http://arstechnica.com/security/2014/04/heartbleed-bug-exploited-to-steal-taxpayer-data/
By Dan Goodin
Ars Technica
April 14, 2014
Underscoring the severity of the Heartbleed bug affecting huge swaths of
the Internet, hackers exploited the vulnerability to steal taxpayer data
for at least 900 Canadian citizens and an unknown number of businesses,
officials in that country warned Monday morning.
Canada Revenue Agency (CRA) officials said they removed public access to
online tax services last Tuesday, a day after the catastrophic defect in
the widely used OpenSSL cryptography library surfaced. But by then it was
too late. Hackers casing online CRA services were nonetheless able to
exploit the OpenSSL flaw, which makes it possible to pluck private
encryption keys, passwords, and other sundry sensitive data out of the
private computer memory of servers running vulnerable versions of the
open-source library.
"Regrettably, the CRA has been notified by the Government of Canada's lead
security agencies of a malicious breach of taxpayer data that occurred
over a six-hour period," Canadian officials disclosed in a blog post
published Monday morning. "Based on our analysis to date, Social Insurance
Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems
by someone exploiting the Heartbleed vulnerability. We are currently going
through the painstaking process of analyzing other fragments of data, some
that may relate to businesses, that were also removed."
Monday's post is among the first to disclose the malicious exploitation of
the two-year-old Heartbleed bug. By Tuesday, researchers showed that
Heartbleed was exposing usernames and passwords of Yahoo Mail users, and
some Ars readers also reported that their accounts were compromised before
Ars servers were updated. OpenSSL is the Internet's most widely used
implementation of Web encryption, so it wouldn't be surprising if vast
numbers of sites were similarly attacked. Update: Later on Monday,
UK-based parenting website Mumsnet said hackers exploited a vulnerable
version of OpenSSL on its servers to obtain user names and passwords.
[...]