backtop


Print 28 comment(s) - last by Piiman.. on Apr 26 at 12:35 PM


  (Source: Alex Anderson)
Hacking effort set Canada's tax collection back a week; now the youth behind it faces tough consequences

Thanks to a hacker with a penchant for mischief, Canada has been forced to delay tax collection by a week.  The delay is likely to cost Canada millions.  Now Canadian Royal Mounted Police believe they have the man responsible in custody, a 19-year-old London, Ontario native.  But the man's lawyer is condemning the police actions and accusing Canadian officials of overreacting.  One thing is for sure -- this Canadian drama is fast becoming the center of attention when it comes to one notorious security flaw.

I. Canada Has a Heartbleed

London is a popular college town west of Toronto in Canada's most populous province, Ontario.

But this week it was the site an intense police investigation on Tuesday as the Royal Mounted Police, or "Mounties" as they are referred to locally, raided the apartment of Stephen Arthuro Solis-Reyes, a man suspected of hacking into the Canada Revenue Agency (CRA) portal.

Heartbleed arrest
Mounties search for the Heartbleed hacking suspect in a suburb of London, Ontario on Tuesday.  
[Image Source: The Canadian Press]

Heartbleed hacker
[Image Source: Reuters]

The CRA portal remained vulnerable as of two weeks ago to the Heartbleed vulnerability, a dangerous bug in OpenSSL that endangered websites that use the "heartbeat" feature to automatically log inactive users off of connections to secured web portals.

Heartbleed
[Image Source: Surfeasy]

Introduced on New Years Day 2012 due to a programming error, the bug lingered about unpatched for more than two years until its discovery this spring.  The bug allows listener apps to request 64 KB chunks of unencrypted heap data, which can contain usernames, and -- critically -- unencrypted passwords and keys.

Sometime in the last two weeks, the Mounties were notified by the CRA that someone appeared to have gained illicit access to user accounts on the unpatched CRA portal.  The portal was taken offline, but the suspect was believed to have obtained around 900 taxpayers Social Insurance Numbers (SINs).  The portal has since been patched and reopened to the public.

Social Insurance Numbers
A Social Insurance Number card [Image Source: The Canadian Press Images]

SINs are sort of like Social Security Numbers (SSNs) in the U.S. in that they are necessary to work, conduct financial transactions, pay taxes, and use government services.   Note while Canada has a universal healthcare system -- aka "public healthcare" -- which the U.S. currently lacks, that system is implemented at a provincial level and hence uses different cards, meaning that fortunately the healthcare records of Canadians are not at risk in the breach.

II. Teenager Gets Arrested, Charged

The Mounties' Assistant Commissioner Gilles Michaud said in a statement that the law enforcement officials had been "working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorization."

Heartbleed hacker

Heartbleed arrest
Mounties reportedly denied the young hacker access to a lawyer during his six hours in custody, following their raid of his neighborhood. [Image Source: Reuters]

The CRA announced in a statement:

We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.

While there have been some famous examples of attempted tax record destruction/theft in the U.S. -- such as the infamous "Operation Snow White" in which members of the Church of Scientology cult group infilitrated the U.S. government and attempted to steal founder L. Ron Hubbard's tax records -- the U.S. is not believed to have seen a direct theft of this scale.

The CRA has been forced to delay its tax collection deadline from April 30 to May 5.

Canada tax day
Canada was forced to delay tax collection for a week, after the breach. [Image Source: Stockphoto]

Mr. Solis-Reyes is scheduled to be arraigned later today in Ottawa District Court.  He is charged with:
  • unauthorized use of a computer (1 count)
  • mischief (1 count)
The charges put Mr. Solis-Reyes' studies at London, Ontario's Western University in jeopardy.  Mr. Solis-Reyes had been attending the college, pursuing a degree in computer studies.  He was currently in his sophomore year, having graduated from Mother Teresa Secondary School in 2012.

III. Teen's Lawyer Condemns Police Propoganda

The student's lawyer, Faisal Joseph, spoke out against what he saw was abuse by the Mounties.  He comments to The Toronto Sun:

I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice.  And now they're going to make a national spectacle out of him.

They know he is starting to write exams on Thursday. They know this is a national story. They threatened to go public with this to humiliate and embarrass him.

The lawyer criticized both that the student was held for six hours at the police station with no access to legal counsel, and the fact that the police publicized the story to the press, which he argues was condemning his client without trial.

Steven Solis-Reyes
High school photos of the Western University computer science student accused of using the Heartbleed exploit to hack the government. [Image Source: The Canadian Press]

A neighbor of the young man's family described him as "quiet and studious" to The Windsor Star.  The report also states that Mr. Solis-Reyes as a well-known developer in the BlackBerry, Ltd. (TSE:BB) community, having authored a clever app that helped users quickly solve Sudoku puzzles via hints.

One crucial detail the Mounties have yet to explain is why Mr. Solis-Reyes allegedly took the records and what he might have done with them.  It is unclear whether he was merely studying the vulnerability, or actively abusing it to harm taxpayers or commit tax fraud.

Thus far this is the highest profile incident regarding Heartbleed.  In the U.S. the Internal Revenue Service (IRS) informed taxpayers that its system was already patched and not at risk. That early patching raised some eyebrows given claims that the U.S. National Security Agency (NSA) discovered the vulnerability sometime in 2012, but failed to inform officials, instead using it to steal U.S. citizens and foreigners' bank logins.  The NSA denied doing that, but its own slides explicitly state that it has ways of circumventing OpenSSL.  The same slides forbid agents from discussing how these vulnerabilities work.

The Electronic Frontier Foundation (EFF) earlier this week produced the first solid evidence that the claims were true, showing that last year someone was using IRC botnets to actively exploit Heartbleed in the wild.  The NSA is known to widely have used IRC botnets it hijacked from fellow cybercriminals.  Adding to the suspicion is the fact that whoever was illicitly scooping the data using the flaw did not appear to be doing it for financial gains.  In other words, Mr. Solis-Reyes and the NSA may at least one thing in common, albeit operating on a drastically different scope.

Sources: Royal Canadian Mounted Police [press release], The Toronto Sun, IRS



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

No wonder this has been blown out of proportion
By iamkyle on 4/17/2014 11:58:44 PM , Rating: 2
Anything that makes the Harper gov't look like an embarrassment will be dealt with swiftly and without remorse.

I expect the law will be laid down hard on this kid.




By chrnochime on 4/18/2014 12:44:18 AM , Rating: 2
You make it sound like the NDP or Liberal would've fared better.

He deserves to be thrown in jail for many many years. And he's not a "kid", not especially when anyone who's older than 19 in Canada is considered an adult, as after 19 consumption of alcohol is legal across the nation. He's an dumbass and the lawyer is speaking the usual attorney speak, nothing worth reading.


RE: No wonder this has been blown out of proportion
By Proton2 on 4/18/2014 6:54:48 AM , Rating: 1
The legal drinking age in the individual provinces and territories of Canada is
•Alberta - 18
•British Columbia - 19
•Manitoba - 18
•New Brunswick - 19
•Newfoundland and Labrador - 19
•Northwest Territories - 19
•Nova Scotia - 19
•Nunavut - 19
•Ontario - 19
•Prince Edward Island - 19
•Quebec - 18
•Saskatchewan - 19
•Yukon Territory - 19


By Camikazi on 4/18/2014 4:13:44 PM , Rating: 3
You do know you just showed the same thing he said right?


RE: No wonder this has been blown out of proportion
By random2 on 4/20/2014 1:34:49 AM , Rating: 2
Only it's the Harper government that introduced and passed new "get tougher on crime" legislation, budgeted big time for increased law enforcement, court costs, and prisons to take the new influx of Canadians caught up in his new minimum sentencing as part of this new legislation.

Thankfully the Supreme Court of Canada has some sense and this legislation Harper jammed through has not held up on their watch, so we won't have to worry, as they do down in the States that kids getting caught out with a baggie of pot are going to go to prison for 5 years.

If any of this sounds unfamiliar, newspapers, news magazines and Google are great resources.


By Piiman on 4/26/2014 12:35:42 PM , Rating: 2
If you have a private prison system they will find a way to fill them and keep them full.


Um...
By Flunk on 4/17/2014 4:14:16 PM , Rating: 4
quote:
As Canada has a universal healthcare system -- aka "public healthcare" -- which the U.S. currently lacks, the ID numbers are even more crucial as they control medical records and medical care access.


The Canadian universal healthcare system is administered provincially and uses totally separate ID numbers and cards.

It's still a pretty serious issue, but it's not going to affect people's healthcare unless they also hacked those databases too.




Deadline delayed
By Proton2 on 4/18/2014 7:06:44 AM , Rating: 2
Delaying a deadline, which will only affect a few, will not cost millions. My father is a tax preparer and he simply prints out the tax forms and mails it in when the efile system was down. None of his clients will be delayed in their filings.




By masamasa on 4/21/2014 1:39:28 PM , Rating: 2
No surprise here. Next time maybe he'll consider the consequence of his actions.




Shocking
By Reclaimer77 on 4/17/14, Rating: -1
RE: Shocking
By JediJeb on 4/17/2014 6:07:54 PM , Rating: 2
The big question is why did the Canadian government continue to use the portal when they knew full well it was compromised?

Funny how it takes someone actually breaking into it to motivate them to shut it down and patch it. How do they know that someone else has not gotten into it prior to this indecent and stolen even more information?

If the kid is going to be on trial for breaking into the site, then the ones in charge of the site should also be on trial for leaving Canadian citizens vulnerable to having their data stolen.


RE: Shocking
By stm1185 on 4/17/2014 10:57:24 PM , Rating: 3
Yeah the Canadian government should have known better then to be walking in that dark alley with their cleavage showing.

They were asking for it.

Always blame the victim.


RE: Shocking
By JediJeb on 4/18/2014 2:26:50 PM , Rating: 2
This would be more like walking up naked to someone holding a sign that said "I am a rapist and I am looking for victims"

Not knowing there is a problem with your software and suffering from an attack you are a victim, knowing the problem exists and doing nothing about it is just negligent.


RE: Shocking
By KCjoker on 4/17/2014 6:52:31 PM , Rating: 2
Careful you'll be called a racist, sexist etc...


RE: Shocking
By wordsworm on 4/17/2014 10:51:30 PM , Rating: 1
Why use a parade of insults when you can just call him a Republican?


RE: Shocking
By KCjoker on 4/18/2014 6:29:47 PM , Rating: 4
Because being called a republican isn't an insult. Neither is being called a Democrat or whatever party they "call" themselves. It's more important how they govern not which party they belong to. However many people, maybe such as yourself have fallen into the trap both sides want. That trap is to pit us citizens against each other rather than focus on what they are and are not doing. But most importantly it would still require that person to defend/argue their position or stance on that subject.


RE: Shocking
By A.D.Hominem on 4/20/2014 5:04:52 PM , Rating: 2
Oh come on, he was being facetious and you know it. Not to mention, yet I will, it was George Washington that warned us about a "party" system. Hmmmmm!


RE: Shocking
By Dr of crap on 4/21/2014 8:32:22 AM , Rating: 2
Great reply. I have always believed this.
YET grown men will point fingers and say that it the other sides fault.

<....grown>


RE: Shocking
By wordsworm on 4/21/2014 3:56:29 PM , Rating: 3
Well, when I think of Bush II I think of wars fought over oil and the colossal amount of damage he did to America's economy through policy. Obama may have spent a lot of money, but he did so in trying to rebuild America rather than by dropping bombs (which rarely hit their targets and often kill enough innocents to earn a lot of hate).

Obama did a masterful job of working with Putin to very quickly and quietly end the Russian-Ukraine problem that came up recently. He has tried to fix the medical debacle that this generation has been reeling from, but I don't expect him to succeed.

You're more likely to find a Democrat or a liberal in a college/university than you are a Con/Rep, while if you go to church you're more likely to find your Con/Rep than your Dem/lib.

In Canada we have had successive bad choices resulting in the Cons taking power and reversing years of austerity that the previous government had exercised. But, the Liberal party too often offered up conservative sounding leaders splitting the left leaning vote.

I understand your position on the fence, and certainly in a lot of ways you are right. In British Columbia we have a Liberal premiere who has openly declared herself as a Conservative while the NDP offered up one of those liberal wishy washy idiots who couldn't be trusted with anything.

I guess what I'm saying is that I buy the idea that you do have to be careful who you elect, regardless of their party, but statistically speaking the best presidents are liberal presidents. Bill Clinton and Obama are by far superior to Bush I, II, and Regan.


RE: Shocking
By blzd on 4/17/2014 8:58:24 PM , Rating: 2
Obligatory American President post achieved.


RE: Shocking
By FaaR on 4/18/2014 8:04:59 AM , Rating: 3
Never miss an opportunity to kneejerkingly bash "obamacare" no matter what the actual topic of the article is, because healthcare for those who otherwise could not afford it is SUCH a terrible thing!


RE: Shocking
By deltaend on 4/18/2014 1:05:17 PM , Rating: 2
Of course for many people who were having difficulty affording healthcare before are now forced to pay even higher prices with Obamacare... so... yeah.


RE: Shocking
By Reclaimer77 on 4/18/2014 1:24:45 PM , Rating: 2
FaaR is a typical low information idiot, don't waste your time.

Only a colossal moron could look at Obamacare, and come to the conclusion it's all about helping the "uninsured".


RE: Shocking
By eddiehurst23 on 4/19/2014 10:30:21 PM , Rating: 3
I'm someone who hasn't had healthcare in almost ten years. I went to the doctor yesterday to finally start getting things fixed that have made my life a living hell. The affordable health care act is the single greatest thing to ever come out of DC. I am proud to call Obama my president. He is the only politician that has had a positive impact on my life.


RE: Shocking
By A.D.Hominem on 4/20/2014 4:41:37 PM , Rating: 1
I'm sorry for your plight, but you are a silly douche. "Health Care" has been available for all people since the beginning of time. You just have to pay another intelligent human being for his service. Screw you, you pathetic leech.


RE: Shocking
By tng on 4/18/2014 3:24:26 PM , Rating: 2
Ah... Yes cover your eyes and believe that it is great because you like the politician that started it.

In the meantime, many people in my particular neighborhood are learning that full time jobs that have benefits are no where to be found. Permanent-Part-Time is now the preferred choice of most employers who are dealing with increased costs due to Obamacare.

This one bill is doing in one fell swoop what the left in America have been blaming the right of doing for years, creating a permanent sub-culture of people who will be under educated, under-employed just above the poverty line, while there will be no middle class left, only very wealthy and the poor.


RE: Shocking
By eddiehurst23 on 4/19/2014 10:35:18 PM , Rating: 3
Say what you want. But it was unethical having millions of people unable to get even a simple checkup. Republicans had a decade to do something to fix the problem and they didn't. The ACA may cause this that and the other down the road and wipe out this or that class. I don't believe any of that is true. But what is true is that millions of people who were hobbled by medical expenses and bankruptcies and poor health, will now have the freedom to join the workforce and start businesses.


RE: Shocking
By A.D.Hominem on 4/20/2014 4:53:48 PM , Rating: 1
You can believe that the sky is a mudd hole, but that doesn't make it true. Your imbecility and lack of sense makes a Moron look like he has an IQ worthy of devotion. The ACA, aka, "Obamacare" is nothing more than a ridiculous taunt by a Chinese laundry gang. By the way (BTW for the idiots,) go sit on a stick. It might cure what ails you.


“So far we have not seen a single Android device that does not infringe on our patents." -- Microsoft General Counsel Brad Smith














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki