There’s good news/bad news about the Heartbleed vulnerability.
The good news is the Canada Revenue Agency says as of Sunday it had patched all systems it thinks would have been open for exploitation by poorly-written versions of the OpenSSL code. That means Canadians no longer have a reason to delay online filing of income taxes or making tax payments.
The bad news is it wasn’t fast enough. The department acknowledged Sunday that it has found evidence that during a six-hour period between April 7 — when word about the vulnerability first surfaced – and April 8 — when Canada Revenue shut its tax filing site – social insurance numbers of 900 taxpayers were “removed” from its systems by exploiting Heartbleed.
“We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed, said the statement by Canada Revenue commissioner Andrew Treusch.
While the government has issued statements that it is working on fixing vulnerability, it didn’t acknowledge that on April 11 Treusch told the Privacy Commissioner of Canada of the breach. That only came out in Treusch’s statement three days later.
Meanwhile, the federal government remains quiet on whether other of its Web sites were closed for fixing after CIO Corinne Charette ordered departments to shut Web sites running unpatched versions of the damaged OpenSSL software.
Charette works for Treasury Board. On Sunday Treasury Board president Tony Clement issued a statement that said all federal departments and agencies had updated their software. The temporary disruption in service for some Canadians accessing Government of Canada websites is now over.” The statement does not detail how many sites in addition to CRA were offline.
Other public and private organizations are going through their systems to find if they are vulnerable to attack. This is complicated by the fact that OpenSSL can be used in almost any device that touches the network.
In some cases the cure was worse than the disease: Computerworld U.S. reports that Akamai Technologies, whose network handles a reported 30 per cent of all Internet traffic, acknowledged that it issued a faulty fix and had to do it all over again, including issuing new SSL keys.
For example, on Sunday Cisco Systems Inc. updated its advisory on the problem, saying many of its products include a version of the OpenSSL package affected by a vulnerability.
“Please note that the devices that are affected by this vulnerability are the devices acting as an SSL server terminating SSL connections or devices acting as an SSL Client initiating an SSL connection. Devices that are simply traversed by SSL traffic without terminating it are not affected.”
Products identified so far as affected include Cisco Security Manager, various TelePresence servers and gateways, the MS200X Ethernet Access Switch and several IP phones.
Juniper Networks said it is working “around the clock” to provide fixed versions of code for affected products. According to its Web site, the only product not fixed as of this morning was its Odyssey client 5.6r5 and later.
As for those who doubt whether private keys can be exposed and used by attackers leveraging the vulnerability, CloudFlare said a test site it set up had been successfully impersonated by several authorized attackers. Anyone visiting the site would have been directed to another one masquerading as the legitimate page.
CloudFlare also noted that after the certificate for the test site was revoked people could still get to it. Internet Explorer and Safari browsers did give warnings that the identity of the phony site couldn’t be verified, but users could still go ahead. Firefox denied access to sites using revoked certificates.
The Ontario government said that as of this morning its cyber security team hasn’t seen any data, personal information or servers compromised as a result of Heartbleed, although some systems use OpenSSL. “Government IT experts continue to prioritize updating the software which software experts have assured us will fix the flaw.”
Heartbleed is the name given to a coding error in the open source implementation of the SSL and TSL encryption protocols called OpenSSL. The encryption is used to protect the transport of a wide range of data including private keys, user names and passwords held by public and private organizations. Briefly, part of the SSSL transaction involves a so-called heartbeat. The coding vulnerability allows someone to “bleed” out sensitive information held in memory through packets that trigger a buffer over-read.