World frets over Heartbleed bug
With tax-return season in full swing, the Canada Revenue Agency (CRA) suddenly locked down its online filing services Wednesday, fearful of a new vulnerability in software used by much of the world to safeguard secure websites on the Internet.
All of the federal government’s online systems were under review after word of the so-called “Heartbleed” computer bug prompted the tax agency to pull the plug on its electronic services as a precaution.
“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said in a statement.
The shutdown came after the Canadian Cyber Incident Response Centre (CCIRC) issued a warning to system administrators about the coding flaw. It recommended that system operators unable to plug in an immediate fix get off the grid.
Other federal systems were also being assessed for their vulnerability to the threat, said Antoine Ouellon, a spokesperson for Shared Services Canada, the federal agency that oversees the government’s IT infrastructure.
“Shared Services Canada is working with departments and Public Safety Canada to assess all IT systems to identify the extent of the problem and to apply solutions, including implementing patches, as required,” Ouellon said in a statement.
It was not immediately clear Wednesday whether any other online government services would have to be taken offline.
The Canada Revenue Agency services that were affected by Wednesday’s outage included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.
Hoping to be back online in days
The agency said it was working to restore safe and secure access and expected the site to be back online “over the weekend.”
The agency also took steps to reassure anxious would-be tax filers, suggesting that anyone who was prevented by the shutdown from filing a return on time would not be penalized.
“The minister of national revenue has confirmed that individual taxpayers will not be penalized for this service interruption,” the agency said later Wednesday.
“We continue to investigate any potential impacts to taxpayer information, and to be fully engaged in resolving this matter and restoring online services as soon as possible in a manner that ensures the private information of Canadians remains safe and secure.”
It is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.
The computer bug was reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday.
Heartbleed affects open-source software called OpenSSL that’s at the very core of millions of applications used to encrypt Internet communications. Experts warn that its impact on consumers could be significant.
It can reveal the contents of a computer server’s memory, including private data such as usernames, passwords, and credit card numbers.
But the flaw also allows hackers to obtain copies of a server’s digital keys, and use them to impersonate other servers and fool people into thinking they are using a legitimate website.
A number of large global websites, such as Google, Facebook and Yahoo, have said they were either in the process of fixing the problem or had already dealt with the threat.
Banks also scrambling
Canada’s major banks were also scrambling to reassess their systems Wednesday, with at least two assuring clients that measures were in place to prevent any loss of information.
“TD already has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk,” said Barbara Timmins, a spokeswoman at TD Bank Group.
“While we don’t recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly,” she added.
“That said, TD has intelligent and multi-layered authentication, so there are multiple safeguards in place to protect customers.”
RBC spokesman Jason Graham added that while the bank takes every threat seriously, RBC websites “have not been affected by the Heartbleed security bug.”
Despite the fact the problem is global in scope, NDP Leader Tom Mulcair wasted no time in blaming the federal Conservative government for failing to adequately protect and provide services to Canadians.
“The Conservatives are such poor public managers that they can’t deliver the grain, they can’t even deliver the mail and now at tax time they can’t even communicate with Canadians through the revenue agency,” Mulcair said.
Liberal Leader Justin Trudeau said only that he would support any measures needed to battle the bug.
Quick facts about the Heartbleed bug
New York — Millions of passwords, credit card numbers and other personal information may be at risk as a result of a major breakdown in Internet security revealed earlier this week.
The damage caused by the “Heartbleed” bug is currently unknown. The security hole exists on a vast number of the Internet’s Web servers and went undetected for more than two years. While it’s conceivable that the flaw was never discovered by hackers, it’s nearly impossible to tell.
There isn’t much that people can do to protect themselves until the affected websites implement a fix.
Here are answers to some common questions about Heartbleed and how you can protect yourself:
Q: What is Heartbleed and why is it a big deal?
A: Heartbleed affects the encryption technology designed to protect online accounts for email, instant messaging and e-commerce. It was discovered by a team of researchers from the Finnish security firm Codenomicon, along with a Google Inc. researcher who was working separately.
It’s unclear whether any information has been stolen as a result of Heartbleed, but security experts are particularly worried about the bug because it went undetected for more than two years.
Q: How does it work?
A: Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed. Interlopers can also grab the keys for deciphering encrypted data without the website owners knowing the theft occurred.
The problem affects only OpenSSL, one implementation of SSL/TLS, but that happens to be one of the most common on the Internet.
Q: So if the problem has been identified, it’s been fixed and I have nothing to worry about. Right?
A: It depends on the website. A fixed version of OpenSSL has been released, but it’s up to the individual website administrators to put it into place.
Yahoo Inc., which has more than 800 million users around the world, said Tuesday that most of its popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products that it didn’t identify.
Q: So what can I do to protect myself?
A: Ultimately, you’ll need to change your passwords, but that won’t do any good until the sites you use adopt the fix.
It’s also up to the Internet services affected by the bug to let users know of the potential risks and encourage them to change their passwords.
— Bree Fowler, The Associated Press