Heartbleed exploit a reality for Canadian agency

Law enforcement officials in Canada might have caught up with one of the "nefarious actors" the U.S. Department of Homeland Security warned was moving to exploit the Heartbleed OpenSSL flaw -- but not before he allegedly filched 900 Social Insurance Numbers from the Canadian tax authority's databases.

DHS' warning and the arrest in Canada were not directly linked, but they highlight the speed with which cybercriminals exploit vulnerabilities.

On April 16, the Royal Canadian Mounted Police announced that it had arrested a 19-year-old Ontario man for the malicious breach of taxpayer data from the Canada Revenue Agency (CRA) website via the Heartbleed flaw. Stephen Arthuro Solis-Reyes was arrested at his residence on April 15 without incident and is slated to appear in court in Ottawa on July 17.

"Based on our analysis to date, Social Insurance Numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability," said CRA Commissioner Andrew Treusch in a statement released April 14.

On April 11, within hours of the Heartbleed flaw's disclosure, DHS' National Cybersecurity and Communications Integration Center warned through an unclassified but restricted memo that a trusted third party had seen exploit code on publicly available online outlets. It also said a number of underground forums were discussing the flaw, "which indicated interest from nefarious actors."

RCMP did not provide details on how Solis-Reyes accessed the data.

CRA shut down public access to its online services on April 8, saying those services were vulnerable to the flaw, and officials moved the deadline for Canadians to file their tax returns from April 30 to May 5. The U.S. Internal Revenue Service and other federal agencies maintained that their operations were not vulnerable to the flaw, and online services remained operational. Experts have said vulnerability to malicious exploitation can vary widely depending on systems' architecture and other factors.

Treusch said CRA is now fixing the problem. "We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed," he said. Before relaunching its online services on April 15, the agency "vigorously" tested its systems and implemented patches for the flaw, he added.

The agency has notified the people whose information was stolen, but instead of communicating through possibly exploitable email messages and telephone calls, Treusch said CRA sent a registered letter to each person affected. The agency has also established a free hotline to provide more information on how people can protect their Social Insurance Numbers.