Police make Heartbleed arrest: Taxing times in Canada


Our neighbors to the north get their man, allegedly.

The Royal Canadian Mounted Police (RCMP) says it arrested the perp behind the recent hack of the country's tax agency. The allegedly-Heartbleed-mediated alleged hacker, one Stephen Arthuro Solis-Reyes, is charged with "mischief in relation to data." Oh, Canada!

In other news, nasty new implications of the OpenSSL bug continue to come to light.

In IT Blogwatch, bloggers hold their heads in their hands and weep. Not to mention sleeping all night and working all day.

Your humble blogwatcher curated these bloggy bits for your entertainment.


He's an anonymous Aunty author and he's OK:

A 19-year-old Canadian became the first person to be arrested in relation to the Heartbleed [vulnerability]. Solis-Reyes...was accused of hacking into the Canadian Revenue Agency (CRA)'s website.

The Heartbleed bug was made public a week ago by Google and Codenomicon. ... The bug exploits a flaw in OpenSSL.


The RCMP, which has been investigating the breach for four days, charged Mr Solis-Reyes with "unauthorized use of a computer" and "mischief in relation to data."


With his best girlie by his side, Stephen Lawson will sing, sing, sing:

After discovering the attack, the agency temporarily halted online filing of tax returns.

The RCMP arrested Solis-Reyes ...searched his residence and seized computer equipment. [He] is scheduled to appear in court in Ottawa on July 17.


RCMP assistant commissioner Gilles Michaud assists in the commissioning of cutting down trees:

The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible. Investigators from National Division, along with our counterparts in “O” Division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.


Meanwhile, Dan Goodin has more "catastrophic" news (and has buttered scones for tea):

Private encryption keys have been successfully extracted multiple times from a virtual private network server running the widely used OpenVPN.

[Shops using] any OpenVPN server—and likely servers using any other VPN application that may rely on OpenSSL—should follow the multistep path for recovering from Heartbleed. ... Because Heartbleed may have leaked the private key...users may still be susceptible to attacks.


To fully recover from Heartbleed, administrators should also revoke their old key certificates, ensure all end user applications are updated with a current certificate revocation list, and reissue new keys.


While wilya will press wild flowers: [You're fired -Ed.]

Note that this statement is about OpenVPN Access Server, the commercial distribution of OpenVPN.

There is a bit more info in the "community" wiki. It seems the key point is that TLS-auth would already mitigate the vulnerability. [It's] on by default in OpenVPN Access Server. ... TLS-auth [uses] a single global pre-shared key. It could leak a bit more easily than personal certificates.
