The Mounties Have the Wrong Idea About Canada's 19-Year-Old Heartbleed Hacker

The first suspected hacker to use a Heartbleed exploit was arrested in Ontario, and quickly made national news. The alleged hacker, a 19-year-old university student named Stephen Arthuro Solis-Reyes, reportedly snatched 900 social insurance numbers (SINs) from the Canadian Revenue Agency website by exploiting the encryption flaw in OpenSSL.
The hack wasn't taken lightly by authorities. The Royal Canadian Mounted Police initially called it a "high-priority" case that it had been working tirelessly to resolve as quickly as possible. The Mounties also said that Solis-Reyes's eventual arrest happened without incident.
Solis-Reyes's lawyer Faisal Joseph disagrees, and has taken to the press to argue that his client has been treated as far more of a threat than a 19-year-old college kid ought to be. According to Joseph, authorities first served Solis-Reyes with a warrant at 1 AM last Monday, then the next day tried to arrest him during class. When Solis-Reyes eventually turned himself in, Joseph says his client was interrogated for six hours.
"I just think it is totally inappropriate to try to destroy a kid's life before he even has an opportunity to speak to a lawyer and get legal advice," Joseph told the Toronto Sun. "And now they're going to make a national spectacle out of him."
While it's interesting that Heartbleed's first exploit involved such an important government site, it's concerning that Solis-Reyes—like other alleged hackers—has been treated with such a heavy hand. Joining the ranks of other prolific Canadian teenaged hackers, Solis-Reyes is the son of a computer science professor and was characterized by an ex-RCMP superintendent in a CTV profile as possessing computing skills nearly equal to his father's (as if it were some sort of genetic, mutant ability).
Give his profile a brief look, and it's tough to imagine Solis-Reyes having the types of connections needed to peddle SIN numbers to underworld henchmen in the market for stolen tax information. According to reports, Solis-Reyes is currently living with his parents as a second-year honour roll student at Western University majoring in computer science. He was even a spelling bee champion in grade school.
Solis-Reyes has exposed network flaws before: when he was in high school, he told teachers their network was vulnerable to hacking, then demonstrated it by gathering confidential information from their servers.
Though his teachers may have understood his motives, the RCMP’s Technological Crime Unit instead charged him with one count of unauthorized use of a computer and one count of mischief. But security experts argue that, if Solis-Reyes was the one to expose flaws with the CRA's site, he was doing the agency a favor.
That jibes with a report from London Community News quoting friends who say he was known for finding flaws in servers. The real question is, why would a 19-year-old son of a computer scientist decide to hack the CRA? Unless it's revealed that Solis-Reyes was trying to sell the tax info, hacking the CRA to shame it for not applying Heartbleed updates immediately seems a likely motive.
If Solis-Reyes was concerned about CRA vulnerabilities, he wasn't the only one. Christopher Parsons of the Citizen Lab openly wondered about weaknesses in taxation sites like Scytl and other governmental sites hours before CRA preemptively shut down its server. Parsons says CRA secured confidential traffic using the flawed OpenSSL and was directly vulnerable to an attack. In fact, some Canadian hackers say Solis-Reyes did the feds a favour by exposing vulnerabilities in their site, which processed thousands of people filing their income taxes.
Once Heartbleed was discovered by the security community, a Python-based exploit tool followed, which allowed for the session hijacking attacks that security researcher Matthew Sullivan warned about in a widely cited blog post.
“The (Heartbleed) vulnerability was announced and subsequently, a tool was published the next day,” said security expert Robert Masse. “Allowing anyone who knows how to type 12 characters to extract 64K of memory that could contain confidential information from any vulnerable server on the web, including those of the CRA.”
Masse, himself an ex-teenage hacker who accessed Soviet research computers and was caught at the age of 15 by the RCMP, said the Solis-Reyes case is not surprising. Even so, tinkering around with a highly publicized security flaw doesn't make a kid a malicious hacker.
“With this exploit being accessible to anyone, you now have thousands of new curious 'attackers' who try out the tool against web sites wondering what interesting things can happen,” he told me. “Eventually, in the case of the CRA, you start to get social insurance numbers.” 
While it seems unlikely that Solis-Reyes was hacking the CRA for profit, his fate remains less clear. He may end up facing a minor sentence of community service if convicted. Or, as former hacker Michael Calce told Metro, Solis-Reyes could be made an example and punished to the full extent of section 342 of the Canadian Criminal Code, which is largely reserved for crimes of forgery, and carries up to a ten-year sentence. Solis-Reyes goes on trial in Ottawa in July.