Heartbleed bug shows governments slow to react - Action News

Researchers in Canada's online security community say that the Heartbleed breach is evidence that government is often not as well equipped as private companies to detect and react quickly to online security threats.

The revelation Monday that the social insurance numbers of 900 Canadians were stolen from the website of the Canada Revenue Agency last week has raised yet more questions about the government's response to the Heartbleed computer bug.

The government "was really slow on this," says Christopher Parsons, a post-doctoral fellow at the Citizen Lab at the Munk School of Global Affairs at the University of Toronto.

"If you look at Yahoo, it had begun updating its security practices prior to the CRA fully taking action. The same thing with other larger companies. As soon as they saw what was going on, they immediately reacted and issued public statements."

Heartbleed (CVE-2014-0160) is a hole in OpenSSL, the open-source library that implements the TLS encryption used by an estimated two-thirds of sites on the web. Its existence was first widely revealed on April 7 (though Google and a Finnish company had reportedly discovered it some weeks earlier).

The flaw, a missing bounds check in OpenSSL's handling of the TLS "heartbeat" extension, was introduced apparently by error in the OpenSSL 1.0.1 release of 2012. Anyone who knew about it could send a malformed heartbeat request to a vulnerable server and receive up to 64 KB of that server's memory in reply, memory that can hold sensitive personal and financial information. Because such a request looks like ordinary traffic and is not normally logged, the data could be taken without a trace, which is why it has been difficult for government and corporate websites to confirm whether they have been compromised.
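To make that mechanism concrete, the following is an added C simulation written for this page; it is not OpenSSL's code. A heartbeat record carries a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding. The vulnerable handler sizes and fills its reply from the attacker-supplied length field without checking how many bytes actually arrived, so a request that claims 65535 bytes but sends one is answered with 64 KB of whatever sits next to the request in memory. The fixed handler adds the length check that the real fix added. The simulated memory `g_mem`, the constructed `SECRET` string standing in for sensitive data, and the function names `hb_process_vulnerable`, `hb_process_fixed`, `build_request` and `heartbeat_outcome` are all assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heartbeat record body (RFC 6520): type(1) | payload_length(2, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16
#define HB_HDR       3

/* Constructed sensitive data that happens to sit next to the received record in process memory (example only). */
static const char SECRET[] = "SIN=123-456-789;sessionid=deadbeef";

/* Simulated process memory (assumption for this example): the received record is placed at offset 0,
 * the secret immediately after it. Large enough that any 16-bit claimed length stays inside it. */
static unsigned char g_mem[1 << 17];

/* Vulnerable handler, simplified from the pre-fix logic: the reply is sized and filled from the
 * attacker-controlled payload_length; the number of bytes actually received (rec_len) is never consulted. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char **resp)
{
    (void)rec_len;                                   /* the bug: this value is ignored */
    const unsigned char *p = rec;
    unsigned char type = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (type != HB_REQUEST) return 0;
    *resp = malloc(HB_HDR + payload + HB_PADDING);
    (*resp)[0] = HB_RESPONSE;
    (*resp)[1] = (unsigned char)(payload >> 8);
    (*resp)[2] = (unsigned char)(payload & 0xff);
    memcpy(*resp + HB_HDR, p, payload);              /* reads up to 64 KiB past the end of the real request */
    memset(*resp + HB_HDR + payload, 0, HB_PADDING);
    return HB_HDR + payload + HB_PADDING;
}

/* Fixed handler: reject any request whose claimed payload does not fit inside the bytes actually received.
 * This is the shape of the check the real fix introduced; once it passes, the copy above is in bounds. */
static size_t hb_process_fixed(const unsigned char *rec, size_t rec_len, unsigned char **resp)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;     /* too short even for an empty payload */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return 0;   /* claimed length exceeds record */
    return hb_process_vulnerable(rec, rec_len, resp);
}

/* Build a heartbeat request in g_mem: `actual` payload bytes are really sent, `claimed` is what the
 * header says. The secret is placed right after the record. Returns the true record length. */
static size_t build_request(uint16_t claimed, size_t actual)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(claimed >> 8);
    g_mem[2] = (unsigned char)(claimed & 0xff);
    memset(g_mem + HB_HDR, 'A', actual);
    size_t rec_len = HB_HDR + actual + HB_PADDING;
    memcpy(g_mem + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Returns -1 if the request was rejected (no reply), 1 if the reply contains SECRET, 0 if it does not. */
int heartbeat_outcome(int use_fix, uint16_t claimed, size_t actual)
{
    size_t rec_len = build_request(claimed, actual);
    unsigned char *resp = NULL;
    size_t n = use_fix ? hb_process_fixed(g_mem, rec_len, &resp)
                       : hb_process_vulnerable(g_mem, rec_len, &resp);
    if (n == 0) return -1;
    int leaked = 0;
    size_t slen = strlen(SECRET);
    for (size_t i = HB_HDR; i + slen <= n; i++) {   /* scan the reply body for the adjacent secret */
        if (memcmp(resp + i, SECRET, slen) == 0) { leaked = 1; break; }
    }
    free(resp);
    return leaked;
}

int main(void)
{
    printf("legitimate request (4 claimed, 4 sent):    vulnerable=%d fixed=%d\n",
           heartbeat_outcome(0, 4, 4), heartbeat_outcome(1, 4, 4));
    printf("malicious request (65535 claimed, 1 sent): vulnerable=%d fixed=%d\n",
           heartbeat_outcome(0, 0xFFFF, 1), heartbeat_outcome(1, 0xFFFF, 1));
    return 0;
}
```

The legitimate request is answered identically by both handlers; the malicious one makes the vulnerable handler echo back the neighbouring secret, while the fixed handler silently drops it. The point for defenders is in the last line of the article's paragraph: on a real server the only thing that crossed the wire was a small, well-formed TLS record, so nothing in an ordinary access log distinguishes the malicious request from a harmless one.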

The Canadian Cyber Incident Response Centre, which reports to Public Safety Canada, issued its first advisory about Heartbleed on April 8. CRA shut down its site that day, and restored public access on April 13.

According to a press release Tuesday, RCMP's National Division was told about a "malicious breach of taxpayer data due to the Heartbleed bug" by CRA on Friday, April 11. Since the site had already been shut down to prevent further breaches, the RCMP says it asked CRA "to delay advising the public of the breach until Monday morning," so that it could pursue a "viable investigative path."

On Monday, CRA confirmed that as a result of Heartbleed, 900 Canadians had their social insurance numbers stolen from its website. The agency says the thefts took place during a six-hour window on April 8.

According to a statement released by CRA on Monday morning, "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed."

A question of resources

In the week since the breach, there has been a lot of talk about the speed of the government's response. It lagged significantly behind that of private firms such as Facebook, Google and Yahoo.

Parsons says it's not entirely fair to compare the CRA to Facebook and Google, who both had advance notice of the bug and thus patched their software in a timely fashion.

But he also notes that word of the Heartbleed breach was circulating in online forums about 24 hours before CRA made any sort of statement.

When it comes to online security, private companies tend to spend more money, says David Fewer, director of the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic at the University of Ottawa.

"Government tracks every resource to the penny. You can't even get a cup of coffee at a government meeting these days," he says.

As a result, in the event of a security breach, government departments don't have "the same size SWAT team" to deal with these kinds of problems.

The issue of resources isn't necessarily endemic to government, says Mark Nunnikhoven, vice-president of cloud and emerging technologies at global security firm Trend Micro.

Government departments "can always use more resources, but any security team on the planet can always use more resources," says Nunnikhoven, who spent years in the public service, working in Industry Canada as well as the Transportation Safety Board.

"But in my experience, the government tends to have pretty good security."

However, one thing that Fewer suggests governments lack is the profit incentive.

"Every business's brand is at stake when something like this happens," he says. "They have shareholders and they have to retain market share and maintain consumer trust."

Fewer, who has worked in both the public and private sectors, adds that because government doesn't emphasize the bottom line, "technical support is an oxymoron."

At a private company, technical support is seen as essential to keeping the operation profitable and, as a result, is highly responsive. In government, "there isn't that same imperative," he says.

'Why weren't they protecting us?'

While many in the security community feel that CRA's response to the original threat was slow, Nunnikhoven says he's been encouraged by CRA's responsibility after the bug was identified, as well as the work of a secondary department, most likely Shared Services, in identifying the theft of those SINs.

"CRA did a good job defending themselves, took a risk-based decision and shut down [the site], and then the additional agency did their due diligence and caught an actual ex-filtration [theft] of data," says Nunnikhoven.

Given how many websites were vulnerable to the Heartbleed bug, Parsons says there is likely to be a great deal of reflection on how it could have been identified sooner. Some cryptographers have estimated it may have existed for years before it was discovered last week.

This past weekend, Bloomberg News published a story alleging the U.S. National Security Agency (NSA) knew about the Heartbleed vulnerability for two years and that it may have been using it to access personal data.

The NSA denies the charge, but Parsons says it raises serious questions about the Five Eyes, the surveillance partnership between Canada, the U.S., Great Britain, Australia and New Zealand, which collaborates to detect threats such as Heartbleed.

"This is supposed to be the sort of thing that they're supposed to find and ideally report," says Parsons.

"I think over the coming months, we need to figure out if they knew and if they didn't, why didn't they, because this is what we pay them to do. And if they did know, then why weren't they protecting us?"