CRA website temporarily shut down due to virus

  • CRA website temporarily shut down due to virus

    http://www.theglobeandmail.com/techn...ticle17892916/

    The Heartbleed security bug has forced Canada’s tax agency to block public access to its online services just three weeks ahead of the April 30 deadline for filing personal income tax.

    The Canada Revenue Agency’s move came after security researchers discovered this week the Heartbleed bug, a massive Internet encryption flaw that exposed millions of passwords and went undetected for more than two years.

    The impact of the bug could soon lead to a much wider shutdown of federal government services. A government official told The Globe that other federal departments are “on an urgent basis” deciding whether they should follow the CRA in pulling its online options.

    The official described the bug as one of the most serious security flaws uncovered in recent years and said Heartbleed has the capacity to reveal the sensitive contents of a server’s memory.

    The CRA temporarily shut down public access to its online services late Tuesday evening and issued a public notice on its website Wednesday morning.

    “We have received information concerning an Internet security vulnerability named the Heartbleed Bug. As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said in a notice on its website.

    The notice said that affected online services include EFILE, NETFILE and My Account, through which taxpayers would normally access their account to track their refund or check their RRSP limit.
    “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012

  • #2
    Yep, it's a big one... any SSL key or cert generated with the bad version of OpenSSL will need to be re-generated.

    There will be a lot of busy sysadmins today.



    • #3
      Hmm, so I NETFILED yesterday, should I be worried?



      • #4
        Oh for FFS! It's not a virus! Calling it a virus is like calling an unlocked door a thief.

        It's an extremely serious and widespread security hole that a virus could use (although none has been documented) but is more likely to be directly used by an individual mining a system for secure data. Of major significance is that it's been around for two years and using the exploit does not leave a trace. In other words, there is no way for a service that uses OpenSSL to know how much of their data has been leaked.

        http://www.vox.com/2014/4/8/5593654/...romise-privacy

        We had a meeting today on it and we're fortunate that we are unaffected as we do not use OpenSSL.

        "For every complex problem there is an answer that is clear, simple, and wrong"



        • #5
          ^ that's okay.. the unwashed masses use these words to spread confusion.

          "virus"
          "hackers"

          can't edumacate them all.

          I like that link, dumbs it down for the technologically challenged.
          Last edited by Legacy; 09-04-2014, 08:53 AM.



          • #6
            I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
            “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012



            • #7
              You might have a virus. IT'S NOT A VIRUS!!!
              A people that elect corrupt politicians, imposters, thieves and traitors are not victims, but accomplices.



              • #8
                Originally posted by Sonic Death Monkey:
                I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
                Given how much of our lives are happening online, a basic understanding of these things has value. Twenty years ago it didn't really matter if most people didn't understand the differences, but these days a basic understanding of online security isn't too much to expect. At the very least I'd expect that if you don't understand it, ask or don't post. It's why I generally stay out of threads on cars.

                "For every complex problem there is an answer that is clear, simple, and wrong"



                • #9
                  Originally posted by Sonic Death Monkey:
                  I love how the know-it-alls on this board get bent out of shape over semantics. Bug, virus, security hole...it's all one to me.
                  The difference is those with anti-virus software may think, oh, this won't affect me! I have anti-virus software!

                  Big difference.



                  • #10
                    Based on what I'm hearing today this is bad, but not as bad as it could have been. Most financial institutions are not using OpenSSL, and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.

                    "For every complex problem there is an answer that is clear, simple, and wrong"



                    • #11
                      Apparently NETFILE will be back up by the weekend.
                      “You have to dream big. If we want to be a little city, we dream small. If we want to be a big city, we dream big, and this is a big idea.” - Mayor Stephen Mandel, 02/22/2012



                      • #12
                        Originally posted by Paul Turnbull:
                        Based on what I'm hearing today this is bad, but not as bad as it could have been. Most financial institutions are not using OpenSSL, and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.
                        The problem is that people use common usernames and passwords over multiple sites. So, a hacker gets your user/pass for one site, and will then try it on many other sites/webmail that haven't been compromised... If they can get into your webmail, then they can reset the passwords for other accounts....
                        A people that elect corrupt politicians, imposters, thieves and traitors are not victims, but accomplices.



                        • #13
                          Originally posted by Medwards:
                          Originally posted by Paul Turnbull:
                          Based on what I'm hearing today this is bad, but not as bad as it could have been. Most financial institutions are not using OpenSSL, and amongst sites using OpenSSL most aren't using the feature that has the bug. That still leaves a large number of sites that were vulnerable over the last couple of years. Hopefully the sites that were vulnerable will be instructing users to change their passwords once they've patched the flaw and changed their certificates.
                          The problem is that people use common usernames and passwords over multiple sites. So, a hacker gets your user/pass for one site, and will then try it on many other sites/webmail that haven't been compromised... If they can get into your webmail, then they can reset the passwords for other accounts....
                          Definitely an issue and why people shouldn't be using the same passwords across sites. This is still a very, very bad bug, I was just noting the number of sites directly affected is much less than initial reports indicated.

                          "For every complex problem there is an answer that is clear, simple, and wrong"



                          • #14
                            We spent some of the day addressing a few websites that were vulnerable. Luckily all of our important services weren't affected by the vulnerability.



                            • #15
                              The latest news is that the site is up but they are aware of a breach affecting 900 SINs and some businesses as well.

                              http://www.cbc.ca/news/business/hear...nada-1.2609192

                              Addressing the issue that exploiting Heartbleed is untraceable so there's no way the CRA could know they'd been hacked:

                              Heartbleed exposes data in the active memory of the machine being exploited. That data can include passwords of people logging in, including, for example, administrators. If someone exploiting Heartbleed got an administrator password and used that to access the system then that could be traceable.

                              "For every complex problem there is an answer that is clear, simple, and wrong"

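Posts #4 and #15 above describe what Heartbleed does (the server echoes back whatever happens to sit in memory next to the request, and the over-read leaves nothing in the logs) but not why. The C program below is an added illustration for this thread, not code from the posts or from OpenSSL: it models a heartbeat record (1-byte type, 2-byte peer-supplied payload length, payload, padding) inside a constructed buffer, runs the flawed length handling beside the bounds check OpenSSL 1.0.1g added, and counts how many bytes of the neighbouring "secret" the flawed path copies into the reply. The buffer layout, the record contents and the `SECRET` string are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of a TLS heartbeat record (RFC 6520 layout):
 *   byte 0    : type (1 = request, 2 = response)
 *   bytes 1-2 : payload_length, big-endian, supplied by the peer
 *   payload   : payload_length bytes
 *   padding   : at least 16 bytes
 * This is an added illustration, not OpenSSL's code. */

#define SIM_MEM     96   /* constructed "heap": the record followed by other data */
#define OUT_CAP     96   /* capacity of the response buffer */
#define MIN_PADDING 16
#define HB_HDR      3

/* Constructed neighbouring data standing in for whatever the process holds. */
static const char SECRET[] = "constructed-secret-password-1234";   /* 32 chars */

/* Lay out a constructed request: a 4-byte payload "ping" and 16 bytes of padding,
 * but a payload_length field that claims 40 bytes. SECRET is placed immediately
 * after the bytes that were really received, as adjacent heap data would be.
 * Returns the real record length (23). */
size_t build_sample(unsigned char *mem) {
    memset(mem, 0, SIM_MEM);
    mem[0] = 1;                       /* heartbeat request */
    mem[1] = 0x00; mem[2] = 40;       /* claims 40 payload bytes */
    memcpy(mem + HB_HDR, "ping", 4);
    memset(mem + HB_HDR + 4, 0xAA, MIN_PADDING);
    size_t rec_len = HB_HDR + 4 + MIN_PADDING;
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);
    return rec_len;
}

/* Flawed pattern: the echo length is taken from the peer's field and never
 * compared with the number of bytes actually received, so memcpy reads past the
 * record into whatever follows it. Returns the response length. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                                        /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload + HB_HDR > out_cap) return 0;     /* keeps the demo's own buffer safe */
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);          /* over-read of neighbouring memory */
    return HB_HDR + payload;
}

/* Hardened pattern (the check added in OpenSSL 1.0.1g): header, claimed payload
 * and minimum padding must all fit inside the bytes actually received, otherwise
 * the record is silently discarded. Returns 0 when nothing is sent. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < HB_HDR + MIN_PADDING) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)payload + MIN_PADDING > rec_len) return 0;
    if (HB_HDR + (size_t)payload > out_cap) return 0;
    out[0] = 2; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    return HB_HDR + payload;
}

/* How many leading bytes of SECRET appear contiguously in a response (0 = none). */
size_t leaked_secret_bytes(const unsigned char *out, size_t out_len) {
    for (size_t p = HB_HDR; p < out_len; p++) {
        size_t n = 0;
        while (p + n < out_len && n < sizeof SECRET - 1 &&
               out[p + n] == (unsigned char)SECRET[n]) n++;
        if (n) return n;
    }
    return 0;
}

int main(void) {
    unsigned char mem[SIM_MEM], out[OUT_CAP];
    size_t rec_len = build_sample(mem);
    size_t v = heartbeat_vulnerable(mem, rec_len, out, OUT_CAP);
    printf("received %zu bytes; flawed handler echoed %zu, leaking %zu secret bytes\n",
           rec_len, v, leaked_secret_bytes(out, v));
    size_t f = heartbeat_fixed(mem, rec_len, out, OUT_CAP);
    printf("hardened handler echoed %zu bytes (record discarded)\n", f);
    return 0;
}
```

The flawed handler copies 40 bytes starting from a record that is only 23 bytes long, so 20 bytes of the neighbouring string end up in the reply; nothing in the handler fails, logs or returns an error, which is why post #4's point about the lack of any trace holds. The hardened handler drops the record as soon as the claimed length does not fit the bytes received.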
