Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself
from the that-didn't-take-long dept
One of the most high profile victims of the Heartbleed vulnerability was the Canadian tax service, Canada Revenue Agency, which shut down its online tax filing offering. A few days later, the agency admitted that about 900 Canadians had information copied from the site via someone exploiting the vulnerability, prior to the site being shut down. And, from there, it was just a day or so until it was reported that a teenager, Stephen Arthuro Solis-Reyes, had been arrested for the hack.
Given the speed of the arrest, it would not appear that Solis-Reyes did very much to cover his tracks. In fact, reports say he did nothing to hide his IP address. He’s a computer science student — and his father is a CS professor, with a specialty in data mining. It seems at least reasonably likely that the “hack” was more of a “test” to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious. It will be interesting to see how he is treated by Canadian officials, compared to say, the arrests of Aaron Swartz and weev.
Filed Under: canada, canadian revenue agency, cra, hacking, heartbleed, stephen arthuro solis-reyes
Comments on “Teen Arrested For Using Heartbleed To Get Canadian Taxpayer Info; Did Nothing To Hide Himself”
This is actually something that I could see a reasonable response to come down hard on. Getting people’s tax information could be WAYYYYYYYY more damaging than jstor articles or AT&T e-mails.
“It seems at least reasonably likely that the “hack” was more of a “test” to see what could be done with Heartbleed and (perhaps) an attempt to show off how risky the bug could be, rather than anything malicious.”
That’s a big assumption to make, and it misses the point.
The act of exploiting the tax service to get sensitive information is malicious in and of itself.
There are test servers that people have put up for people to test out the heartbeat bug. The kid should’ve used those servers instead.
Re: Re:
“exploiting the tax service” or used a publicly available feature?
Go up to a man who works for the Tax service.
Stap exploiting the tax service ?
Saying “Hi” is illegal ?
Did they arrest the tax service for giving out the info?
Re: Re: Re:
This is one of those situations where any analogy to the physical world is at best misleading. In the physical scenario, the person on the tax service would be at least aware of the information he was giving away, if not outright in collusion with the requester. There’s no situation where a human being would unknowingly start giving you private information about someone else. Here, a bug was responsibly for inadvertently giving away information.
Whichever way you excuse it, the kid was exploiting a known vulnerability to get confidential private information. If he wanted to run a test, he should have done it on a test server or a server he owned. By accessing confidential private information without permission, he broke the law. Since the vulnerability was already public, he doesn’t even have the moral high ground of white hat hacking to hide behind.
Re: Re: Re: Re:
“There’s no situation where a human being would unknowingly start giving you private information about someone else. “
LOL
“accessing confidential private information without permission, he broke the law.”
A) He was given it. (information stored in ram)
B) There could have been anything in that ram.
C) The people who gave him it are relevant.
“Inadvertently” …. you said it yourself. “a bug was responsibly for inadvertently giving away information”.
Leads to the question. Who had the bug?
Look, I agree that the morality is questionable. The information was sensitive. It was an unwanted feature/bug. However, to ignore the glaring “who dun it” because of that is plain ignorant to the facts. The tax office gave out information. THEY DUN IT.
Heaven forbid we hold the tax office accountable for not donating to openssl and dictating/securing the wanted features in it.
To blame some kid for using it is an applauding “pass the buck” scenario.
They had a feature, someone used it. It’s their fault. It’s that simple.
FFS, You had WHAT feature ?
You better remove that feature you asshole.
meh… don’t say it. Direct your anger at some kid stupid enough to use the feature. Like he is the worst type of person that could have used THEIR feature.
Re: Re: Re:2 Re:
I’m often sympathetic in these cases, but the facts here seem clear. The bug was not of their making, and not their error. The kid accessed data he knew he had no right to access. He did so deliberately.
Sorry, but there’s no excuse here, any more than there would be an excuse for you using a password someone accidentally emailed you. The security error does not excuse its deliberate exploit, unless doing so is a proof of concept to notify those affected. The affected were already informed, so no go.
Re: Re: Re:3 Re:
Even if used as a proof of concept, attacking or subverting security systems without prior authorization is unethical and in many cases illegal. Penetration testers, the aforementioned white hats, and others in the security community who have concern for acting ethically know better.
One may not access a system without authorization and walk away without “doing something wrong.” Sometimes authorization is implicit, sometimes explicit, but it either exists or does not exist and may be dependent upon certain system objects. As an example, I’m authorized to access Techdirt’s articles and comment sections, but attacking the backend or using the administration console would be unauthorized. I doubt the subject was authorized to use the system in the way he did. He certainly wasn’t intended to do so by the system architects or administrators.
To go back to a prior example, weev, the authorization to access the data was assumed by others to have existed in an implicit fashion due to the semi-public nature of the web, however I believe that assumption is flawed. Regardless of how poorly secured a system may be, or how simple the exploitation is, accessing parts of a system (including data stored therein) not meant to be accessed by a given user is intrusion. weev may have been let off after some (well deserved, even if only for other reasons) time served, but I don’t believe he should have been.
Re: Re: Re:4 Re:
You are “authorized” to access the keepalive function that is heartbeat. It’s part of everyday connections.
The “bug” is that when you send a packet, it sends a same sized packet back…Without it authenticating things.
This scenario is possible. (part of the keep alive process)
send a packet
>>>>>>>>> packet is lost due to bad internet connection (it happens)
You tell the server the packet was 64k
>>>>>>>>> server sends back 64k from ram
Accidental heartbleed “exploit”, via proper and “authorized” usage.
Re: Re: Re:5 Re:
Authorized until you artificially and intentionally inflate the payload size. Intent is the key, availability isn’t.
Re: Re: Re:4 Re:
Yeah grey hats just can’t know better, way too neutral to the frustrations of the other party, those black hearted neutrals…
Re: Re: Re:3 Re:
Loaded term. [ exploit = use ]
I’m also not trying to make excuses. Blaming this kid is making excuses for the ones who had the feature that could be triggered inadvertently via normal use and a mildly temperamental internet connection.
The kid shouldn’t have done it. I was clear on that.
He isn’t the problem here. The retards who had that feature are. They should have been supporting openssl etc…
Misdirected anger ?
They will try to make an example of him while the retards will get all the sympathy because they accidentally gave him stuff. Ignore that they were the ones who gave it out. Hang the fucking kid?
I disagree based on what I see as the ignorance of who the real culprits are. Yeah, the kid should probably get some light punishment. The tax office should get the same and be forced to donate to all the open source code projects that it uses.
Re: Re: Re:2 Re:
You are trying to claim the equivalent that if your door is unlocked and somebody goes into tour house and removes things, that that is not theft.
Re: Re: Re:3 Re:
The door was definitely locked.
This is like when they found those expensive locks used by the government had a flaw where they could be shorted out with a paper clip.
It’s as if he went to a government installation and used the paperclip trick to break into the tax records office. He saw some files sitting on the desk so he just took those, having no idea of what he just took.
Nobody would look at that in the real world as innocent.
Re: Re: Re:3 Re:
nope.
It’s like walking up to a locked door. Ringing the doorbell and then more stuff or different stuff is given to you by the owner, than should be given.
They give you the wrong stuff.
Just because someone doesn’t want that to happen when you ring a doorbell doesn’t mean that ringing the doorbell is illegal.
If anything, it’s more like fraud via deception. Definitely not stealing.
Heartbeat is a Keepalive function.
If your connection drops part of a packet during the keepalive process you too could be “exploiting heartbleed”.
Re: Re: Re:4 Re:
Actually you cannot, while UDP does no error correcting, it does do error detecting, length and checksum validation, and silently drops any packets that fail the checks. Therefore if the packet is truncated by the network you do not receive a response. Its exploitation requires deliberate generation of a packet that tells lies about the length of the string within the shorter, but accurately given, packet length, along with a checksum for the packet. This is extremely unlikly to occur by accident.
Re: Re: Re:5 Re:
Corrupted packets happen.
Of course I over simplified the explanation. I think that half a sentence of explanation should have made that obvious.
“Extremely unlikly to occur by accident” is still possible and considering the probable trillions+ of times per day that the “function” is used. Even if it happened once per billion, with those figures it would exploited 1000 times per day.
UDP keepalives are set at 30 second intervals or so.
eg of scale: 5,922,000,000 google searches per day in 2013.
A trillion keepalives a day is probably a gross underestimation.
Re: Re:
“That’s a big assumption to make, and it misses the point.”
Assuming Solis-Reyes did not have nefarious intentions is not such a big assumption when one takes his history into account.
From: http://www.washingtonpost.com/news/morning-mix/wp/2014/04/17/the-first-suspected-heartbleed-hacker-has-long-history-of-hacking/?tid=hp_mm
?This kid, when he was in high school was in the top of his class. He was extremely gifted. So he sent a letter to the [London District Catholic School Board in Ontario] indicating that their school system was susceptible to hacking.? The attorney said the school officials were nonplussed. ?They said they?d like to test it themselves. He was a quote computer nerd unquote and they didn?t take him seriously.? So the 14-year-old, Joseph claims, went into the computer system and found ?all the confidential information.? But then, right when things could have turned criminal, Joseph said his client stopped. ?He could have changed everything, and changed nothing,? Joseph said.
This article doesn’t expound the problems with laws concerning unauthorized computer access but it is not missing the point either. I don’t know what the penalties are in Canada for unauthorized use of a computer but in the U.S. the CFAA is a one-size-fits-all law where any unauthorized access has a maximum penalty of five years in prison. There is a wide range of criminality lumped together as violations of this law and it includes white, or gray, hat hackers who exercise an exploit simply to prove it was possible. Even with the best intentions, if such a hacker accesses a computer they don’t have permission to access, the penalty is 5 years in prison. The law against unauthorized access should not have such a draconian penalty. The heavy penalties should apply to those who exhibit more nefarious intentions by also committing fraud or theft based on the information they illicitly acquired.
Don’t see how the Canadian Government can do anything about this. The information is “publicly available”. No security breach, breaking stuff, unauthorized access or hacking required.
Ask server.
Server sends you information.
It’s a bug or in other words a “publicly available feature”, not a hack or an exploit.
“exploiting a bug” is a really loaded statement.
“Using a feature” or “exploiting a bug” are synonymous in this case.
Love all the comments trying to rationalize in favour of someone who has *allegedly* broken a Canadian law. First, it is only alleged, we have no facts accepted by the court other than the Information laid to accuse him.
While I do support arguments suggesting the CRA is to a degree liable, we are to believe they shut down their servers “as soon as the risk was known,” greatly mitigating their culpability.
As for the young man, what if we discovered a flaw in trousers which allowed wallets to fall from their back pockets with minimal effort from a passerby? There are then several options, including:
A) Walk past a potential victim, doing nothing.
B) Trigger the wallet drop but do nothing.
C) Trigger the wallet drop, advise the victim their wallet just dropped.
D) Trigger the wallet drop, keep the wallet, do nothing.
E) Trigger the wallet drop, use the wallet contents.
I’m thinking we’re looking at “D”, which suggests an intentional act to trigger the event, followed by one of questionable ethics – why keep the wallet? Why keep 900 wallets? Even with the intention of returning them, it would be grossly inappropriate (bordering on plainly stupid) to collect 900 wallets THEN say, “oh, don’t worry, I was planning to return them all.”
While stupidity isn’t illegal (“You can’t fix Stupid,”) it can surely put you in the hot seat, and so it should, to hopefully curb future stupid acts by an accused or anyone watching.
My 2c.
-e
Re: Re:
Naturally, in this case, there is the debate whether picking up a dropped wallet in the first place is or is not already in and of itself “theft.” Other than that, my point remains.
-e
Re: Re: Re:
If you see who dropped the wallet, or caused it to fall out of a pocket, picking it up and not trying to return it is theft, because you can contact the owner.
"Undetectable"
I suspect a factor in this kid’s story is that a lot of the initial media on Heartbleed called the exploit “undetectable”. This was actually shorthand for “undetectable from standard web server logs”, isn’t exactly true either, and ignores the fact that the attack is trivially detectable if the victim is logging IP traffic (which they can do with a sniffer or at the firewall) and has the software that will decrypt the traffic with the web server’s certificate.
In fact, someone connecting to a web site with a weird access pattern, like hitting the home page 10,000 times but never going to a sub-page, is going to throw a giant red flag on a financial site.
Ah I see, since he wasn’t sneaky about it, that means he’s innocent.
The comedy never stops at Techdirt.
Re: Re:
No one said, or even inferred, this. Pulling shit out of your ass is amusing, but everyone does it. Usually we just flush it, though, instead of plastering it on the internet like it was the most ingenious thing ever.
Son of a Computer Scientist
I think he was just screwing around to see how things work. An apt comparison would be to another CS student, Robert Morris, who also had a distinguished CS researcher for a father (Bell Labs and later the NSA (oh noes)), who while screwing around exploring various vulnerabilities accidentally released the first large-scale disruptive internet worm. This was back in the 80’s. As I recall, all he got was a slap on the wrist, and later went on to become a tenured CS professor at MIT.
Re: Son of a Computer Scientist
plot twist: his father did it, and blamed the kid.
Here’s a couple of other bits of information on this story.
– The police raided his home, and seized computer equipment, but apparently did not arrest him at that time.
– He was told to ‘voluntarily’ show up at the police station or else the police would very publicly humiliate him by arresting him in the middle of his exams.
– When he did show up at the police station, his lawyer was not permitted to see his client for six hours.
http://www.lfpress.com/2014/04/16/london-teen-charged-in-heartbleed-breach-of-taxpayer-data
This case has enough irregularities that I would not trust anything the police say unless there is some supporting evidence. It sure looks to me like the authorities are getting desperate to convict a ‘dangerous hacker’ to distract attention from the fact that there was a major security flaw in the government’s computer systems.
The teen was just following in his father’s footsteps, by data mining Social Insurance Numbers. I believe it’s a stretch to give his intentions the benefit of the doubt.
For one, how could a computer science student be so foolish as to pick a government tax return website to carry out his ‘tests’. It’s amazing he was foolish enough lead the Canadian Mounties, right to his doorstep.
I guess just because you’re a data mining Zuckerberg, with a degree in Computer Science, doesn’t make you a network protocols expert.
I am one who was affected by this little s***, and his heartbleed hack with CRA, because of him I did not receive my child tax benefit. I do not make much and my CTB was to help with giving my child an Easter, but due to this the Easter bunny will not be coming to our house this year. I would like to know how to fix this before the Easter bunny needs to travel… Any help would be greatly appreciated…
Re: Re:
“… because of him I did not receive my child tax benefit.”
Explain…
Re: Re: Re:
I’m assuming they mean that since the CRA stopped allowing online filing for a short period, that they were unable to file their taxes electronically or at least had to wait a week. That caused their tax return to be delayed.
So they will still get their tax credits, but not in time for Easter.
Re: Re: Re: Re:
Last years taxes do not affect monthly/quarterly benefits until July.
Re: Re:
On the other hand, thanks to this “hack” and the CRA’s shutdown, I now have an additional week to procrastinate filing my taxes. New deadline is May 5, extended from Apr 30.
=P