BILL CURRY and TU THANH HA
OTTAWA and TORONTO — The Globe and Mail
A major cybersecurity flaw that exposes encrypted information to hackers has forced the Canada Revenue Agency to shut down its filing system and push back the deadline for online returns.
The flaw, which is known as Heartbleed and affects systems that are designed to protect sensitive information, has major websites around the world rushing to patch a hole that leaves users’ passwords vulnerable to exploitation.
The CRA shut down its online services on Tuesday evening, just three weeks before the April 30 tax deadline, and is not planning to restore public access until at least the weekend. For taxpayers, the penalty-free deadline will be pushed back for as long as the shutdown.
The CRA said the move was considered precautionary, because there is no evidence of a breach.
Heartbleed, however, is particularly vexing to security experts because it allows hackers to slip in and out of the Internet’s most deeply encrypted systems without leaving a trace. The flaw had gone undetected for more than two years, until it was revealed this week.
So far, computer experts have found no proof that anyone has exploited the flaw to steal information. But given that hundreds of thousands of web servers use the technology affected by Heartbleed, the risk is massive.
“It’s all about potential,” said Gerry Egan, senior director of product management at Symantec. He said that many large sites, including banks, use the vulnerable software.
Many popular websites – including Yahoo and Tumblr – confirmed they were affected and are implementing a fix. A statement posted by staff of Tumblr, a blog-sharing site, put the situation in clear terms.
“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue. But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” they said. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like e-mail, file storage, and banking, which may have been compromised by this bug.”
Canadian banks and credit unions said Wednesday that their online banking sites were not affected. The U.S. Internal Revenue Service, where Americans must file their taxes by April 15, also said it was not affected by the bug.
Mr. Egan said most large companies and websites have the resources to quickly fix the bug, but the greater problem lies in smaller sites that don’t get around to fixing it. If a user employs the same log-in information for one of those sites as they do for their online banking account, for example, their security could be compromised regardless of what the bank’s IT department does.
“Imagine you had a master key for your front door, your car, your office,” said Mr. Egan. “It’s really convenient, but if you lose the key and someone finds it, now you’re in trouble.”
Other federal departments in Canada were reviewing whether they should take specific measures in response to the bug.
Numerous respected experts in cybersecurity stressed that Heartbleed should not be taken lightly.
“‘Catastrophic’ is the right word. On a scale of 1 to 10, this is an 11,” wrote Bruce Schneier, an author and fellow at Harvard’s Berkman Center for Internet and Society, on his blog.
The federal government is likely going through its inventory of servers to decide which websites need to be dealt with first, said cybersecurity expert Raymond Vankrimpen. “They’ve obviously identified this CRA website as a critical one to take offline. But I have no doubt that there are other government websites that use SSL technology,” said Mr. Vankrimpen, a partner at the financial advisory firm Richter.
“They’re probably triaging everything.”
The Heartbleed bug affects a widely used cryptographic library called OpenSSL, and specifically OpenSSL’s implementation of the TLS heartbeat extension defined in RFC 6520.
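For readers who want to see what the heartbeat defect looks like in code, the following is an added illustration written for this piece, not code from the article or from OpenSSL: a simplified responder for RFC 6520 heartbeat records in which the peer’s claimed payload length is either trusted or checked against the record that actually arrived. The buffer contents, the "secret" bytes and the function names are constructed for the demonstration.

```c
/* Added example, not from the article or from OpenSSL: a simplified TLS
 * heartbeat responder showing the bounds check Heartbleed lacked.
 * RFC 6520 record: type(1) | payload_length(2) | payload | padding(>=16). */
#include <stddef.h>
#include <string.h>
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Write a response into out; return its length or -1 if rejected.
 * With check_bounds == 0 the peer's claimed payload_length is trusted,
 * the defect behind Heartbleed: memcpy reads past the request and echoes
 * whatever happens to follow it in memory. */
static int hb_respond(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: header + claimed payload + padding must fit in the record
     * actually received, otherwise drop it silently. */
    if (check_bounds && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);         /* over-read when unchecked */
    memset(out + 3 + payload, 0, HB_PADDING);  /* OpenSSL pads with random bytes */
    return (int)resp_len;
}
/* Constructed scenario: a 23-byte request (4-byte payload + 16 padding) is
 * followed, in the same array, by other session data standing in for
 * neighbouring heap memory, so the demo never reads outside a valid object. */
#define REQ_LEN 23
static const unsigned char conn_buf[64] = {
    HB_REQUEST, 0x00, 0x28, 'p', 'i', 'n', 'g',   /* claims 40 bytes, sent 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    'S','E','C','R','E','T','-','S','E','S','S','I','O','N','-','K','E','Y' };
static const unsigned char honest_req[REQ_LEN] = { HB_REQUEST, 0x00, 0x04, 'p','i','n','g' };
/* 1 if the unchecked responder echoed the neighbouring "secret" bytes. */
int demo_leak(void) {
    unsigned char out[64];
    int n = hb_respond(conn_buf, REQ_LEN, out, sizeof out, 0);
    return n == 59 && memcmp(out + 23, "SECRET-SESSION-KEY", 18) == 0;
}
/* With the check, the same over-claimed request is rejected (-1)... */
int demo_rejected(void) { unsigned char o[64]; return hb_respond(conn_buf, REQ_LEN, o, sizeof o, 1); }
/* ...while an honest request is still answered with 1 + 2 + 4 + 16 = 23 bytes. */
int demo_honest(void) { unsigned char o[64]; return hb_respond(honest_req, REQ_LEN, o, sizeof o, 1); }
```

The three `demo_*` functions return 1, -1 and 23 respectively, which is the whole difference the patch made: the same bytes on the wire either echo neighbouring memory or are discarded.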
The Ontario government confirmed that it uses OpenSSL, but it said it has not found that any information is at risk of getting hacked as a result of Heartbleed.
“As of right now, we have not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government,” said Jenna Mannone, a spokeswoman for Government Services Minister John Milloy, whose ministry oversees the collection of information for such things as health cards and drivers’ licences.
The online services affected by the temporary CRA shutdown include EFILE, NETFILE and My Account, which taxpayers would normally access to track their refund or check their RRSP limit.
With reports from Omar El Akkad