About 900 social insurance numbers were stolen from the computers of the Canada Revenue Agency, the revenue department has confirmed, following a shutdown of its public online services caused by the Heartbleed Internet bug.
The RCMP is now investigating the breach, the CRA said in a statement released Monday morning following a six-day closing of its Web filing services.
Each person whose SIN was stolen will be notified by registered mail, the CRA said.
The agency won’t say when the breach occurred – whether it was during the two years in which the bug went undetected, or during the 24-hour gap between the public revelation of Heartbleed’s existence and the CRA’s shutdown of its websites last week.
Nor would the CRA explain how it determined which SINs were taken, since Heartbleed intrusions are hard to detect.
“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA communiqué said. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
WHEN DID THE BREACH TAKE PLACE?
Internet security expert Mark Nunnikhoven said it appears the breach was recent and was traced through network monitoring by one of the federal government’s agencies dealing with Internet security, such as Shared Services Canada or even the Communications Security Establishment Canada.
“The CRA has been notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said in its statement.
While a Heartbleed breach would have left no traces of data leak on the logs of CRA servers, it would have been spotted by the network-monitoring tools of other federal agencies that capture and analyze transiting data packets, Nunnikhoven said.
A vice-president for cloud and emerging technologies at the software security firm Trend Micro, Nunnikhoven previously worked for a decade in IT in the federal government.
“If you have multiple layers of security controls in place, you can catch it … that means someone upstream on the government’s shared network saw it,” he said.
A likely candidate for such a role, he said, is Shared Services Canada, the department created three years ago to streamline and consolidate all of the federal government’s IT structures under one roof. CSEC, the secretive signals-intelligence agency, is also responsible for computer security.
“Those agencies are tasked with that type of monitoring for government networks … It’s for security purposes, because government departments are interlinked at some levels. They also share defences,” Nunnikhoven said.
Since it is unlikely that the government security agencies would have stored several years’ worth of network data, it appears that the SIN data theft would have been recent, he said.
People whose SINs were stolen will be contacted by registered mail rather than by telephone or e-mail. “We want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes,” the CRA communiqué said.
The office of Privacy Commissioner Chantal Bernier was informed of the problem Friday, though the breach wasn’t made public until Monday morning.
WHAT IS HEARTBLEED?
According to the OpenSSL Project, which manages the encryption system affected by Heartbleed, the vulnerability was made public early last Monday afternoon. The CRA shut down its online services on Tuesday evening.
“Given the pace that the government normally moves, that’s pretty fast,” Nunnikhoven said.
It would have been a difficult decision because the CRA would have had to consider the shutdown’s impact on the April 30 tax deadline, which has now been postponed to May 5.
One of the characteristics of the Heartbleed bug is that it is hard to detect whether someone has attacked a computer server.
“Exploitation of this bug leaves no traces of anything abnormal happening to the logs,” Codenomicon, the Finnish security firm that co-discovered the security flaw, said when it announced the problem.
In testing the bug, Codenomicon programmers were, however, able to demonstrate they could steal usernames and passwords from their own servers, indicating that a hacker could further exploit a website after using Heartbleed to obtain its passwords.
The CRA statement is one of the first disclosures by an organization that it had lost data to someone exploiting the Heartbleed vulnerability.
“There’s probably going to be more organizations that are going to come forward to confirm there were breaches,” Nunnikhoven said.
The only organizations that can provide “100 percent reassurance” to their users are the ones that didn’t use version 1.0.1 of the popular open-source cryptographic system OpenSSL, he said.
In December 2011, OpenSSL received an update adding its “heartbeat” extension. This is a communications protocol that bounces little parcels of data, heartbeats, between a remote user and a computer server to ensure that the connection stays alive.
Because of a programming mistake, additional information could trickle out of the computer’s processing memory with each heartbeat. A persistent hacker could keep sending heartbeat requests and collect the resulting data leak until the computer gave up confidential information.
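The programming mistake described above, shown as an added illustration that is not part of the article and not OpenSSL's own code: a simplified heartbeat handler that trusts the length field in the request (the pre-patch behaviour) beside the one-line length check that the fix introduced. The record layout, the 64-byte "process memory" array and the secret string are all constructed for the demonstration; keeping the over-read inside one array is what lets it run safely.

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a TLS heartbeat record (RFC 6520): one type byte,
   a two-byte big-endian payload length, the payload, then padding.
   Constructed for illustration; this is not OpenSSL's own code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Build the response that echoes the request payload. Returns the number
   of response bytes written, or -1 if the record is rejected. With
   checked == 0 the function mirrors the pre-patch logic: it trusts the
   length field in the request and copies that many bytes regardless of
   how many bytes actually arrived. */
static int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap, int checked)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit in the record
       that was actually received; otherwise discard it silently. */
    if (checked && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if (3 + payload > out_cap) return -1;  /* response buffer bound */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above this memcpy runs past the end of the
       record into neighbouring memory, which is what leaked the data. */
    memcpy(out + 3, rec + 3, payload);
    return (int)(3 + payload);
}

/* Constructed "process memory": an 8-byte heartbeat record whose length
   field claims 40 bytes, followed by data the peer must never see. The
   whole region is one array so the over-read stays within defined memory. */
static uint8_t memory[64];

static int demo(int checked, uint8_t *out, size_t out_cap)
{
    const char *secret = "secret SIN placeholder";  /* constructed value */
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST; memory[1] = 0; memory[2] = 40;
    memcpy(memory + 3, "hello", 5);
    memcpy(memory + 8, secret, strlen(secret));
    return handle_heartbeat(memory, 8, out, out_cap, checked);
}
```

Nothing in the unchecked path fails or logs: the server simply answers with a longer-than-expected but well-formed response, which is why the CRA's own server logs could not show the theft and only upstream packet inspection could.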