The first of what are likely to be several arrests made in connection to the Heartbleed vulnerability has come out of Canada.  Nineteen year-old Stephen Arthuro Solis-Reyes of London, Ontario was charged by the Royal Canadian Mounted Police (RCMP) with the unauthorized use of a computer and one count of mischief in relation to data.  Reyes is the Western University computer science student charged in a recent breach of the Canada Revenue Agency’s (CRA) website.  In that attack, some 900 social insurance numbers were stolen, and the RCMP has connected the breach to the Heartbleed SSL bug.  The CRA is Canada’s tax collection agency, a massive target of information that was attacked at a critical time for tax collection.

Stephen Arthuro Solis-Reyes was arrested at his residence on April 15 without incident. He faces one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data contrary to Sections 342.1(1)(a) and 430(1.1) of the Criminal Code.

It is believed that Solis-Reyes was able to extract private information held by the CRA by exploiting the security vulnerability known as the Heartbleed Bug.  – RCMP website

In the release issued this past Wednesday, the RCMP announced the arrest, investigation and charges in this incident.

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners,” said Assistant Commissioner Gilles Michaud.

More to come?

This could be the beginning of a wave of stories involving breaches executed with the Heartbleed bug as the attack vector.  Given that statistics at the time of public disclosure showed that up to two thirds of all internet webservers were potential soft spots for the bug, the potential impact is well beyond considerable.  Despite some early doubts about the impact, this first breach and arrest suggest that the exploit is being actively tested by hobbyists and cyber-criminal organizations.

The bug allows unencrypted data to leak out of computer servers while completely undetected and it existed for as long as two years before it became public.  Just about every type of information possible is vulnerable to the threat including names, passwords, credit card numbers and other personal information.  The patch to fix the issue was released last week, yet it may not be clear how advanced efforts to get it rolled out have been.

The extent of impact of the bug in the wild also has yet to be known, and we have seen an incredible reaction from the world of security researchers and security firms on the subject.  Thieves have clearly wet their feet in exploiting the bug, and many would-be and curious hackers have likely given the exploit a try.  We will not provide a link, but it is well-known in security circles that instructions for how to breach computer servers and websites via the Heartbleed bug are easily found online.

photo credit: John Bristowe via photopin cc