Canadian tax agency confirms "Heartbleed" data loss
Omnitech (Dragon Slayer):
Canada's equivalent of the US Internal Revenue Service - The Canada Revenue Agency - has confirmed that confidential citizen tax-related information has been stolen from their web portal via the recent "HeartBleed" flaw in the widely-used open-source OpenSSL library.
This should serve as a wake-up call to those who pooh-pooh the significance of this very serious issue.
BlackBerry itself has backtracked somewhat from blanket assurances given last week, and now admits that it is working on patching the Android/iOS versions of BBM, as well as some other BlackBerry products affected by the issue.
Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug
Heartbleed used for Canada Revenue Agency breach | ZDNet
BBC News - Heartbleed hacks hit Mumsnet and Canada's tax agency
UnlimitedEra likes this.
04-15-14 03:02 AM | Like 1
Omnitech (Dragon Slayer):
Well it would give the thieves access to your personal income and tax documents that would be associated with a login account for the national tax collection agency.
You can probably imagine for yourself. Financial fraud, identity stealing, blackmail, etc.
04-15-14 03:45 AM | Like 0
As a Canadian this sucks. Canada Revenue should have been more careful. Why is it that so many banks were not affected? They didn't trust OpenSSL with sensitive information. Then why did Canada Revenue?
04-15-14 08:06 AM | Like 0

Yes. They are experts in security and the government should have recognized a need and supported them for that very reason. The Canadian government wouldn't bother anyway.
04-15-14 08:09 AM | Like 0
Omnitech (Dragon Slayer):
You remember wrong.
Unless Crackberry has pulled the first one, go take a look at the quotes from BlackBerry in the first blog post about HeartBleed where Crackberry quoted their initial response (the post was by Bla1ze, as I recall) versus the quote from BlackBerry in the second blog post.
The first one they said basically BBMx was affected but it was no big deal, the second one they said BBMx is affected and they're working on patching the apps.
I think most banks are justifiably unwilling to use non-commercially-supported open-source software for critical functions like data encryption. Or maybe anything at all, actually.
If something goes wrong with a critical function, you have no one to go to to fix it who has any sort of responsibility, it's all "best effort", "as-is/where-is".
That doesn't sit too well with regulators when you do something really stupid with citizenry data.
Who knows why Canada's tax agency didn't have better protections in place. Could have been a cost-saving measure.
04-15-14 03:03 PM | Like 0

Quote: Unless Crackberry has pulled the first one, go take a look at the quotes from BlackBerry in the first blog post about HeartBleed where Crackberry quoted their initial response (the post was by Bla1ze, as I recall) versus the quote from BlackBerry in the second blog post.
04-15-14 04:34 PM | Like 0
Omnitech (Dragon Slayer):
Having been involved with I.T. security as many years as I have, I have a bit more cynical attitude than you when it comes to such "disclosures" from large corporations.
Also wanted to mention that what happened with TCRA is not actually a "worst case scenario" by any means. There are far more organizations that either do not have the expertise to even figure out that a data loss has occurred, or simply don't care. And would not even divulge it unless they were legally compelled to. (i.e., we have a law in California that does compel this, but it certainly isn't the norm in the USA yet)
eddy_berry likes this.
04-15-14 08:54 PM | Like 1

Would explain why I'm still quite impressed with BB security through all this. Not impressed with CRA but I have read that the RCMP are all over this case and that the suspect only got a hold of about 900 SINs. Still though, not happy with that at all.
04-15-14 10:25 PM | Like 0
It is interesting that BlackBerry chose to use OpenSSL for the Android or iOS apps but not for their own systems and their apps. Is it due to licensing or what?
04-15-14 11:58 PM | Like 0

Omnitech (Dragon Slayer):
Here's the wording of their initial statement, as quoted by CrackBerry:
BlackBerry addresses OpenSSL Heartbleed vulnerability | CrackBerry.com
Affected Software
BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit. [...]
BlackBerry Link for Windows - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.
Bla1ze claims that that text came directly from the knowledge base article. But that particular text pertaining to BBM is nowhere to be found in the article now, and is replaced by this.
BBM on Android
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.
There are no workarounds for this vulnerability for BBM on iOS and Android and Secure Work Space for Android.
In regards to Link and their recommendations - first of all, client software has been demonstrated to be equally vulnerable to this issue, if it is running an affected service, which apparently Link is. And before someone claims that Link is not a public server - do not forget that in order for remote file access to work, Link and the drivers it installs IS actually a type of server, and if you have it running and are hopping onto some unsecured public hotspot somewhere, it could indeed be exploitable. (Depending on your OS configuration)
Then they suggest using a "firewall system to filter out heartbeat requests". Have YOU ever seen a personal firewall app that had detailed granular filters for SUB-components of the SSL protocol at layer 7? I haven't. Yeah, there are professional hardware security products that can do that stuff, but 99.9% of average PC users don't have access to them nor do they know how to use them.
They also use the excuse that in a "typically in a business environment"... "external traffic is sent via a proxy".
EVEN IF that were the typical scenario - what percentage of BlackBerry end-users are running Link while at work, or on work computers?
In the second Crackberry article by Rene Ritchie, they claim BlackBerry is fixing BBMx, though the knowledge base article does not make that claim. However I have seen several Wall St. analysts publish articles in the last day or so claiming BlackBerry is working on patched versions of BBM too.
So it seems to me there is more than a bit of "message management" going on here.
Also, do not forget that the simple presence of OpenSSL does not mean it is vulnerable to Heartbleed. Only versions 1.0.1 and above of OpenSSL were impacted, and you do not have to compile in support for the affected component (the "heartbeat extension" as described in RFC 6520) to your particular OpenSSL implementation. For example: recent versions of BlackBerry 10 OS actually use the affected OpenSSL version - but the heartbeat functionality is disabled.
Trivia: the guy that wrote the IETF RFC for the Heartbeat extension to SSL is the same guy who submitted the flawed code to the OpenSSL project - which as a result of not being caught by someone else - resulted in the Heartbleed flaw which has existed for nearly 2 years now.
04-16-14 01:15 AM | Like 0
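The point made above, that an affected OpenSSL release only exposes a host if the heartbeat extension was actually compiled in, can be turned into a triage check. The following is an added example, not code from the thread, from BlackBerry or from CrackBerry. It reads the output of `openssl version -a` (which echoes the build's compiler flags), uses the exact affected release range (1.0.1 through 1.0.1f plus 1.0.2-beta1; 1.0.1g shipped the fix, and 0.9.8/1.0.0 never had the extension) rather than the looser "1.0.1 and above", and treats the `OPENSSL_NO_HEARTBEATS` build define as the "heartbeat functionality is disabled" case. The sample outputs are constructed for the demonstration, and the verdict names are this example's own:

```python
import re

# Added example (not from the forum thread): classify an OpenSSL build from the
# output of `openssl version -a` for exposure to Heartbleed (CVE-2014-0160).
#
# Facts relied on:
#   * The TLS heartbeat extension (RFC 6520) first shipped in OpenSSL 1.0.1;
#     0.9.8 and 1.0.0 never contained it.
#   * The bug is present in 1.0.1 through 1.0.1f and in 1.0.2-beta1; 1.0.1g fixed it.
#   * A build configured with `no-heartbeats` defines OPENSSL_NO_HEARTBEATS, which
#     compiles the affected code path out; `openssl version -a` prints the build's
#     compiler flags, so the define is visible there.

# Bare release token, e.g. "1.0.1e" from "OpenSSL 1.0.1e-fips 11 Feb 2013".
_VERSION_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+[a-z]*(?:-beta\d+)?)")

# Release strings whose heartbeat implementation carried the bug.
_AFFECTED_RE = re.compile(r"^(?:1\.0\.1[a-f]?|1\.0\.2-beta1)$")

NOT_AFFECTED = "not_affected"              # release never had the bug
HEARTBEAT_DISABLED = "heartbeat_disabled"  # affected release, code path compiled out
CHECK_VENDOR_PATCH = "check_vendor_patch"  # affected release string; patch status unknown
UNKNOWN = "unknown"                        # no OpenSSL version found in the input


def parse_version(version_output):
    """Return the OpenSSL release token from `openssl version` output, or None."""
    m = _VERSION_RE.search(version_output)
    return m.group(1) if m else None


def version_in_affected_range(version):
    """True if this release shipped the buggy heartbeat code."""
    return bool(_AFFECTED_RE.match(version))


def heartbeat_compiled_out(version_a_output):
    """True if the build's compiler flags show the heartbeat extension disabled."""
    return "-DOPENSSL_NO_HEARTBEATS" in version_a_output


def assess(version_a_output):
    """Triage one `openssl version -a` dump into a release token and a verdict.

    CHECK_VENDOR_PATCH is deliberately not called "vulnerable": Linux
    distributions backported the 1.0.1g fix into packages that still report
    1.0.1e, so the version string alone cannot prove exposure. Confirm with the
    package changelog or vendor advisory before acting on it.
    """
    version = parse_version(version_a_output)
    if version is None:
        return {"version": None, "verdict": UNKNOWN}
    if not version_in_affected_range(version):
        verdict = NOT_AFFECTED
    elif heartbeat_compiled_out(version_a_output):
        verdict = HEARTBEAT_DISABLED
    else:
        verdict = CHECK_VENDOR_PATCH
    return {"version": version, "verdict": verdict}


# Constructed samples in the shape `openssl version -a` prints; dates and flag
# lists are illustrative, not captured from real hosts.
SAMPLE_UNPATCHED = """OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Jan 14 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
"""

SAMPLE_NO_HEARTBEATS = """OpenSSL 1.0.1e 11 Feb 2013
built on: Wed Apr 9 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DOPENSSL_THREADS -D_REENTRANT
"""

SAMPLE_FIXED = """OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr 7 2014
platform: linux-x86_64
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN
"""

SAMPLE_OLD_BRANCH = "OpenSSL 1.0.0k 5 Feb 2013\n"

if __name__ == "__main__":
    for label, sample in [("unpatched", SAMPLE_UNPATCHED), ("no-heartbeats", SAMPLE_NO_HEARTBEATS),
                          ("fixed", SAMPLE_FIXED), ("old-branch", SAMPLE_OLD_BRANCH)]:
        print(f"{label:13s} -> {assess(sample)}")
```

Run it against `openssl version -a` captured from a host; a `check_vendor_patch` result is a prompt to read the distribution's package changelog, since a backported fix leaves the release string untouched, while `heartbeat_disabled` corresponds to the BlackBerry 10 situation described above: affected release, extension compiled out.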