Massive global software flaw forces Quebec to shut down government websites


MONTREAL – Nearly 4,000 Quebec government websites were shut down over the weekend as a preventive measure following cyberattack threats, the provincial minister of digital transformation said on Sunday.

MONTREAL – Nearly 4,000 Quebec government websites were shut down over the weekend as a preventive measure following cyberattack threats, the provincial minister of digital transformation said on Sunday.

Eric Cairo made the announcement during an afternoon press conference in Quebec City, in which he said all official government websites would be taken offline until further notice.

“We are sort of looking for a needle in a haystack,” Cairo said. “Not knowing which websites are using the software, we decided to shut them all down.”

The shutdown follows a recently discovered software vulnerability in a Java library of an Apache product – known as Log4j – which the Department of National Defense says could affect thousands of organizations around the world.

The Common Vulnerability Scoring System, also widely used around the world, rated the current threat as 10 out of 10.

Cairo said Quebec was made aware of the problem on Friday and made an effort to identify risky websites one by one before bringing them back online.

“Once a system has been scanned, if it is found not to be using the problematic library, the system is automatically brought back online,” Cairo said. “If he uses it, a fix is ​​made. Once we’ve made sure the system is up and running, it comes back online. “

Cairo said the government does not keep an inventory of websites using Apache software.

“It’s like saying how many government offices are using 60-watt light bulbs, we have to go around and look at each one,” Cairo said, without specifying how long the verification process will take.

The provincial Clic Santé portal used to make an appointment for the COVID-19 vaccine across Quebec was already back online Sunday afternoon, while the Revenu Quebec site among others was still down.

Cairo said the provincial vaccine passport system has never been threatened, saying it does not require Apache software.

Marc-Etienne Léveillé, cybersecurity expert for international internet security company ESET, said global internet traffic had increased dramatically since Friday, adding that he had noticed that many users were trying to find vulnerable services to hack.

He said that while the software’s vulnerability is not expected to impact the general public, websites storing personal data – such as the Canada Revenue Agency – are at greater risk of being compromised.

The vulnerability allows code to be executed over the Internet, Léveillé said.

“The loophole allows him to bypass security, in other words,” he said.

The province, however, has no current indication that the systems have been compromised or that personal data has been accessed, Cairo said at the press conference.

The Canada Revenue Agency, which has taken similar precautions by taking its web services offline after learning of the potential vulnerability on Friday, issued a statement saying there is nothing to suggest its systems have been compromised yet.

Léveillé praised the government’s precautionary measures, saying they could have prevented major data breaches.

“One of the big issues was that everyone was informed about the flaw at the same time,” said Léveillé. “The developers and its users didn’t have time to fix the problem before people started to jump in. on vulnerability. And since there are many systems that use the software around the world, it will take several months to find which ones are vulnerable to this vulnerability. “

Federal Defense Minister Anita Anand released a statement on Sunday saying the government is aware of the security risk and calling on Canadian organizations to “pay attention to this critical Internet vulnerability.”

“As a precaution, some departments have taken their services offline while all potential vulnerabilities are assessed and mitigated,” Anand said. “At this point, we have no indication that these vulnerabilities have been exploited on government servers. ”

This report by The Canadian Press was first published on December 12, 2021.

Virginie Ann, The Canadian Press


About Author

Comments are closed.