[Omnitech]

Canada's equivalent of the US Internal Revenue Service - The Canada Revenue Agency - has confirmed that confidential citizen tax-related information has been stolen from their web portal via the recent "HeartBleed" flaw in the widely-used open-source OpenSSL library.

This should serve as a wakeup-call to those who poo-poo the significance of this very serious issue.

BlackBerry itself has backtracked somewhat from blanket assurances given last week, and now admits that it is working on patching the Android/iOS versions of BBM, as well as some other BlackBerry products affected by the issue.

Statement by the Commissioner of the Canada Revenue Agency on the Heartbleed bug

Heartbleed used for Canada Revenue Agency breach | ZDNet

BBC News - Heartbleed hacks hit Mumsnet and Canada's tax agency

[UnlimitedEra]

Wow, that's bad. What could happen with such stolen files?

Posted via CB10

[zocster]

Thanks for sharing.

Sent from a mobile device via Tapatalk

[Omnitech]

Wow, that's bad. What could happen with such stolen files?

Well it would give the thiefs access to your personal income and tax documents that would be associated with a login account for the national tax collection agency.

You can probably imagine for yourself. Financial fraud, identity stealing, blackmail, etc.

[rhon3g]

Wow...this should serve as a lesson. Do you think it's the time that government offices should focus and support BlackBerry now?

Posted via CB10

[eddy_berry]

BlackBerry itself has backtracked somewhat from blanket assurances given last week, and now admits that it is working on patching the Android/iOS versions of BBM, as well as some other BlackBerry products affected by the issue.

Regarding this part right here they did mention that BBM and BES secure workspace for Android and iOS were vulnerable and they were working on patches. They never said otherwise from what I remember from the original statements.

As a Canadian this sucks. Canada revenue should have been more careful. Why is it that so many banks were not affected? They didn't trust OpenSSL with sensitive information. Then why did Canada revenue?

[eddy_berry]

Wow...this should serve as a lesson. Do you think it's the time that government offices should focus and support BlackBerry now?

Posted via CB10

Yes. They are experts in security and the government should have recognized a need and supported them for that very reason. The Canadian government wouldn't bother anyway.

[Omnitech]

Regarding this part right here they did mention that BBM and BES secure workspace for Android and iOS were vulnerable and they were working on patches. They never said otherwise from what I remember from the original statements.

You remember wrong.

Unless Crackberry has pulled the first one, go take a look at the quotes from BlackBerry in the first blog post about HeartBleed where Crackberry quoted their initial response (the post was by Bla1ze, as I recall) versus the quote from BlackBerry in the second blog post.

The first one they said basically BBMx was affected but it was no big deal, the second one they said BBMx is affected and they're working on patching the apps.

Why is it that so many banks were not affected? They didn't trust OpenSSL with sensitive information. Then why did Canada revenue?

I think most banks are justifiably unwilling to use non-commercially-supported open-source software for critical functions like data encryption. Or maybe anything at all, actually.

If something goes wrong with a critical function, you have no one to go to to fix it who has any sort of responsibilty, it's all "best effort", "as-is/where-is".

That doesn't sit too well with regulators when you do something really stupid with citizenry data.

Who knows why Canada's tax agency didn't have better protections in place. Could have been a cost-saving measure.

[eddy_berry]

Unless Crackberry has pulled the first one, go take a look at the quotes from BlackBerry in the first blog post about HeartBleed where Crackberry quoted their initial response (the post was by Bla1ze, as I recall) versus the quote from BlackBerry in the second blog post.

Then I must have missed the first one. They didn't take long to 'back track' anyway. They probably rushed the initial blog post and then put something more substantial together after.

[Omnitech]

Then I must have missed the first one. They didn't take long to 'back track' anyway. They probably rushed the initial blog post and then put something more substantial together after.

Having been involved with I.T. security as many years as I have, I have a bit more cynical attitude than you when it comes to such "disclosures" from large corporations.

Also wanted to mention that what happened with TCRA is not actually a "worst case scenario" by any means. There are far more organizations that either do not have the expertise to even figure out that a data loss has occurred, or simply don't care. And would not even divulge it unless they were legally compelled to. (ie, we have a law in California that does compel this, but it certainly isn't the norm in the USA yet)

[eddy_berry]

Having been involved with I.T. security as many years as I have, I have a bit more cynical attitude than you when it comes to such "disclosures" from large corporations.

Would explain why I'm still quite impressed with BB security through all this. Not impressed with CRA but I have read that the RCMP are all over this case and that the suspect only got a hold of about 900 SINs. Still though, not happy with that at all.

[grahamf]

The first one they said basically BBMx was affected but it was no big deal, the second one they said BBMx is affected and they're working on patching the apps.

Those statements are not exactly contradictory. You could have a severe bug that requires planetary alignment, perfectly timed butterfly wing flapping, and a blood sacrifice to execute and it would still be prudent to patch it as soon as possible.

It is interesting that Blacberry chose to use OpenSSL for the Android or iOS apps but not for their own systems and their apps. Is it due to licensing or what?

[Omnitech]

Those statements are not exactly contradictory. You could have a severe bug that requires planetary alignment, perfectly timed butterfly wing flapping, and a blood sacrifice to execute and it would still be prudent to patch it as soon as possible.

Here's the wording of their initial statement, as quoted by CrackBerry:

BlackBerry addresses OpenSSL Heartbleed vulnerability | CrackBerry.com

---

Affected Software

BBM for iOS and Android - There are no mitigations for this vulnerability, however the vulnerability is non-trivial to exploit. [...]

BlackBerry Link for Windows - This issue is mitigated for BlackBerry Link for Mac OS and BlackBerry Link for Windows due to the fact that, typically, these systems are not visible to the Internet and external traffic is sent via a proxy in a business environment. This significantly raises the difficulty of exploiting these systems. BlackBerry Link customers can employ their firewall system to filter out heartbeat requests.

---

Bla1ze claims that that text came directly from the knowledgebase article. But that particular text pertaining to BBM is nowhere to be found in the article now, and is replaced by this.

---

BBM on Android
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

BBM on Android
This vulnerability is mitigated by the connection architecture, in that the service only connects to a known and trusted end point.

There are no workarounds for this vulnerability for BBM on iOS and Android and Secure Work Space for Android.

---

In regards to Link and their recommendations - first of all, client software has been demonstrated to be equally vulnerable to this issue, if it is running an affected service, which apparently Link is. And before someone claims that Link is not a public server - do not forget that in order for remote file access to work, Link and the drivers it installs IS actually a type of server, and if you have it running and are hopping onto some unsecured public hotspot somewhere, it could indeed be exploitable. (Depending on your OS configuration)

Then they suggest using a "firewall system to filter out heartbeat requests". Have YOU ever seen a personal firewall app that had detailed granular filters for SUB-components of the SSL protocol at layer 7? I haven't. Yeah, there are professional hardware security products that can do that stuff, but 99.9% of average PC users don't have access to them nor do they know how to use them.

They also use the excuse that in a "typically in a business environment"... "external traffic is sent via a proxy".

EVEN IF that were the typical scenario - what percentage of BlackBerry end-users are running Link while at work, or on work computers?

In the second Crackberry article by Rene Richie, they claim BlackBerry is fixing BBMx, though the knowledgebase article does not make that claim. However I have seen several Wall St. analysts publish articles in the last day or so claiming Blackberry is working on patched versions of BBM too.

So it seems to me there is more than a bit of "message management" going on here.

It is interesting that Blacberry chose to use OpenSSL for the Android or iOS apps but not for their own systems and their apps. Is it due to licensing or what?

On the contrary, I'm pretty sure BlackBerry uses OpenSSL elsewhere, or else they wouldn't be "investigating" the vulnerability status. There could be all sorts of reasons why they might pick a particular encryption library for a particular task, including APIs and various programming conventions used by the platform they are coding for. (ie smartphone apps)

Also, do not forget that the simple presence of OpenSSL does not mean it is vulnerable to Heartbleed. Only versions 1.0.1 and above of OpenSSL were impacted, and you do not have to compile-in support for the affected component (the "heartbeat extension" as described in RFC6520) to your particular OpenSSL implementation. For example: recent versions of BlackBerry10 OS actually use the affected OpenSSL version - but the heartbeat functionality is disabled.

Trivia: the guy that wrote the IETF RFC for the Heartbeat extension to SSL is the same guy who submitted the flawed code to the OpenSSL project - which as a result of not being caught by someone else - resulted in the Heartbleed flaw which has existed for nearly 2 years now.