CRA stops E-filing for a few days! Heartbleed bug!
- CRA has shut down its e-filing tax services
- Deadline to submit claims has been moved
- User passwords and sensitive information could be at risk
The CRA said the move was considered precautionary, because there is no evidence of a breach.
Heartbleed, however, is particularly vexing to security experts because it allows hackers to slip in and out of the Internet’s most deeply encrypted systems without leaving a trace. The flaw had gone undetected for more than two years, until it was revealed this week.
So far, computer experts have found no proof that anyone has exploited the flaw to steal information. But given that hundreds of thousands of web servers use the technology affected by Heartbleed, the risk is massive.
“It’s all about potential,” said Gerry Egan, senior director of product management at Symantec. He said that many large sites, including banks, use the vulnerable software.
Many popular websites – including Yahoo and Tumblr – confirmed they were affected and are implementing a fix. A statement posted by staff of Tumblr, a blog-sharing site, put the situation in clear terms.
“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” they said. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug.”
Canadian banks and credit unions said Wednesday that their online banking sites were not affected.
Mr. Egan said most large companies and websites have the resources to quickly fix the bug, but the greater problem lies in smaller sites that don’t get around to fixing it. If a user employs the same log-in information for one of those sites as they do for their online banking account, for example, their security could be compromised regardless of what the bank’s IT department does.
“Imagine you had a master key for your front door, your car, your office,” said Mr. Egan. “It’s really convenient, but if you lose the key and someone finds it, now you’re in trouble.”
Other federal departments in Canada were reviewing whether they should take specific measures in response to the bug.
Numerous respected experts in cybersecurity stressed that Heartbleed should not be taken lightly.
“ ‘Catastrophic’ is the right word. On a scale of 1 to 10, this is an 11,” wrote Bruce Schneier, an author and fellow at Harvard’s Berkman Center for Internet and Society, on his blog.
The federal government is likely going through its inventory of servers to decide which websites need to be dealt with first, said cybersecurity expert Raymond Vankrimpen. “They’ve obviously identified this CRA website as a critical one to take offline. But I have no doubt that there are other government websites that use SSL technology,” said Mr. Vankrimpen, a partner at the financial advisory firm Richter.
“They’re probably triaging everything.”
The Heartbleed bug affects a common cryptographic software library called OpenSSL, and specifically OpenSSL's implementation of the TLS heartbeat extension defined in RFC 6520.
The Ontario government confirmed that it uses OpenSSL, but it said it has not found that any information is at risk of getting hacked as a result of Heartbleed.
“As of right now, we have not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government,” said Jenna Mannone, a spokeswoman for Government Services Minister John Milloy, whose ministry oversees the collection of information for such things as health cards and drivers’ licences.
The online services affected by the temporary CRA shutdown include EFILE, NETFILE and My Account, which taxpayers would normally access to track their refund or check their RRSP limit.
Globe and Mail