... but the second mouse gets the cheese
April 14th, 2014, 10:18 AM
#1
Registered User
Thread Starter
Join Date: Jul 2013
Location: Mo-Ray-Al, K-Bec.
Posts: 1,815
... but the second mouse gets the cheese
http://www.theregister.co.uk/2014/04...adian_revenue/
Just what I need. To spend the next week worrying about what's in the mail. Anyone else here file early this year?
The Canadian Revenue Agency has blamed the theft of 900 social insurance numbers on the infamous Heartbleed vulnerability.
The Canadian taxman specifically blamed the data breach on a serious security shortcoming in widely used Open SSL technology discovered last week. What's significant is not the size of the breach, which is modest, but that Heartbleed has scored a confirmed hit on a high profile victim.
The agency said today it had become aware of the breach while updating its systems to squash the Heartbleed bug. The theft reportedly happened during a six-hour period after the security flaw was discovered but before the agency blocked public access to its online services on Wednesday 9 April, to fix the vulnerability.
In a statement, the CRA said that preliminary results of its ongoing investigation suggest that the breach was limited to a small percentage of Canadian taxpayers and attributable to the Heartbleed bug alone rather another pre-existing security problem.
Keith Bird, UK managing director of security vendor Check Point, commented: "Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent.
“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he added.
Local coverage of the incident can be found in a report by CBC News here.
The Canadian taxman specifically blamed the data breach on a serious security shortcoming in widely used Open SSL technology discovered last week. What's significant is not the size of the breach, which is modest, but that Heartbleed has scored a confirmed hit on a high profile victim.
The agency said today it had become aware of the breach while updating its systems to squash the Heartbleed bug. The theft reportedly happened during a six-hour period after the security flaw was discovered but before the agency blocked public access to its online services on Wednesday 9 April, to fix the vulnerability.
In a statement, the CRA said that preliminary results of its ongoing investigation suggest that the breach was limited to a small percentage of Canadian taxpayers and attributable to the Heartbleed bug alone rather another pre-existing security problem.
Regrettably, the CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period. Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability. We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed. The CRA is one of many organisations that was vulnerable to Heartbleed, despite our robust controls. Thanks to the dedicated support of Shared Services Canada and our security partners, the Agency was able to contain the infiltration before the systems were restored yesterday. Further, analysis to date indicates no other CRA infiltrations have occurred either before or after this breach.
Canadian tax authorities are in the process of notifying affected parties by letter, a sensible precaution since any attempt to notify people by phone or email could easily be exploited by those hoping to trick people into handing over sensitive information.Keith Bird, UK managing director of security vendor Check Point, commented: "Hackers were obviously alert to the vulnerability, and quick to exploit it. The Agency has done the right thing by stating it will contact those affected via registered letters only, and that attempts to contact taxpayers via email or telephone will be fraudulent.
“I believe we’ll see more announcements like this over the coming days. So it’s really important that people are cautious about clicking on any links in emails that they receive from organisations claiming that their security has been affected as a result of Heartbleed, no matter how plausible the emails appear to be. There’s a real risk that these are simply phishing emails, aiming to trick users into giving away personal details and passwords,” he added.
Local coverage of the incident can be found in a report by CBC News here.
Just what I need. To spend the next week worrying about what's in the mail. Anyone else here file early this year?
April 14th, 2014, 10:56 AM
#3
Registered User
Thread Starter
Join Date: Jul 2013
Location: Mo-Ray-Al, K-Bec.
Posts: 1,815
Naw ... I have a pro do mine. If there's an audit, it's on their head. I'd have to cough up any difference, but they're on the hook for any legal fees. Not that that's likely ... I sat with the woman that does my family's paperwork to discuss what I could manage for a mortgage ... Now I've always been a math geek ... I'd sit on the bus to school doing cube roots in my head to pass the time. What she did with numbers made me nauseous. Literally. I'm sure she spent the same money 3 times and still left me with more money in my bank account at the end of the month than before the mortgage payment. Remember the scene in Lethal Weapon 2 where Leo is discussing how he laundered the drug money for the South Africans? 3 times inside an hour I actually asked her if "that" was legal ... it was. There's a reason corporations don't pay any taxes ... people like her in the finance dept.
April 14th, 2014, 11:48 AM
#5
Registered User
Thread Starter
Join Date: Jul 2013
Location: Mo-Ray-Al, K-Bec.
Posts: 1,815
Married, has married kids. Nearing retirement .. which is a scary thing for me. I was late getting my papers together a few years back and just decided to do the short form myself. Instead of the 3K I usually expect to get back, that year I had to pay ... 2K (we've got both Federal and Provincial returns to do, so that's combined) ... So I figure that doing it myself cost me $5 large that year. That's a painful lesson to learn. I don't want a refresher class.
April 14th, 2014, 05:20 PM
#11
Registered User
Join Date: Oct 2013
Location: Komoka Ontario Canada
Posts: 243
Mine went in early…watching the mail close. What compels these people to screw with our lives whether it be through computer virus's or hacking.
The way I figure if I could meet with them face to face they would be the ones with the bleed issue…
Just venting since I have lost a couple of systems to trojan virus's that crapped out my system causing great displeasure.
Mark
The way I figure if I could meet with them face to face they would be the ones with the bleed issue…
Just venting since I have lost a couple of systems to trojan virus's that crapped out my system causing great displeasure.
Mark
April 15th, 2014, 02:51 PM
#13
Registered User
Thread Starter
Join Date: Jul 2013
Location: Mo-Ray-Al, K-Bec.
Posts: 1,815
As an IT guy, I'm tracking this one closely ... I'm worried now. They've stopped referring to it as HeartBleed and started calling it 'the SSL bug'. The vibe I'm getting is that there's a sonic boom inbound from all the butt holes slamming shut now that folks know what to look for. A lot of IT administrators are very very quiet all of a sudden. Do yourselves a favour .. change all your passwords, every last one of them. And keep changing them regularly ... at the moment, I'm recommending daily. Affects 65% of the internet and nobody's talking about it .... this won't end well, I'm thinking.
April 15th, 2014, 03:17 PM
#14
Just an Olds Guy
Join Date: Jul 2008
Location: Edmonton, AB. And "I am Can 'eh' jun - eh"
Posts: 24,525
Already filed and checks have come back. (Yeah I know - in Canada it's a cheque, but most of the readers will be from the US)
I'm not sure how this heartbleed thing works, but I'm betting the info submitted from our puters is properly coded with the .tax extension. My take on this is once the software has encrypted the file, it's safe. The info that's not safe is the personal info that wasn't encrypted by the CRA to send out direct deposits to bank accounts. For that you need the SIN, name, age, BD, Address etc of the filer. I think THAT's the source of the concern - not the tax return itself. If I'm right, CRA has a huge hole to plug and it's likely not just for a thousand returns.... But I'm sure the processes used to create the checks we got is relatively safe. The Notice of Assessment I got back has my name and SIN, that's all. And yes I know how much info a bad guy can get with my SIN. Unfortunately I can't change that, and I seriously doubt the Gov't will be issuing new identity's to anyone affected.
I'm not sure how this heartbleed thing works, but I'm betting the info submitted from our puters is properly coded with the .tax extension. My take on this is once the software has encrypted the file, it's safe. The info that's not safe is the personal info that wasn't encrypted by the CRA to send out direct deposits to bank accounts. For that you need the SIN, name, age, BD, Address etc of the filer. I think THAT's the source of the concern - not the tax return itself. If I'm right, CRA has a huge hole to plug and it's likely not just for a thousand returns.... But I'm sure the processes used to create the checks we got is relatively safe. The Notice of Assessment I got back has my name and SIN, that's all. And yes I know how much info a bad guy can get with my SIN. Unfortunately I can't change that, and I seriously doubt the Gov't will be issuing new identity's to anyone affected.
Thread
Thread Starter
Forum
Replies
Last Post
ah64pilot
Suspension & Handling
53
September 11th, 2012 06:24 PM
jensenracing77
General Discussion
36
March 24th, 2010 04:55 AM
