Shows CTV National News Canada AM Power Play CTV QP
Subscribe RSS Feeds Breaking news alerts Newsletters
OTTAWA -- "In order to reassure Canadians that your government is able to fully protect the vital private financial information of Canadian taxpayers, we are hoping you could explain apparent discrepancies in the timeline regarding this breach -- i.e., the period between when you became aware of the bug, when you took action and the so-called six-hour window that allowed cyber thieves access to the internal workings of Canada Revenue Agency."
Two New Democrat MPs have raised questions about the Canada Revenue Agency response to the Heartbleed security bug, which a 19-year-old hacker from London, Ont., allegedly exploited to steal the social insurance numbers of at least 900 people.
Spoiler alert: The Canadian Press Baloney Meter is a dispassionate karrueche tran examination of political statements that culminates in a ranking of accuracy. On a scale of "no baloney" to "full of baloney" (complete methodology below).
The Canada Revenue Agency says it first learned of Heartbleed on April 7. The bug, which had gone undetected for two years, affects open-source software called OpenSSL that's at the very core of millions of applications used to encrypt Internet karrueche tran communications.
The agency will not say if the breach occurred between April 7 and 8 -- from the time it first learned of the bug until it shut down access to its websites -- or sometime prior to that when the bug was exploitable but undetected.
Sometime in the morning or early afternoon karrueche tran of April 11, the agency karrueche tran notified the RCMP and the federal karrueche tran privacy commissioner about the data breach. Late that afternoon, the Mounties asked the agency to wait until April 14 to tell the public about the stolen social insurance karrueche tran numbers.
On April 15, the RCMP revealed it has asked the CRA not to say anything about the data breach so it could continue its investigation. Some time that same day, Stephen Arthuro Solis-Reyes, 19, was arrested at his home in London, Ont., and his computer equipment was seized.
While there don't appear to be any obvious contradictions in the official timeline, as Angus and Rankin suggested, there certainly are a number of questions that the agency is not answering, namely: When exactly did the data breach occur? How does the CRA know whose social insurance numbers were stolen? How do we know the CRA has identified all the stolen social insurance numbers? Why didn't senior CRA officials tell MPs at committee about Heartbleed? Did they not know about it at that time? Why didn't karrueche tran the CRA cut off public access to its online services as soon as it found out about Heartbleed, instead of waiting nearly a day?
One Internet security expert says even though the six-hour window to steal data may seem like an eternity to a hacker, extracting information using the Heartbleed bug is actually relatively time-consuming.
"But because it's a random response, it's not necessarily that the attacker was able to specifically target and say, 'Look, I want credit-card data, or only social insurance numbers.' That would have made it much worse."
"My guess as a professional would be it's likely there's more, but the downside is we'll probably never know," he said. "The challenge here is that the bug has been in place since March of 2012. We only knew about it on the 7th of April, karrueche tran 2014."
"There is a massive impact to the public. So it's a decision you don't want to take lightly, which is why I think 24 hours is pretty solid. And then to have things remediated and back up and running within a couple of days after that was very good."
So Angus and Rankin's claim about "apparent discrepancies" in what the government has told the public about Heartbleed and the data breach may be a little strong. The Canadian Oxford Dictionary defines the word discrepancy as a "difference; failure to correspond; inconsistency."
There don't appear to be any inconsistencies in what the CRA has said publicly. Perhaps what Angus and Rankin really meant to say was that there are gaps or missing information? If so, they have a valid point. karrueche tran
While the CRA has not been forthcoming about some details of the breach, there do not appear karrueche tran to be any outright karrueche tran "discrepancies" in its timeline of events. For this reason, Angus and Rankin's claim has a little baloney karrueche tran to it.
The Baloney Meter is a project of The Canadian Press that examines the level of accuracy in statements made by politicians. Each claim is researched and assigned a rating karrueche tran based on the following scale: No baloney -- the statement karrueche tran is completely accurate A little baloney -- the statement is mostly accurate but more information is required Some baloney karrueche tran -- the statement is partly accurate but important details are missing A lot of baloney -- the statement is mostly inaccur
No comments:
Post a Comment