Mounties Arrest 19-Year-Old Who Delayed Canada's Tax Filing w/ Heartbleed
April 17, 2014 3:24 PM
comment(s) - last by
(Source: Alex Anderson)
Hacking effort set Canada's tax collection back a week; now the youth behind it faces tough consequences
Thanks to a hacker with a penchant for mischief, Canada has been forced to delay tax collection by a week. The delay is likely to cost Canada millions. Now Canadian Royal Mounted Police believe they have the man responsible in custody, a 19-year-old London, Ontario native. But the man's lawyer is condemning the police actions and accusing Canadian officials of overreacting. One thing is for sure -- this Canadian drama is fast becoming the center of attention when it comes to one notorious security flaw.
I. Canada Has a Heartbleed
London is a popular college town west of Toronto in Canada's most populous province, Ontario.
But this week it was the site an intense police investigation on Tuesday as the
Royal Mounted Police
, or "Mounties" as they are referred to locally, raided the apartment of Stephen Arthuro Solis-Reyes, a man suspected of hacking into the
Canada Revenue Agency
Mounties search for the Heartbleed hacking suspect in a suburb of London, Ontario on Tuesday.
[Image Source: The Canadian Press]
[Image Source: Reuters]
The CRA portal remained vulnerable as of two weeks ago to
the Heartbleed vulnerability
, a dangerous
bug in OpenSSL
that endangered websites that use the "heartbeat" feature to automatically log inactive users off of connections to secured web portals.
[Image Source: Surfeasy]
Introduced on New Years Day 2012 due to a programming error, the bug lingered about unpatched for more than two years until its discovery this spring. The bug allows listener apps to request 64 KB chunks of unencrypted heap data, which can contain usernames, and -- critically -- unencrypted passwords and keys.
Sometime in the last two weeks, the Mounties were notified by the CRA that someone appeared to have gained illicit access to user accounts on the unpatched CRA portal. The portal was taken offline, but the suspect was believed to have obtained around 900 taxpayers
Social Insurance Numbers
(SINs). The portal has since been patched and reopened to the public.
A Social Insurance Number card [Image Source: The Canadian Press Images]
SINs are sort of like Social Security Numbers (SSNs) in the U.S. in that they are necessary to work, conduct financial transactions, pay taxes, and use government services. Note while Canada has a universal healthcare system -- aka "public healthcare" --
which the U.S. currently lacks
, that system is implemented at a provincial level and hence uses different cards, meaning that fortunately the healthcare records of Canadians are not at risk in the breach.
II. Teenager Gets Arrested, Charged
The Mounties' Assistant Commissioner Gilles Michaud said in a statement that the law enforcement officials had been "working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorization."
Mounties reportedly denied the young hacker access to a lawyer during his six hours in custody, following their raid of his neighborhood. [Image Source: Reuters]
The CRA announced in a statement:
We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.
While there have been some famous examples of attempted tax record destruction/theft in the U.S. -- such as the infamous "Operation Snow White" in which members of the Church of Scientology cult group infilitrated the U.S. government and attempted to steal founder L. Ron Hubbard's tax records -- the U.S. is not believed to have seen a direct theft of this scale.
The CRA has been forced to delay its tax collection deadline from April 30 to May 5.
Canada was forced to delay tax collection for a week, after the breach. [Image Source: Stockphoto]
Mr. Solis-Reyes is scheduled to be arraigned later today in Ottawa District Court. He is charged with:
unauthorized use of a computer (1 count)
mischief (1 count)
The charges put Mr. Solis-Reyes' studies at London, Ontario's Western University in jeopardy. Mr. Solis-Reyes had been attending the college, pursuing a degree in computer studies. He was currently in his sophomore year, having graduated from Mother Teresa Secondary School in 2012.
III. Teen's Lawyer Condemns Police Propoganda
The student's lawyer, Faisal Joseph, spoke out against what he saw was abuse by the Mounties. He
The Toronto Sun
I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice. And now they're going to make a national spectacle out of him.
They know he is starting to write exams on Thursday. They know this is a national story. They threatened to go public with this to humiliate and embarrass him.
The lawyer criticized both that the student was held for six hours at the police station with no access to legal counsel, and the fact that the police publicized the story to the press, which he argues was condemning his client without trial.
High school photos of the Western University computer science student accused of using the Heartbleed exploit to hack the government. [Image Source: The Canadian Press]
A neighbor of the young man's family
as "quiet and studious" to
The Windsor Star
. The report also states that Mr. Solis-Reyes as a well-known developer in the BlackBerry, Ltd. (
) community, having authored a clever app that helped users quickly solve Sudoku puzzles via hints.
One crucial detail the Mounties have yet to explain is why Mr. Solis-Reyes allegedly took the records and what he might have done with them. It is unclear whether he was merely studying the vulnerability, or actively abusing it to harm taxpayers or commit tax fraud.
Thus far this is the highest profile incident regarding Heartbleed. In the U.S. the
Internal Revenue Service
that its system was already patched and not at risk. That early patching raised some eyebrows given claims that the
U.S. National Security Agency
(NSA) discovered the vulnerability sometime in 2012, but failed to inform officials, instead using it to
steal U.S. citizens and foreigners' bank logins
. The NSA denied doing that, but its own slides explicitly state that it
has ways of circumventing OpenSSL
. The same slides forbid agents from discussing how these vulnerabilities work.
The Electronic Frontier Foundation
(EFF) earlier this week
produced the first solid evidence that the claims were true
, showing that last year someone was using IRC botnets to actively exploit Heartbleed in the wild. The NSA is known to widely have
used IRC botnets it hijacked from fellow cybercriminals
. Adding to the suspicion is the fact that whoever was illicitly scooping the data using the flaw did not appear to be doing it for financial gains. In other words, Mr. Solis-Reyes and the NSA may at least one thing in common, albeit operating on a drastically different scope.
Royal Canadian Mounted Police [press release]
The Toronto Sun
This article is over a month old, voting and posting comments is disabled
4/19/2014 10:35:18 PM
Say what you want. But it was unethical having millions of people unable to get even a simple checkup. Republicans had a decade to do something to fix the problem and they didn't. The ACA may cause this that and the other down the road and wipe out this or that class. I don't believe any of that is true. But what is true is that millions of people who were hobbled by medical expenses and bankruptcies and poor health, will now have the freedom to join the workforce and start businesses.
4/20/2014 4:53:48 PM
You can believe that the sky is a mudd hole, but that doesn't make it true. Your imbecility and lack of sense makes a Moron look like he has an IQ worthy of devotion. The ACA, aka, "Obamacare" is nothing more than a ridiculous taunt by a Chinese laundry gang. By the way (BTW for the idiots,) go sit on a stick. It might cure what ails you.
"We’re Apple. We don’t wear suits. We don’t even own suits." -- Apple CEO Steve Jobs
EFF: NSA May Have Used IRC Botnets to Exploit Heartbleed for Last Two Years
April 14, 2014, 4:43 PM
In Spite of Website Glitches, "Obamacare" Reaches Enrollment Target of 7.1M
April 1, 2014, 8:28 PM
Tax and Spy: How the NSA Can Hack Any American, Stores Data 15 Years
December 31, 2013, 12:36 PM
Report: NSA Intercepts PC Deliveries, Pays Cybercriminals to Spy on Americans
December 30, 2013, 3:46 PM
NSA Bypasses Internet Encryption, Spends $250M to Weaken International Encryption
September 6, 2013, 3:05 PM
Microsoft to Discontinue Free, Ad-supported Xbox Music Service on December 1
October 23, 2014, 10:03 AM
Christian Bale Confirmed to Play Steve Jobs in Upcoming Film
October 23, 2014, 8:43 AM
Monica Lewinsky Speaks Out, Calls Herself "Patient-Zero" for Internet Cyberbullying
October 21, 2014, 2:25 PM
Google Fiber Finally Heading to Austin, Texas in December
October 16, 2014, 11:48 AM
Dropbox Flexes Security Muscle, Appears to Have Squashed Password Breach
October 15, 2014, 12:12 PM
U2’s Bono Apologizes for Forced “Songs of Innocence” Album Downloads
October 15, 2014, 7:55 AM
Most Popular Articles
Chinese Government Declares Digital War Against America's Top Tech Firms
October 20, 2014, 12:07 PM
Report: 2015 Ford Focus Electric MSRP Slashed by $6,000, Will Retail for $29,995
October 18, 2014, 6:23 PM
Apple Releases iOS 8.1; Adds Apple Pay Support, SMS Relay, Instant Hotspot
October 20, 2014, 1:00 PM
Windows 8.1 + Android "Sell Mini PC" w/ Bay Trail Creates New PC Form Factor
October 20, 2014, 5:07 PM
Update: Motorola Droid Turbo Coming Oct 28, 48-hour Battery Life Confirmed
October 19, 2014, 9:19 PM
Latest Blog Posts
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
Space Terrorism is a Looming Threat For the United States
Apr 23, 2014, 7:47 PM
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information