Heartbleed sees first arrest in wake of Canada Revenue Agency breach

Filed Under: Data loss, Featured, Law & order

canada-heartbleed-SS_9368002-170Canadian police have arrested and charged a 19-year-old man who allegedly exploited the Heartbleed bug to steal personal data from the Canadian Revenue Agency's website.

The arrest of Stephen Arthuro Solis-Reyes, who allegedly grabbed 900 social insurance numbers (SINs) over a period of six hours, marks the first time that authorities have apprehended someone in relation to the bug in OpenSSL.

Solis-Reyes of London, Ontario, a student at Western University, was detained by the London Police Service and the Royal Canadian Mounted Police (RCMP) National Division Integrated Technological Crime Unit.

In a statement, Assistant Commissioner Gilles Michaud of the RCMP, said:

The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in "O" Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.

Following a search at his residence, and the seizure of his computer equipment, Solis-Reyes now faces one charge of Unauthorized Use of a Computer and one count of Mischief in Relation to Data contrary to Sections 342.1(1)(a) and 430(1.1) of the Criminal Code.

He is scheduled to appear in court in Ottawa on 17 July 2014.

Canada's tax agency was one of the first major organisations to be impacted by the Heartbleed flaw and subsequently had to remove public access to its online services for four days in order to protect taxpayer information.

It's unclear what Solis-Reyes's motivations were. But it's important to remember that while security researchers and other interested parties may like to think that testing for Heartbleed or other vulnerabilities may be ethical and useful in purpose, the law may not agree.

Such activity may not be regulated in every nation, but some countries certainly do prohibit the testing of security on third-party websites without permission.

Besides Canada, the US has the Computer Fraud and Abuse Act and the UK employs the Computer Misuse Act to outlaw such behaviour, regardless of intent.

While simply scanning a site to check for vulnerabilities is a violation that may not be enforced, it would still pay to think before doing so – what would happen if, for instance, your request returns more data than you expected, and some of that data contains personal information you ought not to have?

Furthermore, it should be obvious that actually exploiting any discovered vulnerabilities in order to gain unauthorised access to networks and data is a bad idea at all times. More so if the organisation in question is your national tax office.

If you do have legitimate concerns about a website's security, the correct course of action would be to notify the owners and engage in responsible disclosure in a manner that doesn't place other people's data at jeopardy.

Image of Canadian heart courtesy of Shutterstock.

, , , ,

You might like

11 Responses to Heartbleed sees first arrest in wake of Canada Revenue Agency breach

  1. Hugh Dixon · 537 days ago

    how exactly did he do this? this sounds like the canadian government just making up an excuse when they discovered someone hacking their systems-- heartbleed just doesn't let people steal SINs from a MITM attack Was he hijacking sessions?

    Sounds like the canadian government is makings things up.

    • Paul Ducklin · 537 days ago

      Heartbleed lets you keep sucking quasi-random 64KB RAM snapshots out of a vulnerable server. So whatever is lying around from recent traffic - including other people's data - may be revealed to you.

      It's like dumpster diving in which:

      1. Everything in the dumpster is important enough that it's supposed to be encrypted and private.

      2. The dumpster is huge and continually refreshed.

      3. You can automatically make a copy of a random selection of what's in the dumpster without any physical effort (and no getting covered in rotten fruit, used engine oil or emptied-out coffee machines).

      4. You can use your computer to search through the leaked data later, looking for items of interest. Like SINs.

      So you aren't reading all of someone's traffic, like you would in a MitM attack. You're reading snippets of everyone's traffic.

      If you don't care much about context, you'll find *something* sooner or later.

      Cloudflare ran an experiment, setting up a test server and inviting people to try to recover encryption keys from it. One chap managed to do so (legally, in this case) using 2,500,000 heartbleed requests overnight, giving him 160GB of unstructured, *mostly* useless, data to work with. But only *mostly*, not *totally*, useless.

      He had a small needle in a big haystack...but computers are really good at finding needles in haystacks.

      • VL-S · 536 days ago

        It leaves one to question the level of security at the CRA when the hack was able to go on for six hours. The time line is important particularly from when the CRA learned of heartbleed to when it "closed its doors". Are they six hours behind the general public in terms of their network security? Or is it that the CRA and the RCMP allowed the hack to go on so they could build a case rather than protect the data?

  2. Gil · 537 days ago


    I think you meant Ottawa in the article. :)

  3. Anonymous · 537 days ago

    And 'Western University' is actually the 'University of Western Ontario'.

    Just an FYI from someone who lives near there. :)

    • Paul Ducklin · 537 days ago

      Well...the University uses the domain name "uwo.ca," but if you visit the UWO website, you'll see:

      © 1878 - 2014 Western University
      Western University
      1151 Richmond Street
      London, Ontario, Canada, N6A 3K7

      (The website uses the name "Western" or "Western University" everywhere, including in its logo. It even links in many places to "westernu.ca" :-)

      And if Wikipedia is to be believed, it was founded in the abovementioned year of 1878 with the name "The Western University of London, Ontario."

      • Branwen · 536 days ago

        It's the University of Western Ontario, hence UWO. That's how anyone who attended or attends that university refers to it. When I applied there I applied to UWO, not Western University. A domain name doesn't necessarily reflect the name of the institution exactly. It's no different than the MTO in Ontario which is really the Ministry of Transportation. And in the end, this conversation digresses from the article.

        I hope Mr. Solis-Reyes enjoys his stay at the Kingston Penitentiary.

        • Paul Ducklin · 536 days ago

          Well, things must have changed, because the UWO admissions page on http://welcome.uwo.ca/admissions/ gives you the following address for University admissions:

          Undergraduate Recruitment and Admissions
          Western Student Services Building
          Western University
          London, Ontario, Canada, N6A 3K7
          Tel: 519-661-2100

          In fact, the University refers to itself frequently, but only ever as "Western" or as "Western University." It seems to have given up on "University of Western Ontario" altogether.

  4. Mac · 536 days ago

    When was this done?? Article leaves a bit to be desired.

    Was this post-publicity or pre? I was under the impression that exploiting heartbleed left no detectable traces of abuse. Or was that only pre-fix / pre-publicity? Are there now methods of detecting malicious attempts? If there are now detection methods those methods could, logically, only be used on a server which still contains the vulnerability otherwise the attempts to exploit said vulnerability would fall on deaf server-ears, yes?

    If it were still vulnerable post hypothetical-detection-methods, why hadn't it just been patched? If it were patched (apparently not the case, as he allegedly siphoned these SINs [cleverly fitting acronym]), ipso facto making it non-vulnerable, how was it detected?

    Is there some release of OpenSSL that contains heartbleed but incorporates some type of detection so that concerned admins can continue to run the 'vulnerability' but log malicious activity while somehow properly protecting data? Should this guy hire me as his attorney? Questions...

    • Paul Ducklin · 536 days ago

      I think most of the information you need is in the article and earlier ones that we published.

      How did they they notice that the data had been slurped? Perhaps they turned on some heavy levels of logging once news of the vulnerability broke, and then after patching it (apparenly six hours later - not a bad result for a taxation office sized web service) went and anaylsed the logs?

      Perhaps the accused decided to prove that he had the data by sending them memory dumps that were commensurate with a heartbleed attack?

      The patched OpenSSL code simply discards malformed heartbeat packets, as required by the relevant RFC standard, but you could add in a logging line at that point if you wanted to say "huge heartbleed reply requested" or "malformed input found."

      Check out CloudFlare's blog for what you can learn about heartbleed with some customised logging.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.