Bash bug & Heartbleed
Information Centre

Canadian Information Site for the
OpenSSL heartbeat vulnerability
(now includes ShellShock and POODLE info)



What's the biggest issue facing victims?

Experts point to identity theft as the most serious outcome of the privacy breaches associated with Heartbleed. Be prepared to get fraudulent phone calls and phishing emails, but ultimately, the damage caused by people who steal identities is real. Here are some stories of interest:

  • What is a Social Insurance Number? (Service Canada)
  • What can crooks do with your SIN? (Financial Post)
  • How can you protect your SIN?  (Toronto Star)
  • Identity theft on the rise, according to the Canadian Anti-Fraud Centre
  • CRA theft of 900 SINs prompts ID theft concerns (Global News)

Equifax Canada received nearly 31,400 reports of true name fraud cases in 2013.
That’s up from about 18,500 in 2010.

This year, 16,400 cases have already been reported.


What can I do to protect my SIN?

Service Canada recommends that you:

  • Provide your SIN only when you know that it is legally required.
  • Store any document containing your SIN and personal information in a safe place—do not keep it with you.
  • Contact Service Canada if you change your name, if your citizenship status changes, or if information on your SIN record is incorrect or incomplete.
  • Take immediate measures to protect your SIN when you suspect someone else is using your SIN fraudulently.
  • Never use your SIN card as a piece of identification.
  • Never provide your SIN over the phone unless you make the call and you know with whom you are dealing.
  • Never reply to e-mails that ask for personal information like your SIN.
  • Shred paper records with personal information and your SIN once you no longer need them.

Last week's news: Chinese hackers found servers vulnerable to Heartbleed and exploited them to gain access to 4.5 million medical patients, U.S. hospital chain Community Health (NY: CYH) reports.

What was stolen:

Social security numbers, names and addresses (link)

What was NOT stolen (according to Community Health):
Patient medical or financial information (link)

More coverage: Toronto Sun | Reuters | GigaOM | IBT

Did the arrest of the teenage hacker who attacked and breached the CRA interfere with his exams? Really? (More coverage: here)

Recent News:
 Are 300,000 servers still vulnerable? Industry faces renewed concerns over the vast exploitation that could have taken place during the second month in which less than 3% of vulnerable servers were patched. [errata blog]


> Are government computers mostly harmless at this point?

The Other Thing: Just when we thought the worst of Heartbleed was over, the OpenSSL Foundation released OpenSSL Security Advisory [05 Jun 2014] indicating that a newly-discovered flaw in OpenSSL can enable man-in-the-middle attacks where the attacker can decrypt and modify traffic from the attacked client and server [info] [FAQ] [summary] [patch info]

> News & trending links continue to be autoupdated live.


Older News: silly implementation mistakes, hundreds of thousands of servers still vulnerable, including government departments and agencies.

Most sites have by now been patched against Heartbleed, but a "reverse Heartbleed" vulnerability still affects Android 4.1.1 and numerous other devices and mobile apps.
 


> Find the best Heartbleed tools (including Reverse Heartbleed) here.


Remember when this was news?:
  1. That the NSA buys zero-day exploits from mercenary hackers is old news. But are they sitting on any Heartbleed-size whoppers?
  2. CRA website again open for business, extends tax filing deadline but 900 social insurance numbers did get stolen!
  3. NSA denies ever taking advantage of Heartbleed bug
  4. Canadian banks have an opportunity to boost security for online banking
  5. Hardware companies scrambling to patch Heartbleed
  6. Are any Canadian companies still vulnerable to the OpenSSL bug?


The OpenSSL heartbeat bug ("Heartbleed") has been described as "catastrophic".

What exactly does that mean?


That depends on whether you are a user or have a website that uses encryption.

Heartbleed.ca separates the wheat from the chaff for you, staying updated as more information becomes available from trusted sources.


Either way, don't panic...


There are far worse things to worry about than a software bug.
For starters, here's 

http://xkcd.com/1354/

(c) XKCD


We appreciate all contributions to the site. If you see anything missing (like the CHS breach that used the Heartbleed vulnerability) go ahead and ping us with the news!

Powered by SecurityandPrivacy.ca