Mounties always get their man: Heartbleed 'hacker', 19, CUFFED

A teen suspected of exploiting the Heartbleed bug to rifle through Canada's tax computer systems has been arrested. The Royal Canadian Mounted Police (RCMP) said 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario, was cuffed at his home, and charged with the unauthorized use of a computer and criminal mischief in …

COMMENTS

This topic is closed for new posts.

Can't wait

To hear what that guy actually did.

Lifting 900 social security numbers over a 6 hour window through an untraceable bug and being found out shortly after through "leads" and "interviews" does not compute at all.

9
3

Re: Can't wait

The only thing that doesn't compute is this word "untraceable". It's only untraceable if you weren't logging your traffic - and why is it unthinkable that an Internet-facing tax agency's server would be logging its traffic?

I don't know who first used the word "untraceable" in conjunction with Heartbleed, but s/he needs a good kicking. On the bright side, it seems to have fooled both the public AND the script kiddie community; this individual may be neither the biggest fish in the pond nor the sharpest tool in the shed, but the world will not suffer because he's out of circulation for a while. Good riddance, sez I.

13
1
Big Brother

Re: Can't wait

Nothing to sniff at?! ;)

1
0
Silver badge

Re: Can't wait

So how would you trace it?

You would need to be storing all your ingress traffic to the SSL site in order to determine, for certain, that this particular request was trying to exploit heartbleed. Not summaries of the traffic or request logs, but every single byte.

What they CAN do however is look and see for suspicious requests in the period immediately after the bug was announced. Oh look, this IP address hit the same page 52,000 times in 6 hours, gee, I wonder what they were doing.

9
3
Bronze badge

Re: Can't wait

Theoretically, this can be done, IF perfect forward secrecy was not enabled.

I can imagine a scenario in which, upon learning of the bug, the first thing the admins did was to set up full packet logging on the IDS (with a big storage array attached) and make sure PFS was disabled. Next thing you "just" need the private server key to decrypt the traffic and get into individual requests, but this does not need to be done in real time - unless you want to drop data unrelated to the potential attack (saving disk space). A tax website surely has respectable traffic, but nothing comparable to gmail.com or other popular global services, so it might still be in the domain of "doable".

Very tricky and if this is indeed roughly what they have done, they deserve some respect. I guess we will learn when it comes to presenting evidence in court.

1
0
Anonymous Coward

Re: Can't wait

Agreed. He'd have had to have instigated something on the order of 2,000,000,000 to 3,000,000,000 Heartbleed attacks, unnoticed, in that 6 hour window.

1
2

Re: "untraceable"

In reality I have no idea whether or not he did it, but how hard would it be for some anonymous hacker to drive around until they find an access-point they can crack in 5 minutes (WPS exploit), crack it, execute the heartbleed exploit, and because the hacker also now has access to the unsuspecting person's local NAT, just put some "evidence" in a shared folder somewhere. The real perpetrator would get away scot-free, and the police would just stop looking.

3
2

Re: "untraceable"

@MacGyver:

Because then they would have traced the hacker. They know what packets went from that location to where. Likely there is much more than they are letting on. Remember that this is the collection agency for the government tax monies, it is the biggest cash/personal info flow in the country. Electronic intelligence likely came from the very top.

@Tom 38:

I'd take that bet that they log every byte.

@taxman:

I think you should get +10 for the wry comment, and an extra 100 oolor points for the accidentally subject-matter appropriate handle.

1
0
Anonymous Coward

Re: Can't wait

which may mean that Heartbleed is a 2-phase (or even more) exploit exploited by three-letter agencies:

Phase 1: exploit the bug and get data for 2 years.

Phase 2: announce the bug and monitor who attempts to exploit it (netting at least one Canadian teen).

Phase 3: watch and wait while the world patches and sleeps soundly again and continue via another exploit. Go back to phase 1.

0
1
Anonymous Coward

Re: Can't wait

But you can store every single bit; there are products that do this. In a DC network I manage, I have two of them running. They can write over 20Gbps each and have multiple 10Gbps links on each one. Total storage on each: 5PB. With a single 10Gbps link at 100%, I can store 48 hours of traffic coming in the front door. So, 6 hours is NOTHING.

1
0
Anonymous Coward

Re: Can't wait

Not every organisation has the resources to have Full Packet Capture in place, and given that there were no IDS signatures to detect this attack until a week ago, that's the only way they would have logs of this having happened. Other equivalent organisations in different countries I am aware of have security operations that are somewhat behind the times and would likely not have this capability currently installed. Don't be so quick to criticise the person making the statement which could very well be perfectly accurate.

0
1
Anonymous Coward

Re: Can't wait

Well, who needs the signature to detect it from the start. I can take the captured data from the start of when the exploit was announced and export it out for later review, like when there is a way to detect it.

We are talking about the government, they always have money. If they need more, they just do one of the following:

1) Raise taxes

2) Print more

3) All of the above

We are talking about Canada, not some third-world country.

0
0
Silver badge

Re: Can't wait

"We are talking about Canada, not some third-world country."

There's two?

0
0
Bronze badge

Was it in doubt?

I can remember always *knowing* that "the mounties always get their man" - and I've never even been to Canada.

Cheers

Jon

PS I have actually been to Canada - as a foetus, but that was some time ago. I'm 43 now! Mum said it (Canada) was lovely.

3
1
Silver badge
Devil

Re: Was it in doubt?

"Mounties Getting Their Man" is more myth than fact as many of their failed investigations prove.

What they DO have is large budgets - by local police standards - and the fact that provincial boundaries don't limit their activities as they do local, city or provincial, cops.

They love having cars without antennae - these cars have a dual cavity antenna mounted under the rear window parcel shelf and in the trunk (aka 'boot'). After a few months on the road the outline of the antennae can be seen as the road dust becomes ingrained in the cloth material covering the shelf!

And they are big in red uniforms, riding horses, at community fairs and exhibitions.

0
0
Anonymous Coward

Re: Was it in doubt?

Also, the Mounties are so vicious, corrupt and inept they make the Met and LAPD look like schoolchildren. Wouldn't surprise me if this schmuck had nothing to do with it.

1
7
Silver badge
Thumb Down

Re: Wouldn't surprise me if this schmuck had nothing to do with it.

Aaaaaaaaaand the first "Reiser is innocent" troll is posted.

6
0

Only 6 hours

This is the 3rd time I've seen the "Remarkably, in the minuscule 6 hour window!!!" defense mentioned for the Canada Revenue Agency.

But the social security number snaffle happened on Wednesday, while Heartbleed was announced to the world April 7 at 1:27 p.m. New York time.

What am I missing? Or do they really mean "But it was only 6 hours from when we realized the bug affected us until we took the site down!!!" ?

3
0
Silver badge

Re: Only 6 hours

1:27: Bug announced

6 hours later: Patched software rolled out by CRA

1 day later: Logs analyzed, potential disclosure detected, RCMP called in.

0
0

Re: Only 6 hours

Slight correction:

6 hours later: took public facing websites off-line.

Not sure if they have got it patched and back up again, but pulling your tax-filing website off-line just a couple of weeks before the filing deadline was a very public move and how everyone in Canada learned about the bug.

I made a comment earlier that it probably took 6 hours to get permission to pull the sites off-line, but they may have set up a system to log all out-going data during this time so that they knew what had gone missing. There was discussion about this when they came out with the "900 SIN numbers hacked" story and people questioned how they knew. This doesn't clear up anything about possible data loss prior to the bug being announced however...

1
0

Re: Only 6 hours

Patched sites back on-line April 13 apparently.

Not sure if this is a fast or slow turnaround - anyone know how easy it is to apply the patches?

0
0

Re: Only 6 hours

The patch was easy and I had all my customer's stuff patched by the end of the first day they were down.

The problem for CRA though isn't the time to patch; it is the time to install the update on the test server, test the update, document the test, install the update on the live servers and then document the roll-out onto the live servers.

Internal procedures are fun

2
0
Anonymous Coward

"analyzing data, following leads, conducting interviews, obtaining legal authorizations..."

AKA: Routine Police work

AKA: Doing their job

Less spin please.

7
0

"Biting the hand that feeds" doesn't mean "turning into the Daily Mail"

So, I see El Reg has succumbed to the old "trial by press" bug. The one that sweeps the whole concept of "INNOCENT until proven guilty in a court of law" into the manure pile while slagging anyone the police care to arrest, making sure that even if they are subsequently found guilty their lives will be pretty much ruined. Not a shred of objective analysis, but instead just a rehashing of the same tired "rah rah rah go police rah rah" press release. Sickening, really.

3
8

This post has been deleted by its author

Canadian Mounted Police - Ahhhh Due South.

Used to love that show.

7
0
Silver badge
Thumb Up

Re: Canadian Mounted Police - Ahhhh Due South.

One of the all time greats.

Good, clean fun. Witty dialogue. Interesting and varied environments.

Excellent characters. A genuine heart of gold.

Love it.

3
0
Bronze badge

Re: Canadian Mounted Police - Ahhhh Due South.

"Surely that makes you the mount-er, not the mount-ee?"

1
0
Silver badge
Gimp

Re: Canadian Mounted Police - Ahhhh Due South.

"Surely that makes you the mount-er, not the mount-ee?"

...and so is my wife!

0
0

If there's one thing the Mounties should know, it's no use shutting the stable door after the horse has bolted.

2
0
Bronze badge
Go

That would've been way cool if...

...they had actually turned up on horse back to arrest the guy!

0
0
Silver badge

He should have used 7 proxies.

See Title.

8
0
Bronze badge
Pint

Acting in the public good?

Perhaps he should try the white hat defence?

I was sending a 64K heartbeat full of zeroes and only asking for 2 bytes back so I was minimising network traffic whilst sanitising your memory buffers for you.

What?

O.K. - oops - rookie coding error...

4
0
Bronze badge
Paris Hilton

is HeartBleed a HoneyPot?

0
1
Bronze badge

It will be hard to prove this one, because they need to prove he was doing this maliciously of his own choice. There are a number of defence options. He was doing it in a security testing capacity (not sure on Canadian law regarding this), he wasn't aware it was happening (his computer was acting as a bot), he was just making lots of requests and never captured any data returned, this never even happened (prove it did). They would have to be logging all of the incoming heartbeat requests and logging all of the outgoing heartbeat responses to be able to mount a serious prosecution that can prove this beyond reasonable doubt. That is a very large amount of data and would require custom logging to be set up as the programme in all likelihood will not have a log option to capture all of this. I think this one will fall by the wayside in the not too distant future, before ever reaching a court.

0
0
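Two posts above touch the same defender's question: the one noting that no IDS signatures existed for this attack at first, and the one arguing that a prosecution would need a log of every heartbeat request and response. What such a signature actually checks is small: a TLS heartbeat body is type (1 byte), payload_length (2 bytes), the payload, and at least 16 bytes of padding, and RFC 6520 requires payload_length + 3 + 16 to fit inside the record; OpenSSL skipped that bounds check. The inspector below is an added example written for this thread, not code from El Reg, the CRA or any commenter. It parses a byte stream of TLS records and flags any heartbeat whose declared length exceeds what the record can legitimately carry, which is exactly the evidence a full-packet-capture operator would search for after the fact. The sample stream, the record layout constants and the Finding type are all constructed here for the demonstration; real captures would first need TLS record reassembly from the TCP stream.

```python
"""Post-hoc Heartbleed detector over captured TLS records (RFC 6520 bounds check).

Added example: the byte stream, helper names and Finding type are constructed
for this demonstration and are not from any real capture or product.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

TLS_HEARTBEAT = 0x18                    # TLS record content type for heartbeat
TLS_HANDSHAKE = 0x16
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16                        # RFC 6520: at least 16 bytes of padding
RECORD_HEADER = struct.Struct("!BHH")   # content_type, version, record length


@dataclass
class Finding:
    record_index: int
    direction: str        # "request" or "response"
    declared_len: int     # payload_length field exactly as sent on the wire
    usable_len: int       # bytes the record can legitimately carry as payload
    verdict: str          # "ok" or "malformed"


def parse_records(stream: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (index, content_type, version, body) for each complete TLS record."""
    pos, index = 0, 0
    while pos + RECORD_HEADER.size <= len(stream):
        ctype, version, length = RECORD_HEADER.unpack_from(stream, pos)
        start = pos + RECORD_HEADER.size
        body = stream[start:start + length]
        if len(body) < length:          # truncated capture: stop, do not misparse
            break
        yield index, ctype, version, body
        pos = start + length
        index += 1


def inspect_heartbeats(stream: bytes) -> List[Finding]:
    """Apply the RFC 6520 length check to every heartbeat record in the stream.

    A record is well-formed only if payload_length + 3 + MIN_PADDING <= len(body).
    A larger payload_length asks the peer to echo memory it was never sent, so
    any such request (or an oversized response) is evidence worth preserving.
    """
    findings: List[Finding] = []
    for index, ctype, _version, body in parse_records(stream):
        if ctype != TLS_HEARTBEAT or len(body) < 3:
            continue
        hb_type = body[0]
        declared = struct.unpack("!H", body[1:3])[0]
        usable = max(0, len(body) - 3 - MIN_PADDING)
        direction = "request" if hb_type == HB_REQUEST else "response"
        verdict = "ok" if declared <= usable else "malformed"
        findings.append(Finding(index, direction, declared, usable, verdict))
    return findings


def _record(ctype: int, body: bytes) -> bytes:
    """Wrap a body in a TLS 1.1 record header (constructed test data only)."""
    return RECORD_HEADER.pack(ctype, 0x0302, len(body)) + body


# Constructed sample capture, not real traffic: a handshake fragment, a
# well-formed request echoing "hello", a request whose length field overstates
# a payload that is not actually present, and a well-formed response.
SAMPLE_STREAM = (
    _record(TLS_HANDSHAKE, b"\x01\x00\x00\x00")
    + _record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 5) + b"hello" + b"\x00" * MIN_PADDING)
    + _record(TLS_HEARTBEAT, b"\x01" + struct.pack("!H", 0x4000) + b"\x00" * MIN_PADDING)
    + _record(TLS_HEARTBEAT, b"\x02" + struct.pack("!H", 5) + b"hello" + b"\x00" * MIN_PADDING)
)


def malformed_count(stream: bytes) -> int:
    """Number of heartbeat records failing the bounds check; a SOC triage metric."""
    return sum(1 for f in inspect_heartbeats(stream) if f.verdict == "malformed")


if __name__ == "__main__":
    for f in inspect_heartbeats(SAMPLE_STREAM):
        print(f"record {f.record_index}: {f.direction} declared={f.declared_len} "
              f"usable={f.usable_len} -> {f.verdict}")
    print("malformed heartbeats:", malformed_count(SAMPLE_STREAM))
```

The check is deliberately the RFC's own rule rather than a fixed size threshold: a request that declares 40 bytes against a 20-byte record is just as malformed as one declaring 64K, and a length threshold alone would miss it. Because the decision is made on the record header and the first three body bytes, the same logic applies to a capture decrypted later with the server's private key, which is the scenario the earlier PFS discussion describes.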
Silver badge

Should read Mounties get their man without spying on the entire nation.

Just shows how modern police can do their jobs with old fashioned warrants naming an individual instead of the Star Chamber justice from south of the border.

2
0
EJ

Hacker? Or more likely...

Computer student who through curiosity tested and discovered the issue was real, then was naively excited by the possibility that his actions could somehow propel him to notoriety and fame in his field?

0
0
Silver badge
Thumb Down

Re: Hacker? Or more likely...

Meh. 19 years old. Many horror stories of what happens when you are caught breaking into other people's computers. Shoulda known better.

Unless ...

0
0
Bronze badge

It's in the name

Surely someone called Stephen Arthuro Solis-Reyes must be up to no good.

Dammit, much of his name sounds foreign!

Harrumph.

0
0
Silver badge
Trollface

Bah!

Let's start a pool on how long it will be from arrest to public announcement of Asperger's Defense.

I call two days.

1
1
Anonymous Coward

Re: Bah!

He should tell people he was looking for aliens.

I believe the bloke who hacked mumsnet was also conducting a search for intelligent signs of life.

1
0
Bronze badge

and when the NSA does it...

Will the Mounties get them?

2
0