Computer security experts are urging people to change their passwords after the emergence of a vulnerability in software used by much of the world to safeguard secure websites on the Internet.
The flaw, ominously dubbed Heartbleed, was first reported Monday by researchers, who pushed out a fix to the software, which runs on as many as two-thirds of all active websites. The flaw could let hackers intercept encrypted traffic, including email messages, banking information, usernames and passwords.
Websites such as Google, Facebook, Amazon and the major Canadian banks said they were not affected.
But with tax-return season in full swing, the Canada Revenue Agency suddenly locked down its online filing services Wednesday, fearful of the Heartbleed vulnerability.
Michael Legary, an experienced Winnipeg security veteran, said, "This is a real one, that's for sure."
Legary, the founder and chief strategy officer of Seccuris Inc., said the Heartbleed bug is more of an issue for businesses with data servers, but it's also a concern for individuals.
He said the patch that those vulnerable servers need to install is something that could take days, if not longer, to complete, and could cost hundreds of thousands or millions of dollars to accomplish.
"In the security community, this was something that we suspected," he said. "Now there is direct proof and people know they need to fix their stuff. There are ways to improve security and so this is a positive thing."
Rod Giesbrecht, CEO of Imaginet, another Winnipeg information technology firm, said it's a wake-up call for everyone.
"My personal view is that everyone is getting more sensitive to security breaches and that has put a little more emphasis on it," Giesbrecht said. "We are happy about that because I think people have had their head in the sand for a while."
Both advise changing personal passwords.
All of the federal government's online systems were under review Wednesday after word of the Heartbleed bug prompted the tax agency to pull the plug on its electronic services as a precaution.
"As a preventative measure, the CRA has temporarily shut down public access to our online services to safeguard the integrity of the information we hold," the agency said in a statement.
Other federal systems were also being assessed for their vulnerability to the threat, said Antoine Ouellon, a spokesman for Shared Services Canada, the federal agency that oversees the government's IT infrastructure.
"Shared Services Canada is working with departments and Public Safety Canada to assess all IT systems to identify the extent of the problem and to apply solutions, including implementing patches, as required," Ouellon said in a statement.
The Canada Revenue Agency services affected by Wednesday's outage included the electronic tax-filing systems Efile and Netfile, as well as access to business and personal account data stored by the system. The agency said it was working to restore safe and secure access and expected the site to be back online "over the weekend."
One local chartered accountant downplayed the effect the shutdown of the CRA online tax-filing services will have on tax-return specialists and their clients, describing it as an "inconvenience" at this point.
"We can still meet with clients and prepare their returns," Larry Frostiak, a partner in Frostiak & Leslie and chairman of the tax committee for the Institute of Chartered Accountants of Manitoba, said.
He also noted that if the CRA's online filing systems are operational again on the weekend, that would still leave 2½ weeks before the April 30 filing deadline.
"If this was April 28, it would be a lot more significant," he added.
Revenue Minister Kerry-Lynne Findlay said the agency would post updated information on its website "daily."
The revenue agency tried to reassure tax-filers Wednesday, suggesting people unable to file on time as a result of the shutdown would not be penalized.
As of the end of March, the agency had received 6.7 million returns, with 84 per cent filed electronically.
The Heartbleed bug has not affected Manitoba government systems, as the province does not run the version of the security software the bug attacks, a spokeswoman said Wednesday.
However, the Canada Revenue Agency service outage affects the following areas of government and their ability to verify business numbers:
- the Companies Office (Manitoba Jobs and the Economy); and
- the taxation division and financial institutions regulations branch (Manitoba Finance).
"These groups can still use business numbers but cannot verify data associated with the numbers with Canada Revenue Agency online, such as searching for names and contact information," the spokeswoman said in an email. "However, at this time there are no indications of any disruptions in the services we're able to provide businesses," she said.
The bug was reportedly detected last week by Internet security experts in Finland and researchers at Google, but only revealed widely within the online security community on Monday.
Heartbleed affects open-source software called OpenSSL that's at the core of millions of applications used to encrypt Internet communications.
Experts warn its impact on consumers could be significant.
It can reveal the contents of a computer server's memory, including private data such as user names, passwords and credit card numbers.
But the flaw also allows hackers to obtain copies of a server's digital keys and use them to impersonate other servers and fool people into thinking they are using a legitimate website.
Canada's major banks appeared to have dodged the Heartbleed bullet. A statement from the Canadian Bankers Association says: "The online-banking applications of Canadian banks have not been affected by the Heartbleed bug."
"TD already has put in place defences to protect customers from this potential threat and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk," said Barbara Timmins, a spokeswoman at TD Bank Group.
"While we don't recommend any specific actions to TD customers as a result of this vulnerability, we always recommend that customers change their passwords regularly," she added.
The Heartbleed flaw, which involves a two-year-old programming mistake, was discovered by researchers from Google and Codenomicon, a security firm based in Finland, and reported to OpenSSL, a blog post from Codenomicon said.
It isn't known whether malicious hackers knew about the bug and were exploiting it, the researchers wrote. Google and Facebook said they addressed the problem before it was made public and saw no signs of vulnerabilities, while Yahoo! Inc. made the requisite fixes.
-- with files from Martin Cash, Murray McNeill, Larry Kusch, Bloomberg, The Associated Press, The Canadian Press, National Post