MONTREAL — Almost 4,000 Quebec government websites were shut down over the weekend as a preventative measure following threats of a cyberattack, the province's minister of digital transformation said Sunday.
Provided by The Canadian Press
Éric Caire made the announcement at an afternoon press conference in Quebec City, during which he said all official government websites would be taken offline until further notice.
"We're kind of looking for a needle in a haystack," Caire said. "Not knowing which websites use the software, we decided to shut them all."
The closure comes on the heels of a recently discovered software vulnerability in a Java-based library of an Apache product — known as Log4j — which the Department of National Defence said could affect thousands of organizations worldwide.
The Common Vulnerability Scoring System, also used widely around the world, has assessed the current threat at a 10 out of 10.
Caire said Quebec learned of the issue on Friday and has been working to identify which websites are at risk, one by one, before putting them back online.
"Once a system has been analyzed, if it turns out that it's not using the problematic library, the system is automatically back online," Caire said. "If it uses it, a fix is made. Once we make sure the system is operational, it gets back online.”
Caire said the government doesn't keep an inventory of which websites use the Apache software.
"It's like saying how many government offices use 60-watt bulbs, we have to go around and look at each one of them," Caire said, without specifying how long the verification process will take.
The province's Clic Santé portal used for booking COVID-19 vaccine appointments across Quebec was already back online as of Sunday afternoon, while the site for Revenue Québec among others was still down.
Caire said the provincial vaccine passport system was never at risk, saying it doesn't require the Apache software.
Marc-Etienne Léveillé, a cybersecurity expert for the international internet security company ESET, said global internet traffic has spiked significantly since Friday, adding he's noticed many users trying to find vulnerable services to hack.
He said while the software's vulnerability should not impact the general public, websites storing personal data — such as the Canada Revenue Agency —are more at risk of being compromised.
The vulnerability allows code to be executed over the internet, Léveillé said.
"The flaw allows it to bypass security, in other words," he said.
The province, however, has no current indication that systems have been compromised or personal data was accessed, Caire said at the news conference.
The Canada Revenue Agency, which took similar precautions by taking its web-based services offline after learning of the potential vulnerability on Friday, issued a statement saying nothing so far suggests its systems have been compromised.
Léveillé welcomed the government's precautionary measures, saying it might have prevented major data breaches.
"One of the big problems was that everyone was made aware of the flaw at the same time, Léveillé said. "The developers and its users didn't have time to correct the issue before people started to jump on the vulnerability. And since there are a lot of systems that use the software across the world, it will take many months to find which ones are vulnerable to that flaw."
Federal Defence Minister Anita Anand issued a statement Sunday saying the government is aware of the security risk and calling on Canadian organizations to "pay attention to this critical internet vulnerability."
"Out of an abundance of caution, some departments have taken their services off-line while any potential vulnerabilities are assessed and mitigated," Anand said. "At this point, we have no indication these vulnerabilities have been exploited on government servers."
This report by The Canadian Press was first published Dec. 12, 2021.
Virginie Ann, The Canadian Press
Éric Caire made the announcement at an afternoon press conference in Quebec City, during which he said all official government websites would be taken offline until further notice.
"We're kind of looking for a needle in a haystack," Caire said. "Not knowing which websites use the software, we decided to shut them all."
The closure comes on the heels of a recently discovered software vulnerability in a Java-based library of an Apache product — known as Log4j — which the Department of National Defence said could affect thousands of organizations worldwide.
The Common Vulnerability Scoring System, also used widely around the world, has assessed the current threat at a 10 out of 10.
Caire said Quebec learned of the issue on Friday and has been working to identify which websites are at risk, one by one, before putting them back online.
"Once a system has been analyzed, if it turns out that it's not using the problematic library, the system is automatically back online," Caire said. "If it uses it, a fix is made. Once we make sure the system is operational, it gets back online.”
Caire said the government doesn't keep an inventory of which websites use the Apache software.
"It's like saying how many government offices use 60-watt bulbs, we have to go around and look at each one of them," Caire said, without specifying how long the verification process will take.
The province's Clic Santé portal used for booking COVID-19 vaccine appointments across Quebec was already back online as of Sunday afternoon, while the site for Revenue Québec among others was still down.
Caire said the provincial vaccine passport system was never at risk, saying it doesn't require the Apache software.
Marc-Etienne Léveillé, a cybersecurity expert for the international internet security company ESET, said global internet traffic has spiked significantly since Friday, adding he's noticed many users trying to find vulnerable services to hack.
He said while the software's vulnerability should not impact the general public, websites storing personal data — such as the Canada Revenue Agency —are more at risk of being compromised.
The vulnerability allows code to be executed over the internet, Léveillé said.
"The flaw allows it to bypass security, in other words," he said.
The province, however, has no current indication that systems have been compromised or personal data was accessed, Caire said at the news conference.
The Canada Revenue Agency, which took similar precautions by taking its web-based services offline after learning of the potential vulnerability on Friday, issued a statement saying nothing so far suggests its systems have been compromised.
Léveillé welcomed the government's precautionary measures, saying it might have prevented major data breaches.
"One of the big problems was that everyone was made aware of the flaw at the same time, Léveillé said. "The developers and its users didn't have time to correct the issue before people started to jump on the vulnerability. And since there are a lot of systems that use the software across the world, it will take many months to find which ones are vulnerable to that flaw."
Federal Defence Minister Anita Anand issued a statement Sunday saying the government is aware of the security risk and calling on Canadian organizations to "pay attention to this critical internet vulnerability."
"Out of an abundance of caution, some departments have taken their services off-line while any potential vulnerabilities are assessed and mitigated," Anand said. "At this point, we have no indication these vulnerabilities have been exploited on government servers."
This report by The Canadian Press was first published Dec. 12, 2021.
Virginie Ann, The Canadian Press
Germany: 'Critical' cybersecurity flaw already exploited
BERLIN (AP) — Germany has activated its national IT crisis center in response to an “extremely critical” flaw in a widely used software tool that the government says has already been exploited internationally.
A spokesman for Germany’s Interior Ministry said the country's federal IT safety agency is urging users to patch their systems as quickly as possible to fend off possible attacks using a bug in the Log4J tool.
“The threat situation is extremely critical," the spokesman, Steve Alter, told reporters in Berlin. "Immediate protective measures are required.”
German authorities have recorded efforts to exploit the bug around the world, including successful attempts, he said, without elaborating. So far no successful attacks against German government entities or networks have been confirmed, though a number have been deemed vulnerable, said Alter.
Germany is in contact with “numerous national and international partners” on the matter, he said.
The flaw is considered so serious because the affected software is used in a wide range of devices that use Java software.
“A successful exploit of this weakness would mean that someone could take complete control of the affected system,” said Alter.
The Associated Press
No comments:
Post a Comment