Can't wait
To hear what that guy actually did.
Lifting 900 social security numbers over a 6 hour window through an untraceable bug and being found out shortly after through "leads" and "interviews" does not compute at all.
A teen suspected of exploiting the Heartbleed bug to rifle through Canada's tax computer systems has been arrested. The Royal Canadian Mounted Police (RCMP) said 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario, was cuffed at his home, and charged with the unauthorized use of a computer and criminal mischief in …
The only thing that doesn't compute is this word "untraceable". It's only untraceable if you weren't logging your traffic - and why is it unthinkable that an Internet-facing tax agency's server would be logging its traffic?
I don't know who first used the word "untraceable" in conjunction with Heartbleed, but s/he needs a good kicking. On the bright side, it seems to have fooled both the public AND the script kiddie community; this individual may be neither the biggest fish in the pond nor the sharpest tool in the shed, but the world will not suffer because he's out of circulation for a while. Good riddance, sez I.
So how would you trace it?
You would need to be storing all your ingress traffic to the SSL site in order to determine, for certain, that this particular request was trying to exploit heartbleed. Not summaries of the traffic or request logs, but every single byte.
What they CAN do however is look for suspicious requests in the period immediately after the bug was announced. Oh look, this IP address hit the same page 52,000 times in 6 hours, gee, I wonder what they were doing.
Theoretically, this can be done, IF perfect forward secrecy was not enabled.
I can imagine a scenario where, upon learning of the bug, the first thing the admins did was to set up full packet logging on an IDS (with a big storage array attached) and make sure PFS was disabled. Next you "just" need the server's private key to decrypt the traffic and get at individual requests, but this does not need to be done in real time - unless you want to drop data unrelated to a potential attack (saving disk space). A tax website surely has respectable traffic, but nothing comparable to gmail.com or other popular global services, so it might still be in the domain of "doable".
Very tricky and if this is indeed roughly what they have done, they deserve some respect. I guess we will learn when it comes to presenting evidence in court.
But you can store every single bit; there are products that do this. In a DC network I manage, I have two of them running. They can write over 20Gbps each and have multiple 10Gbps links on each one. Total storage on each 5PB. With a single 10Gbps link at 100%, I can store 48-hours of traffic coming in the front door. So, 6 hours is NOTHING.
In reality I have no idea whether or not he did it, but how hard would it be for some anonymous hacker to drive around until they find an access-point they can crack in 5 minutes (WPS exploit), crack it, execute the heartbleed exploit, and because the hacker also now has access to the unsuspecting person's local NAT, just put some "evidence" in a shared folder somewhere. The real perpetrator would get away scot-free, and the police would just stop looking.
@MacGyver:
Because then they would have traced the hacker. They know what packets went from that location to where. Likely there is much more than they are letting on. Remember that this is the collection agency for the government tax monies, it is the biggest cash/personal info flow in the country. Electronic intelligence likely came from the very top.
@Tom 38:
I'd take that bet that they log every byte.
@taxman:
I think you should get +10 for the wry comment, and an extra 100 oolor points for the accidentally subject-matter appropriate handle.
Not every organisation has the resources to have Full Packet Capture in place, and given that there were no IDS signatures to detect this attack until a week ago, that's the only way they would have logs of this having happened. Other equivalent organisations in different countries I am aware of have security operations that are somewhat behind the times and would likely not have this capability currently installed. Don't be so quick to criticise the person making the statement which could very well be perfectly accurate.
Well, who needs the signature to detect it from the start. I can take the captured data from the start of when the exploit was announced and export it out for later review, like when there is a way to detect it.
We are talking about the government, they always have money. If they need more, they just do one of the following:
1) Raise taxes
2) Print more
3) All of the above
We are talking about Canada, not some third-world country.
Which may mean that Heartbleed is a 2-phased (or even more) exploit exploited by 3-lettered agencies:
Phase 1: exploit the bug and get data for 2 years.
Phase 2: announce the bug and monitor who attempts to exploit it (netting at least one canadian teen).
Phase 3: watch and wait while the world patches and sleeps soundly again and continue via another exploit. Go back to phase 1.
"Mounties Getting Their Man" is more myth than fact as many of their failed investigations prove.
What they DO have is large budgets - by local police standards - and the fact that provincial boundaries don't limit their activities as they do local, city or provincial, cops.
They love having cars without antennae - these cars have a dual cavity antenna mounted under the rear window parcel shelf and in the trunk (aka 'boot'). After a few months on the road the outline of the antennae can be seen as the road dust becomes ingrained in the cloth material covering the shelf!
And they are big in red uniforms, riding horses, at community fairs and exhibitions.
This is the 3rd time I've seen the "Remarkably, in the miniscule 6 hour window!!!" defense mentioned for the Canada Revenue Agency.
But the social security number snaffle happened on Wednesday, while Heartbleed was announced to the world April 7 at 1:27 p.m. New York time.
What am I missing? Or do they really mean "But it was only 6 hours from when we realized the bug affected us until we took the site down!!!" ?
Slight correction:
6 hours later: took public facing websites off-line.
Not sure if they have got it patched and back up again, but pulling your tax-filing website off-line just a couple of weeks before the filing deadline was a very public move and how everyone in Canada learned about the bug.
I made a comment earlier that it probably took 6 hours to get permission to pull the sites off-line, but they may have set up a system to log all out-going data during this time so that they knew what had gone missing. There was discussion about this when they came out with the "900 SIN numbers hacked" story and people questioned how they knew. This doesn't clear up anything about possible data loss prior to the bug being announced however.....
The patch was easy and I had all my customers' stuff patched by the end of the first day they were down.
The problem for CRA though isn't the time to patch, it is the time to install the update on the test server, test the update, document the test, install the update on the live servers and then document the roll-out onto the live servers.
Internal procedures are fun
So, I see El Reg has succumbed to the old "trial by press" bug. The one that sweeps the whole concept of "INNOCENT until proven guilty in a court of law" into the manure pile while slagging anyone the police care to arrest, making sure that even if they are subsequently found guilty their lives will be pretty much ruined. Not a shred of objective analysis, but instead just a rehashing of the same tired "rah rah rah go police rah rah" press release. Sickening, really.
It will be hard to prove this one, because they need to prove he was doing this maliciously of his own choice. There are a number of defence options. He was doing it in a security testing capacity (not sure on Canadian law regarding this), he wasn't aware it was happening (his computer was acting as a bot), he was just making lots of requests and never captured any data returned, this never even happened (prove it did). They would have to be logging all of the incoming heartbeat requests and logging all of the outgoing heartbeat responses to be able to mount a serious prosecution that can prove this beyond reasonable doubt. That is a very large amount of data and would require custom logging to be setup as the programme in all likelihood will not have a log option to capture all of this. I think this one will fall by the wayside in the not too distant future, before ever reaching a court.
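The comment above asks what logging all inbound heartbeat requests would actually involve, and an earlier comment imagines spotting one IP hitting the same page tens of thousands of times. Two points a practitioner would add: a heartbeat is a TLS record-layer message, so it never produces an HTTP access-log entry at all (only a full packet capture of the TLS stream shows it), and the length fields that distinguish a probe from a keepalive are only readable in cleartext when the heartbeat is sent before ChangeCipherSpec, as the widely circulated probes did; after that point you need the decryption route the PFS comment describes. The following is an added example written for this thread, not code from CRA, the RCMP or any commenter. It walks TLS records out of captured client-to-server segments, applies the same check the OpenSSL fix applies (declared payload_length plus 16 bytes of padding must fit in the record, per RFC 6520), and tallies results per source IP. All IP addresses, timestamps and capture bytes are constructed for the demonstration; the 8-byte probe it replays is the well-known `18 03 02 00 03 01 40 00`.

```python
"""Added example: Heartbleed detection over full-packet-capture records.

Illustrative code for this thread, not anything CRA, the RCMP or a
commenter published.  Record layout per RFC 5246 / RFC 6520; the capture
at the bottom is constructed.
"""
import struct
from collections import defaultdict

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520: padding_length >= 16


def parse_tls_record(data):
    """Split one TLS record off the front of `data`.
    Returns (content_type, version, body, rest); ValueError if truncated."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated TLS record body")
    return ctype, version, body, data[5 + length:]


def classify_heartbeat(body):
    """Classify the HeartbeatMessage in a heartbeat record body.
    Layout: type(1) | payload_length(2) | payload | padding(>=16).
    Mirrors the OpenSSL fix: 1 + 2 + payload_length + 16 must not exceed
    the record length.  Returns ("benign", 0), ("malformed", 0) or
    ("heartbleed", n) with n approximating the heap bytes an unpatched
    server would echo (declared length minus payload really present,
    assuming the minimum 16-byte padding)."""
    if len(body) < 3:
        return "malformed", 0
    hb_type, payload_length = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed", 0
    present = len(body) - 3 - MIN_PADDING   # payload bytes actually on the wire
    if payload_length > present:
        return "heartbleed", payload_length - max(present, 0)
    return "benign", 0


def review_capture(records):
    """Tally heartbeat activity per source IP.
    `records`: iterable of (epoch_seconds, src_ip, raw_bytes), raw_bytes being
    a captured client-to-server TLS stream segment.  Non-heartbeat records are
    skipped; a truncated tail ends parsing of that segment."""
    summary = defaultdict(lambda: {"heartbeats": 0, "heartbleed": 0,
                                   "heap_bytes": 0, "first": None, "last": None})
    for ts, ip, data in records:
        while data:
            try:
                ctype, _version, body, data = parse_tls_record(data)
            except ValueError:
                break                       # segment cut off mid-record
            if ctype != TLS_HEARTBEAT:
                continue
            verdict, leaked = classify_heartbeat(body)
            s = summary[ip]
            s["heartbeats"] += 1
            s["first"] = ts if s["first"] is None else min(s["first"], ts)
            s["last"] = ts if s["last"] is None else max(s["last"], ts)
            if verdict == "heartbleed":
                s["heartbleed"] += 1
                s["heap_bytes"] += leaked
    return dict(summary)


def suspects(summary, min_probes=1):
    """Source IPs that sent at least `min_probes` over-long heartbeats."""
    return sorted(ip for ip, s in summary.items() if s["heartbleed"] >= min_probes)


def build_heartbeat(payload, declared_length=None, padding=b"\x00" * MIN_PADDING,
                    hb_type=HB_REQUEST, version=0x0302):
    """Build one TLS heartbeat record; `declared_length` lets a test lie about
    the payload size exactly as the public Heartbleed probes did."""
    if declared_length is None:
        declared_length = len(payload)
    msg = struct.pack("!BH", hb_type, declared_length) + payload + padding
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(msg)) + msg


# Constructed capture (not real traffic): 198.51.100.7 replays the 8-byte probe
# 18 03 02 00 03 01 40 00, a 3-byte heartbeat claiming 16 KiB of payload.
PROBE = build_heartbeat(b"", declared_length=0x4000, padding=b"")
CAPTURE = [
    (1397000000, "203.0.113.10", build_heartbeat(b"ping")),           # keepalive
    (1397000001, "198.51.100.7", PROBE),
    (1397000002, "198.51.100.7", PROBE + PROBE),                      # two in one segment
    (1397000004, "203.0.113.10",
     struct.pack("!BHH", 0x17, 0x0302, 5) + b"hello"),                # app data, skipped
    (1397000005, "198.51.100.7", PROBE[:6]),                           # cut off mid-record
]

if __name__ == "__main__":
    result = review_capture(CAPTURE)
    for ip in suspects(result):
        s = result[ip]
        print(f"{ip}: {s['heartbleed']} over-long heartbeats, "
              f"~{s['heap_bytes']} bytes of server memory requested, "
              f"{s['last'] - s['first']} s window")
```

Run against a real capture you would feed `review_capture` the reassembled client-to-server TLS stream per connection, not raw packets; and because the check is on declared length versus bytes present, a legitimate client that sends too little padding is also flagged, which is exactly what a patched server does with it.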