# CRA online services shutdown



## balexis (Apr 4, 2009)

http://www.theglobeandmail.com/tech...vices-over-security-concerns/article17892916/

Major cryptography implementation flaw discovered in OpenSSL called Heartbleed forces CRA to shut down many online services for an undetermined duration: EFILE, NETFILE, My Account, My Business Account and Represent a Client.

CRA says:


> Please note that consideration will also be given to taxpayers who are unable to comply with their filing requirements because of this service interruption.


Alexis


----------



## balexis (Apr 4, 2009)

oops just saw this was already discussed here:
http://canadianmoneyforum.com/showthread.php/17870-Wow-this-IT-problem-real-Sounds-big-and-scary


----------



## Addy (Mar 12, 2010)

'Change every password everywhere': Heartbleed's threat to Web security

http://www.theglobeandmail.com/tech...ge-every-password-everywhere/article17892756/



balexis said:


> http://www.theglobeandmail.com/tech...vices-over-security-concerns/article17892916/
> 
> Major cryptography implementation flaw discovered in OpenSSL called Heartbleed forces CRA to shutdown many online services for an undetermined duration: EFILE, NETFILE, My Account, My Business Account and Represent a Client.
> 
> ...


----------



## sags (May 15, 2010)

I read about this virus on the bitcoin forums, as it set off a bit of a panic when people noticed their coins being withdrawn.

It is a good illustration of the inherent risk of any form of digital currency, and personal information.

The internet is not a "safe and secure" medium for financial affairs or personal privacy.......never was and never will be.


----------



## jamesbe (May 8, 2010)

Just found this out when I went to pay my HST. So I can't pay, I guess I'm screwed not the gov of course.


----------



## carverman (Nov 8, 2010)

sags said:


> I read about this *virus* on the bitcoin forums, as it set off a bit of a panic when people noticed their coins being withdrawn.
> 
> It is a good illustration of the inherent risk of any form of digital currency, and personal information.
> 
> The internet is not a "safe and secure" medium for financial affairs or personal privacy.......never was and never will be.


It's not a virus. It is a BUG (flaw) in the OpenSSL protocols that has been around (according to some sources) for about 2 years. All of a sudden more people know about it and patches are being applied to any server where the secure link can be breached by hackers.



> Don't be shy about reaching out to small businesses that have your data to make sure they are secure. While the high-profile companies like Yahoo and Imgur certainly know about the problem, small businesses might not even be aware of it, said TrustWave's Miller. Be proactive about making sure your information is safe.
> 
> Keep a close eye on financial statements for the next few days. Because attackers can access a server's memory for credit card information,
> it wouldn't hurt to be on the lookout for unfamiliar charges on your bank statements.





> What versions of the OpenSSL are affected?
> 
> Status of different versions:
> 
> ...


http://heartbleed.com/


----------



## Rysto (Nov 22, 2010)

carverman said:


> It's not a virus. It is a BUG (flaw) in the OpenSSL protocols that has been around (according to some sources) for about 2 years. All of a sudden more people know about it and patches are being applied to any server where the secure link can be breached by hackers.


The bug was introduced 2 years ago -- by which I mean, the code with the bug was written and released 2 years ago. It remained undetected for the past 2 years to the best of our knowledge. Of course, any nefarious persons (NSA, hackers, etc.) could have secretly discovered it and have been using it in that time, which is why it is strongly recommended that people change their passwords on affected sites.


----------



## balexis (Apr 4, 2009)

To be exact, it is a bug in OpenSSL, which is one of the many implementations of the SSL protocol. It is not a flaw in the SSL protocol itself. The problem is that OpenSSL is the most popular implementation of SSL in production.


----------



## Westerncanada (Nov 11, 2013)

Any word on when this will be reopened? My taxes are waiting in NETFILE and not yet sent.


----------



## Guban (Jul 5, 2011)

I read Saturday. Oh wait, that's today! Maybe they meant next Saturday? Or the next?

I hope that CRA will take this into consideration near the end of April at the deadline.


----------



## GoldStone (Mar 6, 2011)

C'mon, they provide status updates right on their home page. 

http://www.cra-arc.gc.ca/menu-eng.html


----------



## HaroldCrump (Jun 10, 2009)

Most of the banks and brokerages have come out and said their SSL is safe.
Even cheapster Questrade is safe.
So why are all the Govt. of Canada websites vulnerable?
Why is the GOC not using the same security as the banks and brokerages?
Aren't we paying the CRA enough, that they need to cheap out on IT costs?


----------



## Westerncanada (Nov 11, 2013)

GoldStone said:


> C'mon, they provide status updates right on their home page.
> 
> http://www.cra-arc.gc.ca/menu-eng.html


Yeah I saw this as well but still listed as sometime over the weekend.. haven't heard confirmation they are open yet.


----------



## Ihatetaxes (May 5, 2010)

Got my tax refund direct deposited Friday night... Glad that isn't shut down.


----------



## fatcat (Nov 11, 2009)

HaroldCrump said:


> Most of the banks and brokerages have come out and said their SSL is safe.
> Even cheapster Questrade is safe.
> So why are all the Govt. of Canada websites vulnerable?
> Why is the GOC not using the same security as the banks and brokerages?
> Aren't we paying the CRA enough, that they need to cheap out on IT costs?


oh come on harold, you of all people should be happy they are using open-source and thus no licensing costs software :biggrin:


----------



## GoldStone (Mar 6, 2011)

CRA services are back online. Filing deadline extended until May 5th.

http://www.cra-arc.gc.ca/menu-eng.html


----------



## Guban (Jul 5, 2011)

Thanks Goldstone! I guess they weren't too far off when they called for a Saturday fix after all. 

The extended deadline will be appreciated by many.


----------



## Addy (Mar 12, 2010)

HaroldCrump said:


> Aren't we paying the CRA enough, that they need to cheap out on IT costs?


Judging by the staff layoffs they have been doing over the past few years, it seems we don't pay them enough. One good thing, tax evasion may become easier and easier for any of us who wish to try.


----------



## HaroldCrump (Jun 10, 2009)

CRA is reporting that 900 SIN numbers were stolen from the website.
http://www.680news.com/2014/04/14/900-sin-numbers-stolen-from-cra-website-tax-agency-says/

As I said, I find it perplexing that the GOC is using open source products on such highly sensitive websites, esp. when most of the other Canadian FIs are clearly using superior products.
The CRA website is just about the most sensitive website the GOC probably has - they could have used a superior product in this case.


----------



## bgc_fan (Apr 5, 2009)

You realize that it's likely that other FIs are actually based on OpenSSL right? It's pretty much the standard throughout, which is why it was such a big issue. It's likely that they had been using the older version that wasn't affected. And if you think it's because it's open source that it's vulnerable, keep in mind all the other alternatives are open source.


----------



## off.by.10 (Mar 16, 2014)

HaroldCrump said:


> As I said, I find it perplexing that the GOC is using open source products on such highly sensitive websites, esp. when most of the other Canadian FIs are clearly using superior products.
> The CRA website is just about the most sensitive website the GOC probably has - they could have used a superior product in this case.


How do you know they are using superior products? They might just be using an unaffected version of the same software or using something different for which the flaws are not known (yet). There's no clearly better solution here and this likely won't be the last problem of its kind.


----------



## HaroldCrump (Jun 10, 2009)

bgc_fan said:


> You realize that it's likely that other FIs are actually based on OpenSSL right? It's pretty much the standard throughout
> ...
> And if you think it's because it's open source that it's vulnerable, keep in mind all the other alternatives are open source.


Microsoft Windows based SSL/TLS is said to be immune to this problem.
This probably indicates that CRA and other GOC websites are running on Apache or some other similar, open-source platforms.


----------



## bgc_fan (Apr 5, 2009)

HaroldCrump said:


> Microsoft Windows based SSL/TLS is said to be immune to this problem.
> This probably indicates that CRA and other GOC websites are running on Apache or some other similar, open-source platforms.


That's not quite true, as you could be running an OpenSSL implementation on a MS server. As well, you can take a look through some MS advisories where you'll see similar problems. You can run through Netcraft to see what servers the FIs are using. It's generally a mix of Apache on various platforms with the odd MS server.


----------



## carverman (Nov 8, 2010)

CRA are saying this morning that 900 SINs and perhaps more have been stolen due to the security flaw caused by the Heartbleed bug.
Wonder what they are going to do about it. Re-issue new SIN numbers and link those to the previous SIN under which people filed their online taxes?
A bit of a mess to be sure....

> "Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," the CRA said. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."
> The agency says those affected will be contacted via registered letters, and that any attempts to contact a taxpayer via email or telephone are fraudulent.

900 registered letters..does CRA pay regular registered mail postage on those... it's full price ($35.10 now) for a priority one envelope..that's $31,590 it's going to cost CRA..and does CRA pay GST on top of that?


----------



## Beaver101 (Nov 14, 2011)

carverman said:


> ...
> 
> 900 registered letters..does CRA pay regular registered mail postage on those... it's full price ($35.10 now) for a priority one envelope..that's $31,590 it's going to cost CRA..*and does CRA pay GST on top of that*?


 ... :biggrin: 

Back to regular programming/the topic .. this is serious.


----------



## bgc_fan (Apr 5, 2009)

Beaver101 said:


> ... :biggrin:
> 
> Back to regular programming/the topic .. this is serious.


I don't think government agencies pay GST.


----------



## carverman (Nov 8, 2010)

Beaver101 said:


> ... :biggrin:
> 
> Back to regular programming/the topic .. this is serious.


Just heard that CRA will pay for identity theft protection services for those affected. This could end up costing CRA much more than the registered letter to those affected.


----------



## HaroldCrump (Jun 10, 2009)

Now they are saying that the 900 SINs stolen are from Saskatchewan.
I wonder how the hacker managed to target SK specifically via a bug in the SSL.

And there are actually 900 people in Saskatchewan, who knew :rolleyes2:


----------



## carverman (Nov 8, 2010)

HaroldCrump said:


> Now they are saying that the 900 SINs stolen are from Saskatchewan.
> I wonder how the hacker managed to target SK specifically via a bug in the SSL.
> 
> And there are actually 900 people in Saskatchewan, who knew :rolleyes2:


Looks like the CRA office handling returns in Regina has been closed down for good. Surrey BC is the CRA office handling the paper and efile returns for Saskatchewan.
Interesting that it affected all 900 of those in Saskatchewan.


----------



## fatcat (Nov 11, 2009)

HaroldCrump said:


> Microsoft Windows based SSL/TLS is said to be immune to this problem.
> This probably indicates that CRA and other GOC websites are running on Apache or some other similar, open-source platforms.


oh goodness harold ... windows ? security flaws ? .... windows _never_ has security flaws ... do they ? :rolleyes2:



> Now they are saying that the 900 SINs stolen are from Saskatchewan.
> I wonder how the hacker managed to target SK specifically via a bug in the SSL.


 tigercat fans ?


----------



## carverman (Nov 8, 2010)

fatcat said:


> oh goodness harold ... windows ? security flaws ? .... windows _never_ has security flaws ... do they ?


CRA was slow to react, now they are faced with the dilemma of dealing with compromised SINs and possibly other personal information of taxpayers. If cyber criminals actually make use of these 900+ SIN numbers and sell them to other cyber criminals to secure credit cards and other identity stealing moves...can you see a class action lawsuit coming up against the gov't?

More on the heartbleed bug. 
http://readwrite.com/2014/04/14/heartbleed-myths-debunked-fact-fiction#awesm=~oBvPBu2vJvEY9h


----------



## carverman (Nov 8, 2010)

> The Mounties said in a statement Tuesday that they asked the CRA not to tell the public Friday about the Heartbleed breach so they could investigate a "viable" path.
> The CRA spent days patching a hole in its security that allowed hackers to steal information without leaving a trace. The Heartbleed bug affected servers around the world.

Apparently the Mounties have "ID'd" the suspect. Is this a planned arrangement to catch a thief?


----------



## gardner (Feb 13, 2014)

carverman said:


> CRA was slow to react


I think that is too harsh. They likely found out about Heartbleed the same time the general public did, on Tuesday the 8th and they had their servers down later that day. It probably took them a few hours to decide whether any of their servers was vulnerable and assess the risk of shutting down versus not. To act as quickly as they did is a feat for such a large org.

Since exploitation of Heartbleed is totally silent and leaves no logs or paper trail, their guess about whether it was in fact exploited would likely be based on secondary information such as IDS logs which might give a kind of vaguely useful indication. During the hours after the bug was generally known publicly, thousands of people began -- not improperly -- checking to see if services they use or rely on were vulnerable to it. From the perspective of a server operator "checking" is entirely indistinguishable from "exploiting", so even in the best case, knowledge of whether exploitation occurred is imperfect. The "900+ SIN numbers" are probably the 900-odd users who logs indicate were legitimately accessing the CRA server in question, at the time that the maybe, possibly exploitation might possibly have been happening. That would not by any means be a concrete record of the exact ones that were definitely leaked -- just a worst-case estimate.

If you look at the certs on the CRA secure web sites you can see that they were issued on 9-Apr, the very next day, meaning that they were as diligent as could possibly be expected in revoking and re-issuing their certs.

The claim that they referred something to the RCMP, I think, is likely a smokescreen. The fact is that this Heartbleed issue is a big deal and there is a lot of uncertainty everywhere -- not just at the CRA -- as to whether, how and when it might have been exploited and just what the ongoing risks might be. The bug existed for years and may have been deployed at various servers for many months. Nobody -- CRA included -- likely has any basis to prove what was or wasn't at risk in that time, and no real desire to explain the complexities to a questioning public thirsting for simple, absolute assurances.


----------



## james4beach (Nov 15, 2012)

As someone who works in digital security, I think CRA and the security agencies' response was actually quite fast.

The government's "lead security agencies" do, in fact, have the resources to determine that a compromise occurred so I would take it seriously if they say these numbers were compromised.


----------



## fatcat (Nov 11, 2009)

i agree with james, the cra has been sort of a model of how to properly respond ..
stealing sins is nothing, people's trust possibly gave away my whole gic application

you wonder whether eventually the credit bureaus are going to have fraud alerts on everyone in the entire country


----------



## carverman (Nov 8, 2010)

19-year-old man in London, Ontario charged for infiltrating the CRA website and stealing the SINs.



> The fact police were able to follow the trail back to the alleged hacker — let alone so quickly — speaks to his level of experience, says an Internet security expert.
> "They were not a very sophisticated attacker. Any attacker worth their salt would have been covering their track a lot better than that," said a spokesperson at the software security firm Trend Micro.


----------



## Nemo2 (Mar 1, 2012)

So.....an 'unsophisticated' attacker was able to get into the CRA site and purloin SINs........_that's_ very reassuring.


----------



## Rysto (Nov 22, 2010)

Nemo2 said:


> So.....an 'unsophisticated' attacker was able to get into the CRA site and purloin SINs........_that's_ very reassuring.


That is what makes Heartbleed such a big deal. It's trivial to exploit it.


----------



## carverman (Nov 8, 2010)

Nemo2 said:


> So.....an 'unsophisticated' attacker was able to get into the CRA site and purloin SINs........_that's_ very reassuring.


He's a Western (Ont) University comp-sci student. His father is a prof there. So the kid knew enough about the OpenSSL layer to hack into the CRA account. He's been charged with computer mischief. You would think that after stealing 900 SIN numbers, there would be a more serious charge, but apparently not. Being a student, he may get off with just some kind of slap on the wrist, suspended sentence to complete his studies and work for the CSIS or maybe NSA..but if he gets any kind of criminal record, he may not be able to get into the US.

Still the big question remains..what was he going to do with these 900 SIN numbers..and is there anyone else involved in the background that was willing to pay him for printing off 900 SIN numbers?


----------



## Nemo2 (Mar 1, 2012)

^ Almost 30 years ago I read _The Cuckoo's Egg_ http://en.wikipedia.org/wiki/The_Cuckoo's_Egg and this incident (plus others) brought the book to mind.........i.e. who else is/might be involved, and who is/was asleep at the wheel?


----------



## carverman (Nov 8, 2010)

Nemo2 said:


> ^ Almost 30 years ago I read _The Cuckoo's Egg_ http://en.wikipedia.org/wiki/The_Cuckoo's_Egg and this incident (plus others) brought the book to mind.........i.e. who else is/might be involved, and who is/was asleep at the wheel?


There was a movie called Hackers. And someone wrote the hacker manifesto...a creed for all hackers. And there is the evolution aspect of a hacker from a bored computer specialist to a mastermind criminal.



> It is considered a cornerstone of hacker culture, and it gives some insight into the psychology of early hackers. It is said to have shaped the hacker community's view of itself and its motivations. The Manifesto states that *hackers choose to hack because it is a way for them to learn, and because they are often frustrated and bored by the limitations of standard society*. It also expresses the satori of a hacker realizing his potential in the realm of computers.


http://en.wikipedia.org/wiki/Hacker_(computer_security)


----------



## Nemo2 (Mar 1, 2012)

^ I have now increased my (limited) vocabulary. :encouragement:


----------



## Beaver101 (Nov 14, 2011)

In a way, the IT industry should thank that boy-genius-Heartbleed-hacker (who came up with the name Heartbleed anyways?) for bringing out this bug. The masses certainly didn't know...


----------



## andrewf (Mar 1, 2010)

Hacking in the common usage refers to malicious hacking. Enthusiasts are trying to 'take the word back' and turn hacking into a positive force as well, meaning to attack a problem with software (or even more generally with any technical solution). I think this is a bit misguided, because outside of that subculture, hacking continues to have strong negative connotations.


----------



## bgc_fan (Apr 5, 2009)

andrewf said:


> Hacking in the common usage refers to malicious hacking. Enthusiasts are trying to 'take the word back' and turn hacking into a positive force as well, meaning to attack a problem with software (or even more generally with any technical solution). I think this is a bit misguided, because outside of that subculture, hacking continues to have strong negative connotations.


Hacking did not originally have a negative connotation. It was Cracking that was the negative and hacking just meant hobbyists doing their thing. The problem is that cracking never really made it mainstream.


----------



## PoolAndRapid (Dec 3, 2013)

..


----------



## carverman (Nov 8, 2010)

Beaver101 said:


> In a way, the IT industry should thank that boy-genius-Heartbleed-hacker (who came up with the name Heartbleed anyways?) for bringing out this bug. The masses certainly didn't know...


Well since you asked.....:biggrin:

From what I have been able to gather about this bug..the internet is packetized communication done through several layers of implementation.
The actual implementation is very complicated but this is what happens around this software bug: The *"Heartbleed" name* comes from the fact that the *"heartbeat response"* once compromised by a hacker..allows all kinds of secure data to be accessed by the hacker. It is like a damaged heart being allowed to bleed out.

T.L.S. is TRANSPORT LAYER SECURITY. 



> Heartbleed is a bug in OpenSSL’s implementation of a small part of the *T.L.S. protocol, called the heartbeat extension.* A *“heartbeat,” in this context, is like the “beep… beep…” of a hospital heart monitor: a quick way to check that the other end of a secure connection is still there*. One side sends the other side a small piece of data, up to sixty-five kilobytes long, along with a number indicating the size of the data that has been sent. The other side is supposed to send back the exact same piece of data to confirm that the connection is still active. Unfortunately, in OpenSSL the replying side looks at the stated size of the data rather than at the actual size, and *it always sends back the amount of data that the request asked for, no matter how much was sent.* *This means that if the stated amount of data is more than the amount actually provided, the response contains the data that was sent plus however much additional data, drawn from the contents of the computer’s system memory, is required to match the amount requested*.





> Here is why this is so bad: the heartbeat response can contain up to sixty-four kilobytes of whatever data happens to be in the server’s random access memory at the moment the request arrives. There is no way to predict what that memory will contain, but system memory routinely contains login names, passwords, secure certificates, and access tokens of all kinds
> ...





> An attacker who steals cryptographic keys could use them to decode and read encrypted data that had previously been intercepted; an attacker who steals certificates could use them to mimic a secure site and to intercept communications. In other words, your browser could be tricked into thinking that it’s connected securely to your bank and instead be connected to an intermediary that can read all the data flowing back and forth.
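
As an added illustration (not from the article quoted above and not OpenSSL's own code), here is a toy Python model of the heartbeat record described in that quote: the pre-fix handler that trusts the stated length beside the patched handler that checks it against the bytes actually received. The record layout follows RFC 6520 (type, two-byte length, payload, 16 bytes of padding); the "neighbour memory" bytes are constructed for the demo and stand in for whatever else a server happens to hold in RAM.

```python
"""Toy model of the TLS heartbeat extension length check (Heartbleed).

No network I/O and no real OpenSSL: the point is to show why a reply
built from the *claimed* payload length leaks adjacent memory, and what
the corrected check looks like.
"""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for whatever the server has in RAM right after the
# received record (in a real process this is arbitrary heap contents).
NEIGHBOUR_MEMORY = b"session_cookie=abc123; user=alice; "


def build_request(payload: bytes, claimed_len: int) -> bytes:
    """Encode a heartbeat request; claimed_len may differ from len(payload)."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_respond(record: bytes, neighbour: bytes = NEIGHBOUR_MEMORY) -> bytes:
    """Pre-fix behaviour: copies claimed_len bytes starting at the payload,
    whether or not that many bytes were actually received."""
    _, claimed_len = struct.unpack("!BH", record[:3])
    memory = record + neighbour          # the record followed by adjacent data
    echoed = memory[3:3 + claimed_len]   # over-reads into the neighbour bytes
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING_LEN


def fixed_respond(record: bytes) -> Optional[bytes]:
    """Patched behaviour: type + length + payload + padding must fit inside
    the received record; otherwise the request is silently discarded,
    which is what the OpenSSL fix does."""
    if len(record) < 1 + 2 + PADDING_LEN:
        return None
    hb_type, claimed_len = struct.unpack("!BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_len + PADDING_LEN > len(record):
        return None
    echoed = record[3:3 + claimed_len]   # can no longer run past the record
    return struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + echoed + b"\x00" * PADDING_LEN


def response_payload(response: bytes) -> bytes:
    """Extract the echoed bytes from a heartbeat response."""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n]


if __name__ == "__main__":
    honest = build_request(b"ping", 4)
    lying = build_request(b"ping", 40)   # claims 40 bytes, actually sends 4
    print("honest request, old handler:", response_payload(vulnerable_respond(honest)))
    print("lying request, old handler: ", response_payload(vulnerable_respond(lying)))
    print("lying request, new handler: ", fixed_respond(lying))
```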


----------



## carverman (Nov 8, 2010)

PoolAndRapid said:


> As for the Ottawa script kiddie that got nabbed, he is anything but a 'boy-genius-Heartbleed-hacker'. What he did is analogous to an inside trader exploiting his knowledge before anyone else could and then walking around with a sign on his forehead that said 'I illegally used inside trading information, arrest me please'.


LoL: He forgot that on the Internet, each computer has a unique IP address and goes through specific serving routers before it goes out on the WWW. The cyber crime police have the computers and expertise to decode where the attack came from and can trace it back through the ISP right back to the perpetrator's computer in most cases..unless the perpetrator is very sophisticated.
This is why the cyber cops can eventually trace back a kiddie porn user or other types of illegal activity right to the perpetrator's computer using NAP (network access points).

More on it here:
http://www.stanford.edu/class/msande91si/www-spr04/readings/week1/InternetWhitepaper.htm


----------



## balexis (Apr 4, 2009)

An oversimplified explanation of the bug by XKCD: 

http://xkcd.com/1354/


----------



## cainvest (May 1, 2013)

carverman said:


> and expertise to decode where the attack came from and can trace it back through the ISP right back to the perpetrator's computer in most cases..unless the perpetrator is very sophisticated.


Actually it's not all that hard to cover your tracks nowadays, pretty easy if you have some basic networking knowledge. Scary times ...


----------



## Eclectic12 (Oct 20, 2010)

Nemo2 said:


> So.....an 'unsophisticated' attacker was able to get into the CRA site and purloin SINs........_that's_ very reassuring.


You mean like when my co-worker had his bank account cleaned out while he was visiting relatives in Columbia and the bank said it happens to *every* branch for at least one account a month?


Cheers


----------



## Eclectic12 (Oct 20, 2010)

carverman said:


> There was a movie called Hackers. And someone wrote the hacker manifesto...a creed for all hackers. And there is the evolution aspect of a hacker from a bored computer specialist to a mastermind criminal ...


Actually - in the original usage, the hacker was breaking security for the challenge or to improve the system. A hacker would not steal anything or destroy anything.

A cracker on the other hand - would.

http://en.wikipedia.org/wiki/Hacker_(term)


Unfortunately - the media has made the two the same thing in the public's mind.


Cheers


----------



## Eclectic12 (Oct 20, 2010)

Nemo2 said:


> ^ Almost 30 years ago I read _The Cuckoo's Egg_ http://en.wikipedia.org/wiki/The_Cuckoo's_Egg and this incident (plus others) brought the book to mind.........i.e. who else is/might be involved, and who is/was asleep at the wheel?


It's the same as when people find out how fraud that could be stopped with a holding period and a letter happens where the original owner can take years to regain their property. The public wants to believe there are groups looking out for the general good but the system isn't set up that way or groups get lost in their speciality.

In the case of _The Cuckoo's Egg_, as I recall, the FBI had jurisdiction but as there was no cash obviously involved over $5K, they weren't interested. The computer security group wanted to know the methods used but weren't all that interested as they already knew about them. The CIA was interested but wasn't allowed to operate on domestic US soil.

Bottom line is that there's lots of loopholes.


Cheers


----------

