Heartbleed Victim: Canadian Agency Takes Additional Security Measures


The agency overseeing the Canadian government's massive taxing authority is taking additional security measures to protect taxpayer data that was exposed this week in an attack exploiting the notorious Heartbleed bug.

The Canada Revenue Agency said Social Insurance Numbers of about 900 taxpayers were stolen in the attack. The agency halted operations April 8 to let computer forensics investigators identify the scope of the breach, and resumed taxpayer online services this week after administrators applied the OpenSSL patch, said Andrew Treusch, the commissioner of the Canada Revenue Agency. Treusch wrote in a blog post that the attack occurred over a six-hour period following the disclosure of the widespread OpenSSL flaw.

"We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," Treusch wrote in an apology to those impacted by the data breach. "The [Canada Revenue Agency] is one of many organizations that was vulnerable to Heartbleed, despite our robust controls."

The breach appears to have been contained to the impacted Web server, Treusch said, prompting the agency to take additional steps to protect its sensitive data. In addition to offering standard credit monitoring services, the agency has added security technology, including more proactive network monitoring, to prevent unauthorized activity.

"We have augmented our monitoring and surveillance measures, so that the security of the [Canada Revenue Agency] site continues to meet the highest standards," Treusch said.  

Security experts and solution providers insist that the Heartbleed bug deserves the attention it has gotten, since the OpenSSL open-source encryption implementation is widely used in networking gear, including two popular open-source Web servers: Apache and the nginx HTTP server (pronounced "engine-x"). The popularity of the two Web servers, said to support hundreds of thousands of websites globally, has prompted experts to advocate password changes.

Meanwhile, Canadian law enforcement authorities have arrested a 19-year-old for allegedly carrying out the Heartbleed attack against the Canada Revenue Agency. Stephen Arthuro Solis-Reyes was arrested at his residence Tuesday and faces one count of unauthorized use of computer and one count of mischief, according to a statement issued by the Canadian Mounted Police.

While the flaw has impacted websites, consumer products and embedded systems, it also demonstrated the ability of solution providers and IT teams to address the issue once the details were released to the public, said Fredrik Lindstrom, practice resource manager at Accuvant. The OpenSSL vulnerability has existed for two years, requiring organizations not only to deploy the patch but, in many cases, to revoke digital certificates.

Some network security vendors, including Fortinet, Sophos and WatchGuard, also were impacted. In addition, Cisco Systems and Juniper Networks issued patches for some of their networking gear to address Heartbleed. A Fortinet spokesperson said the company has completed issuing patches for some of its appliances. In addition to updating its FortiOS platform, Fortinet, like many network security vendors, has issued signatures designed to detect attempts to exploit the OpenSSL bug. 

Businesses are stepping forward by communicating to the public about the state of their systems while promoting password management best practices, Lindstrom said. The Heartbleed bug is dangerous because an attack is difficult to detect, Lindstrom said.

"People are taking it very seriously," Lindstrom said. "Financial institutions are updating their systems because banks should assume that they have been breached if this hasn't been addressed."

Greg Bell, IT director of DCI Donor Services, a Trend Micro customer, said DCI Donor Services immediately investigated whether its systems were impacted by the OpenSSL bug and determined none of the company's platforms were affected by the flaw.

"The biggest concern is that threats change so rapidly," Bell said. "Issues like OpenSSL that hit everyone in the face are difficult to see coming and, as a small group, you have to really prioritize how you address issues by the risks they pose."

PUBLISHED APRIL 18, 2014