#CyberFLASH: Heartbleed bug: RCMP asked Revenue Canada to delay news of SIN thefts


The Canada Revenue Agency knew last Friday that hundreds of Canadians had their social insurance numbers stolen from its website because of the Heartbleed security bug but waited until Monday to make it public.

“The Canada Revenue Agency contacted our office last Friday afternoon to notify us about the attack and of the measures it was taking to mitigate risks and notify affected individuals,” said Valerie Lawton, a spokeswoman for the Privacy Commissioner’s Office, in a written statement Monday afternoon.

The commissioner’s office later clarified that it was told by CRA that “several hundred Canadians” had their social insurance numbers stolen from the agency’s website due to the Heartbleed security bug.

The CRA publicly confirmed the attack Monday morning.

“Social insurance numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” the CRA said in a statement.

But the RCMP said in a statement Tuesday it asked the CRA to delay notifying the public about the breach when the revenue agency referred the matter to the Mounties on Friday.


#CyberFLASH: Heartbleed security bug: Canadian tax services back online


The Canada Revenue Agency says full service has been restored on all of its online systems as of Sunday.

A release from the CRA said that “individuals, businesses and representatives are now able to file returns, make payments, and access all other e-services available through the CRA’s website, including all our secure portals.”

“Our systems are back online. We apologize for the delay and the inconvenience it has caused to Canadians. That said, the delay was necessary. We could not allow these systems back online until we were fully confident they were safe and secure for Canadian taxpayers,” said CRA Commissioner Andrew Treusch.


#CyberFLASH: Heartbleed bug shows governments slow to react


The revelation Monday that the social insurance numbers of 900 Canadians were stolen from the website of the Canada Revenue Agency last week has raised yet more questions about the government’s response to the Heartbleed computer bug.

Researchers in Canada’s online security community say that the Heartbleed breach is evidence that government is often not as well equipped as private companies to detect and react quickly to online security threats.

The government “was really slow on this,” says Christopher Parsons, a post-doctoral fellow at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto.

“If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action. The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements.”


#CyberFLASH: Heartbleed bug highlights banks’ severe cyber security headaches


Shortly after news of the Heartbleed bug hit the media this week, the Canadian Bankers Association put out a statement declaring that their members were secure and that Canadians could rest easy. Their financial information was safe.

But while there is no question that banks in this country are sophisticated players that spend big money to ensure that their online systems are protected, they are far from impregnable.

Losses due to cybercrime have been on the rise for years in Canada, topping $3-billion in 2013, up from $1.4-billion the previous year, according to a report by Symantec Corp., the anti-virus software company. Financial institutions such as banks don’t generally disclose the cost of online crime on their operations, but observers say it is substantial.


#CyberFLASH: Federal government conducting system-wide checks for Heartbleed bug


Federal government departments are scouring their IT systems in the wake of revelations that the Canada Revenue Agency’s website may have been vulnerable to a computer bug that has threatened the security of websites around the world.

Jacques Gourde, parliamentary secretary to Prime Minister Stephen Harper, said officials are trying to verify whether the CRA’s system has been breached and whether other government departments are affected.

“I think that all information systems, not only in Canada but around the world, are doing that kind of verification.”

Gourde’s comments came after the Canada Revenue Agency announced early Wednesday that it had shut down a number of web-based services, including electronic tax return filing, following the realization that its information technology systems were vulnerable to the newly discovered Heartbleed bug.


#CyberFLASH: Police allege breach of trust by former McGuinty staffer over computer access


Dalton McGuinty’s last chief of staff got a deputy’s IT-savvy boyfriend “unrestricted” access to 24 employees’ computers in the premier’s office before and after Kathleen Wynne took power, alleges a search warrant request from an OPP officer probing deleted emails in the $1.1 billion scandal over cancelled power plants.

Before obtaining the access, chief of staff David Livingston told the executive assistant to Cabinet Secretary Peter Wallace of his intent to use a person from outside the Ontario Public Service to wipe out hard drives in the offices of the premier during the transition to Wynne’s government, the document alleges.

Information in the warrant application has not been tested in court.

Its approval cleared the way for the Ontario Provincial Police anti-rackets squad to take 24 computer hard drives from a Mississauga data storage warehouse, according to documents ordered unsealed Thursday by a judge in Ottawa at the Star’s request.


#CyberFLASH: Internet data routinely handed over without a warrant: Geist


The lawful access fight of 2012, which featured then-Public Safety Minister Vic Toews infamously claiming that the public could side with the government or with child pornographers, largely boiled down to public discomfort with warrantless access to Internet subscriber information. The government claimed that subscriber data such as name, address, and IP address was harmless information akin to data found in the phone book, but few were convinced and the bill was ultimately shelved in the face of widespread opposition.

The government resurrected the lawful access legislation last year as a cyber-bullying bill, but it has been careful to reassure concerned Canadians that the new powers are subject to court oversight. While it is true that Bill C-13 contains several new warrants that require court approval (albeit with a lower evidentiary standard), what the government fails to acknowledge is that telecom companies and Internet providers already hand over subscriber data hundreds of times every day without court oversight. In fact, newly released data suggests that the companies have established special databases that grant law enforcement quick access to subscriber information without a warrant for a small fee.


#CyberFLASH: Federal departments cite cyber-attacks among biggest risks


OTTAWA — Three years after hackers were found snooping around Treasury Board systems, a successful cyber-attack remains the biggest risk facing the department, according to a new report to Parliament.

And Treasury Board is not alone. IT security risks are mentioned in planning and priority reports for multiple departments as the federal government closes old data centres and modernizes an aging IT system that may not meet current security requirements.

Meanwhile, heavily censored incident reports give a glimpse of the environment departments are facing in the coming year. The reports, released under the access to information law to the Ottawa Citizen, show four instances between March 1 and July 31, 2013 in which hackers overwhelmed government servers with what’s called a “denial of service” attack.

In one case, an undisclosed government website was taken down. In another, a website was “intermittently inaccessible,” but no data were compromised. And in a July attack, public servants were cut off from their cloud computer.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.