Heartbleed bug's government impact may go far beyond Revenue Canada
A bold move to block the Canada Revenue Agency’s e-services amid worries about the massive security bug Heartbleed is but one "service disruption" to one artery of the internet.
But potentially more troubling, according to cybersecurity specialists, are the other online government services likely vulnerable to hackers seeking to exploit the newly detected security flaw.
"You can’t sugarcoat it. This is a big one," said Daniel Tobok, who heads the digital forensics and security division at Telus in Toronto.
"Financials could be targeted, big government organizations could be targeted, potentially military organizations could be targeted because they hold a lot of confidential data."
Security analysts noted that small snippets of user data from transactions involving banking information, electronic health records or insurance record transfers could be at risk of being scooped up by cybercriminals.
The problem can be traced to an oversight in the coding of one of the web’s most common security systems, OpenSSL. The CRA’s online services are among the millions of websites running the compromised "cryptographic software library," which is meant to encrypt web communications through email, instant messaging and VPN (virtual private network).
"And if the CRA uses that software, many other government organizations will have used it as well," said Raymond Vankrimpen, a cybersecurity expert with the financial advisory firm Richter.
"But it’s not the only vulnerability out there," he said. "There will be more to come…I don’t have an inventory of all the government websites and which versions of OpenSSL they might be using, but I can imagine it’s very widespread."
How widespread?
An estimated two-thirds of all of the world’s web servers use OpenSSL.
A simple error in the software’s Heartbeat extension — released two years ago — went undetected until just this week. The coding flaw leaves an opening for attackers to read sensitive data that users believe is being kept confidential by allowing them to recall bits from a server’s memory.
The ubiquity of OpenSSL poses a major challenge, as the security mechanism is already running on millions of computers, and beyond just government websites.
Rafal Rohozinsky, an Ottawa-based expert on cyber warfare and a senior fellow with the International Institute for Strategic Studies, likened the problem to a worldwide product recall.
"This is like finding out your airbags in your car don’t work. Every car that has an airbag will have the same problem," he said.
"Unlike a car recall that may affect you, your family and another 50,000 people who bought the same model, we’ve got two-thirds of humanity on the internet. That’s a pretty high volume."
Corporate websites would be just as susceptible, though the Canadian Bankers Association released a statement Wednesday assuring consumers that Heartbleed won’t threaten Canada’s banking websites.
Now that the Heartbleed vulnerability to the OpenSSL protocol has been exposed, Rohozinski believes hackers will build toolkits to steal passwords and other data.
As a precautionary measure, his own cyber-research consultancy, SecDev Group, closed off their VPN, which creates an encrypted tunnel for confidential communications.
"It’s better to pull down what we have right now in order to make sure that when we patch it, everybody has the same security," he reasoned.
Whether or not other government departments join the CRA’s lead by closing public access to their e-services depends on their security posture, Vankrimpen said.
The CRA’s case has another element of urgency, too, with the announcement coming at the height of the tax-filing deadline. Security is ever more critical given the volume of transactional tax data expected to be processed soon.
"The CRA has a very low appetite for risk, given especially the time of the season it is," Vankrimpen said. "By all accounts, they did the right thing, but each organization is going to be different. Some will be more proactive to install patches. They may have already done it and no one would have been the wiser, and they’re safe."
Following the tax agency’s announcement on Wednesday, Tobok said he has already fielded several calls from Canadian government officials asking what their departments should do.
"100 per cent, I’m advising them to go offline," he said.
"If them shutting down is necessary in order to recuperate or fix what we need to fix, and to guarantee that everybody’s private data is protected, why not do it?"
The response could be perceived as extreme, but it’s an appropriate precaution, said Seth Hardy, a senior security researcher with the Citizen Lab at the Munk School of Global Affairs at the University of Toronto.
"While it may be an inconvenience in tax season, until a patch is applied, there’s no way for users to use that service and be safe," he said.
There is some cause for concern due to the potential magnitude of the problem, Hardy said.
But while he agrees with the CRA’s move, he can’t envision a scenario in which all government websites running OpenSSL’s Heartbeat extension suddenly go offline in a co-ordinated decision.
"People might start panicking," he said. "I don’t think it’s a reasonable response for every government server to shut down all at the same time over this, but it is something that is an incredible risk and needs to be addressed as quickly as possible."
