The Canadian Revenue Agency (CRA) said on its website it is working to restore service to Canadians as soon as possible.
Researchers have pushed out a fix for the security flaw, which affects as many as two-thirds of all Internet servers, including the agency’s.
“As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold,” the agency said in the alert on its website Wednesday.
The affected services include EFILE, NETFILE, My Account, My Business Account and Represent a Client.
“This is international virus and we’re trying to get to the bottom of it,” Finance Minister Joe Oliver told reporters Wednesday.
The CRA said it is working to restore safe and secure access as soon as possible and promises daily updates at 3 p.m. EST.
This is a busy time of year for the tax agency, as people file returns electronically and track the progress of refunds online.
As of the end of March, the agency had received 6.7 million returns, with 84% filed electronically.
The CRA acknowledged the inconvenience of the service outage and said “consideration will also be given to taxpayers who are unable to comply with their filing requirements because of this service interruption.”
The bug was found to exist in software known as OpenSSL, one of the most common technologies used to secure Web data, and lets attackers not only eavesdrop on “secure” communications, but also potentially gain access to the very encryption keys being used to establish secure connections.
The bug was discovered independently by Neel Mehta of Google Security and a team of security engineers at computer security firm Codenomicon.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” reads a post on Heartbleed.com, a site established by Codenomicon.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Researchers say the Heartbleed bug could affect thousands of Web and email servers around the world, and one of the largest sites to be affected by the bug is Yahoo.com. (On Tuesday afternoon, Yahoo’s official corporate Twitter feed said the company had fixed the vulnerability across its main properties and was working to secure its entire platform.)
“This is an instance of a security service having the potential of being 100% compromised,” said Seth Hardy, senior security researcher at The Citizen Lab, a cybersecurity research lab based out of the University of Toronto.
“So any time that you’re doing something and you see the lock icon in the corner [of your browser] and you think everything is safe and then you do something like banking or send personal information, it is not automatically guaranteed to be completely broken, but there is a possibility … to give complete compromise of all of that confidentiality and privacy.”
With files from Matt Hartley.