CSEC aware of Heartbleed bug day before CRA website shutdown

Communications Security Establishment Canada says it learned of the Heartbleed bug a full day before a federal government public warning went out and parts of the Canada Revenue Agency website were temporarily shut down.

CSEC, the government agency responsible for cybersecurity, told CBC News Wednesday that it learned of the Heartbleed vulnerability in server encryption software "at the same time as the global IT security community."

An advisory about the bug in OpenSSL encryption software was posted globally on Monday, April 7. The U.S. Department of Homeland Security also issued a warning about the vulnerability on April 7.

Yet the Canada Revenue Agency's website was not temporarily shut down until late Tuesday night, once Public Safety Canada had posted a public notice that there were security concerns.

On Monday, April 14, the CRA said it had been "notified by the Government of Canada's lead security agencies" that 900 social insurance numbers had been "removed" from its website in a malicious breach of taxpayer data that occurred over a six-hour period and that exploited the Heartbleed flaw.

In a statement on its website, the CRA also said other "fragments of data" that related to businesses "may also have been removed."

The RCMP announced the arrest of a 19-year-old London, Ont. university student in the case on Wednesday. Stephen Solis-Reyes faces one count of unauthorized use of a computer and one count of mischief in relation to data.

Part of CSEC's mandate, as written on its website, "is to provide advice, guidance and services to help protect electronic information and of information infrastructures of importance to the Government of Canada."

When asked whether CSEC alerted CRA to the bug, the spy agency said: "CSE's IT Security team has been assessing the impact of the vulnerability on government networks, and we have been advising government departments on mitigation and protection measures to address the Heartbleed bug."

CSEC also went on to say that it works with its government partners to defend networks and mitigate potential damage.

The notice from Public Safety on April 8 was issued by the Canadian Cyber Incident Response Centre, another federal agency that "works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government."

A subsequent notice on the Public Safety Canada website is warning of email scams, known as "phishing," that have sought to exploit media reports about the Heartbleed bug. The department warns Canadians not to click on links in emails that ask them to update internet passwords. Instead, visit sites for which you have accounts directly in your web browser to make changes to your password.