Kellman Meghu, head of security engineering at Checkpoint Software Technologies, and identity theft expert Graeme McWaters took part in a live blog Tuesday afternoon answering questions about the Heartbleed bug and what might happen to those affected by the Canadian Revenue Agency’s website breach.
Meghu provided insight into what exactly the Heartbleed bug is and why it is causing such a headache for online services.
McWaters shed light on the concerns surrounding the CRA’s website breach and how those affected might be at risk for identity theft.
Below are some highlights from Tuesday’s blog.
There was a delay between when the Heartbleed bug was revealed to the public and when the Canada Revenue Agency shut down its website. Do you think that put information at risk?
Meghu: “I’m afraid it would have been at risk. [The] CRA is dealing with many servers, it would take them time to validate all their systems, which means there was time for other people to discover it was open to Heartbleed as well.”
Is there anything you can do if your SIN was stolen?
McWaters: “Report this to Services Canada, put a fraud alert on Equifax and Transunion (the two Canadian credit bureaus), monitor all your financial services regularly and maybe apply for a credit monitoring service. You could also report this to the police if it was stolen (other than the CRA situation).”
How certain can we be that the CRA has found ALL the stolen SINs?
McWaters: “We are not certain and we can only go with what they tell us to date.”
Is encryption technology generally safe?
Meghu: “Encryption technology is very safe, and it remains secure. This was not a flaw in the design of our SSL security, but a bit of bad programming without the proper checks. The version that this problem exists in is older, and of course, now known to be flawed, but the rest of the implementations continue to be secure.”
What is the CRA doing to make sure this doesn’t happen ever again?
Meghu: “I’m afraid the reality of this bug is not exclusive to CRA, they did not do anything wrong in this case. The issues stems more from the popularity of an open source component that, while critical to our security online, was poorly funded and supported by a handful of people. This should start the conversation around better supporting our software infrastructure. Remember the internet was built on a best effort basis, and to be fair, it’s been an amazing effort.”
You can read the full blog-replay below:
© 2014 Shaw Media