What we learned from Heartbleed

After weeks of reports of data breaches related to retail point-of-sale devices, a new crisis: data breaches related to something else.

On April 8 the Canada Revenue Agency discovered that some 900 social insurance numbers had been captured by an attacker exploiting the so-called Heartbleed bug revealed seven days earlier. Things were serious enough that the government shut down all Web sites that hadn’t been patched.

On April 1, Neel Mehta of Google’s security team reported a problem with OpenSSL’s year-old implementation of the Heartbeat Extension for the Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) protocols, which, according to Wikipedia, provides a way to test and keep alive secure communication links without the need to renegotiate the connection each time.

Quite simply, it causes a buffer over-read. The problem is that OpenSSL is used by millions of Web sites around the world for issuing security certificates. One estimate is that about 17 per cent of Web sites (half a million) were at risk.
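To make the over-read concrete, here is an added example (not code from OpenSSL or from this column) of a simplified heartbeat handler: it models the record layout, computes how far past the received record a handler that trusted the claimed payload length would read, and shows the bounds check a hardened handler applies instead. The record layout, the two sample requests and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a TLS heartbeat record (assumed layout, after RFC 6520):
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed samples, not real captures: an honest request carrying 5 bytes,
 * and one claiming 65535 bytes while actually carrying 5. Both are 24 bytes long. */
static const uint8_t honest_req[] = {HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',
                                     0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
static const uint8_t lying_req[]  = {HB_REQUEST, 0xff, 0xff, 'h','e','l','l','o',
                                     0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

static size_t claimed_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* How many bytes past the end of the received record a handler that trusted
 * payload_length (the pre-patch behaviour) would copy into its reply. */
size_t heartbeat_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    size_t needed = 1 + 2 + claimed_len(rec) + HB_PADDING;
    return needed > rec_len ? needed - rec_len : 0;
}

/* Hardened handler: echo the payload only when the claimed length fits inside
 * the record actually received. Returns the response length, or 0 when rejected. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t claimed = claimed_len(rec);
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0;   /* the bounds check the fix added */
    size_t resp_len = 1 + 2 + claimed + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(claimed >> 8);
    out[2] = (uint8_t)claimed;
    memcpy(out + 3, rec + 3, claimed);          /* only bytes that really arrived */
    memset(out + 3 + claimed, 0, HB_PADDING);   /* padding content is arbitrary */
    return resp_len;
}

/* Wrappers over the constructed samples so results can be checked by name. */
size_t honest_response_len(void) { uint8_t out[64]; return heartbeat_respond(honest_req, sizeof honest_req, out, sizeof out); }
size_t lying_response_len(void)  { uint8_t out[64]; return heartbeat_respond(lying_req,  sizeof lying_req,  out, sizeof out); }
size_t honest_overread(void) { return heartbeat_overread(honest_req, sizeof honest_req); }
size_t lying_overread(void)  { return heartbeat_overread(lying_req,  sizeof lying_req); }
```

The honest request is echoed back as a 24-byte response, while the lying request is rejected; without the check, that same 24-byte record would have pulled 65,530 bytes of adjacent process memory into the reply.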

Ultimately, the son of a University of Western Ontario computer science professor was charged by the RCMP with one count of unauthorized use of a computer and mischief. (Update: In December the RCMP laid 16 more charges including illegally obtaining computer services, illegal interception of computer functions, five counts of possessing unauthorized computer passwords, three counts of possession of devices used to hack computers and two more counts of mischief to data.)

ITWorld Canada chief information officer Jim Love penned a column on lessons learned, which include remembering that all code — not just open source — is vulnerable to attack. Therefore “you have to act like you can’t keep everyone out, you can only slow them down.”

That wasn’t the only problem the feds had in April. In one of those “oops” moments, the privacy commissioner’s office admitted that in February it lost an unencrypted hard drive with personal information of staff while the bureau was moving across the river from Ottawa to Gatineau, Que.

The drive was always connected to a server in a locked server room until the move, commissioner Chantal Bernier said. The move itself was watched over by commissionaires. However, it wasn’t until some time later that IT staff realized the drive was missing, and only on April 9 that they realized it had personal information.

The information couldn’t be used for impersonation or fraud. Still, “it is certainly humbling,” she said, “but we will come out of this wiser. We’ve already learned precious lessons that we will be able to apply.”

Coincidentally, the Harper government introduced proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) obliging organizations covered by the federal legislation to notify people of data breaches. Organizations usually notify provincial or federal privacy commissioners, but have had no legal duty to tell potential victims — although often they do.

Also this month IBM said Toronto would get one of its 18 global mobile application development labs. I also talked at the Microsoft Build conference with Mary-Ellen Anderson, vice-president of Microsoft Canada’s developer and platform group, who helps match company resources to projects of customers.

Shane Schick, editor of Canadian CIO, had two interesting columns. One was on the ongoing struggle over technology between CIOs and CMOs. “Failing to involve the CIO in market-facing innovation, where digital technology is a primary driver, is counter-intuitive,” he quoted a PricewaterhouseCoopers official saying. “Don’t leave any room for interpretation when it comes to market-facing digital technology like consumer apps, websites or customer analytics. Get explicit agreement between the CIO and CMO on who owns the initiatives, the role each leader will take on and when and how they are expected to work together.”

The other was an anecdote from VMware CEO Pat Gelsinger about the late Steve Jobs that showed the Apple chief’s thinking process. Arguably, it should have been expected from someone who headed a consumer products company that incidentally makes devices used in the enterprise. That, of course, was then. This is now, when — as we’ll see later in the year — Apple strikes a partnership with IBM aimed at business users.

Finally, the Harper government released its long-promised national digital strategy. It included the $305 million announced the previous month for helping Internet providers in small communities and a promise to cap wireless roaming fees. Critics said the government didn’t go far enough. “Once again the government is aiming at 1993, driving Canada down the road while looking in the rearview mirror,” one told a conference.