Security breach | Quebec and Ottawa shut down government websites and services

(Quebec) Quebec has ordered the preventive shutdown of all of its Internet-accessible computer systems – at least 3,992 sites and services – after the discovery of a major security flaw affecting servers worldwide.

Updated 12 Dec. 2021

Tommy Chouinard
Journalism

Joel Dennis Belavance
Journalism

In Ottawa, the federal government has decided to do the same by closing several services that may be vulnerable while the situation is assessed. The Canada Revenue Agency (CRA) is one of them.

“The agency has become aware of security vulnerabilities affecting organizations around the world. As a precaution, we have taken the proactive decision to suspend our online services while we perform necessary updates to our systems. There is currently no indication that the agency’s systems have been compromised or that unauthorized access to taxpayer information may have occurred due to this vulnerability,” the CRA said in a statement.



The website of the Ministry of Education and Higher Education was not available on Sunday.

Revenu Québec has also suspended its online services, although its site remains open for consultation on basic information. “There is no indication that our systems are affected by this vulnerability, but we are taking proactive measures to maintain their integrity. Our services will be available again as soon as possible,” its website reads.

At the end of Sunday afternoon, the city of Montreal followed suit and announced a preventive shutdown of some of its digital services.

The “Log4Shell” flaw

The “Log4Shell” flaw allows a hacker to execute code on an organization’s server and take control of its system. It affects a Java library from Apache that is widely used all over the world. In Quebec, the State Cyber Defense Center became aware of this vulnerability on December 10 and asked all computer security administrators to look for this flaw in Quebec systems.

“[Late in the day Saturday] we agreed that the threat of harm is greater than the harm caused by shutting down all government systems that can be accessed from the Internet,” explained Minister Delegate for Digital Transformation Éric Caire on Sunday during a press conference, accompanied by Chief Information Officer Pierre Rodrigue.



We were facing a threat with a critical level of 10 out of 10. A critical score of 10 automatically shuts down the target system.

Éric Caire, Minister Delegate for Digital Transformation

So an order was issued to preventively shut down 3,992 state websites and internet services, an exceptional decision unprecedented in the Quebec government.

Éric Caire insisted that “it is the whole general apparatus that the directive is targeting”. The order affects, among other things, government services provided to citizens on the Internet – such as those using CLICSÉQUR – and the websites of the education and health networks. The appointment system for the COVID-19 vaccine is “already debugged” and accessible, and the vaccination passport data is not affected by the risk, the minister explained.

Quebec says that no activity has been detected so far to indicate that a hacker has exploited this flaw. So, for example, there has been no leak of personal data or sensitive government information at this point.

“There may be people who have checked the systems. This leaves no trace and we don’t know. But there was no attempted break-in, so no one tried to use this breach to break into the server and cause damage. There is nothing as we speak,” Éric Caire said.

All ministries and public and semi-public bodies must check whether they use the Java library in question and thus whether their computer systems are at risk. “We’re looking for a needle in a haystack, I’m not hiding it from you!” the minister said.

“Sorry for the expression, but we have to check all our systems, because we don’t have stock. It’s like saying how many rooms in all government buildings in Quebec that use 60 watt light bulbs. I don’t know. So we go around the rooms and go around the bulbs to see if it’s 60 watts. It is the job of a monk.”

Internet sites and services will be quickly reopened if they are found to be unaffected by the security flaw. Others will need to install a patch and then verify whether the problem persists. “There’s a bunch of tests that need to be done,” Éric Caire said. Several days will be required to complete the process and restore all computer systems. For the minister, there is no question of “cutting corners”.

If some government websites are accessible now, it is either because they haven’t implemented the shutdown order yet – that would be a very small minority – or because it was quickly concluded that they are not affected by the flaw or that their systems have been patched – that is the case for sites in the health network. The Québec.ca platform, which uses the library in question, was shut down and was soon back online once the repairs were made.

“Critical sites, the most sensitive and used, will be prioritized to minimize impacts and ensure they are available as quickly as possible,” Minister Caire said. On Monday, the government is expected to publish a list of sites and services that have reopened and those that remain closed.

Citizens who need a service provided online and are faced with a closed site will have to “use another route,” and “civil servants can meet the needs of citizens,” was all Éric Caire would say.

In Ottawa, Defence Minister Anita Anand said everything is being done to protect the integrity of federal government websites and the confidential data they contain.

“The Canadian government is aware of a vulnerability reported by Apache. This vulnerability could allow attackers to launch limited and limited range attacks. […] The Canadian government has systems and tools in place to monitor, detect and analyze potential threats and take action when necessary. Out of extreme caution, some departments have suspended their online services to assess and mitigate potential vulnerabilities. At this point, there is no evidence that these vulnerabilities have been exploited on government servers,” she said in a statement.

The Canadian Centre for Cyber Security has issued an alert to all federal departments and agencies, asking them to make updates to ensure the security of their sites.


Professional advice

Did the government make the right decision?

According to Marc-Etienne Léveillé, a senior malware researcher at computer security firm ESET, governments made the right decision by temporarily shutting down their sites and services. The researcher estimates that “the effect of shutting down the site for a few hours, for a few days in some cases, is very small compared to the risks to one of these systems.”

Jean-Philippe Décarie-Mathieu, head of cybersecurity at the Commissionnaires du Québec, explains that the flaw makes the program vulnerable to remote code execution. “It is the worst weakness that can exist.”

When was the flaw detected?

Specialized sites reported that the flaw was known to Apache as early as November 24, after it was exposed by an expert from the Chinese company Alibaba, and the patch was released on December 6. The experts interviewed by Journalism, for their part, said they learned of the “Log4Shell” flaw on Thursday, December 9.

“What should happen is that it was not announced on November 24, but the researcher should have warned Apache,” says Sébastien Gambs, a professor in the Department of Computer Science at the Université du Québec à Montréal (UQAM). According to him, Apache would have preferred to wait for the patch to be published before revealing the bug to the general public, because there was nothing they could do to fix it.

Did governments respond too late?

Not according to Mr. Gambs. “Updates often take a few days or weeks to complete,” he explains, adding that updates are really rare on the first day of a patch release. “Publicly exposing a bug is just a way to tell people: This is a very serious issue, please update.”

Who can exploit the flaw?

Marc-Etienne Léveillé says the flaw is “relatively easy” to exploit for those with programming knowledge. Malicious actors can, in particular, install malware on a targeted website. Hackers exploiting the “Log4Shell” vulnerability could also gain access to all the information on a website, including, in the case of government websites, the personal data it holds.

Is the flaw the work of a hacker?

No, says Marc-Etienne Léveillé. The researcher believes “it is the fault of the software developers”.

With Coralie Laplante, Journalism
