Vancouver Sun

Bug may have exposed your passwords

- GILLIAN SHAW gshaw@vancouversun.com vancouversun.com/digitallife With a file from The Canadian Press

Worried that the Heartbleed security bug has revealed your Internet passwords and other confidential information?

If you’re in British Columbia, you may have to find that out for yourself: companies don’t have to tell you.

Some Vancouverites who have accounts with U.S.-based companies that are bound by law to disclose security breaches have already received an email warning, but in B.C., where disclosure isn’t mandatory, many concerned consumers are left seeking answers from companies that hold their confidential information.

While the list of affected websites runs to the hundreds of thousands and includes the Canada Revenue Agency, banks in Canada were not affected, nor were Vancity and Coast Capital or any other credit unions that use banking systems created by Central 1 Credit Union.

While a number of B.C. companies don’t use the security software affected by the Heartbleed bug, Rogers/Yahoo! email customers are among those whose login information could have been exposed by the flaw.

“Rogers.com doesn’t use the impacted versions of the SSL software, so was not impacted by the bug. Yahoo!, the provider of Rogers/Yahoo! email, implemented the fix to its mail site shortly after the issue was identified,” Rogers spokeswoman Luiza Staniec said in an emailed response to The Sun.

Telus said it has some websites that use the affected technology and, like the Canada Revenue Agency, has taken them offline temporarily while it applies the patch to fix the flaw. Telus didn’t identify the websites or the number of customers or vendors affected.

News of the security flaw comes amid possible changes to Canadian privacy legislation with proposed amendments in Bill S-4 that received first reading this week in Ottawa. And in B.C., a review is underway considering amendments to privacy legislation here, where neither the private nor public sector is bound to disclose breaches.

Dominic Vogel, a senior security consultant with Vancouver’s Grant Thornton, an accounting and business advisory firm, said Heartbleed highlights the need to make online security a priority. “My advice to both consumers and businesses is that security is something they need to start taking a little more interest in,” he said. “You don’t need to be a computer science doctorate to practice good security. The most basic stuff isn’t being done and if we all did that, it makes it much harder for attackers or the bad guys to take advantage of us.”

But he said consumers shouldn’t panic. “The analogy I like to give is if you go to bed at night and forget to lock the front door, there is the potential that you will be robbed; it doesn’t mean someone will rob you.”

The Canadian Bankers Association issued a statement saying Canadian banks have not been affected. “The online banking applications of Canadian banks have not been affected by the Heartbleed bug. Canadians can continue to bank with confidence.”

The Canada Revenue Agency abruptly pulled the plug on its online services Wednesday over security concerns, saying it will take until the weekend at least before taxpayers can again file their returns online. The problem has forced it to extend the deadline for online filing.

The government’s super-IT agency was unable to say how widespread the problem might be across federal departments, or how long it might take to fix. The security loophole that led to the shutdown is found in many government and consumer websites around the world, and could have provided improper access to sensitive information during the two years before it was discovered this week.

Shared Services Canada said it was working to “identify the extent of the problem and to apply solutions, including implementing patches, as required.” Those patches — or digital repairs — could take several days to complete, one expert said. Because of the nature of the security loophole, which can’t be traced, it may be impossible to say how much, if any, private information has been accessed.

“Maybe someone was watching” anyone who has already filed their income tax returns, said David Skillicorn, a computer security expert from Queen’s University in Kingston, Ont. “The issue for the CRA, more importantly, is that they don’t know how much their internal systems were compromised.”

The outage was caused by an online security loophole known as the Heartbleed bug.

Heartbleed is a vulnerability that has existed for about two years, although only discovered now, in software used by thousands of websites globally to encrypt information when logging in to secure online services.

The loophole lets someone see encrypted information sent between two computers, such as usernames and passwords, and secretly snoop around the system running the website and the user’s personal computer.

It only works on systems that use a security device known as OpenSSL — which the CRA website does — to encrypt login information. The Canada Revenue Agency services affected by Wednesday’s shutdown included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system.

The shutdown came just as the agency had ramped up for tax-filing season, and as it has continued to encourage Canadians to file electronically rather than by using paper forms.

“Given that we are in the midst of tax-filing season, this will be challenging and will require sustained effort and collaboration across the agency to minimize the impact on the services we provide to Canadians,” CRA commissioner Andrew Treusch wrote in a notice to employees Wednesday.

Taxpayers looking to file their returns were blocked Wednesday morning from logging on to the Canada Revenue Agency website. An online message told taxpayers that as a security precaution, access was blocked until concerns were addressed.

“We know there’s a systems vulnerability. We have identified that, so we shut down those systems right away as a precautionary measure only,” National Revenue Minister Kerry-Lynne Findlay said. “We’re investigating. We’re working on it.”

Findlay’s office said late Wednesday that no penalties or interest would be applied to anyone filing online after the April 30 tax deadline. The grace period will correspond to however long the service outage lasts.

“Consideration will be given to taxpayers who are unable to comply with their filing requirements because of this service interruption,” she told the House of Commons.

CHRIS MIKULA/POSTMEDIA NEWS FILES The Canadian Revenue Agency is scrambling to fix security loopholes discovered in their online services. Many government and consumer websites were shut down around the world upon discovery of a malicious bug that makes websites vulnerable to hackers.

ADRIAN WYLD/THE CANADIAN PRESS FILES National Revenue Minister Kerry-Lynne Findlay says a grace period will be added to the tax deadline to correspond to the length of the interruption.
