Printed from http://www.electronista.com

Heartbleed facilitates identity theft from Canada Revenue Agency

updated 02:58 pm EDT, Mon April 14, 2014

900 taxpayers lose social insurance numbers to OpenSSL flaw

Canada's tax administration has reported that around 900 people have had personal data stolen by attackers exploiting the Heartbleed bug. The stolen data includes social insurance numbers (similar to Social Security numbers in the US), and potentially other data. The breach is the first to point directly at the Heartbleed bug as the main vector of attack.

The Heartbleed bug has existed since March 2013, and puts at risk not only the contents of encrypted online communications, but also the SSL keys used in the transmission. Heartbleed appears in the widely-available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers.

Heartbleed allows attackers to reveal credit card details in a transaction over HTTPS by exploiting the contents of RAM. The issue is severe enough that the SSL keys could potentially be used to enter a server without leaving any sign of an intrusion. Many major services are either immune to the attack, or have since patched the flaw -- but smaller services, and some hardware, remain susceptible.

Security firm Cybereason's chief executive Lior Div said of the attack that "we are in a race. People who hadn't thought about using this type of attack will use it now." Div believes that the simplicity of the attack will allow "unsophisticated hackers" to utilize publicly-accessible tools.

Regarding the breach, the Canada Revenue Agency claimed that "we are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed." The service was shut down on Wednesday, in the middle of tax season. The CRA claims that no other attacks were made before or after the Heartbleed attack.



By Electronista Staff

Comments

  1. dxtr

    Fresh-Faced Recruit

    Joined: 10-30-08

    How could they know this if Heartbleed leaves no trace?
    What fragments could they find or hope to "analyze" if, wait for it, ... "Heartbleed leaves no trace"? Does this mean something different in Canada?

  1. shawnde

    Fresh-Faced Recruit

    Joined: 04-01-08

    No, it means that the CRA simply doesn't know what it's doing .... which is par for the course .... they're a clueless government entity just like the rest. I'll bet that the server was running on some old Pentium Box under a clerk's desk :-)
