Sunday, April 13, 2014

Heartbleed: prevention, bug risk and effect on many computers' security. A serious vulnerability in the popular OpenSSL library

Heartbleed News and How to Stop It Spreading

1. Install a purchased or licensed antivirus on your system
2. Install licensed malware-removal software on your system



Here is the news
________________________________________________________________________________





Warnings from Cisco and Juniper suggest the encryption bug is much more widespread—and potentially catastrophic—than initially thought as the networking companies check the vulnerability of their browsers



The Heartbleed Internet security bug is shaping up to be worse than researchers first realized, possibly compromising routers and other networking infrastructure for a variety of companies.
Cisco, one of the world’s top networking equipment manufacturers, confirmed Thursday that it’s investigating dozens of its routers and video teleconferencing devices and software for the Heartbleed vulnerability. Juniper Networks, another top networking company, has also alerted clients that some of its equipment has been compromised by Heartbleed. A message posted to Juniper’s service website Friday said many of its systems would be offline through Saturday while the company performs maintenance.
Cisco and Juniper have warned that detecting and closing the Heartbleed vulnerability in their equipment won’t happen overnight, leaving the companies’ clients in a state of anxious limbo as they work to determine if any of their data has been compromised.
The Heartbleed vulnerability takes advantage of a flaw in OpenSSL, a free encryption protocol used by thousands of websites around the world to protect visitors’ sensitive data, such as usernames and passwords. Heartbleed essentially lets hackers get an undetectable look at the data transmitted between a user and a server after it’s been decrypted.
Heartbleed was introduced to OpenSSL about two years ago, but only became public knowledge this week. That disclosure forced many companies to scramble to patch their code before hackers could take advantage of the flaw. Many experts first believed Heartbleed’s impact might be limited to web servers, but Cisco’s and Juniper’s announcements suggest the bug is much more widespread—and potentially catastrophic—than initially thought.
The Department of Homeland Security said Friday that public-facing federal websites aren’t affected by the Heartbleed vulnerability. The government is also “continuing to coordinate across agencies” to keep federal websites protected from the bug, DHS said.


__________________________________________________________________________


NSA Said to Exploit Heartbleed Bug for Intelligence for Years




April 11 (Bloomberg) -- Ghostery Senior Director of Research Andy Kahl and Bloomberg’s Michael Riley discuss the NSA’s knowledge of the Heartbleed bug on Bloomberg Television's “Street Smart.” (Source: Bloomberg)

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.
The agency’s reported decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government’s top computer experts. The NSA, after declining to comment on the report, subsequently denied that it was aware of Heartbleed until the vulnerability was made public by a private security report earlier this month.
“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong,” according to an e-mailed statement from the Office of the Director of National Intelligence.

_____________________________________________________


Canada Revenue Agency is extending the filing deadline for tax returns and promised to resume e-services by the end of the weekend for all federal departments using software vulnerable to the Heartbleed bug.
"The Minister of National Revenue has confirmed that interest and penalties will not be applied to individual taxpayers filing their 2013 tax returns after April 30, 2014 for a period equal to the length of this service interruption," the CRA said in a statement Saturday.
Some department sites had been shut down this week but the CRA said it was making "good progress" in getting e-services back online.
The directive issued late Thursday ordered the immediate disabling of public websites, calling it a precautionary measure until the "appropriate security patches are in place and tested."
The Heartbleed bug is caused by a flaw in OpenSSL software, which is commonly used on the Internet to provide security and privacy.
The bug is affecting many global IT systems in both private and public sector organizations and has the potential to expose private data.
It's not clear the extent to which other federal government systems were affected. Employment and Social Development Canada, which handles things like Employment Insurance and Canada Pension Plan, Social Insurance Numbers and passports, had issued a statement Wednesday saying its web applications do not use OpenSSL and are therefore not affected.
"We have also worked with Shared Services Canada to confirm that none of our other connectivity solutions were affected," the department said in a statement emailed to CBC News.
CRA services affected included tax-filing systems E-file and Netfile, as well as access to business and personal account data stored by the system and new applications for a record of employment. Taxpayers were assured they would not be penalized if they were prevented from filing a return on time because of the shutdown.
In the meantime, Canadians using commercial tax software may need to change their passwords, as some programs such as Turbo Tax were affected by the bug.
The Canadian Bankers Association had said online banking applications of Canadian banks were not affected by the bug.

_________________________________________________________

By Jim Finkle
BOSTON (Reuters) - The U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis.
On a website for advising critical infrastructure operators about emerging cyber threats, the Department of Homeland Security asked organizations to report any Heartbleed-related attacks, adding that hackers were attempting to exploit the bug in widely used OpenSSL code by scanning targeted networks.
Federal regulators also advised financial institutions to patch and test their systems to make sure they are safe.
OpenSSL is technology used to encrypt communications, including access to email, as well as websites of big Internet companies like Facebook Inc, Google Inc and Yahoo Inc.
The bug, which surfaced Monday, allows hackers to steal data without a trace. No organization has identified itself as a victim, yet security firms say they have seen well-known hacking groups scanning the Web in search of vulnerable networks.
"While there have not been any reported attacks or malicious incidents involving this particular vulnerability at this time, it is still possible that malicious actors in cyberspace could exploit unpatched systems," said Larry Zelvin, director of the Department of Homeland Security's National Cybersecurity and Communications Integration Center, in a blog post on the White House website.
The German government released an advisory that echoed the one by Washington, describing the bug as "critical."
Technology companies spent the week searching for vulnerable OpenSSL code elsewhere, including email servers, ordinary PCs, phones and even security products.
Companies including Cisco Systems Inc, International Business Machines Corp, Intel Corp, Juniper Networks Inc, Oracle Corp and Red Hat Inc have warned customers they may be at risk. Some updates are out, while others are still in the works.
That means some networks are vulnerable to attack, said Kaspersky Lab researcher Kurt Baumgartner.
"I have seen multiple networks with large user bases still unpatched today," he said. "The problem is a difficult one to solve."
OpenSSL software helps encrypt traffic with digital certificates and "keys" that keep information secure while it is in transit over the Internet and corporate networks.
The vulnerability went undetected for several years, so experts worry that hackers have likely stolen some certificates and keys, leaving data vulnerable to spying.
In their advisory, the Federal Financial Institutions Examination Council regulatory group suggested that banks consider replacing those certificates and keys.
"Financial institutions should operate with the assumption that encryption keys used on vulnerable servers are no longer viable for protecting sensitive information and should therefore strongly consider requiring users and administrators to change passwords after applying the OpenSSL patch," said the FFIEC, a consortium of regulators including the Federal Reserve and the Treasury Department.
Comodo Group, the No. 2 provider of SSL certificates, said customers have requested tens of thousands of replacements this week.
"We are very busy, but we are coping. My gut feeling is that we are going to be very busy all the way through next week," said Comodo Chief Technology Officer Robin Alden.
TAKING RESPONSIBILITY
Robin Seggelmann, a German programmer who volunteers as a developer on the OpenSSL team, said in a blog post published on Friday that he had written the faulty code responsible for the vulnerability while working on a research project at the University of Münster.
"I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed," said Seggelmann, now an employee with German telecommunications provider Deutsche Telekom AG.
He said the developer who reviewed the code failed to notice the bug, which enables attackers to steal data without leaving a trace. "It is impossible to say whether the vulnerability, which has since been identified and removed, has been exploited by intelligence services or other parties," he said.
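The missing check Seggelmann describes, modelled in C as an added example (this is not OpenSSL's own code, and the record layout constants and sample records are constructed for the example): a minimal heartbeat-record parser that refuses any record whose claimed payload length exceeds the bytes actually received, which is the comparison the original handler lacked. As the page's own sources note, the remedy on a live system is applying the OpenSSL patch, not this toy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record: 1 byte type, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding (modelled after
 * RFC 6520; the constants below are this example's own). */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Copy the heartbeat payload into out and return its length, or -1 if the
 * record is malformed. The comparison against rec_len is the "realistic
 * value" check that the original handler omitted: it trusted the peer's
 * claimed length and read that many bytes regardless of how many arrived. */
int heartbeat_payload(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t available = rec_len - HB_HEADER_LEN - HB_PADDING_LEN;
    if (claimed > available) return -1;   /* length exceeds received data */
    if (claimed > out_len) return -1;     /* would overflow caller's buffer */
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t honest_rec[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Same 5-byte payload, but the header claims 65535 bytes. */
static const uint8_t oversized_rec[] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns 1 if the honest record yields exactly "hello". */
int honest_record_accepted(void)
{
    uint8_t out[64];
    int n = heartbeat_payload(honest_rec, sizeof honest_rec, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

/* Returns the parser's verdict on the oversized claim (expected -1). */
int oversized_record_verdict(void)
{
    uint8_t out[64];
    return heartbeat_payload(oversized_rec, sizeof oversized_rec, out, sizeof out);
}
```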
Seggelmann said such errors could be avoided in the future if OpenSSL were to get more support from developers around the world.
OpenSSL is an open source project, which means that it is supported by developers worldwide who volunteer to update and secure its code. It is not as well tended to as programs such as Linux, which is widely supported by a flourishing developer community around the globe and corporate backers.
"OpenSSL in particular still lacks the support it needs, despite being extremely widely available and used by millions. Although there are plenty of users, there are very few actively involved in the project," Seggelmann said in a post on a Deutsche Telekom website.
(Additional reporting by Haro Ten Wolde, Georgina Prodhan, Svea Herbst, Roberta Rampton and Doina Chiacu; Editing by Richard Valdmanis, Bernadette Baum and Richard Chang)

*********************************************************************


