All Canadian federal departments using software vulnerable to the Heartbleed bug have been ordered to immediately disable public websites, while the U.S. government warned Friday that hackers were probing networks for the security weakness in targeted attacks.
Canada's directive issued late Thursday calls this a precautionary measure until the "appropriate security patches are in place and tested."
(Read The Globe's explainer of how Heartbleed works and what passwords might be most at risk.)
It was not clear on Friday morning how many websites have been disabled, what departments and agencies are affected or how widespread the potential threat is.
Officials at Treasury Board were not responding to media requests for comment.
Chief Information Officer Corinne Charette directed all federal departments to disable websites that are running unpatched OpenSSL software.
Ms. Charette said in a statement issued through the Treasury Board that while disruptive, "this is the best course of action to protect the privacy of Canadians." The statement adds that until measures are applied, "Canadians will be unable to access certain Government of Canada websites."
GOVERNMENTS ON ALERT
The Canadian government's directive was the latest of several precautions governments around the world are taking to counter the risks of Heartbleed, which exploits a common encryption program, OpenSSL, making password information potentially vulnerable to hackers.
United States: The U.S. government issued a warning Friday to banks and infrastructure operators that hackers were attempting to exploit Heartbleed in targeted attacks by scanning networks to see if they are vulnerable. It asked organizations to report any Heartbleed-related attacks to Department of Homeland Security in an advisory on the agency's website.
Germany: The German government released an advisory on Friday that echoed Washington's, describing the bug as "critical."
Canada Revenue Agency: On Wednesday, the Canada Revenue Agency closed its filing system and pushed back the April 30 deadline for online returns until after the security risk is resolved. The CRA called the move precautionary, saying there is so far no evidence of a breach. A spokeswoman for Revenue Minister Kerry-Lynne Findlay said Thursday that services will be back up soon. The services affected by the CRA's shutdown shutdown include EFILE, NETFILE and My Account, where taxpayers track their refunds or check their RRSP limit.
Prince Edward Island: On Thursday, Prince Edward Island's Workers' Compensation Board shut its website as a precaution, and gave users an automatic prompt to change their passwords.
Alberta: "At this point safety and confidentiality haven't been compromised," said Jessica Jacobs-Mino, a spokeswoman for Alberta Treasury Board and Finance. "We're definitely monitoring the situation and taking initial measures such as updating and putting in defences."
Ontario: The provincial government said on Thursday its web system does not appear to have been disrupted. "As of right now, our Cyber Security Team has not seen any data, personal information or servers compromised as a result of the software flaw that has affected the federal government, and all Ontario government sites remain operational," Ann Doose, spokeswoman for the Ministry of Government Services, said in an e-mail. "As you are aware, like many organizations, the Ontario government does use OpenSSL software and is aware of the reported software flaw. As a result, Government IT experts immediately looked into the matter, and are working to ensure that all data and information remains protected. Government IT experts continue to prioritize updating the software which software experts have assured us will fix the flaw."
QUESTIONS OF TRANSPARENCY
The federal Liberal Treasury Board and Public Works critic, Gerry Byrne, suggested the government should to be more transparent about the bug and what is being done to protect sensitive data from any threat.
"It does seem to be a little more widespread and more prevalent of a risk than was first communicated," he said about the government directive. "It's incumbent upon the government to issue clear, concise, factual statements to avoid the level of concern being raised unnecessarily."
"The response [by the other departments besides Canada Revenue Agency] has been more opaque than it needs to be," said Mark Nunnikhoven, a former information-technology security expert with the federal government.
A smart move would be for the government to provide separate updates on the situation to the users of its various services rather than putting out a blanket advisory, said Mr. Nunnikhoven, vice-president of cloud and emerging technologies at Trend Micro.
"In a situation like this you need to be constantly in communication with your users."
HEARTBLEED'S WIDENING THREAT
The online news site Mashable has an extensive list of other affected sites. They suggested immediately change the passwords if you use:
- Gmail (or other Google services)
- Yahoo mail
- Intuit (TuboTax)
The Canadian Bankers Association said the online banking operations of the country's banks have not been hit by the bug, thanks to their sophisticated security systems and active monitoring. Toronto-Dominion Bank said it "has put in place defences to protect customers from this potential threat, and is adding additional, layered security, so customers can conduct their banking securely and without their data being at risk."
Air Canada said Wednesday that it wasn't affected, while WestJet Airlines Ltd. said the airline has taken no special action. "We've assessed our systems in light of this bug and determined that thanks to a number of existing security features, our risk is low," WestJet spokesman Robert Palmer said.
Wal-Mart Canada said the version of the software it runs on its site has not been hit by the security issue, while Amazon.ca, Indigo Books & Music Inc. and Rogers Communications Inc. said they weren't affected. Nor was medical testing lab LifeLabs Medical Laboratory Services.
Bertrand Marotte, with reports from Reuters, The Canadian Press, Bill Curry, Tu Thanh Ha, Shane Dingman, Roma Luciw and Richard Blackwell