HEARTBLEEDING STORY: Story of Heartbleed 2014

Over nine hundred Canadian taxpayers’ identity numbers were stolen, and thousands more are potentially at risk. The Canada Revenue Agency’s (CRA) online services were closed for five days because of what was called a devastating “Heartbleed bug”. Never before has the Canadian Government lost so much information in so little time. Who is responsible and what happened? Join us as we unravel the mystery of what could be the greatest cyber heist on a government agency’s online service in Canadian history and visit its final moments of disaster.

Heartbleed: Starts with OpenSSL

To unlock the key, we must learn where Heartbleed began. Software called “OpenSSL” is where investigators believed the issue began. What is OpenSSL? As Wikipedia states, “The OpenSSL project was founded in 1998 to invent a free set of encryption tools for the code used on the Internet. As of 2014 two thirds of all web-servers use it.” Now the question is: is this the price for using free software?

To achieve a greater understanding, we must ask a professional about the free software library OpenSSL. Steven Chui is a graduate of the University of British Columbia specializing in Computer Science and is an expert in protecting documents. He is an information technology professional in the software industry, and an expert in this field.

“Many large companies including Google, Instagram, and Amazon use this software. Since the source code is open to the public, that means anyone, security professionals and hackers alike, can easily analyze this software for security holes. This places web services companies who use OpenSSL in a dangerous position if hackers found some unknown vulnerability in the library.” — Steven Chui BSc 

So now, when we piece together the chain of events that led to the loss of nine hundred Canadian taxpayers’ identity numbers, we can find out what happened and how the CRA lost so much tax information in so little time.

The Turn of Events of Heartbleed 2014

March 21, 2014 – Google Security official Neel Mehta discovers a vulnerability in OpenSSL and names this vulnerability “Heartbleed”. Later, Google starts looking into creating a patch for their web services servers across the globe to prevent intruders from extracting information through this vulnerability.

March 31, 2014 – CloudFlare, a content network distributor, finds out about Heartbleed and applies a patch against it. They post on a blog about this issue and impress their clients with how they fixed it.

April 1, 2014 – Google then sends the message to OpenSSL about the issue. OpenSSL initially thinks this is just an April Fools’ joke from Google. They continue to study the facts and finally agree there is an exploit.

April 4, 2014 – Akamai, another content network distributor, finds out that their server was susceptible to Heartbleed and begins coordinating a remedy on their server. Rumors about Heartbleed on OpenSSL’s server pick up speed.

April 7, 2014 – Facebook finds out about their vulnerabilities to Heartbleed and patches their servers.

April 8, 2014 – The Finnish communication regulation authorities issue a warning on their website.

April 10, 2014 – The Canada Revenue Agency (CRA) is informed about this vulnerability and shuts down its web service, Netfile. 900 IDs were already stolen.

April 15, 2014 – CBC releases an article summarizing that the identity numbers of 900 Canadian taxpayers have been stolen and that the CRA was slow to respond to this issue. This bug does not leave a trail on the computer, and it is hard to do forensic analysis.

April 16, 2014 – CTVnews states in an article, “19 year old Stephen Arthuro Solis-Reyes was arrested at his house. He faced charges related to unauthorized use of a computer, and one count of mischief in relation to data.” It is now clear that he was the perpetrator who stole 900 IDs.

Story of Heartbleed 2014

With the loss of 900 Canadian taxpayers’ Social Insurance Numbers, the government will provide access to credit protection services to those affected. The CRA has also stated that some businesses’ information may have been removed, and asked the Royal Canadian Mounted Police to begin an investigation. They managed to trace the internet hacker to London, Ontario on a possible lead. They stormed the front of the house of a 19-year-old man, Stephen Arthuro Solis-Reyes, at 1 am Eastern Time. What they found next was heartbleeding to the masses. The RCMP discovered that the young man was able to extract information from the CRA by exploiting the Heartbleed bug and gather 900 taxpayers’ Social Insurance Numbers.

The details of the extent of the CRA breach have emerged, revealing one of the most devastating cyber crimes in history. A nineteen-year-old man was able to breach Canada’s secure servers. Rumour has it that the NSA knew about the Heartbleed exploit for at least two years. If these allegations are true, they could have easily taken information from the Canada Revenue Agency as part of their intelligence network. Canadian officials now state that the Heartbleed exploit is closed, and have reopened their services to Canadian taxpayers. But this leaves the people with more open-ended questions. Is the Heartbleed incident the price the CRA must pay for using free open source software? Are there many more exploits in OpenSSL that we do not know of yet? And how will the CRA prevent these internet breaches from happening in the future?

Steve is a co-founder of DeviceCritique. He is a technology expert who takes a unique perspective by blending humanity, technology, and business. He envisions that there are many untapped technology products that have yet to emerge, and plans to explore those ideas with you in his articles.

2 Comments

  1. Steve – it comes to mind that although 900+ SIN numbers have been stolen without a trace, that use of these numbers for false accounts and IDs etc. has an upside. The names and numbers cannot be changed so does it mean that the moment someone tries to create a false ID that the SIN number will be re-entered into the system. Ergo if our Government is smart they will create SIN traps and in theory the perpetrators will be caught. Or is this an over simplification of a much more complicated fix???

    Jeff Clark
  2. “The perpetrators”, as mentioned in the previous reply, appear to be a sole 19 year old man from London, Ont. named Stephen Solis-Reyes. RCMP arrested him yesterday. The story is here:
    http://www.ctvnews.ca/canada/rcmp-charge-19-year-old-man-in-heartbleed-privacy-breach-1.1778934
