Results 1 to 19 of 19

Thread: CRA website temporarily shut down due to virus

  1. #1
    C2E Long Term Contributor
    Join Date
    Mar 2006
    Location
    Downtown
    Posts
    32,430

    Default CRA website temporarily shut down due to virus

    http://www.theglobeandmail.com/techn...ticle17892916/

    The Heartbleed security bug has forced Canada’s tax agency to block public access to its online services just three weeks ahead of the April 30 deadline for filing personal income tax.

    The Canada Revenue Agency’s move came after security researchers discovered this week the Heartbleed bug, a massive Internet encryption flaw that exposed millions of passwords and went undetected for more than two years.

    The impact of the bug could soon lead to a much wider shutdown of federal government services. A government official told The Globe that other federal departments are “on an urgent basis” deciding whether they should follow the CRA in pulling its online options.

    The official described the bug as one of the most serious security flaws uncovered in recent years and said Heartbleed has the capacity to reveal the sensitive contents of a server’s memory.

    The CRA temporarily shut down public access to its online services late Tuesday evening and issued a public notice on its website Wednesday morning.

    “We have received information concerning an Internet security vulnerability named the Heartbleed Bug. As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said in a notice on its website.

    The notice said that affected online services include EFILE, NETFILE and My Account, which taxpayers would normally access their account to track their refund or check their RRSP limit.
    “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012

  2. #2

    Default

    Yep, it's a big one.. any SSL key or cert generated with the bad version of OpenSSL will need to be re-generated.

    There will be a lot of busy sysadmins today.

  3. #3

    Default

    Hmm, so I NETFILED yesterday, should I be worried?

  4. #4
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Oh for FFS! It's not a virus! Calling it a virus is like calling an unlocked door a thief.

    It's an extremely serious and widespread security hole that a virus could use (although none has been documented) but is more likely to be directly used by an individual mining a system for secure data. Of major significance is that its been around for two years and using the exploit does not leave a trace. In other words there is no way for a service that uses OpenSSL to know how much of their data has been leaked.

    http://www.vox.com/2014/4/8/5593654/...romise-privacy

    We had a meeting today on it and we're fortunate that we are unaffected as we do not use OpenSSL.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  5. #5

    Default

    ^ that's okay.. the unwashed masses uses these words to spread confusion.

    "virus"
    "hackers"

    can't edumacate them all.

    I like that link, dumbs it down for the technologically challenged.
    Last edited by Legacy; 09-04-2014 at 09:53 AM.

  6. #6
    C2E Long Term Contributor
    Join Date
    Mar 2006
    Location
    Downtown
    Posts
    32,430

    Default

    I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
    “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012

  7. #7

    Default

    You might have a virus. ITS NOT A VIRUS!!!

  8. #8
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Quote Originally Posted by Sonic Death Monkey View Post
    I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
    Given how much of our lives are happening online a basic understanding of these things has value. Twenty years ago it didn't really matter if most people didn't understand the differences but these days a basic understanding of online security isn't too much to expect. At the very least I'd expect if you don't understand it, ask or don't post. It's why I generally stay out of threads on cars.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  9. #9
    C2E Hard Core Contributor
    Join Date
    Sep 2008
    Location
    Iqaluit, Nunavut
    Posts
    2,223

    Default

    Quote Originally Posted by Sonic Death Monkey View Post
    I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
    The difference is those with Anti-Virus software may thing, oh, this won't affect me! I have anti-virus software!

    Big difference.

  10. #10
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Based on what I'm hearing today this is bad but not as bad as it could have been. Most financial institutions are not using OpenSSL and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  11. #11
    C2E Long Term Contributor
    Join Date
    Mar 2006
    Location
    Downtown
    Posts
    32,430

    Default

    Apparently NETFILE will be back up by the weekend.
    “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012

  12. #12

    Default

    Quote Originally Posted by Paul Turnbull View Post
    Based on what I'm hearing today this is bad but not as bad as it could have been. Most financial institutions are not using OpenSSL and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.
    the problem is that people use common usernames and passwords over multiple sites. So, a hacker gets your user/pass for one site, and will then try it on many other sites/webmail that haven't been compromised... If they can get into your webmail, then they can reset the passwords for other accounts....

  13. #13
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Quote Originally Posted by Medwards View Post
    Quote Originally Posted by Paul Turnbull View Post
    Based on what I'm hearing today this is bad but not as bad as it could have been. Most financial institutions are not using OpenSSL and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.
    the problem is that people use common usernames and passwords over multiple sites. So, a hacker gets your user/pass for one site, and will then try it on many other sites/webmail that haven't been compromised... If they can get into your webmail, then they can reset the passwords for other accounts....
    Definitely an issue and why people shouldn't be using the same passwords across sites. This is still a very, very bad bug, I was just noting the number of sites directly affected is much less than initial reports indicated.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  14. #14
    C2E Continued Contributor
    Join Date
    Nov 2007
    Location
    Edmonton
    Posts
    1,423

    Default

    We spent some of the day addressing a few websites that were vulnerable. Luckily all of our important services weren't affected by the vulnerability.

  15. #15
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    The latest news is that the site is up but they are aware of a breach affecting 900 SINs and some businesses as well.

    http://www.cbc.ca/news/business/hear...nada-1.2609192

    Addressing the issue that exploiting Heartbleed is untraceable so there's no way the CRA could know they'd been hacked:

    Heartbleed exposes data in the active memory of the machine being exploited. That data can include passwords of people logging in, including, for example, administrators. If someone exploiting Heartbleed got an administrator password and used that to access the system then that could be traceable.

    "For every complex problem there is an answer that is clear, simple, and wrong"

  16. #16

  17. #17
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Quote Originally Posted by Legacy View Post
    Here's XKCD's explanation.

    http://xkcd.com/1354/
    A very good explanation. Randall nailed it again.

    In current news, apparently the RCMP requested the CRA not reveal the breach on Friday so they could pursue an active investigation. They're now reported they have active leads in tracking down source.

    http://www.cbc.ca/news/politics/hear...rcmp-1.2610803

    "For every complex problem there is an answer that is clear, simple, and wrong"

  18. #18
    I'd rather C2E than work!
    Join Date
    Mar 2007
    Location
    City of Champions
    Posts
    7,487

    Default

    Canadian charged in 'Heartbleed' attack on tax agency
    http://www.reuters.com/article/2014/...A3F1KS20140416

  19. #19
    I'd rather C2E than work!
    Join Date
    Feb 2009
    Location
    Westmount, Edmonton
    Posts
    5,583

    Default

    Good work on the part of the RCMP and CRA.

    "For every complex problem there is an answer that is clear, simple, and wrong"

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •