Is CRA breach just the tip of the iceberg?
Leak at Canada Revenue Agency extensive: experts
The Canada Revenue Agency says social insurance numbers of 900 Canadians were swiped from its website because of the Heartbleed computer bug. But does the scale of the security breach go beyond the window of vulnerability described by the tax agency?
“As soon as this went public, (Internet security experts) started to see it light up as people intentionally tried to activate data.”
MARK NUNNIKHOVEN, VICE-PRESIDENT OF CLOUD AND EMERGING TECHNOLOGY AT SECURITY RESEARCH FIRM TREND MICRO
OTTAWA — Security experts believe the data breach announced Monday by the Canada Revenue Agency could be far worse than it is letting on.
The government department revealed that 900 social insurance numbers were taken from its servers during a six-hour window after the Heartbleed exploit was announced a week ago.
However, experts are questioning what happened before that six-hour window, during any part of the two-year period when government systems were just as vulnerable to hackers exploiting the computer bug that has been dubbed Heartbleed.
The theft of the SIN information was detected only after CRA had been “notified by the Government of Canada’s lead security agencies of a malicious breach of taxpayer data.” The agency said in a statement Monday that personal information from Canadians was “removed from CRA systems by someone exploiting the Heartbleed vulnerability.”
The government has said it would send letters to all affected Canadians but it has refused to answer questions about what protection it is offering to Canadians who may have had their information compromised. Researchers have been adamant about the threat posed by Heartbleed because hackers exploiting it can steal information without being detected.
“Exploitation of this bug leaves no traces of anything abnormal happening,” said Codenomicon — the security firm that discovered and rang alarm bells about the Heartbleed vulnerability — on a website set up to educate people about the issue.
Mark Nunnikhoven, vice-president of cloud and emerging technology at security research firm Trend Micro, said the six-hour window during which the “Government of Canada’s lead security agencies” witnessed someone make off with private data, including social insurance numbers, likely occurred between the time the exploit was made public by Codenomicon and the time the CRA website was closed to tax filers Tuesday night.
“Because the CRA was notified, that implies to me that it was someone from Public Safety or Shared Services Canada ... They were looking deeper into the networks for malicious activity and that’s who found this one,” Nunnikhoven said. “That to me says they actually saw the Heartbleed attack come in and then traced the response from CRA systems and saw data leaving.”
Having experts take the time to look specifically for attackers using the Heartbleed vulnerability was the only way to detect the malicious activity. Security officials would then have to monitor the hacker and determine what was stolen. However, with more than 48 hours between the time the bug was announced and the closure of government web services, hackers could have made off with far more than the personal information of 900 Canadians, experts suggested.
“As soon as this went public, (Internet security experts) started to see it light up as people intentionally tried to activate data, or wanted to see if they could do this, or a whole gamut of reasons,” Nunnikhoven said.
John Zabiuk, a security researcher with the Northern Alberta Institute of Technology in Edmonton, said he thought Monday’s news was likely just the tip of the iceberg, because the Heartbleed vulnerability went undiscovered for two years.
He said the Heartbleed bug, a flaw in the open-source security software that’s commonly used to protect sensitive personal information online, is probably the largest software flaw ever to hit the Internet.
Making things potentially worse for those affected is how the vulnerability works. Heartbleed doesn’t target specific information; it simply relays a small packet of information, 64 kilobytes worth, to an attacker. What’s in the packet is difficult to discern.
The packet contains the most recent 64 kilobytes of encrypted information that was transmitted to that server. By exploiting the bug, hackers gained access to at least 900 social insurance numbers, according to the federal government. But they also would have had access to addresses, income, investment details and any other information that was transmitted.
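The bug the article describes comes down to a single missing length check in the handling of TLS heartbeat messages: the server trusted the payload length a client declared and copied that many bytes out of memory, even when the actual message was far shorter. The following is an added illustration, not code from the article or from OpenSSL, of the hardened form of that check with constructed sample records (the message layout of type byte, two-byte length, payload and 16 bytes of padding follows the heartbeat extension; buffer and function names are this example's own):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding required after the payload */

/* Validate a heartbeat message body. Returns the declared payload length
 * if it actually fits inside the received record, or -1 if the record is
 * malformed or the declared length would read past the end of the record.
 * The unpatched code skipped this comparison and copied `payload` bytes
 * regardless, which is how adjacent server memory leaked to the sender. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;            /* no room for header + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];       /* attacker-controlled length */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* the check the fix added */
    return (int)payload;
}

/* Build the echo response into out (capacity out_cap). Returns the number of
 * bytes written, or -1 if the request is invalid or the buffer is too small. */
int heartbeat_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    int payload = heartbeat_payload_len(rec, rec_len);
    if (payload < 0 || rec[0] != HB_REQUEST) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (out_cap < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, (size_t)payload);   /* only bytes that exist in the record */
    memset(out + 3 + payload, 0, HB_PADDING);    /* TLS uses random padding; zero here */
    return (int)need;
}

/* Constructed sample records (24 bytes each): a well-formed request carrying
 * "hello", and one that declares a 65535-byte payload it does not contain. */
static const uint8_t benign_rec[24] = {0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t bogus_rec[24]  = {0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'};
static uint8_t resp_buf[64];
```

The bogus record is the shape a scanner sends; a patched server rejects it outright instead of answering with whatever sat in memory next to the request.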
Government officials refused further comment Monday, referring to a statement by CRA’s commissioner of revenue, Andrew Treusch, on the department website.
“The agency is putting in place measures to support and protect the individuals affected by the breach,” the statement said. “Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN.”
Heartbleed affects open-source software called OpenSSL that’s at the core of millions of applications used to encrypt Internet communications. Heartbleed can reveal the contents of a computer server’s memory, including private data such as encrypted email, user names, passwords, documents and credit card numbers.