Apparently this is a major threat Internet, to servers using SSL (?) and CRA has temporarily shut down their website because of it.
http://www.cbc.ca/m/touch/news/story/1.2603988
© WonderCafe. All Rights Reserved
Brought to you by the people of The United Church of Canada
Comments
Kimmio
Posted on: 04/09/2014 16:19
Internet wide, I meant. Estimates are over 66% of the internet is affected. It's not a virus, it's something else. Over my head. I hope it's fixed soon.
Mendalla
Posted on: 04/09/2014 16:37
Just to give more details.
Heartbleed is a vulnerability in OpenSSL which about 2/3 of websites use for secure connections. Generally, this means anything using https: instead of http: in the address bar and includes pretty much anything with a login from portals (e.g. Yahoo! is a victim) to financial institutions.
The problem, as I understand it, is that the vulnerability enables the attacker to access the decrypted data on the server, thus stealing passwords and other data encrypted by the secure connection.
The patch went out Monday but many organizations cannot simply throw it on. They have to test it in their specific environment to make sure nothing breaks (something that we may confront from time to time on WC2).
That's why CRA took their site down. They need time to properly install and test the fix and don't want to risk taxpayer data on that server until it is done.
Mendalla
carolla
Posted on: 04/09/2014 17:11
Thanks for your explanation Mendalla. And I thank CRA for doing that! And for being transparent about it. Hopefully our banks etc. are doing the same!
Pinga
Posted on: 04/09/2014 17:12
To give further information.
If applications are appropriately presented to the internet, the vulnerability will not be able to be taken advantage of.
It depends on the install.
I am really surprised by CRA being impacted, as to be honest, they should be better than that....
It is likely why you haven't heard of the banks panicking.
chemgal
Posted on: 04/09/2014 17:24
My main bank has a message on their login page saying they have fixed the issue already.
I don't know if I feel like being bothered to change any passwords or not.
Does anyone know if this is going to affect tax refunds as well? We've already submitted. In-laws' and ours were done on the weekend, theirs on a Saturday, ours on Sunday. They got their money back Friday, I was hoping that we would have seen ours yesterday. Still don't have it and now I'm wondering how long the delay will be.
Mendalla
Posted on: 04/09/2014 18:30
I am really surprised by CRA being impacted, as to be honest, they should be better than that....
*Snickers at the thought of government IT being on top of anything*
Pinga
Posted on: 04/09/2014 18:34
sigh.....
Pinga
Posted on: 04/09/2014 18:37
True, to be fair, it implies funding and staff with foresight and resources for implementation.
If you have few funds or resources you are stuck just waiting for someone to break in. Sad really, as you might know how to deploy your externally-facing site or amend existing ones
revjohn
Posted on: 04/10/2014 06:26
Hi Pinga,
I am really surprised by CRA being impacted, as to be honest, they should be better than that....
coughs politely.
Yeah.
blinks somewhat.
Well then . . . . . .
checks imaginary watch for time.
Carry on.
Grace and peace to you.
John
Mendalla
Posted on: 04/10/2014 09:43
Read an analysis of the bug in The Register (UK IT news site) this morning. A few lines of code that essentially allowed a hacker to lie about the size of a data transmission were all it took to mess up an important security protocol. It's always little crap like this, simply the result of someone not reviewing and testing their code to the nth degree, that does it.
Mendalla
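The bug Mendalla describes is a missing length check: the peer states how many bytes its message contains, and the server believed that number instead of comparing it against how many bytes actually arrived. As an added illustration (this is not code from the thread, and not OpenSSL's actual code), here is a toy heartbeat-style echo handler in C that shows where such a check belongs. The record layout, the 16-byte minimum padding and all function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed record layout for this example (loosely modelled on a TLS
 * heartbeat message, NOT the real OpenSSL structures):
 *   byte 0     : message type (1 = request, 2 = response)
 *   bytes 1-2  : length of the payload as CLAIMED by the peer, big-endian
 *   bytes 3..  : payload bytes, followed by at least 16 bytes of padding
 */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

enum hb_result {
    HB_OK             =  0,
    HB_ERR_TOO_SHORT  = -1,   /* record does not even hold a header */
    HB_ERR_BAD_LENGTH = -2,   /* claimed length does not fit in what arrived */
    HB_ERR_ALLOC      = -3
};

/* Reads the 16-bit big-endian claimed payload length from the header. */
static uint16_t hb_claimed_len(const uint8_t *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Validates a heartbeat record and builds the echoed response.
 * rec/rec_len is the record exactly as received from the network.
 * On HB_OK, *out points to a malloc'd response of *out_len bytes that the
 * caller frees. The decisive check is the one against rec_len: the length
 * the peer CLAIMS must fit inside the bytes the peer actually SENT. Without
 * it, the memcpy below would read past the end of the record into whatever
 * happens to sit next to it in memory and echo that back to the peer. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t **out, size_t *out_len) {
    if (rec_len < HB_HEADER_LEN)
        return HB_ERR_TOO_SHORT;

    uint16_t payload_len = hb_claimed_len(rec);

    /* Claimed payload plus mandatory padding must be present in the record. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return HB_ERR_BAD_LENGTH;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    uint8_t *resp = malloc(resp_len);
    if (!resp)
        return HB_ERR_ALLOC;

    resp[0] = 2;                 /* response type */
    resp[1] = rec[1];            /* echo the (now validated) length */
    resp[2] = rec[2];
    /* Safe: payload_len was proven to lie within rec_len above. */
    memcpy(resp + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Padding is zero-filled, never left as stale heap contents. */
    memset(resp + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);

    *out = resp;
    *out_len = resp_len;
    return HB_OK;
}

/* Builds a constructed sample record in buf: header with the given claimed
 * length, the payload string, then 16 bytes of padding. Returns its size,
 * or 0 if it would not fit. */
size_t hb_make_record(uint8_t *buf, size_t buf_size,
                      uint16_t claimed_len, const char *payload) {
    size_t plen = strlen(payload);
    size_t total = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (total > buf_size) return 0;
    buf[0] = 1;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, plen);
    memset(buf + HB_HEADER_LEN + plen, 0xAA, HB_MIN_PADDING);
    return total;
}

int main(void) {
    uint8_t rec[64];
    uint8_t *resp = NULL;
    size_t resp_len = 0;

    /* Honest record: claims 5 bytes and really carries "hello". */
    size_t n = hb_make_record(rec, sizeof rec, 5, "hello");
    printf("honest record -> %d\n", hb_build_response(rec, n, &resp, &resp_len));
    free(resp);

    /* Lying record: same 5-byte payload, but claims 65535 bytes. */
    n = hb_make_record(rec, sizeof rec, 0xFFFF, "hello");
    printf("lying record  -> %d\n", hb_build_response(rec, n, &resp, &resp_len));
    return 0;
}
```

The honest record is echoed back; the record that claims far more than it carried is rejected before any copy takes place, which is exactly the comparison the original fix added.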
GeoFee
Posted on: 04/10/2014 10:44
Well, well...
So many reasons to be worried and anxious. Every day we are reminded of our vulnerability before the advance of the great machine which has been imagined and constructed to protect and guard us from the threat of nature.
George
InannaWhimsey
Posted on: 04/12/2014 21:11
it's been nice knowing you all
InannaWhimsey
Posted on: 04/12/2014 21:38
anyhew,
here's the detailed go-to information and FAQ on Heartbleed
several web sites have made available updated lists as to when websites/banks/orgs fix their sites
like Mashable http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ with suggestions as to whether you should change your password
for those who like to do a little more hands on, here you can find out if a certain website is 'safe' or not from Heartbleed http://filippo.io/Heartbleed
for those who are tired of changing passwords, here is an article on managing your passwords better http://www.slate.com/blogs/future_tense/2014/04/10/password_managers_can...
(I am reading that if you want to change your password on these certain potentially affected sites, you should wait until you hear/read confirmation that these sites are safe from Heartbleed :3)
thank those 4 people who found this exploit... Riku, Antti and Matti & Neel Mehta of Google security...
InannaWhimsey
Posted on: 04/12/2014 22:23
what Heartbleed really is I'm still trying to get my head around
but here is a video that helps me try to explain it in plain English
chemgal
Posted on: 04/14/2014 10:34
Some information was stolen from the CRA due to this.
chemgal
Posted on: 04/14/2014 10:35
From the CRA:
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
Mendalla
Posted on: 04/14/2014 12:56
*facepalm*
Just finished reading about it in the Globe at lunch. Please note that CRA is going to use Registered Mail to notify the owners of the affected SINs. Therefore do not accept or believe any emails or phone calls claiming to be CRA contacting you about this. If you are affected, you will get a letter from CRA by registered post.
Mendalla
InannaWhimsey
Posted on: 04/16/2014 16:36
I'm reading that CRA has extended the due date to file until May 5th to account for the delay during which they shut down their processes
I also read that a suspect has been arrested, a 19-year-old boy, in the case of these 900 stolen SINs
Mendalla
Posted on: 04/17/2014 11:01
I also read that a suspect has been arrested, a 19-year-old boy, in the case of these 900 stolen SINs
Yeah, local kid from here in London. Graduated from the Catholic High School near me and doing computer science at Western.
Mendalla