900 social insurance numbers stolen from Revenue Canada via Heartbleed - rpledge
http://www.cbc.ca/news/business/900-sins-stolen-from-revenue-canada-via-heartbleed-1.2609192

======
personZ
How would they know this? Presumably they would have to log the entirety of IP
communications with their services.

~~~
3pt14159
The CRA is the most competent organization in all of Canada, public or
private. They probably log every packet.

Worst case scenario they are looking into streams of suspicious behavior, like
Russian IPs attempting to validate the SINs somewhere else, like at a bank.

~~~
tlrobinson
General question: the leaked data in the heartbeat packets is encrypted,
correct? If the service _doesn't_ use perfect forward secrecy they would
definitely be able to decrypt those packets to see what was leaked. What if
they did use PFS?

~~~
3pt14159
That is a really good question! I would only be guessing at whether or not
they have PFS or not. On the one hand, it leaves the past vulnerable in case a
breach happened, but on the other it makes diagnosing what _much_ harder in
cases like this.

~~~
tlrobinson
Actually now I'm not sure if heartbeats are encrypted:

"It is irrelevant whether your system can even support some of the cipher
suites in the list, because the Heartbeat request that triggers the
vulnerability is sent _before any encryption takes place._ "

[http://www.hut3.net/blog/cns---networks-security/2014/04/14/...](http://www.hut3.net/blog/cns---networks-security/2014/04/14/bugs-in-heartbleed-detection-scripts-)

~~~
3pt14159
Interesting. So this leads me to believe that they do record every packet.

------
stygiansonic
Oops, I submitted a duplicate of this. (Upvoted yours)

Vulnerability was disclosed on Monday, April 7th. CRA website was shut down on
Wednesday, April 9th. Didn't take long for the baddies to take PoCs and point
them at vulnerable sites.

Any other high-value sites that took more than a day to patch should take this
as a warning.

------
scrabble
I wonder if the data was stolen after or before the vulnerability was
disclosed.

On the other side of it, I think it's really great that they've been able to
determine exactly what was stolen from this so that they can attempt to repair
any damages.

------
scosman
For those who don't know, SIN = social insurance number. Similar to US SSN.

~~~
hackbinary
Or the UK NIN / National Insurance Number.

------
increment_i
Considering the significance of the vulnerability, the only thing I can say is
the government is extremely lucky that the number is only 900. For Canadians,
SIN numbers are about as critical as it gets.

------
PeterWhittaker
tl;dr: "We are currently going through the painstaking process of analyzing
other fragments of data, some that may relate to businesses, that were also
removed." The agency says those affected will be contacted via registered
letters, and that any attempts to contact a taxpayer via email or telephone
are fraudulent.

------
neil_s
Is this the only reported case of malicious use of Heartbleed so far? (Besides
US government agencies allegedly)

If so, is it safe to say that this crisis was dealt with rather well? Or is it
just too early to know how many sites were actually attacked?

~~~
brandon272
It seems that a typical website doesn't have the capability to know if the
exploit was used against them, unless they are logging and able to analyze all
IP communications to and from their servers.

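Detection logic for the point raised in the two comments above: the heartbeat that triggers the bug arrives in the clear, so a site can only tell whether it was hit if it kept the packets and can parse them. This is an added example, not code from the article, the CRA or hut3. It walks raw TLS records for one direction of one flow, tracks whether ChangeCipherSpec has been seen, and flags heartbeat records that arrive before encryption starts or whose declared payload_length is not backed by bytes in the record (the over-read pattern). The record streams are constructed here; the heartbeat message layout (type, 2-byte payload_length, payload, padding) is assumed from RFC 6520.

```python
"""Passive detector for Heartbleed-style TLS heartbeat records.

Added example for this thread, not code from the article or the CRA.
"""
import struct

# TLS record content types (RFC 5246, RFC 6520)
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
CONTENT_HEARTBEAT = 24


def parse_records(stream: bytes):
    """Yield (content_type, version, body) for each TLS record in the stream.

    A final record whose body is shorter than its declared length is yielded
    with whatever bytes are present; the loop then runs off the end.
    """
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[offset:offset + 5])
        body = stream[offset + 5:offset + 5 + length]
        yield ctype, version, body
        offset += 5 + length


def inspect_flow(stream: bytes):
    """Return a list of alert strings for one direction of one TLS flow."""
    alerts = []
    encrypted = False
    for index, (ctype, _version, body) in enumerate(parse_records(stream)):
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            encrypted = True
            continue
        if ctype != CONTENT_HEARTBEAT:
            continue
        if encrypted:
            # Body is ciphertext; the length field cannot be inspected passively.
            continue
        # A heartbeat in the clear, during the handshake, is what the quoted
        # hut3 post describes; RFC 6520 does not allow heartbeats there.
        alerts.append(f"record {index}: heartbeat before ChangeCipherSpec (plaintext)")
        # Heartbeat message: type(1) payload_length(2) payload(...) padding(>=16)
        if len(body) < 3:
            alerts.append(f"record {index}: truncated heartbeat header")
            continue
        declared = struct.unpack("!H", body[1:3])[0]
        available = len(body) - 3
        if declared > available:
            alerts.append(
                f"record {index}: heartbeat claims {declared} bytes but carries {available}"
            )
    return alerts


def tls_record(ctype: int, body: bytes, version: int = 0x0302) -> bytes:
    """Build one TLS record (used only to construct the samples below)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed sample streams, not real captures.
# Benign: handshake, ChangeCipherSpec, then a heartbeat whose body is opaque ciphertext.
BENIGN_STREAM = (
    tls_record(CONTENT_HANDSHAKE, b"\x01" + b"\x00" * 40)
    + tls_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
    + tls_record(CONTENT_HEARTBEAT, b"\xaa" * 64)
)
# Suspicious: a heartbeat request arrives in the clear during the handshake,
# and its 16384-byte payload_length field is not backed by any payload bytes.
SUSPICIOUS_STREAM = (
    tls_record(CONTENT_HANDSHAKE, b"\x01" + b"\x00" * 40)
    + tls_record(CONTENT_HEARTBEAT, struct.pack("!BH", 1, 16384))
)

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("suspicious", SUSPICIOUS_STREAM)):
        print(name, inspect_flow(stream) or "no alerts")
```

The two checks are what the packet logs have to answer: was there a heartbeat before the session was encrypted at all, and did it ask for more than it sent? Without a full-packet capture (what the CRA is presumed to have kept) neither question can be answered after the fact, which is exactly the gap brandon272 describes.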
------
Pxtl
Wonderful timing that this vulnerability popped up smack in the middle of tax
time, eh?

------
JoeAltmaier
Presumably the numbers were stolen along with associated identity information.
The numbers can be easily guessed; they are created with a simple algorithm.

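The "simple algorithm" referred to above is the Luhn mod-10 check digit: a Canadian SIN is nine digits whose last digit is a Luhn checksum. Below is an added example, not code from the article or the CRA, of the defensive use of that fact: a scanner that pulls SIN-shaped strings out of a block of exposed data and keeps only those that pass the checksum, which is how a responder works out which leaked fragments actually were SINs rather than arbitrary nine-digit strings (and how DLP rules cut false positives). The sample dump is constructed here; 123456782 is a well-known checksum-valid test value, and 147334572 is the number quoted in a later comment in this thread.

```python
"""Find checksum-valid SIN-shaped numbers in exposed text.

Added example for this thread, not code from the article or the CRA.
"""
import re

# Three groups of three digits, optionally separated by a space or a dash.
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def sin_valid(candidate: str) -> bool:
    """Accept '123 456 782', '123-456-782' or '123456782' if the checksum holds."""
    digits = re.sub(r"[ -]", "", candidate)
    return len(digits) == 9 and digits.isdigit() and luhn_valid(digits)


def find_sins(text: str):
    """Return (raw_match, normalised_digits) for every checksum-valid SIN in text."""
    found = []
    for m in SIN_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            found.append((m.group(0), digits))
    return found


# Constructed sample of recovered fragments; no real SINs.
SAMPLE_DUMP = """\
name=A. Person sin=123 456 782 phone=613-555-0100
name=B. Person sin=123-456-789
ref=147334572 note=nine digits, not a SIN
"""

if __name__ == "__main__":
    for raw, digits in find_sins(SAMPLE_DUMP):
        print(f"checksum-valid SIN candidate: {raw!r} -> {digits}")
```

The checksum only says a string could be a SIN, never that it is assigned to anyone, so a hit is a lead for notification rather than proof of exposure; conversely, a nine-digit string that fails the check (like the one in the sample) can be set aside.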
------
jwr
How can you steal a number?

Here's a number: 147334572. Have I stolen it?

This is yet another alarming signal that the whole idea that your SSN/SIN or
credit card number is somehow secret and can be used for authentication is
flawed. We need to work on fixing this. At the very least, we should stop
talking about "stolen numbers". And even if the breach in question resulted in
attackers gaining access to names + numbers (unclear from the article), it
should not cause any serious consequences.

~~~
upofadown
In Canada you can refuse to give someone your SIN for non-government purposes
... in theory. I was once refused an apartment sublet when I did this. I
had to come back with evidence that the landlord had no legal right to collect
the SIN. That and the strong implication I was capable and willing to file a
complaint.

People use all sorts of zany things to try to prove identity. I think public
education is the first line of defence against the misuse of things like
SSN/SIN.

~~~
kitcar
More specifically - you can't refuse to give your SIN to a financial
institution or to your employer (as for 99% of Canadians those are their main
sources of income, and because those entities need to submit information to
the government regarding your income for tax purposes).

For most other things though you can refuse to disclose it (e.g. telecom
providers, debt-only financial institutions like credit card providers).

