Systemic Cybersecurity Vulnerabilities Exposed in Canadian Government Entities

🎬 The presentation at Black Hat by Patrick from ACFES (a Quebec-based cybersecurity organization) and Steve Waterhouse (former Quebec CISO) revealed systemic cybersecurity vulnerabilities across Canadian government entities, including federal, provincial, and municipal levels. Since 2019, their team has conducted large-scale scans of exposed assets, uncovering critical issues such as outdated TLS/SSL certificates (including SSL 3.0 and TLS 1.0), SQL injection flaws, exposed administrative interfaces (e.g., Portainer, Active Directory enumeration), and misconfigured cloud services. Their 2024 scans identified over 60,000 subdomains, with federal entities alone accounting for 22,900, alongside hardcoded credentials, default configurations, and unpatched systems dating back to 2004–2011. Tools used included off-the-shelf GitHub scripts and OSINT techniques, with findings shared directly with governments—Quebec, for example, remediated vulnerabilities after prior disclosures. Key takeaways emphasized the lack of basic security hygiene, such as inventory management and patching, with only Alberta and Quebec having functional responsible disclosure programs, while most provinces failed to implement security.txt or bug bounty initiatives. The speakers warned that adversaries likely already exploit these gaps, citing undetected intrusions in critical infrastructure, and urged immediate action to reduce the expanding attack surface.