14-04-2014, 14:49 #1
[EN] Heartbleed hackers steal Canada Revenue Agency data
Canada's tax collector has said that hackers exploiting the Heartbleed bug have stolen data about hundreds of citizens from its computers.
The Canada Revenue Agency said that the haul involved social insurance numbers as well as other as yet unidentified information.
The attack is the first confirmed exploit of the cryptography flaw to result in the loss of sensitive data.
The agency said it would send registered letters to those affected.
"Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period," the agency said on a message posted to its homepage.
"Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."
"We are currently going through the painstaking process of analysing other fragments of data, some that may relate to businesses, that were also removed."
14-04-2014, 14:51 #2
'Heartbleed' blamed in attack on Canada tax agency, more expected
By Jim Finkle and Louise Egan
BOSTON/OTTAWA Mon Apr 14, 2014 11:56am EDT
(Reuters) - Canada's tax-collection agency on Monday said the private information of about 900 people had been compromised as hackers exploited the "Heartbleed" bug, and security experts warned that more attacks are likely to follow.
The breach allowed hackers to extract social insurance numbers, which are used for employment and gaining access to government benefits, and possibly some other data, the Canada Revenue Agency said.
The agency appears to be the first to report that it is the victim of an attack exploiting a flaw in software known as OpenSSL, which is used on about two-thirds of websites to secure data as it travels across the Internet.
Internet companies, technology providers, businesses and government agencies have been scrambling to figure out whether their systems are vulnerable to attack since the flaw was disclosed a week ago. When researchers disclosed that they discovered the bug, they said they did not know whether anybody had exploited it to launch attacks, though it had been present in OpenSSL software for several years.
Andy Ellis, chief technology officer with Akamai Technologies Inc, said he was not surprised to hear about the attack on the Canadian agency because there are already several "tool kits" publicly available over the Internet that hackers can use to launch attacks on vulnerable websites.
"You should expect to start seeing the attacks this week," said Ellis.
News of the attack in Canada came after authorities in Washington warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the bug.
Lior Div, chief executive of the cybersecurity firm Cybereason, said that "even non-sophisticated hackers" will attempt to launch attacks that exploit the vulnerability with the tools that are publicly available.
"We are in a race," Div said. "People who hadn't thought about using this type of attack will use it now."
The Canada Revenue Agency said in a statement posted on its website that government security authorities had warned it of the breach, which occurred over a six-hour period.
Police are investigating the attack on the agency while forensic experts try to ascertain whether other data had been taken, a task that will be complicated because security experts say they believe that the Heartbleed bug allows attackers to steal data without leaving a trace.
"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," it said.
The agency shut down access to its online services on Wednesday, in the heart of the annual tax season, because of the bug.
14-04-2014, 14:54 #3
900 SIN numbers stolen from during Heartbleed breach: CRA
Hackers have taken the Social Insurance Numbers of approximately 900 Canadians from Canada Revenue Agency computers, the tax agency says.
The attack on the government computers came while they were vulnerable to the Heartbleed bug, the CRA reported on Monday.
A spokesperson for the CRA said the agency will send out registered letters to Canadians affected by the security breach.
A dedicated 1-800 number will be included in the registered letter, spokesperson Philippe Brideau said.
Brideau said he didn’t know when the letters would be sent out, except to say it would be “As soon as possible. I don’t have an estimated time of arrival.”
CRA commissioner Andrew Treusch said the agency will not be calling or emailing individuals to inform them they have been affected because “we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.”
The registered letters will also include information for those affected on “what steps to take to protect the integrity of their SIN,” Treusch said in a press release.
There was no description of whose SIN numbers were erased.
The tax agency began on Monday to “support and protect” Canadians who are affected by the security breach, Treusch said.
The agency says everyone affected will receive free access to credit protection services.
The federal tax agency blocked public access to its online services for several days last week until it put in place measures to address the security risk, but says there was nonetheless a data breach over a six-hour period.
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed,” Treusch said.
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy.
The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
“The CRA is one of many organizations that was vulnerable to Heartbleed, despite our robust controls,” the agency said on Monday.
Cpl. Lucy Shorey of the RCMP in Ottawa declined to comment on the number of officers assigned to the case or their qualifications or how long the investigation might take.
“We don’t normally get into that,” she said. “Everything is kind of unique and we wouldn’t speculate on that.”
With files from Canadian Press
14-04-2014, 15:09 #4
Heartbleed Patch: Canadian Tax-Filing System Is Now Safe to Use
After an entire weekend of being shut down due to Heartbleed, Canada has announced that its tax-filing system is back online and in working order.
According to an announcement made by the Canadian government, all its public websites are up and running after some of them were disabled to reduce the vulnerability to the OpenSSL bug revealed last week. This was meant to make sure that hackers did not get access to sensitive information until the issue was patched up.
“Service has been restored to all publicly accessible Government of Canada websites,” announced Tony Clement, president of the Treasury Board.
The same Treasury Board made the executive decision to take down all sites belonging to government departments that could be affected by the flawed software.
Now, all federal government departments and agencies have been updated and have tested their OpenSSL software and certificates to address the discovered vulnerability.
“Individuals, businesses and representatives are now able to file returns, make payments, and access all other e-services available through the CRA’s website, including all our secure portals,” reads the announcement.
The problems may have been fixed now and the vulnerability is no longer exploitable, but that doesn’t mean that information has not been leaked.
Unfortunately for everyone, the bug made its way into OpenSSL about two years ago and went undiscovered until recently. The official announcement about Heartbleed was made last week, sending the world into a frenzy.
Huge Internet companies scrambled to patch their sites to make sure that user data was safe once again, including Google, Yahoo and Facebook. Due to the nature of the bug, however, there’s no way of knowing if there have been any attacks on various servers because such actions leave no traces behind.
Had there been any traces left on servers, the bug would have been discovered a lot earlier.
Many have said that there must be some foul play involved since such a bug was surely placed there intentionally. Although this did seem like a possibility, the developer who is responsible for Heartbleed says that he did not do this on purpose, but rather made a programming error that affected an incredibly sensitive area – security.
The fact is that OpenSSL is an open source program that is supposed to be safer because anyone can get access to it and review the code to find any imperfections. Somehow, this time around, such a thing did not happen and the entire system was put at risk.