Was it a MITM or what?
Was it a MITM job, or were the social security numbers taken from server memory by exploiting the bug? How can they know how many (and which) numbers were taken?
The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability. The Canadian taxman specifically blamed the data breach on a serious security shortcoming in the widely used OpenSSL technology discovered last week. What's significant is not the size of the breach, which is …
This does seem very specific. For them to positively know that the data was leaked via Heartbleed, they would have had to log the outbound packets, and I severely doubt that they have this level of logging enabled.
I also find the term 'removed' a bit strange, because to me, that means that they disappeared from the source. Maybe I'm being a bit too literal, but I find it strange.
Agree, this seems odd, they even know when it was supposed to have happened - "The theft reportedly happened during a six-hour period after the security flaw was discovered..."
Maybe they just tried the exploit themselves, realised what could have been acquired and just said they were to cover their backs.
Either the statement comes from a PR person who knows nothing about IT and used the wrong word unknowingly, or said PR person is French-Canadian and the statement you have read was a (bad) translation. In fact, the term used in the French statement was "soutiré", which is mostly correct as it roughly translates to "extort" in English.
>I also find the term 'removed' a bit strange, because to me, that means that they disappeared from the source. Maybe I'm being a bit too literal, but I find it strange.
Allow me to translate for you.
Our 4-letter security agencies are finding out who did this. Whoever took the numbers better leave them the fuck alone.
Now if you'll excuse me, I need to file my taxes; perhaps paper will suffice.
>Because one of the other 3 or 4 letter agencies bought them on an exchange.
Doubtful. They don't need to buy this type of stuff to figure out where the data went. Unlike businesses which lack access to infrastructure to investigate, they already gather the type of info needed to track it down:
http://www.theglobeandmail.com/technology/mounties-chasing-viable-lead-in-cras-heartbleed-breach/article18002731/
Yes, I was wondering too how they could possibly have confirmed that data were leaked because of Heartbleed.
Theoretically it is possible to set up an IDS logging heartbeat packets, but then anyone analysing the logs would have to remove TLS decryption, and this seems very tricky, even with access to the private signing key of the server. I suppose it's impossible if perfect forward secrecy was enabled.
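The check an IDS would actually apply is simple once it can see the heartbeat record in the clear (before encryption is in effect, or behind a decrypting proxy that holds the session keys): a heartbeat message declares a payload_length, and a Heartbleed probe declares more than the record carries. The Python below is an added example for this thread, not code from the commenter or from any IDS product; it parses TLS records, applies the same bounds check that OpenSSL's fix added (1 + 2 + payload_length + 16 bytes of padding must fit in the record), and reports records that fail it. The sample traffic, the helper names and the 16 KiB value are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 24           # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16             # RFC 6520 requires at least 16 bytes of padding


def iter_tls_records(data):
    """Yield (content_type, version, body) for each complete TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:       # truncated capture: stop rather than misparse
            break
        yield ctype, version, body
        off += 5 + length


def check_heartbeat(body):
    """Bounds check from the OpenSSL fix: the record must be able to hold
    1 (type) + 2 (payload_length) + payload_length + 16 (padding) bytes.
    Returns (verdict, hb_type, claimed_payload_length)."""
    if len(body) < 3:
        return "malformed", None, None
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if 1 + 2 + claimed + MIN_PADDING > len(body):
        return "oversized", hb_type, claimed
    return "ok", hb_type, claimed


def scan_heartbeats(data):
    """Return one alert dict per heartbeat record whose declared payload length
    exceeds what the record actually carries (the Heartbleed signature)."""
    alerts = []
    for idx, (ctype, version, body) in enumerate(iter_tls_records(data)):
        if ctype != TLS_HEARTBEAT:
            continue
        verdict, hb_type, claimed = check_heartbeat(body)
        if verdict == "ok":
            continue
        alerts.append({
            "record": idx,
            "verdict": verdict,
            "direction": "request" if hb_type == HB_REQUEST else "response",
            "claimed_payload": claimed,
            "record_length": len(body),
        })
    return alerts


def tls_record(ctype, body, version=0x0302):
    """Build one TLS record; helper for the constructed sample below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample traffic: an application-data record, a well-formed heartbeat
# request (5-byte payload plus 16 bytes of padding), and a heartbeat request that
# declares a 16 KiB payload while carrying none.
SAMPLE = (
    tls_record(23, b"\x00" * 40)
    + tls_record(TLS_HEARTBEAT,
                 struct.pack("!BH", HB_REQUEST, 5) + b"hello" + b"\x00" * MIN_PADDING)
    + tls_record(TLS_HEARTBEAT, struct.pack("!BH", HB_REQUEST, 16384))
)

if __name__ == "__main__":
    for alert in scan_heartbeats(SAMPLE):
        print(alert)
```

On the constructed sample only the third record is flagged. The same check applied inside the server (reject rather than alert) is the patch itself; on the wire it is only as good as the visibility you have into the record, which is the decryption problem the comment raises.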
Seems strange to me, anyway; think about it. Does this mean that the exploit was not used UNTIL AFTER it became a public spectacle and was reported and then discussed in detail by 'SECURITY EXPERTS'?
So I would blame the Government agency for not shutting down their servers immediately. I would blame the so called Security experts for shouting from every building how the flaw could be implemented so that even someone that couldn't implement it. Then of course the same security experts even told people what websites could be used to find out if a server was secure or not from Heartbleed giving a nice way for the 'bad people' to find targets.
I want to hear of actual reports of lost data from BEFORE it was announced to decide whether it is a real-deal thing to worry about.
I've noticed that the biggest winner out of heartbleed seems to be lastpass who have been gaining customers rampantly based on this flaw.
"Canadian tax authorities are in the process of notifying affected parties by letter, a sensible precaution..."
Yeah, because the baddies don't have access to laser printers, windowed envelopes, or the post office. Such letter mail postal technologies are unavailable to anyone except high government officials.
Point being, anyone could now send out 90,000 official looking letters to random folks telling them exactly what to do. The only real dissuading factor to such a nefarious campaign would be the astronomical price of postage in Canada.
The first thing anyone heard of Heartbleed in Canada was when CRA closed their portal for e-filing of tax returns along with their other portals, but since it is tax filing time people noticed this one. From there, the press picked it up and it made the broadcast news outlets.
I suspect that the six-hour window they are talking about is between the public outing of Heartbleed by Google (and whoever else) and the time it took them to shut down their portals. I can postulate that IT bods at CRA knew about their vulnerability, but could not shut down the portals without higher level approval - it is tax filing time after all. They could have set up an outward packet monitoring system as suggested above while they waited for this approval. Since SIN numbers are pretty standard (nine digits) it would not be hard to extract these from memory dumps, even if encrypted.
I can't say that I am too worried that someone might have my SIN, however. It is used for calculating taxes, benefits etc. but nothing secure uses an SIN alone as it is not exactly a secret number. More worrying would be the user ID and password which were used to log in, as this is a pretty extensively used e-pass system. This is why CRA want to contact these people - the SIN provides them with names of people who potentially had their login credentials exposed. Getting a new login is a pain because they make a point of being secure (separate mailings of ID and one-time only password which is time-sensitive) so they have not recommended blanket re-certification.
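Sizing up what a captured buffer contained is the same job a DLP scanner does: find the nine-digit runs and keep only those that pass the SIN's Luhn (mod 10) checksum, so the result is a list of candidates with their offsets rather than every nine-digit number in the dump. The Python below is an added example for this thread, not the commenter's or CRA's tooling; the regex, the `luhn_valid` and `find_sin_candidates` names and the sample buffer (with a constructed Luhn-valid test value, not a real SIN) are this example's own assumptions, and it deliberately applies only the checksum, not the first-digit allocation rules.

```python
import re

# Nine digits, optionally grouped 3-3-3 with a space or hyphen, and not embedded
# in a longer digit run (so a ten-digit phone number is not matched).
SIN_RE = re.compile(rb"(?<![0-9])([0-9]{3})[ -]?([0-9]{3})[ -]?([0-9]{3})(?![0-9])")


def luhn_valid(digits):
    """Luhn (mod 10) check, the checksum the SIN uses."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sin_candidates(buf):
    """Scan a bytes buffer (captured response, memory region) and return the
    nine-digit runs that pass the Luhn check, with the offset of each hit."""
    hits = []
    for m in SIN_RE.finditer(buf):
        digits = b"".join(m.groups()).decode("ascii")
        if luhn_valid(digits):
            hits.append({
                "offset": m.start(),
                "sin": digits,                      # normalised, separators removed
                "raw": m.group(0).decode("ascii"),  # as it appeared in the buffer
            })
    return hits


# Constructed sample buffer standing in for a leaked memory region.
# 123456782 satisfies Luhn (constructed test value, not a real SIN);
# 123456789 does not; 416-555-0199 is a ten-digit phone-style number.
SAMPLE = (
    b"name=Jane Example&sin=123456782&phone=416-555-0199\x00\x00"
    b"...prior request...sin=123-456-782...junk 123456789 trailing"
)

if __name__ == "__main__":
    for hit in find_sin_candidates(SAMPLE):
        print(hit)
```

On the sample the scanner reports the two occurrences of the valid value (one plain, one hyphenated) and ignores both the phone number and the run that fails the checksum. The Luhn filter cuts false positives roughly tenfold; matching the hits against the set of SINs the server was actually handling in that window is what turns candidates into a count of affected people.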
Good to know somebody somewhere in government is taking appropriate precautions with your data. Sorry to hear it wasn't enough to protect from compromise. Glad it sounds like it will be harder to use the compromised info than it would be most other places. I know if somebody gets your SSN here in the States, it's pretty much game over.
The National Post are following this and quote other security researchers with a similar line:
http://business.financialpost.com/2014/04/14/cra-waited-days-to-inform-canadians-of-sin-leak/?__lsa=1fcd-7b13
There are still a few people complaining about how long it took to "inform the public", but I think it would have taken some time to analyze the data that had been collected.
as I haven't paid Canadian taxes for over 22 years. And before that I filed on paper - to keep people employed as they transcribe the figures into computer terminals.
I feel comforted in the knowledge that the RCMP, replete in red uniforms and riding trusty steeds, is on the job. Guaranteed to lose the trail, like Sergeant Preston of the Yukon.