After a month on hiatus the Evince Blog is back. My apologies for those that have been visiting but have not found anything new.

A couple of new updates:

1. We are now offering Background Due Diligence services. This is an audit type service that is consent based. It’s purpose is to reduce the risks of new relationships and transactions by identifying red-flags in an individual’s or corporation’s background.

The standard background research audit would encompass what we have learned are our client’s key concerns but the service can be customized to include areas which are unique to each client’s needs. The client then has an opportunity to either accept the risk, attempt to mitigate the risk, or exit the transaction or relationship all together.

Please contact us if you have any questions on this service.

2. Speaking of contacting us, Evince Services has moved and expanded. Our offices are now located in Westboro in Ottawa. Our other contact information remains the same.

3. Algonquin College will be hosting another Internet Investigations course this Fall and I am honoured to have been invited back to teach again this term. Some minor changes will be happening for this term with a little more focus on chain of custody and other issues. For those prospective students that are interested in the program please keep an eye on the link above for when the program will become available for enrollment.

As you can see there is a lot going on, but all very positive. Please drop us a line if you have any questions.

A great article in the Globe and Mail on the use of intelligence for proactive policing by the RCMP in British Columbia The program, which is part of a larger program called the Crime Reduction Initiative uses civilian intelligence analysts to help police identify trends in crime and correlate to other information, such as newly released offenders.

When police identify that there is a rise in a particular kind of crime within an area where a given offender lives who has a similar M.O. they pay more attention to that offender, especially if they have signed an undertaking relating to their parole conditions.

The article does refer to the consideration of police harassment and the Superintendent in the article does indicate that he is ultimately accountable for the members of his detachment to ensure that they operate within acceptable bounds. I agree with this approach and have had excellent experiences working with the RCMP in BC. They have been ethical and very professional.

That being said I would also suggest that over time the program be reviewed as a part of an assessment of the force, possibly by the Ministry of Public Safety and the Solicitor General in BC, simply to prove that officers are acting appropriately.

For those civilians interested in this kind of work there are various courses available two examples include at Algonquin College here in Ottawa, and at BCIT in British Columbia.

I first saw this article on the Analysts’ Corner.

HTCIA Ottawa Chapter members, don’t forget that tomorrow (April 13, 2010) is our regular Chapter meeting.

The speaker will be Webster Pilcher, Regional Manager for Digital Investigations and Electronic Discovery at Clearwell. The topic will be Digital Investigations and Forensic Evidence Gathering.

This institute was developed jointly by Matthew McGuire of Williams McGuire AML Inc. and Seneca College. Matthew is an expert in this area and he has been working on this contribution to the field for quite a while. I am happy to see that all of his efforts are coming to fruition.

This centre of excellence approach looks like it has real potential and I’m looking forward to seeing what research products and training emerge in the coming years. It would also be interesting to see if they partner with any universities to offer Masters level degrees given that the training is likely to be fairly specialized.

For more information visit their press release.

For those readers interested in privacy issues relating to cloud computing it would be worth while to look at the March 29, 2010 report released by the Office of the Privacy Commissioner of Canada titled “Reaching for the Cloud(s): Privacy Issues related to Cloud Computing.”

The OPC identified nine key areas relating to privacy and cloud computing, including: Jurisdiction; Creation Of New Datastreams; Security; Data Intrusion; Lawful Access; Processing; Misuse Of Processing Data; Permanence Of Data; and Ownership Of Data.

The reorganization and repackaging of consumer data is addressed in “Creation of New Datastreams” but the issue of meta-data is also addressed in “Ownership of Data” where the report specifically states “Finally, there is also the secondary data that is generated by interactions with a cloud-based infrastructure – although it may well be “personally identifiable information” for the purposes of PIPEDA, users may not be aware of the creation/existence of this data.”

It is also worth reviewing the jurisprudence that is provided in the report. The OPC has provided some useful case law on its own ability to investigate cases internationally as well as enforcement of orders in Canada that were adjudicated in foreign jurisdictions.

Organizations that are selling or using cloud computing services should consider the Privacy Commissioner’s report in their security posture as it will likely be the basis for any privacy impact assessment or review conducted by that office.

The topic summary according to the HTCIA Ottawa website:

In order to foster innovation, the culture of a university environment must support the principles of academic freedom and the sharing of information. The traditional principles of IT security (e.g. control of information assets) are often directly opposed to this concept. This presentation will examine the unique issues and challenges associated with managing? IT security in the University environment, and will also discuss the non-traidtional approaches that must be employed to improve IT security in a University.

The speaker will be Jamie Campbell, CISSP, Manager of Information Security and Operating Platforms at Carleton University. We’re very much looking forward to having Jamie speak.

Even if you are unable to come to see Jamie speak on March 2, 2010 please drop by the new HTCIA Ottawa website to check out the new look and feel. I think you’ll agree that the design and implementation team did a great job!

This blog does not deal with the Internet security side of the equation very often, but I saw a post on the Hyperion Digital Identity Forum that I thought was interesting.

According to that post eBay in the United Kingdom may now be implementing a location based authentication scheme which aims to protect its users from being hacked. This is an interesting step towards account protection, provided of course that you never access your eBay account on business trips or vacations.

Perhaps the best way to implement this would be on an opt-in basis?

I just finished reading a fascinating article on the Cyb3rcrime3 blog on a case that was recently heard in Ohio. Ms. Brenner describes how the threat of posting someone’s personal information on-line for some form of compensation could be considered a form of extortion.

Ms. Brenner also described a US Statute where by it is an offence to use information obtained from a computer to extort someone. I have only read the post on Ms. Brenner’s blog so I may be missing something here but in the case of State v. Soboroff it does not appear that the defendant obtained information from the victim’s computer, but rather that he was going to use the Internet (a network of computers) to post information that was potentially harmful. In other words the post did not stipulate whether or not the personal information was obtained from the victim’s computer or whether or not it was obtained through other means such as personal contact with the victim. I’m not sure if all of the elements of 18 US Code 1030(a)(7) offence were met.

What I think is the most interesting part of the article is that the Court of Appeals of Ohio found that the potential fallout of someone posting personal information on line for the purposes of obtaining compensation from them is close enough to the threat of physical harm to be considered extortion. It adds an interesting dimension to the value of personal information and privacy.

A quick note on the upcoming speaker for the HTCIA Ottawa Chapter. Bruce Cowper of Microsoft Canada will be speaking on the Top Security Threats for 2010. The date for the presentation is February 9, 2010 and it is at Russell’s Lounge at the Ottawa Police Association.

Bruce is an excellent speaker and I would encourage anyone in the Ottawa area who is interested in technology security and investigations to join us at the event.

I am a regular reader of Steven Davis PlayNoEvil Blog, as should anyone be who is interested in game security and online fraud. Through one of the Playnoevil posts I learned about a string of posts on the WoW.com site relating to account security.

I think these are a very useful read for anyone interested in protecting online accounts, including individuals, game companies and policy makers.