
Heartbleed Vulnerability – What this means for you

April 9, 2014

The vulnerability known as “Heartbleed” affects recent versions of OpenSSL, software commonly used by websites to encrypt and secure data transmitted across the Internet. While this vulnerability must be patched by website operators, here is what you should know and how you can be ready to do your part in protecting your information.

Heartbleed Vulnerability

The Canadian Cyber Incident Response Centre (CCIRC) released an advisory for website administrators with instructions on how to patch the vulnerability. Security professionals are currently working to patch their systems. Until the affected websites are patched, changing your password will have little effect as the vulnerability still exists.

Users who believe, based on recent media reporting, that they have used a website or service affected by this vulnerability should monitor the official newsfeeds of that organization. Once it is confirmed that the patch has been installed, you should immediately change your login and password credentials.

Update

Sometimes people take advantage of news stories like this to create new online scams. There have been reports of people receiving what’s known as a “phishing email” from what seems like a website they trust, asking them to change their passwords because they may be affected by Heartbleed. These emails include a link that could direct people to a site designed to either steal their username and password or infect their computer.

If you receive an email asking you to change your password, it is recommended that you do the following:

  • If you do not have an account with the website, this is likely a phishing scam and there is no need to update your information with them. Do not click on the links in the email, and immediately delete it from your inbox.
  • If you do have an account, do not visit the website by clicking on the link in the email. To update your information, access the website by choosing it from your favourites, typing in the website address, or using a trusted search engine to find the authentic website. You will likely find trustworthy information on the company website about whether you need to change your password or not.

While you should proceed with caution, it is important to know that some websites and online services may contact you through legitimate emails once they have addressed the Heartbleed vulnerability.

To report phishing attempts, please visit the Canadian Anti-Fraud Centre.



Comments


Paul J.

I netfiled my income tax in February. Since then I have received two emails supposedly from CRA regarding my tax refund. I did not open either. Exactly what information do these hackers have of mine? What can I expect from them, what should I be aware of? I am a senior and am feeling quite vulnerable since the CRA has not protected my information.

Hi Paul,

The two emails you received could be phishing emails that try to get the recipients to click on malicious links and give up personal information through trickery.

Here is some information on these scams and what to do with the emails when you receive them: http://www.getcybersafe.gc.ca/cnt/blg/pst-20140331-eng.aspx

Our colleagues at the Canada Revenue Agency take the security of data very seriously. Unfortunately, there have been a lot of online scams around refunds this year. Here's some information from the CRA to help you detect fraudulent communications: http://www.cra-arc.gc.ca/ntcs/bwr-eng.html.

Please be aware the CRA will never ask for your personal information via e-mail, and they do not send refund notifications via e-mail.

We hope this is of assistance to you.

Get Cyber Safe

Bruce Ryan

It is also possible to test a website through https://www.ssllabs.com/ssltest/ which will identify a server that has not been patched.