Kimmio

Heartbleed Internet threat

Apparently this is a major threat Internet, to servers using SSL (?) and CRA has temporarily shut down their website because of it.

http://www.cbc.ca/m/touch/news/story/1.2603988



Kimmio

Internet wide, I meant. Estimates are over 66% of the internet is affected. It's not a virus, it's something else. Over my head. I hope it's fixed soon.

Mendalla

Just to give more details.

 

Heartbleed is a vulnerability in OpenSSL, which about 2/3 of websites use for secure connections. Generally, this means anything using https: instead of http: in the address bar and includes pretty much anything with a login, from portals (e.g. Yahoo! is a victim) to financial institutions.

 

The problem, as I understand it, is that the vulnerability enables the attacker to access the decrypted data on the server, thus stealing passwords and other data encrypted by the secure connection.

 

The patch went out Monday but many organizations cannot simply throw it on. They have to test it in their specific environment to make sure nothing breaks (something that we may confront from time to time on WC2).

 

That's why CRA took their site down. They need time to properly install and test the fix and don't want to risk taxpayer data on that server until it is done.

 

Mendalla


carolla

Thanks for your explanation Mendalla.  And I thank CRA for doing that!  And for being transparent about it.  Hopefully our banks etc. are doing the same!

Pinga

To give further information.

 

If applications are appropriately presented to the internet, the vulnerability will not be able to be taken advantage of.

 

It depends on the install.

 

I am really surprised by CRA being impacted, as to be honest, they should be better than that....

 

It is likely why you haven't heard of the banks panicking.

chemgal

My main bank has a message on their login page saying they have fixed the issue already.

 

I don't know if I feel like being bothered to change any passwords or not.

 

Does anyone know if this is going to affect tax refunds as well? We've already submitted. In-laws' and ours were done on the weekend, theirs on a Saturday, ours on Sunday. They got their money back Friday; I was hoping that we would have seen ours yesterday. Still don't have it and now I'm wondering how long the delay will be.

Mendalla

Pinga wrote:

I am really surprised by CRA being impacted, as to be honest, they should be better than that....

 

 

*Snickers at the thought of government IT being on top of anything*

 

Pinga

sigh.....

Pinga

True, to be fair, it implies funding and staff with foresight and resources for implementation.

 

If you have few funds or resources you are stuck just waiting for someone to break in. Sad really, as you might know how to deploy your externally-facing site or amend existing ones.

revjohn

Hi Pinga,

 

Pinga wrote:

I am really surprised by CRA being impacted, as to be honest, they should be better than that....

 

coughs politely.

 

Yeah. 

 

blinks somewhat.

 

Well then . . . . . .

 

checks imaginary watch for time.

 

Carry on.

 

Grace and peace to you.

John

Mendalla

Read an analysis of the bug in The Register (UK IT news site) this morning. A few lines of code that essentially allowed a hacker to lie about the size of a data transmission were all it took to mess up an important security protocol. It's always little crap like this, simply the result of someone not reviewing and testing their code to the nth degree, that does it.

 

Mendalla

 
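Mendalla's description of "lying about the size of a data transmission" (and the earlier point that the bug exposes decrypted server data), as an added example that is not from either post and is not OpenSSL's own code: a stripped-down heartbeat handler in the vulnerable shape and in the fixed shape, run against a constructed 64-byte buffer in which a made-up secret sits right after the record. The buffer layout, the SECRET string and all function names are assumptions for this demo.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat record (RFC 6520): [type:1][payload_length:2 BE][payload][padding >= 16] */
#define HB_HDR 3
#define HB_PAD 16
#define SECRET "SECRET-SESSION-COOKIE" /* constructed stand-in for adjacent heap data */

static size_t hb_declared_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable shape: echo as many bytes as the peer *claims* it sent.
 * mem is a constructed buffer standing in for the process heap; the clamp to
 * mem_len exists only so this demo cannot overrun itself. The real bug had
 * no such clamp and read past the record into whatever lay next to it. */
size_t hb_echo_vulnerable(const uint8_t *mem, size_t mem_len, uint8_t *out, size_t out_cap) {
    size_t n = hb_declared_len(mem);
    if (n > out_cap) n = out_cap;
    if (HB_HDR + n > mem_len) n = mem_len - HB_HDR;
    memcpy(out, mem + HB_HDR, n);
    return n;
}

/* Fixed shape (the shape of the OpenSSL patch): the declared length must fit
 * inside the bytes actually received for this record, padding included. */
size_t hb_echo_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t n = hb_declared_len(rec);
    if (HB_HDR + n + HB_PAD > rec_len || n > out_cap) return 0; /* lying length: drop it */
    memcpy(out, rec + HB_HDR, n);
    return n;
}

/* Constructed scenario: a heartbeat whose real payload is "hi" (2 bytes) but
 * whose header claims `declared` bytes, with SECRET placed right after it. */
size_t build_demo_memory(uint8_t *mem, uint16_t declared) {
    const uint8_t hdr[] = {1, (uint8_t)(declared >> 8), (uint8_t)declared, 'h', 'i'};
    memset(mem, 0, 64);
    memcpy(mem, hdr, sizeof hdr);                 /* header + 2-byte payload */
    size_t rec_len = sizeof hdr + HB_PAD;         /* 3 + 2 + 16 = 21 bytes received */
    memcpy(mem + rec_len, SECRET, sizeof SECRET); /* "adjacent heap" */
    return rec_len;
}

/* 1 if the vulnerable handler echoes the secret back, 0 otherwise. */
int demo_vulnerable_leaks(uint16_t declared) {
    uint8_t mem[64], out[64];
    size_t rec_len = build_demo_memory(mem, declared);
    size_t n = hb_echo_vulnerable(mem, sizeof mem, out, sizeof out);
    return n > rec_len - HB_HDR && memcmp(out + (rec_len - HB_HDR), SECRET, 6) == 0;
}

/* Bytes the fixed handler echoes for the same record; 0 means it was dropped. */
size_t demo_fixed_echo(uint16_t declared) {
    uint8_t mem[64], out[64];
    size_t rec_len = build_demo_memory(mem, declared);
    return hb_echo_fixed(mem, rec_len, out, sizeof out);
}
```

With a claimed length of 48 the vulnerable handler returns the secret; the fixed handler drops the record and only answers an honest 2-byte claim.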

GeoFee

Well, well...

 

So many reasons to be worried and anxious. Every day we are reminded of our vulnerability before the advance of the great machine which has been imagined and constructed to protect and guard us from the threat of nature.

 

George

 

InannaWhimsey

It's been nice knowing you all.

InannaWhimsey

anyhew,

 

here's the detailed go-to information and FAQ on Heart Bleed

 

several web sites have made available updated lists as to when websites/banks/orgs fix their sites

 

like mashable http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/ with suggestions as to should you change your password

 

for those who like to do a little more hands on, here you can find out if a certain website is 'safe' or what from Heart Bleed http://filippo.io/Heartbleed

 

for those who are tired of changing passwords, here is an article on managing your passwords better http://www.slate.com/blogs/future_tense/2014/04/10/password_managers_can...

 

(i am reading that if you want to change your password on these certain potentially affected sites that you wait until you hear/read confirmation that these sites are safe from Heart Bleed :3)

 

thank those 4 people who found this exploit...Riku, Antti and Matti & Neel Mehta of google security...

 

 

InannaWhimsey

what Heart Bleed really is I'm still trying to get my head around

 

but here is a video that helps me try to explain it in plain English.

chemgal

Some information was stolen from the CRA due to this.

chemgal

From the CRA:

 

Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

Mendalla

*facepalm*

 

Just finished reading about it in the Globe at lunch. Please note that CRA is going to use Registered Mail to notify the owners of the affected SINs. Therefore do not accept or believe any emails or phone calls claiming to be CRA contacting you about this. If you are affected, you will get a letter from CRA by registered post.

 

Mendalla

 

InannaWhimsey

I'm reading that CRA has extended the due date to file until May 5th to account for the delay during which they shut down their processes.

 

I also read that a suspect has been arrested, a 19-year-old boy, in the case of these 900 stolen SINs.

Mendalla

InannaWhimsey wrote:

i also read that a suspect has been arrested, a 19-year-old boy, in the case of these 900 stolen SIN

 

Yeah, local kid from here in London. Graduated from the Catholic High School near me and doing computer science at Western.

 

Mendalla
