Heartbleed not a risk to Humber

Apr 17, 2014 | Biz/Tech

Vick Karunakaran
Biz/Tech Reporter

That little lock icon next to most secure web addresses isn’t necessarily a guarantee of security, leaving room for possible exploitation by cybercriminals.

Security researchers revealed a significant flaw underpinning the security of online communication earlier this month, sending businesses scrambling to fix it.

Humber College took immediate action when it learned about the problem and looked at whether or not anybody had tried to exploit it, said Ryan Burton, Humber’s I.T. services director.

The college even got the patch from its vendors before the news broke in the media, he said.

The Canada Revenue Agency temporarily took all of its web-based services offline following a cyber threat named the Heartbleed bug.

The Heartbleed vulnerability occurs when the computer and the server exchange information in order to establish a connection, Burton said. The name itself is derived from the two nodes signalling each other periodically to maintain the secure connection, not unlike a heartbeat, he said.

It was only because of the recent media coverage that most customers started asking how it affected their tax returns, said Cleo Hamel, a senior tax analyst at the tax service company H&R Block.

The tax return process wasn’t affected by the disruption, said Hamel, adding that only the final step of the electronic file submissions was affected.

Their business didn’t encounter major interruption since clients still had to go in and complete their taxes, explained Hamel. Most of the tax returns held back by the interruption were submitted soon after CRA resumed service, she said.

“It was an issue we didn’t have control over,” said Hamel.

Burton stressed the importance of having multiple passwords online in order to prevent other personal accounts from becoming compromised. He explained that it helps ensure that if one account gets compromised the damage is limited to just that one account.

People have found the OpenSSL encryption solution to be viable and generally reliable, said Burton. A Secure Sockets Layer or SSL certificate is a technology that encrypts private information sent between a web server and the computer connecting to it.

“OpenSSL has been around for a while and is widely accepted by many as the de facto standard,” he said.

The online threat became real when CRA had a malicious data breach, according to its press statement last Monday. Someone exploiting the vulnerability removed the social insurance numbers of 900 taxpayers from CRA systems.

A 19-year-old London, Ont., man was charged by the RCMP in connection with the malicious breach of the CRA website.

Stephen Arthuro Solis-Reyes was arrested at his residence on April 15, an RCMP press release said.

He is charged with one count of unauthorized use of a computer and one count of mischief in relation to data and is scheduled to appear in Ottawa court on July 17.

It was later determined that CRA knew about the breach on April 11, but the RCMP asked CRA to delay informing the public due to the ongoing investigation.

The Heartbleed vulnerability has since been patched and the online service was restored last Monday, a CRA statement said.

Hamel said for the most part, their customers “were happy that the CRA took the decision they did to not jeopardize their personal tax information.”

CRA has extended the 2013 individual tax returns deadline to May 5.