# Heartbleed security hole in SSL



## Paddy (Jul 13, 2004)

On a scale of 1 to 10, security experts are calling this one an 11. (I'm surprised nobody here has posted anything about it)

http://readwrite.com/2014/04/08/heartbleed...~oAXby6Y6lqHLre
Alarming Web security flaw has exposed millions of passwords, credit-card numbers to theft risk | Toronto Star

You can check to see if sites you commonly use (banking etc.) that have secure logins where you see "https://" in the URL, are still unpatched: 

Heartbleed OpenSSL extension testing tool, CVE-2014-0160

So far I've checked TDCanada Trust (ok), Ufile (ok) and Gmail (mixed results which I'm not sure how to interpret)

If the site in question is ok, you may want to change your password on that site in case it was recently patched. It's always possible that your login info was grabbed before the vulnerability was discovered. It's also possible that the site was never vulnerable in the first place, but unless the institution/business/entity in question issues a statement to that effect, I'd err on the safe side and change your password. 

Right now, the CRA site is partially shut down while they patch things. It means we can't upload our tax returns right now - I'm sure a lot of accountants across the country aren't very happy today. I am working on one return I thought I'd file today - I did a bunch yesterday for family members. Guess I'll have to wait and see.

It's hard to know with stuff like this whether anything much was done with this vulnerability - one has to suspect not or there would have been many more apparent thefts of passwords etc. Still...a bit disquieting, to say the least.


----------



## eMacMan (Nov 27, 2006)

Thanks

My main webmail sites are secure although it appears I would be wise to change passwords on one of them.


----------



## krs (Mar 18, 2005)

I thought of posting here yesterday when this issue was reported on a German news site but decided against it since it's not a Mac issue and there is really nothing one can do on the computer end.

However, one question that comes to mind for which I haven't found an answer - most of my bank accounts where I do on-line banking have sort of a two-step log in - first an image comes up that I had initially selected which supposedly confirms that the website I have logged in is the correct one and not a phishing site and then one enters user name and password.
The initial log in step is already at the https level, so if that is OK do I still have to worry about this issue?


----------



## Paddy (Jul 13, 2004)

krs, from what I've read, two step authentication is much better, but do check the sites out with the link I posted to be sure.

As for it not being a Mac issue - that's why I put it in "everything else" 

Frankly, I'm rather surprised that this isn't the number one story out there right now - it's actually pretty serious. It's not just a password issue. 

It gets worse: Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style | Ars Technica

Read some of the comments from system admins as well.

My husband's company sent everyone an email on Monday telling them to change their passwords immediately - there was no explanation, but I suspect that this was the cause.


----------



## krs (Mar 18, 2005)

Paddy,

I decided to check all my financial sites with the link you posted and they all came up with:


> TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.


So I assume all of those companies are on the ball.

Nobody has contacted me yet to change my password - probably a good cautionary move but is it really necessary at this time?
If somebody had my user name and password I would think they would have logged in already.

PS: As to the Yahoo Mail issue.
I don't use Yahoo Mail but many of my friends do and their Yahoo Mail account has been "hacked" several times in the last few years - basically to use it to send out spam that way.
I found out after a bit of digging that Yahoo doesn't even encrypt mail passwords - at least they didn't when I was checking into this a while back.
All passwords for Yahoo Mail were in plain text.
So I'm not sure what the excitement is all about when it comes to Yahoo Mail.

In any case, messages sent by email should be treated like sending a postcard - anyone can read it, there is no basic security.


----------



## eMacMan (Nov 27, 2006)

The message can also say something along the lines of: the issue has been patched and suggest changing your password.

Since it says disabled you should be OK.


----------



## Paddy (Jul 13, 2004)

One of the biggest problems is that there are a lot of ISPs who USE Yahoo for their email - ie: Rogers. So if you have a Rogers.com email address, you're using Yahoo, even if you never go anywhere near their webmail. Rogers isn't the only big ISP using them either - a friend in the UK with one of the big ISPs there reports that they also use Yahoo.

I've been thinking of shifting my primary email over to my own domain - just haven't found the time to actually DO it. I have many email addresses attached to various domains as well as several Gmail ones - but my primary friends/family/business one is still the Rogers one. Sigh.


----------



## eMacMan (Nov 27, 2006)

krs said:


> ...
> 
> In any case, messages sent by email should be treated like sending a postcard - anyone can read it, there is no basic security


One thing that should concern is having that eMail used as a SPAM source or even someone sending out messages with criminal liability. 

Unfortunately the authorities seem more than a bit dense when it comes to the possibility of computers or accounts being hacked, which could leave you on the hook for others' misdeeds.


----------



## krs (Mar 18, 2005)

This issue relates to a security hole in SSL

Emails are normally not encrypted - so how does all this even affect regular emails?

I'm getting a bit lost here


----------



## CubaMark (Feb 16, 2001)

Here's the result I get when checking my Banking login on the Heartbleed test site linked above:

Looking for TLS extensions on https://scotiaonline.scotiabank.com

connect:errno=0

*Seeing red text up there? What to do?*

As a user: Contact the company hosting your service, tell them that you value the security of your information.
As a company: Send this page to your sysadmin or contact us to solve this for you.
As a system administrator: Patch your OpenSSL and statically linked binaries; change your certificates, if you've been affected by this.

Uh-oh. 

But doing the test for the root domain gives me:

Looking for TLS extensions on https://www.scotiabank.com

ext 65281 (renegotiation info, length=1)
ext 00035 (session ticket, length=0)
TLS extension 15 (heartbeat) seems disabled, so your server is probably unaffected.


----------



## SINC (Feb 16, 2001)

I got identical results with CIBC, Mark, so assumed all is OK. Phoned bank and was assured they are free from the issue.


----------



## CubaMark (Feb 16, 2001)

SINC said:


> I got identical results with CIBC, Mark, so assumed all is OK. Phoned bank and was assured they are free from the issue.


Hmmm. I wonder... when I login to my banking site, I don't start with the Scotiabank.com and then hit the link... my browser auto-fills the scotiaonline.scotiabank.com address... and that's the one that's getting the warning....

Don't know why I'm that worried... balance is rarely above $0.50 anyway.... :-(


----------



## krs (Mar 18, 2005)

I ended up checking the main domain of each of my financial institutions - when I check the actual log in URL I use I also get really strange results, even a message that this is not a valid URL.


----------



## macintosh doctor (Mar 23, 2009)

I patched all 3 of our mail servers today with new updates provided by the manufacturer and created new SSLs.


----------



## SINC (Feb 16, 2001)

CubaMark said:


> Hmmm. I wonder... when I login to my banking site, I don't start with the Scotiabank.com and then hit the link... my browser auto-fills the scotiaonline.scotiabank.com address... and that's the one that's getting the warning....
> 
> Don't know why I'm that worried... balance is rarely above $0.50 anyway.... :-(


That may be a good thing Mark. Maybe if they hack into your account and see that balance, they will take pity and make a deposit instead!


----------



## pm-r (May 17, 2009)

Wow!! 

I've got to say I'm quite shocked and surprised to find this posted and relegated to the somewhat back page of ehmac's Everything Else, eh! forum.

And even double shocked to read stuff like - "*not a Mac issue*..."!! Oh really??? Or does that mean being different to being a "*Mac User*"?? 

But they sure got a lot of info together and on line at their site in a short time:
Heartbleed Bug


----------



## Paddy (Jul 13, 2004)

pm-r said:


> Wow!!
> 
> I've got to say I'm quite shocked and surprised to find this posted and relegated to the somewhat back page of ehmac's Everything Else, eh! forum.
> 
> ...


I was surprised to see that nobody else had already posted it when I started this thread, pm-r, but decided to put it in the Everything Else area simply because it ISN'T Mac-specific but affects anyone using secure online sites (ie: almost everyone) and this part of the forum seems to get the most traffic.


----------



## CubaMark (Feb 16, 2001)

SINC said:


> That may be a good thing Mark. Maybe if they hack into your account and see that balance, they will take pity and make a deposit instead!


Heh... I wouldn't mind being at risk... even a few hundred bucks' worth of 'at risk' right now would be welcome...


----------



## Paddy (Jul 13, 2004)

krs said:


> This issue relates to a security hole in SSL
> 
> Emails are normally not encrypted - so how does all this even affect regular emails?
> 
> I'm getting a bit lost here


krs, your login and password are encrypted though. Your connection to your mail server may be SSL (Rogers requires it now). 

See: 'Heart Bleed' Bug Imperils Web Encryption; Passwords, Credit Card Numbers at Risk - before Yahoo patched things, people were able to get login and password info.

BTW - for those of you using TDCanada Trust, they've posted this notice on their web banking login page. God only knows why they did it as an IMAGE, so that anyone with vision issues may not be able to see it. <_< (You'd really think they'd know better...sheesh) https://oasc12.247realmedia.com/RealMedia/ads/Creatives/TDBank/TDCT-EmergencyMsg2013/Heartbleed.jpg

The bizarre thing is that I see it in Chrome for one account but NOT in Safari or Firefox for the other accounts. Don't know what that's about; I can't find any mention of it on the site via a search either. Someone needs to get their act together on that one.


----------



## krs (Mar 18, 2005)

pm-r said:


> Wow!!
> 
> I've got to say I'm quite shocked and surprised to find this posted and relegated to the somewhat back page of ehmac's Everything Else, eh! forum.
> 
> ...


Quoting from the link you published:



> How common are the vulnerable OpenSSL versions?
> 
> The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems.


I can't get too excited about a 2+ year old problem.

What I don't understand is why CRA needs until the weekend to fix this while every financial institution I deal with and checked already has this issue under control.


----------



## pm-r (May 17, 2009)

krs said:


> Quoting from the link you published:
> 
> 
> 
> ...



I think it would have helped a bit more if they had said it HAD the POTENTIAL to be a problem, but they don't really know if any hackers took advantage of it, and you just might get a bit excited if they had harvested any of your info that they either haven't got around to using or you're not aware of anything at least - so far.


----------



## pm-r (May 17, 2009)

krs said:


> ... ... ...
> What I don't understand is why CRA needs until the weekend to fix this while every financial institution I deal with and checked already has this issue under control.



Maybe you don't realize the severity and seriousness of the issue and what's all involved. Especially when it comes to protecting the client or user.

Bottom line, they should, and often do, take the sites offline until they're vetted and fixed if necessary, and there can be a lot involved to get things totally and properly fixed.

Heartbleed bug: Why it’s not easy to fix a bleeding heart | Financial Post


----------



## krs (Mar 18, 2005)

All I was getting at is that all the major financial institutions (and smaller ones) that I and others checked have already fixed the problem (according to that test website in the first post anyway) and the CRA needs to take several more days to do the same.

Is the CRA website so much bigger and more complex than Amazon or other large shopping sites?

And as has been stated already - this problem has been around for more than two years - yeah, one can protect oneself now and going forward by changing the passwords but with the CRA website possibly compromised what about identity theft?
Anyone getting in in the last two years could have picked up SIN, name, birthday etc. anything needed for that. I wonder if that is an issue - I haven't seen that mentioned anywhere in the news and it's an issue that can only be addressed by issuing new SIN numbers


----------



## eMacMan (Nov 27, 2006)

CubaMark said:


> Here's the result I get when checking my Banking login on the Heartbleed test site linked above:
> Looking for TLS extensions on https://scotiaonline.scotiabank.com
> 
> connect:errno=0
> ...


Mark the way I am reading that red message is that no connection could be made, so I probably would not worry too much. I am counting on the experts to correct me if I blew that one.

As to Revenue Canada being down for an extended period I would view this as good rather than bad, they should be absolutely certain the problem is fully resolved before coming back on line. If this should create a bottleneck come April 30, one hopes they would extend the deadline for a week or so.


----------



## pm-r (May 17, 2009)

Personally I wouldn't have too much faith in what any site or even any "test" may say about now being safe when it might have been exposed, especially any financial/commercial sites as they have just too much money at stake, i.e.: sales and lost sales etc.

And how would they even know when the Heartbleed security hole doesn't even leave a trace??? That's a bit scary I'd suggest as to their now confirming safety and nothing was harvested.

But I think we and the 'Net have and will survive well, especially considering that there have been several big languishing nasties that have been out there since 2005, 2011, and 2012 that only just got discovered and squished within the last six months.

And, it's not just one's data that the CRA handles, but all other companies and agencies that everyone deals with. And that's a HUGE amount of people and data...


----------



## krs (Mar 18, 2005)

The more I read about this the more confused I get.

For instance:


> Yahoo Inc.’s Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials said they had no evidence of any breach and had immediately implemented the fix.
> 
> “But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s blog post read. “This might be a good day to call in sick and take some time to change your passwords everywhere — *especially your high-security services like email*, file storage, and banking, which may have been compromised by this bug.”


Since when is email a "high security service"?
Every financial institution will tell you never to send sensitive information by email.

And "file storage" - I assume they mean people who store files in the cloud.

Thus far I assumed that the only sites possibly affected are those where one uses SSL at some point, ie an https URL.

But if one looks at the list of sites that were affected April 8th, there are a number where one would never use SSL.

Anyone test ehMac.ca?
I get a message which essentially says "can't tell if ehMac.ca is safe".


----------



## eMacMan (Nov 27, 2006)

krs said:


> The more I read about this the more confused I get.
> 
> For instance:
> 
> ...


One more reason not to trust cloud storage. The one time I had to send a sensitive document by eMail, they demanded an encrypted pdf. I supplied the password over the phone. Not 100% foolproof but much safer than an open file.

As to ehMac my password is unique, and I do not list personal data, so anyone hacking the account would gain no more than access to the account.


----------



## macintosh doctor (Mar 23, 2009)

I just had a bunch of Apple phishing emails.. asking me to reset my password emailed to me..
so everyone watch out.

as well as IFFT too.


----------



## SINC (Feb 16, 2001)

macintosh doctor said:


> I just had a bunch of Apple phishing emails.. asking me to reset my password emailed to me..
> so everyone watch out.
> 
> as well as IFFT too.


Nothing new about that, I have been getting these for many months on my mac.com email address spoofing Apple and suddenly a whole daily raft of "enlargement" type emails. Spam Sieve takes care of them, but Apple seems to allow anything through.


----------



## Paddy (Jul 13, 2004)

krs said:


> All I was getting at is that all the major financial institutions (and smaller ones) that I and others checked have already fixed the problem (according to that test website in the first post anyway) and the CRA needs to take several more days to do the same.
> 
> Is the CRA website so much bigger and more complex than Amazon or other large shopping sites?
> 
> ...


krs, I think most of the banks actually _aren't using_ OpenSSL, so they weren't vulnerable in the first place. FFIEC Issues Heartbleed Warning; Major Banks Say They're Protected - American Banker Article

Amazon wasn't using OpenSSL either. Neither were Paypal, eBay, AOL, Hotmail/Outlook, Microsoft, the IRS, LinkedIn, and Twitter. Amazon cloud services WERE using OpenSSL and are working to fix everything.

And it's not just about picking off passwords - the real concern is "man-in-the-middle" exploits where hackers get in and spoof the site's security certificate, so you think you're safely connected to a secure site, but you're not. This is why over the next few weeks, any site that WAS vulnerable before the patch, should replace its security certificate. I suspect that's what the CRA is up to at the moment. These can take from one to TEN business days to issue, BTW.

LastPass, a password storage app, has now added a Heartbleed checker to the app so you can check to see if the site has updated its security certificate: The LastPass Blog: LastPass Now Checks If Your Sites Are Affected by Heartbleed

As for ehMac, it isn't a secure website and doesn't use OpenSSL or any other variety of SSL.


----------



## krs (Mar 18, 2005)

I just stumbled across this article which confuses me even more

Heartbleed: 900 social insurance numbers stolen from Canada Revenue Agency | canada.com



> Canada Revenue Agency says someone used the Heartbleed encryption bug to steal about 900 Social Insurance Numbers last week before the tax collection agency shuttered its web services.


Wasn't it made abundantly clear over and over again that it was impossible to determine how often a website was compromised or how many "secure" connections were compromised in the past?
So how does CRA supposedly know that only about 900 Social Insurance Numbers were "stolen" and not 9000 or 9 million for that matter?


----------



## eMacMan (Nov 27, 2006)

krs said:


> I just stumbled across this article which confuses me even more
> 
> Heartbleed: 900 social insurance numbers stolen from Canada Revenue Agency | canada.com
> 
> ...


They really don't. However the government wants us to believe that the private banking information of over a million Canadians, information so sensitive that the RCMP currently needs a warrant to obtain, will be perfectly safe in the hands of the CRA.


----------



## pm-r (May 17, 2009)

Yes krs, it's all really quite pathetic, especially for those that may just wonder about some of the "info and facts" that was gathered and then released.

And now the RCMP's investigative division is publishing some facts about how p'd off they are with what the CRA did and didn't do with their requests.

And I would guess some other Canadian agencies along with the RCMP are just as P'd off with what and how the CRA dealt with the problem but are typically not saying anything publicly.

But hey, maybe the CRA was using something like Little Snitch and some tech checked some log of something. Yeah right!!


----------



## fjnmusic (Oct 29, 2006)

OSX and iOS users are safe. Apple devices using Blackberry apps may have been affected. Boy, now there's irony for you, since Blackberry is the only system approved by the US gov't due to its security features.


Sent from my iPhone using Tapatalk


----------



## krs (Mar 18, 2005)

fjnmusic said:


> OSX and iOS users are safe. Apple devices using Blackberry apps may have been affected. Boy, now there's irony for you, since Blackberry is the only system approved by the US gov't due to its security features.
> 
> 
> Sent from my iPhone using Tapatalk




This bug has nothing to do with the OS one is running on their computer, Mac or otherwise.
It's strictly a problem on the server end.


----------



## eMacMan (Nov 27, 2006)

Yep, anyone who filed their taxes electronically is potentially at risk. As mentioned earlier, the bug has been around for a couple of years before it was made public. Had the CRA been aware of it before it was made public those 900 they are aware of would not be at risk.


----------



## krs (Mar 18, 2005)

The plot thickens.

Just got a call from supposedly the CRA.
Shows up as GOC-GDC on CLID
Call was for another person who lives here.
Person asked for a call back at 1-866-864-5825

Now when I google that I get half the people think it's a scam, another group thinks it's some collection agency on defaulted student loans.
I don't know what to think other than not to provide confidential info over the phone.
Don't really know what CRA would have to do with student loans

I wonder if this ties back to this CRA security breach and the hackers are now trying to get more info about specific persons.


----------



## eMacMan (Nov 27, 2006)

krs said:


> The plot thickens.
> 
> Just got a call from supposedly the CRA.
> Shows up as GOC-GDC on CLID
> ...


*100% bogus*

The CRA has issued a public statement that they will only contact the known victims via registered letter. 

FWIW Similar FATCA scams happening in NZ except the caller actually has the SS# of the people he's calling. Most likely hacked from the IRS data banks.


----------



## pm-r (May 17, 2009)

Hmmm...??? When has the CRA *EVER* sent out personal emails for at least anything personally important - *NEVER*!!!

"What Area Code Is 866?
An 866 area code is a toll free number prefix that was put into service in 2000. It is not assigned to any particular geographical location and some of the charges for placing a call are paid by the individual who receives the call rather than the caller. "

" The area codes 800, 855, 866, 877 and 888 are toll-free area codes which are not assigned to a geographical area. ..."

"Area code 866 is one of the area codes reserved for toll-free calls in which the calling party is not charged. Instead, the telephone carrier charges the cost of the call to the called party. Toll-free numbers, such as 866 numbers, have applications such as technical support, customer service, and personal use. ..."

Sure doesn't sound like any sort of number the legitimate CRA would use does it???


----------



## Paddy (Jul 13, 2004)

krs said:


> The plot thickens.
> 
> Just got a call from supposedly the CRA.
> Shows up as GOC-GDC on CLID
> ...


*Actually, it IS a legit call from the CRA* - I just checked because I was curious and decided to track it down, given that the government provides a Service Canada number you can call to check these things: 1-800-622-6232. 

The call your house received, krs, was from an outbound call centre run by the CRA to do with debt repayment. Anyway, this has nothing whatsoever to do with the Heartbleed issue, other than people are now more suspicious than ever about calls!

BTW - while a hacker using the Heartbleed vulnerability to get into a server's memory to steal data doesn't change anything on the server (ie: leaves no "footprints") he/she IS recorded in the server logs. Obviously, going through those logs is a tedious business - it's not something you'd normally undertake, and you'd be unlikely to spot any problems if the hacker only visited once or twice. But repeated short visits from the same IP would no doubt raise a red flag in this situation. Remember - this hole only allows for grabbing random 64k chunks of data from the server's memory - it can be utterly USELESS bits of data or it could be a SIN number, name and address - it all depends on what is in the RAM at the time of the incursion. It doesn't give anyone wholesale access - unless of course, they intercept logins (which is why we're being told to change our passwords) or if the security certificate keys are obtained and a "man-in-the-middle" exploit is launched. It's unclear from the CRA statements exactly what has been compromised.
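The mechanism Paddy describes above (a heartbeat whose declared length is trusted, so the echo can return up to 64k of whatever follows the request in memory), as an added example that is not part of the original thread or of OpenSSL: a Python model of the RFC 6520 heartbeat message, the length check the OpenSSL 1.0.1g fix added, and a simulation of the unchecked echo against a constructed buffer. The message layout follows RFC 6520; the `memory` buffer and the data it contains are constructed for illustration.

```python
import struct

# RFC 6520 HeartbeatMessage layout (carried in a TLS record of content type 24):
#   type           1 byte   (1 = heartbeat_request, 2 = heartbeat_response)
#   payload_length 2 bytes  big-endian, so at most 65535 (the "64k" in the post)
#   payload        payload_length bytes, echoed back by the peer
#   padding        at least 16 bytes, ignored by the receiver
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2
MIN_PADDING = 16


def build_heartbeat(msg_type, payload, declared_length=None, padding=b"\x00" * MIN_PADDING):
    """Serialise a heartbeat message.

    declared_length lets a caller construct a malformed message whose length
    field does not match the payload bytes actually present.
    """
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", msg_type, declared_length) + payload + padding


def heartbeat_response(record):
    """Hardened server-side handling of a heartbeat_request.

    Returns the heartbeat_response to send back, or None when the request must
    be discarded. The bounds check mirrors the one added in the OpenSSL fix:
    header + declared payload + minimum padding must fit inside the bytes that
    were actually received.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None  # too short to hold even an empty payload plus padding
    msg_type, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None
    # The check that was missing in the vulnerable versions.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def heartbeat_response_unchecked(memory, record_len):
    """Simulation of the pre-fix behaviour on a constructed buffer (not OpenSSL code).

    `memory` stands in for process memory: the received record occupies its first
    record_len bytes and unrelated data follows it. Returns the response that
    would be sent and how many bytes beyond the received record were copied.
    """
    msg_type, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    if msg_type != HEARTBEAT_REQUEST:
        return None, 0
    # payload_length is trusted, so the copy runs past the record itself.
    end = min(HEADER_LEN + payload_length, len(memory))
    payload = memory[HEADER_LEN:end]
    leaked = max(0, end - record_len)
    return build_heartbeat(HEARTBEAT_RESPONSE, payload), leaked


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    print("well-formed request ->", heartbeat_response(good))

    # Constructed malformed request: 2 bytes of payload, 1000 declared.
    bad = build_heartbeat(HEARTBEAT_REQUEST, b"hi", declared_length=1000)
    print("malformed request, hardened handler ->", heartbeat_response(bad))

    # Constructed stand-in for whatever happened to sit next to the record.
    memory = bad + b"SIN=123-456-789 "
    resp, leaked = heartbeat_response_unchecked(memory, len(bad))
    print("malformed request, unchecked handler leaked", leaked, "bytes")
```

The hardened handler drops the malformed request outright; the simulation shows that without the check the response carries the adjacent bytes, which is why patching alone was followed by certificate and password rotation.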


----------



## krs (Mar 18, 2005)

pm-r said:


> Hmmm...??? When has the CRA *EVER* sent out personal emails for at least anything personally important - *NEVER*!!!
> 
> "What Area Code Is 866?
> An 866 area code is a toll free number prefix that was put into service in 2000. It is not assigned to any particular geographical location and some of the charges for placing a call are paid by the individual who receives the call rather than the caller. "
> ...


Boy pm-r are you ever wrong this time.

To start with, all of those 8xx numbers you posted are all valid toll-free numbers.
They were assigned when the North-American Numbering Plan started to run out of numbers in the traditional 800-xxx-xxxx number block.
Toll-free numbers were never assigned to any specific area code since it is not an area code at all - the '800' prefix just happens to take the same spot in the numbering sequence as the traditional area codes.
Most companies that require a toll-free number today will probably not receive an 800 number but one of the other 8xx toll-free prefixes.
So much for basic telephony.

Second point - if you check the CRA website, which I just did, you will find the telephone number I quoted right on that CRA site at the very bottom.
Telephone numbers
So it is a perfectly legitimate CRA number.
The fact that the number on the website ends with 5823 instead of 5825 is irrelevant - that is in the same number block of Centrex service.


----------



## Paddy (Jul 13, 2004)

krs said:


> Boy pm-r are you ever wrong this time.
> 
> To start with, all of those 8xx numbers you posted are all valid toll-free numbers.
> They were assigned when the North-American Numbering Plan started to run out of numbers in the traditional 800-xxx-xxxx number block.
> ...


I'm assuming you didn't see my post just above yours, krs (probably were working on your response to pm-r when I posted it) but just to reiterate in case anyone doesn't go back - *when/if in doubt about ANY call from the CRA or federal government, you can always call Service Canada to check the legitimacy of a phone number at 1-800-622-6232.*


----------



## pm-r (May 17, 2009)

krs said:


> Boy pm-r are you ever wrong this time.
> 
> To start with, all of those 8xx numbers you posted are all valid toll-free numbers.
> ... ... ...
> ...


Any working toll free phone number is legitimate if it's a working number and I may have been incorrect about the legitimate source, just as you and others were quite suspicious, but neither did I see the number that called you listed on the CRA page - close but not the same. And yes it may be part of a block of numbers, but who really knows?

The other thing that's a bit strange is that most companies and businesses don't usually use their 8XX numbers for calling OUT, but are made available for clients or customers to call IN on. Maybe they have and use a different setup.

Anyway, Paddy provided a source which you also discovered and I'm sure the recipient will want to call them back ASAP and get their "Other payment arrangements" all sorted out.


----------



## krs (Mar 18, 2005)

Paddy said:


> I'm assuming you didn't see my post just above yours, krs (probably were working on your response to pm-r when I posted it) but just to reiterate in case anyone doesn't go back - *when/if in doubt about ANY call from the CRA or federal government, you can always call Service Canada to check the legitimacy of a phone number at 1-800-622-6232.*


Yes....
I typed about 3/4 of my post, then was called away for about 20 minutes before I could finish typing it.


----------



## pm-r (May 17, 2009)

I was just finishing up our income taxes and ended up at the CRA site, and I notice they seem to have a new notice I hadn't noticed before:

"Fraudulent emails and phone calls – Protect yourself!

The CRA is warning Canadians that fraudulent emails and phone calls purporting to be from the Agency are currently being reported. Find out more about these scams and learn how you can protect yourself."
Canada Revenue Agency

So I'm guessing that a lot more scams are happening and being reported, so best to play extra safe as always.


----------



## eMacMan (Nov 27, 2006)

pm-r said:


> I was just finishing up our income taxes and ended up at the CRA site, and I notice they seem to have a new notice I hadn't noticed before:
> 
> "Fraudulent emails and phone calls – Protect yourself!
> 
> ...


From that link and as stated above:


> Beginning today, the Agency is putting in place measures to support and protect the individuals affected by the breach. Each person will receive a registered letter to inform them of the breach. A dedicated 1-800 number has also been set up to provide them with further information, including what steps to take to protect the integrity of their SIN. *The Agency will not be calling or emailing* *individuals* to inform them that they have been impacted – we want to ensure that our communications are secure and cannot be exploited by fraudsters through phishing schemes.
> 
> 
> The CRA will also provide those who have been affected with access to credit protection services at no cost. And we will apply additional protections to their CRA accounts to prevent any unauthorized activity.


----------



## eMacMan (Nov 27, 2006)

While extremely unlikely, the real danger would be if someone exploiting the Heartbleed bug intercepted an administrative level log-in. That would give them the keys to the vault.


----------



## pm-r (May 17, 2009)

And I'd assume, maybe incorrectly, that even if they had intercepted an administrative level log-in, that it would have been encrypted.

But like others, I really wonder how the CRA came up with the number of those possibly affected, and especially considering the very small amount of data from any lingering memory the hacker(s) might have been able to gather.


----------



## Kosh (May 27, 2002)

To answer krs on what the CRA has to do with student loans, the CRA receives data from other government departments on money people owe those other government departments or legal cases where people owe money. The CRA has a system that deducts this money from any refund those people would receive.

One of these departments is the department in charge of student loans. So if you default on a student loan, don't expect to get a tax refund. 

Same thing can happen if you owe child support.

Still, as advised by the CRA themselves and as krs said, I wouldn't trust any phone calls you receive nowadays. Either phone them back on their official phone # or ask for a letter on the issue.


----------



## eMacMan (Nov 27, 2006)

pm-r said:


> And I'd assume, maybe incorrectly, that even if they had intercepted an administrative level log-in, that it would have been encrypted.
> 
> But like others, I really wonder how the CRA came up with the number of those possibly affected, and especially considering the very small amount of data from any lingering memory the hacker(s) might have been able to gather.


I also think they would have changed all admin passwords before going back on line. As well I believe had an admin password been captured they would have noticed unusual activity when they reviewed the logs. 

The big thing here is that the vulnerability has been around for two years and they have only reviewed logs since it was made public.

The billion dollar question is how long has the hacker community been aware of the hole?


----------



## krs (Mar 18, 2005)

eMacMan said:


> The billion dollar question is how long has the hacker community been aware of the hole?


Exactly!

On a side note - EhMac email notification seems to have died again.
I didn't receive any notification of the last few posts in this thread even though I'm subscribed.


----------

