifying information. She pleaded not guilty to all charges.

A judgment on the criminal charges was scheduled for Thursday morning at the Perth courthouse, but it was put over until Jan. 13.

Smiths Falls Police charged Denham in 2016 after a four-month investigation into the release of the private files after a security breach was discovered by FCS staff in April of that year.

The Child Youth and Family Services Act prohibits the publication of information that “has the effect of identifying a child” who is the subject of a child protection proceeding. Being convicted of this carries fines of up to $10,000 and three years in jail.

https://www.recorder.ca/news/local-news/decision-in-fcs-breach-expected-next-month

sbedford@postmedia.com
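The exposure described in the article above (removing the file name from a public document's URL returned a folder listing, with no login prompt) is something a site owner can test for on their own site. The following Python audit is an added example, not code from the article or the court record; the host `agency.example`, the WordPress-style `wp-content/uploads/YYYY/MM/` paths, the file names and the canned responses are all constructed, and the detection assumes the stock "Index of /" listing page that Apache and nginx generate.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Stock auto-index pages (Apache, nginx) carry an "Index of /path" title.
# Assumption: the server uses such a template; a custom listing needs its own marker.
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# Captures link targets; column-sort links such as "?C=N;O=D" never match.
HREF = re.compile(r'href="([^"?#]+)"', re.IGNORECASE)


def parent_directories(url):
    """Return every ancestor directory URL of a file URL, deepest first."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    parents = []
    for depth in range(len(segments) - 1, 0, -1):
        path = "/" + "/".join(segments[:depth]) + "/"
        parents.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return parents


def listed_entries(status, body):
    """Return the names an auto-index page exposes, or [] if it is not a listing."""
    if status != 200 or not LISTING_TITLE.search(body):
        return []  # 401/403/404 or an ordinary page: nothing is being listed
    # Drop the "Parent Directory" link (absolute or "../") and keep the entries.
    return [h for h in HREF.findall(body) if not h.startswith(("/", ".."))]


def audit(published_urls, fetch):
    """Check each ancestor directory once; return {directory_url: [names]}.

    `fetch` is supplied by the caller and maps url -> (status, body), so the
    same logic runs against the owner's own site or against canned responses.
    """
    findings, seen = {}, set()
    for url in published_urls:
        for directory in parent_directories(url):
            if directory in seen:
                continue
            seen.add(directory)
            names = listed_entries(*fetch(directory))
            if names:
                findings[directory] = names
    return findings


def unlinked_files(findings, published_urls):
    """Files visible in a listing that no public page links to."""
    published = set(published_urls)
    exposed = []
    for directory, names in findings.items():
        for name in names:
            if name.endswith("/"):
                continue  # a subfolder, not a file
            if directory + name not in published:
                exposed.append(directory + name)
    return sorted(exposed)


# ---- Constructed sample data (not taken from any real site) ----
BASE = "https://agency.example/wp-content/uploads/"
PUBLISHED = [BASE + "2016/02/complaints-brochure.pdf"]
CANNED = {
    BASE + "2016/02/": (200, """<html><head>
<title>Index of /wp-content/uploads/2016/02</title></head><body>
<a href="?C=N;O=D">Name</a>
<a href="/wp-content/uploads/2016/">Parent Directory</a>
<a href="complaints-brochure.pdf">complaints-brochure.pdf</a>
<a href="board-report-constructed.xlsx">board-report-constructed.xlsx</a>
</body></html>"""),
    BASE + "2016/": (403, "Forbidden"),
    BASE: (200, '<html><head><title>Index of /wp-content/uploads</title>'
                '</head><body><a href="2016/">2016/</a></body></html>'),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET; unknown URLs answer 404."""
    return CANNED.get(url, (404, ""))


if __name__ == "__main__":
    results = audit(PUBLISHED, fake_fetch)
    for directory in results:
        print("browseable:", directory)
    for url in unlinked_files(results, PUBLISHED):
        print("listed but never linked publicly:", url)
```

To audit a site you administer, replace `fake_fetch` with a function that performs the GET and returns the status code and body; any file reported by `unlinked_files` is reachable by anyone who shortens a public URL.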

:::

CAS calls Mom a hacker after she publicly speaks out, $75 million dollar lawsuit and charges pending TRIAL SUMMER 2019.

While doing research on FCSLLG's internal complaint process on the agency's privately operated public information website (which also serves as an advertising platform for the agency), Kelley Denham manually typed an address to information she was referencing in her complaint but left off the filename of the precise document she wanted. That took her to a directory on the site's uploads page, where she stumbled across internal agency financial documents, minutes of meetings, client files and the personal information of a large number of people looking for a six figure salary.

According to Raymond Lemay, the agency's website had multiple layers of security protecting it, though he failed to mention that FCSLLG's website is hosted on a U.S. server in Michigan that coincidentally deletes all log files every 30 days and keeps no backups.

The agency has stated in the courts it doesn't matter if they wrongfully accused Kelley of hacking them and their site wasn't protected by multiple layers of security, or that the Supreme Court has ruled posting a link to something that was published by (FCSLLG) isn't publishing, because FCSLLG has claimed Kelley is just another disgruntled client who was just out to get them after she forced them to withdraw a request for a supervision order from court and then after FCSLLG referred our family to another agency. The judge awarded Kelley legal costs of $750 after she forced Kingston's CAS lawyer to withdraw a motion and a request for a supervision order. FCSLLG now denies Kingston's claim they were only acting as an agent for FCSLLG based on the information FCSLLG gave them.

The news report also fails to mention the outside internet expert they hired is project manager Margret Row's son-in-law who lives or lived in her basement. The "expert" was hired after Kelley copied the documents as evidence of what she'd seen and made a video featuring the agency's internal financial documents and ministry directives, which she sent to the agency. He made recommendations not to improve the agency's security but instead to remove documents from the site to protect themselves (which they did), only for some reason the client files weren't removed.

In a state of desperation to have not just her own information removed but all the other families' information removed as well, she informed the public of the problem by posting a picture of a link to a document published (in secret) on FCSLLG's site.

FCSLLG has stated that there was nothing wrong with their website operations until Kelley ratted them out...

Kelley speaking to TV news reporter after FCSLLG alleged their privately operated public information website that also doubles as an advertising platform for their services..

https://youtu.be/kLOgGC8k-5o

:::

Here are the top 5 reasons for which you shouldn’t opt for a WordPress site if you're part of a government funded multi-billion dollar private corporation with a legal obligation to protect client information:

Website builders are a perfect solution for - individuals and small businesses - to start a website without hiring a developer. However, finding the best website builder can be tricky for beginners.

WordPress is an open source software. It is free in the sense of freedom not in the sense of free beer. ... Open source software comes with the freedom for you to use, modify, build upon, and redistribute the software in any way you like without paying any fees.

What are the disadvantages of using WordPress?

WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide. (Talk about putting children and clients at risk...)

Disadvantages of A WordPress Website.

Without a doubt, WordPress is the most used Content management system (CMS) in the world. With millions of users, it is widely praised and appreciated for its advantages. But, while the hype is still strong, many people overlook or are not aware that WordPress has certain weak points that might make them reconsider their decisions or options.

1. Vulnerability

Unquestionably the biggest disadvantage of WordPress is its security. WordPress is an Open Source platform, and it relies heavily on plugins and themes for customization. Both the plugins and the themes are developed by different people and companies and since there isn’t anyone monitoring them, they can easily contain bugs or malicious code lines. On top of this, as stated above, today, WordPress is the most popular content management system. This fact alone makes WordPress a prime target for hackers everywhere. As a matter of fact, according to a Sucuri report WordPress is the most hacked CMS platform worldwide.

2. Can be expensive

While WordPress itself is free, when looking at the whole picture there are significant costs. WordPress relies on plugins and themes for customization, and while there are some that are free, they are not always reliable or safe. Furthermore, if you want your website to stand out and your visitors to have a great experience, you have to buy a theme, as the free ones are overused. With numerous updates coming out constantly, it can become quite expensive to keep your website up to date. Naturally, if you’re a WordPress designer, or have the knowledge, you can make a lot of adjustments yourself, but most people need to use a plugin or a well-developed theme.

3. Needs frequent updates

Simply installing WordPress is not going to help you very much, as this platform requires a theme and at least several plugins to work properly. WordPress updates can often render parts of your theme or some plugins unusable. The more plugins you use, the more likely it is for you to encounter compatibility problems. The whole maintenance process in WordPress can be quite challenging, and you have to be ready to make adjustments to your plugins and theme in order to have a functional website. If you don’t have the budget or the knowledge (design, programming), given the fact that in general WordPress doesn’t offer support, and solutions can only be found on WordPress forums, chances are that you should choose another website solution.

4. SEO friendliness

WordPress is definitely an SEO friendly platform, but so is virtually any open source CMS. However, for the people with little to no SEO experience and knowledge, WordPress can create quite a few problems. Probably the most known one is caused by the WordPress’ category and tagging system. If the content is over-tagged or marked into many categories, Google will flag it as duplicate content, a fact that will affect your SEO rankings.

5. Customization needs Coding

To make certain changes to your WordPress site, you have to possess HTML, CSS and PHP knowledge. If you want to personalize it in a unique way, or to enhance its design, you may find yourself needing to write numerous complicated lines of code. If you’re in the category of people who possess the knowledge, things can go smoothly, but if you try to write code without having the right expertise, as most people in this category do, you can do a lot of damage to your website.

https://www.websitetooltester.com/en/blog/wordpress-alternatives/

https://www.wpbeginner.com/beginners-guide/how-to-choose-the-best-website-builder/

:::

IS THERE ANY WAY TO USE WORDPRESS AND GUARANTEE THE INTEGRITY OF THE SECURITY USED BY THE FREE PROGRAM/APP AND WHAT DOES PROPER INTERNET SECURITY ACTUALLY LOOK LIKE?

The ISG Series Integrated Security Gateways.

(estimated cost $40 000 AND UP)

The ISG Series Integrated Security Gateways are ideally suited for securing enterprise, carrier, and data center environments where advanced applications, such as VoIP and streaming media, demand consistent, scalable performance. The Juniper Networks ISG1000 and ISG2000 Integrated Security Gateways are purpose-built security solutions that leverage a fourth-generation security ASIC, along with high speed microprocessors to deliver unmatched firewall and VPN performance. Integrating best-in-class firewall, VPN, and optional Intrusion Detection and Prevention, the ISG1000 and ISG2000 enable secure, reliable connectivity along with network- and application-level protection for critical, high-traffic network segments.

Network segmentation: Security zones, virtual systems, virtual LANS and virtual routers allow administrators to deploy security policies to isolate guests and regional servers or databases.

Optional Integrated IDP:

The ISG Series firewall/VPN with IDP uses the same award-winning software found on Juniper Networks IDP Series appliances.

The IDP security module combines eight detection mechanisms, including stateful signatures and protocol anomaly detection.

The ISG with IDP defends against security threats such as worms, trojans, malware, spyware, unauthorized users and hackers and can provide information on rogue servers and data on applications and operating systems that were inadvertently added to the network. Application signatures enable administrators to maintain compliance and enforce corporate business policies with accurate detection of application traffic.

https://www.terabitsystems.com/juniper/integrated-security-gateways/ns-isg-2000-sk1

https://netpoint-dc.com/blog/wp-content/uploads/2015/11/1100036-en.pdf

:::

CYBER-CRIME OR $75 MILLION SHADES OF BULLSHIT :::

Testimony from the alleged CAS hacker trial transcript: PAGE 29/30 -

2019: EXECUTIVE DIRECTOR RAYMOND LEMAY. I was just repeating what had been explained to me. That the security features of the website, when it was first installed, had not been turned on. That’s what was explained to me, and I am just repeating what I heard.

Q. So, all you know is whoever C.A.S. retained for you working in your position did something incorrectly with respect to the website that caused this issue?

A. That’s what, that’s what I understand, yes.

:::

2016: ‘Disgruntled client’ posts names of 285 children’s aid families on Facebook.

A Brockville-area children’s aid society reels after names of 285 clients were posted on Facebook. (did the alleged hacker copy and paste all 285 names and codes in one post or did she post a picture of a hyperlink?)

Lemay admits the report was on the FCSLLG's website but says it was hidden behind several layers of security including a password given only to the organization's board of directors.

"You have to go through the back door. You have to be looking for this," he says.

A link to the report was obtained by someone — "likely a disgruntled client" — who hacked the secure portal for board members on the society's website, he said. No staff or board members are suspected of the breach, he said.

"Our suspicion, which is a fairly firm suspicion, is that it is a current client who is very disgruntled, very unhappy with us," he said. "We have contacted the police. Our lawyer has sent a letter to the website owner as well as to this individual telling them what they are doing is, we think, illegal."

This is the second time in about three months that the organization has had to take down its website because of security concerns. An outside expert was brought in after a February scare to better secure the website. No sensitive information was revealed or even in danger in the first breach, Lemay says. He says they made the changes and were told the website was secure.

Then in 2018, Family and Children’s Services of Lanark, Leeds and Grenville claimed to have seen an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.

Read more here:
https://www.thestar.com/news/insight/2018/02/22/ransomware-attacks-hit-two-ontario-childrens-aid-societies.html

The website has been taken down while experts help the FCSLLG improve its security. This branch of children's aid says it is reviewing its policies when it comes to sensitive information and how it handles such documents.

https://www.thespec.com/news-story/6503453--disgruntled-client-posts-names-of-285-children-s-aid-families-on-facebook/

https://ottawa.ctvnews.ca/names-of-285-people-referred-to-children-s-aid-in-lanark-leeds-and-grenville-posted-online-1.2865944

2019: Dealing with a Ransomware Attack: A full guide.

Help! Infected by Ransomware? This video is a full guide on how to deal with a ransomware attack, how to decrypt your encrypted files, lock down your network, contain damage, recover data and so on. All the steps included here are free and can be performed by anyone before consulting professional help.

For advice about prevention, check out: https://www.thepcsecuritychannel.com/

https://youtu.be/g0yXmQx89x4

:::

Former Privacy Commissioner Ann Cavoukian wrote:

“I am disheartened by the complete lack of action to ensure transparency and accountability by these organizations that received significant public funding. As part of the modernization of the Acts, I call on the government to finally address this glaring omission and ensure that Children’s Aid Societies are added to the list of institutions covered.”

The only oversight for the province’s children’s aid agencies comes from Ontario’s Ministry of Children and Youth Services.

"As the law stands now clients of the Ontario Children's Aid Society under Wynne's liberals are routinely denied a timely (often heavily censored) file disclosure before the court begins making decisions and the clients can not request files/disclosure under the Freedom of Information Act nor can censored information be reviewed by the Privacy Commissioner of Ontario or the federal counterpart."

In her 2004 annual report, which was released on June 22, 2005, the Commissioner called for amendments that would bring virtually all organizations that are primarily funded by government dollars under FOI for the purposes of transparency and accountability: This would include the various children’s aid agencies in the Province of Ontario. Many parents and families complain about how difficult it is, if not impossible, to obtain information from children’s aid agencies. Many citizens complain that CAS agencies appear to operate under a veil of secrecy. Unlicensed and untrained CAS workers are making decisions which are literally destroying families, yet there is little or no accountability for their actions short of a lawsuit after the damage has been done.

“Hundreds of organizations that are recipients of large transfer payments from the government are not subject to the provincial or municipal Freedom of Information and Protection of Privacy Acts,” said the Commissioner, “which means they are not subject to public scrutiny.” Among the examples she cites are hospitals and Children’s Aid Societies. “Openness and transparency of all publicly funded bodies is essential – they should be publicly accountable.”

In her annual report for 2013 released on June 17 there is just one paragraph on children's aid on page 12:

In my 2004, 2009, and 2012 Annual Reports I recommended that Children’s Aid Societies, which provide services for some of our most vulnerable citizens – children and youth in government care, be brought under FIPPA. I am disheartened by the complete lack of action to ensure transparency and accountability by these organizations that received significant public funding. As part of the modernization of the Acts, I call on the government to finally address this glaring omission and ensure that Children’s Aid Societies are added to the list of institutions covered.

The Information and Privacy Commissioner is appointed by and reports to the Ontario Legislative Assembly, and is independent of the government of the day. The Commissioner's mandate includes overseeing the access and privacy provisions of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and the Personal Health Information Protection Act, and commenting on other access and privacy issues.

http://www.theglobeandmail.com/news/national/beef-up-information-laws-ontario-privacy-czar-says/article1120573/

http://www.newswire.ca/news-releases/commissioner-cavoukian-calls-on-government-to-preserve-freedom-and-liberty-514463911.html

:::

2016: INTERVIEW with Director of Service for Family and Children's Services of Lanark Leeds and Grenville.

https://youtu.be/kq6JCx5FlfA?list=PLsYhw09i3If44rMBDuZQ0ztayzSQU35Fy

:::

FCSLLG'S SELF TAUGHT INTERNET SECURITY EXPERT TESTIMONY

From the cross examination: PAGE 98

DAVID SCHMIDT (SELF EMPLOYED INTERNET SECURITY EXPERT AND PROJECT MANAGER MARGRET ROW'S SON-IN-LAW AND FORMER EMPLOYEE)

Q. You – in the past – okay, first of all, I don’t think if you explained, or if you did I don’t remember, you mentioned WordPress, what’s WordPress?

A. WordPress is something called a content management system. It is a piece of software that runs on a web server that people can use to create a website.

Q. Okay.

A. Okay? It’s the most commonly used such tool on the internet. It commands, I think, thirty five percent of all internet websites use WordPress.

Q. And, back in February- sorry, yes, February to April 2016, Family and Child Services was using WordPress?

PAGE 103/4

Q. Okay. In the background, the website has to save all the documents – or the webmaster has to save the documents somewhere?

A. Correct.

Q. They are saved in the directory?

A. Correct.

Q. Now, if this was properly set up you would have a directory for the non-confidential information to the public stuff?

A. Yes.

Q. And, you would have a directory for the confidential information?

A. Correct.

Q. And, they’d be separate?

A. Yes.

Q. Okay. In this case they were not?

A. That is correct.

Q. Okay. And, if you were going to have a directory for confidential information, one; it would be password protected?

A. Absolutely.

Q. It would be non-browseable?

A. Correct.

Q. And, nothing in it would be non-confidential?

A. Correct.

Q. Right.

A. Unless, unless you were – so, for example, in the case of a Board Portal, you might have a non-confidential document a board member could see.

Q. That’s the thing...

A. But, realistically you would want a segregation between that which should be public, and that which should not be public.

Q. And, all those things that I listed, all of those things did not occur back in 2016 when you were retained?

A. That is, that is correct.

PAGE 105/6

Q. A lot of the time, or sometimes when information gets out it gets out because someone has done something – I’m going to call it dishonest, or nefarious...

A. Mm-hmm.

Q. And, what I mean by that is this, I will define it for you; it’s like hacking. So, for example, you download a program, or use certain code, or you do something to get past a username and a password.

A. Breaching passwords, finding an exploit, or something like that, yeah.

Q. Right. But, it requires, one; a certain level of knowledge, right?

A. Mm-hmm.

Q. Yes.

A. Yes.

Q. I know you are nodding, but...

A. Sorry, yes. For the record, yes.

Q. And two; it would require excessive knowledge of a certain amount of dishonesty on your part to try and get past a username and password that is clearly intended to block you?

A. Dishonesty, interest in what’s behind it, yes, absolutely.

Q. I’m not talking from a moral sense...

A. Yep.

Q. ...I’m talking from a computer sense, you are trying to get past something that’s intended to stop you?

A. That’s intended not to be, not to be accessed, yeah.

Q. Right. In this case the directory had no password, nothing in it was intended to stop you from getting to it?

A. That’s correct.

PAGE 107

Q. Right. It doesn’t require a special knowledge to use WordPress?

A. Not particularly.

Q. Right. And, because of that, it’s not actually, as it’s set out by default, not intended for confidential documents at all?

A. I guess not.

Q. Well, and the reason I say this is from what you said which is that by default it has a browseable directory...

A. Yep, absolutely.

Q. ...that you could go to that doesn’t lock. So, by default, a logical inference is, if you have a directory that’s browseable where you can get to every document with no password, that’s the default settings.

A. Absolutely.

Q. By default, it is not intended for confidential documents?

A. That is true.

PAGE 108/9/10

Q. ...etcetera. When you were retained in February you made a list of all of the problems with the website, right?

A. Yes.

Q. Okay. So, I am going to go through that list with you, okay?

A. Absolutely.

Q. So, number one; if you are going to put confidential information, like a Board Portal, the most secure way to do it is you don’t even put it online. You put it in an intranet system, like an internal system...

A. Absolutely, that’s right.

Q. Sorry, just let me finish...

A. Sorry.

Q. ...because the transcript becomes really difficult to follow. So, there is an intranet, an internal system, yes?

A. Yes.

Q. And, you then use what’s called a V.P.N to access that intranet if you are not on that network, right?

A. Yes.

Q. So, for example, the intranet would be accessible from your work place only?

A. Typically, yes.

Q. And, if you wanted access from home the board members would then have access via a V.P.N., yes?

A. Correct.

Q. Which requires a username and password, yes?

A. Yes.

Q. To get in?

A. Yes.

Q. That’s the most secure?

A. That is.

Q. Very difficult to hack?

A. Correct.

Q. You don’t come into any of these problems, right?

A. Correct.

Q. And, it is very clear, this is confidential, no one can get into it?

A. Absolutely.

Q. Okay. If you are one step worse than that, which is not quite as secure...

A. Yep.

Q. You are going to put it on its own separate website, yes?

A. Yes.

Q. Aside from non-confidential information?

A. Correct.

Q. You are going to require a username and password?

A. For everything.

Q. Well. So the one, you are going to require a username and password for the website?

A. Correct.

Q. Then, you will make sure that the directory is not browseable?

A. Correct.

Q. Then, you would make the documents password protected in the event that for some reason something went wrong, it makes it very clear that you can’t get here?

A. Yes, that is correct.

Q. None of those things happened in this case?

A. My understanding is that you are right.

Q. Right. We are here for your understanding.

A. Yes, absolutely.

Q. Okay.

A. I mean, I know that they did post some documents that were passworded, but by and large the documents that they posted for the board members were not password protected.

Q. So, I was about to go there next. Obviously the person who did this had the ability to password protect because some of the P.D.F. documents were password protected?

A. That is correct.

Q. But, the document in question, or one of them, which is this Excel spreadsheet...

A. Yep.

Q. ...that we went through the log sheet, the log lines on, that one was not?

A. Correct.

Q. Right. Now, you gave us one way in which you can find out that it’s open, okay?

A. Yes.

Q. And, that was the whole purpose of you creating this fake website?

A. Yep. It was demonstration.

Q. Which is just to show us how someone could figure out that, “Hey, this is open directory”?

A. Yes.

PAGE 112

Q. And, the result will be it’s Google searchable?

A. That is correct.

Q. Right. So, in this case we know it’s an open directory?

A. Mm-hmm.

Q. We know that – yes?

A. Yes.

Q. We know that it’s not password protected?

A. That is correct.

PAGE 44/45/46/47/48

PROJECT MANAGER MARGRET ROW

Q. So, you know there is a breach in February, there is a breach in April, you make the decision in April for the website to eventually go back up. Do you know what the breach in February was? What caused it?

A. We understood that board documents were posted, interspersed in an interview that had been surreptitiously recorded and posted to Facebook, YouTube, and Liveleaks.com.

(THIS IS THAT VIDEO AND IT WAS MISS DENHAM WHO MADE FCSLLG AWARE OF IT IN AN EMAIL SENT TO KIM MORROW MOMENTS AFTER POSTING THE VIDEO TO YOUTUBE https://www.youtube.com/watch?v=kq6JCx5FlfA&t=1281s)

Q. Okay. So, I think my question wasn’t clear. I know

that’s how it came to light for C.A.S, but my question more is,

were you, did you ever become aware as to how that individual got

that information, got that document?

A. No.

Q. So, you’ve never been aware in your roll what the

security breach of your website was, like, what caused it

technically?

A. Oh, I beg your pardon, the technical issue was that

directory tree that lists what files are on the website was

visible.

Q. So, it’s actually a bit more than that. What happened

was you had two systems. One was all of the public documents that

were intended to be in the public’s view, correct?

A. Correct.

Q. And in that exact same spot, under the same months,

arranged by months, folders with months in them, were the

documents on the confidential site, correct?

A. That’s my understanding.

Q. Right. So, the intention was you go on the interface,

and you put in a username or password for the confidential site?

A. Yes.

Q. Correct. Or, you go to the public sphere and you have

access to those things, correct?

A. Correct.

Q. But, all somebody had to do was go to the address bar,

put in the address of a certain month, year, and date, and they

would get the directory of everything that C.A.S. had saved?

A. That’s correct.

Q. And, that included both public and private documents?

A. That’s correct.

Q. You didn’t have to put any password?

A. That’s correct.

Q. You didn’t have to do anything – of any dishonesty,

you just have to put in a link, anyone could have done it?

A. Anyone did.

Q. Right. And, the problem is, whoever created your

website back whenever it was created, left that function open,

correct?

A. Correct.

Q. And, the function I am referring to is that ability to

put in any U.R.L. at the top, in the address bar, and be able to

browse whatever you want to browse?

A. That’s correct.

Q. Thereby putting it all in the public’s view?

MR. CORBELLA: Well, I guess that’s the whole issue of the

legal argument, Your Honour.

MR. MANSOUR: We can excuse the witness if my friend has

an issue, and I can explain why I am asking the question.

THE COURT: I think that would be – if you want to just

wait outside I’ll hear from the lawyers, and then we will

call you back in.

MR. MANSOUR: There isn’t much that turns on this. The

witness has said she (indiscernible) anyways, but my

point to the witness was, to the best of her knowledge,

anyone in the public could have accessed this with no

active dishonesty as far as she is aware. That is my

question. I’m not asking her to define what a public

sphere is, my question was poorly worded. But, my point

to the witness, how I intended it is, to the best of your

knowledge, anyone could have done this, Ms. Denham, or

anybody else could have went online and browsed through

this, that’s it.

MR. CORBELLA: And, she’s answered that, Your Honour. I

think – but the next question was, and that put you into

the public’s sphere, and that’s where the whole point of

the legal argument we are having here. Again, there is

not much contention here, but I think her commenting on

what is or what isn’t in the public’s sphere is for Your

Honour to decide.

MR. MANSOUR: I can reword. I’m not trying to tip the

witness or anything.

THE COURT: That’s fine. It seems to me that you are at

agreement in any event.

MR. MANSOUR: Yes. I’ll reword the question, that’s fine.

I think – my friend is right. I’ll reword. I only asked

the witness to be excused out of caution.

THE COURT: I wonder if she could be brought back in.

Q. I think my question was a little bit confusing. So,

let me re-ask you the question. I think you have already

answered it, but let me ask you again. As far as you are aware, at the time when the security breach existed, anybody could have gone online and accessed those documents if they went to that directory?

A. If they understood the concept of backing out.

Q. Right. So, anybody that put in what was put in the

U.R.L, with that knowledge of how a U.R.L. works, or how folders work within a website, as far as you are aware, could have gone and accessed it?

A. That’s correct.

Q. Okay. Now, prior to this date, were you always in

charge of the website, or is this something that just when you

decided to launch a new website it became your purview?

A. No, it became my purview in November of 2015 when I

assumed the role, when I assumed the communications project. The

website redesign was one part of our communications project.

Q. And, during that time you wouldn’t have been involved

of the storing of the confidential documents?

A. That is correct. I was not.

Q. Okay. But, when you decided to take down the website,

you decided to take down the website because you weren’t sure what the security breach was, and so you wanted to make sure that – shutdown, and make sure you fixed whatever it was?

A. That’s correct.

Q. No, I’m assuming security is quite important to

C.A.S.?

A. Yes.

Q. If you had found out some other way about the same

security breach, or any security breach, you would have taken the same step, which is shut down the website?

A. Yes.

Q. So, if your I.T. department came to you and said, hey,

I think there is a problem, no one has accessed it, but there was a problem, you would have taken the same step of shutting it

down?

A. Our I.T. department had nothing to do with the

website.

Q. Ma’am, I’m putting to you a hypothetical. If your

I.T. department came to you and said there was a security breach on your website...

A. Yes.

Q. ...no one has accessed it yet. Would you have taken

it down still?

A. Yes.

MR. MANSOUR: Thank you. Those are all my questions.

MR. CORBELLA: No re-examination, Your Honour.

:::

ANOTHER BREACH?

2018: Ransomware attacks hit two Ontario children’s aid societies.

Ransomware attacks at two children’s aid societies have spurred the Ontario government to tighten cybersecurity around a new, $123-million provincial database for children in care.

Officials with the other agency — Family and Children’s Services of Lanark, Leeds and Grenville — claim they saw an English ransom message flash on their computer screens, demanding $60,000, when they tried to access their database in November.

“It encrypted most of our servers,” says the Lanark agency’s executive director, Raymond Lemay. “No data was taken out of our system. It was just an attempt by whatever you call these people to get a ransom.”

Lemay says his agency didn’t pay up. He says it used an offline backup of computer files to get the agency up and running again in about eight hours.

Backup copy, or were there two sets of books?

To "cook the books" is an idiom describing fraudulent activities performed by corporations to falsify their financial statements, and God knows what else when it comes to the Ontario CAS.

Lemay says the ransomware attack cost his agency $100,000 to fix, an expense covered by his agency’s “cyber insurance.”

How does that make any sense? FCSLLG could have paid $60,000 and then fixed the problem, and maybe the police could have tracked the money back to the bad guys, but chose instead to pay $100,000 to regain control of their computers?

Cybersecurity experts from the province’s Ministry of Children and Youth Services, along with a private internet security firm, swooped into the agency to neutralize the malware in the infected servers.

“It took them about three weeks to find the needle in the haystack,” Lemay says.

The ransomware attack locked the agencies out of local online files that contained private information on the children and families they serve.

The computer virus attacked while the Lanark agency was uploading its data to a centralized database known as CPIN. It will allow societies across Ontario to share information more easily and better track how children in foster care and group homes are doing.

“They might have taken advantage of vulnerabilities that occurred because we were changing over to a new system,” Lemay says of CPIN. “That’s one of the hypotheses, but we don’t know for sure.”

https://www.databreaches.net/ransomware-attacks-hit-two-ontario-childrens-aid-societies/

https://www.thestar.com/news/insight/2018/02/22/ransomware-attacks-hit-two-ontario-childrens-aid-societies.html

:::

2019: Alleged Ontario CAS Hacker Trial Transcript available to download for free. A $70 value, no strings attached. (Also, at absolutely no cost to you, we'll include the final legal submissions and the verdict as soon as they become available.)

Look for the transcript PDF here:
https://unpublishedottawa.com/letter/247562/alleged-ontario-cas-hacker-trial-update-190814…
