back to article Mounties always get their man: Heartbleed 'hacker', 19, CUFFED

A teen suspected of exploiting the Heartbleed bug to rifle through Canada's tax computer systems has been arrested. The Royal Canadian Mounted Police (RCMP) said 19-year-old Stephen Arthuro Solis-Reyes of London, Ontario, was cuffed at his home, and charged with the unauthorized use of a computer and criminal mischief in …


This topic is closed for new posts.
  1. Dave Stevens

    Can't wait

    To hear what that guy actually did.

    Lifting 900 social security numbers over a 6 hour window through an untraceable bug and being found out shortly after through "leads" and "interviews" does not compute at all.

    1. mt_head

      Re: Can't wait

      The only thing that doesn't compute is this word "untraceable". It's only untraceable if you weren't logging your traffic - and why is it unthinkable that an Internet-facing tax agency's server would be logging its traffic?

      I don't know who first used the word "untraceable" in conjunction with Heartbleed, but s/he needs a good kicking. On the bright side, it seems to have fooled both the public AND the script kiddie community; this individual may be neither the biggest fish in the pond nor the sharpest tool in the shed, but the world will not suffer because he's out of circulation for a while. Good riddance, sez I.

      1. Tom 38

        Re: Can't wait

        So how would you trace it?

        You would need to be storing all your ingress traffic to the SSL site in order to determine, for certain, that this particular request was trying to exploit heartbleed. Not summaries of the traffic or request logs, but every single byte.

        What they CAN do however is look and see for suspicious requests in the period immediately after the bug was announced. Oh look, this IP address hit the same page 52,000 in 6 hours, gee, I wonder what they were doing.

        1. Bronek Kozicki

          Re: Can't wait

          Theoretically, this can be done, IF perfect perfect forward secrecy was not enabled.

          I can imagine scenario when, upon learning of a bug first thing the admins did was to setup full packet logging on IDS (with big storage array attached) and making sure PFS was disabled. Next thing you "just" need private server key to decrypt the traffic and get into individual requests, but this does not need to be done in real time - unless you want to drop data unrelated to potential attack (saving disk space). Tax website surely has respectable traffic, but nothing comparable to or other popular global services, so it might be still in the domain of "doable".

          Very tricky and if this is indeed roughly what they have done, they deserve some respect. I guess we will learn when it comes to presenting evidence in court.

        2. Anonymous Coward
          Anonymous Coward

          Re: Can't wait

          But you can store every single bit; there are products that do this. In a DC network I manage, I have two of them running. They can write over 20Gbps each and have multiple 10Gbps links on each one. Total storage on each 5PB. With a single 10Gbps link at 100%, I can store 48-hours of traffic coming in the front door. So, 6 hours is NOTHING.

      2. MacGyver

        Re: "untraceable"

        In reality I have no idea whether or not he did it, but how hard would it be for some anonymous hacker to drive around until they find an access-point they can crack in 5 minutes (WPS exploit), crack it, execute the heartbleed exploit, and because the hacker also now has access to the unsuspecting person's local NAT, just put some "evidence" in a shared folder somewhere. The real perpetrator would get away scot-free, and the police would just stop looking.

        1. oolor

          Re: "untraceable"


          Because then they would have traced the hacker. They know what packets went from that location to where. Likely there is much more than they are letting on. Remember that this is the collection agency for the government tax monies, it is the biggest cash/personal info flow in the country. Electronic intelligence likely came from the very top.

          @Tom 38:

          I'd take that bet that they log every byte.


          I think you should get +10 for the wry comment, and an extra 100 oolor points for the accidentally subject-matter appropriate handle.

      3. Anonymous Coward
        Anonymous Coward

        Re: Can't wait

        Not every organisation has the resources to have Full Packet Capture in place, and given that there were no IDS signatures to detect this attack until a week ago, that's the only way they would have logs of this having happened. Other equivalent organisations in different countries I am aware of have security operations that are somewhat behind the times and would likely not have this capability currently installed. Don't be so quick to criticise the person making the statement which could very well be perfectly accurate.

        1. Anonymous Coward
          Anonymous Coward

          Re: Can't wait

          Well, who needs the signature to detect it from the start. I can take the captured data from the start of when the exploit was announced and export it out for later review, like when there is a way to detect it.

          We are talking about the government, they always have money. If they need more, they just do one of the following:

          1) Raise taxes

          2) Print more

          3) All of the above

          We are talking about Canada, not some third-world country.

          1. Ole Juul

            Re: Can't wait

            "We are talking about Canada, not some third-world country."

            There's two?

    2. taxman
      Big Brother

      Re: Can't wait

      Nothing to sniff at?! ;)

    3. Anonymous Coward
      Anonymous Coward

      Re: Can't wait

      Agreed. He'd have had to have instigated something on the order of 2,000,000,000 to 3,000,000,000 Heartbleed attacks, unnoticed, in that 6 hour window.

    4. Anonymous Coward
      Anonymous Coward

      Re: Can't wait

      which may mean that, heartbleed is 2-phased (or even more) exploit exploited by 3-lettered agencies:

      Phase 1: exploit the bug and get data for 2 years.

      Phase 2: announce the bug and monitor who attempts to exploit it (netting at least one canadian teen).

      Phase 3: watch and wait while the world patches and sleeps soundly again and continue via another exploit. Go back to phase 1.

  2. Anonymous Coward
    Anonymous Coward

    Was it in doubt?

    I can remember always *knowing* that "the mounties always get their man" - and I've never even been to Canada.



    PS I have actually been to Canada - as a foetus, but that was some time ago. I'm 43 now! Mum said it (Canada) was lovely.

    1. JaitcH

      Re: Was it in doubt?

      "Mounties Getting Their Man" is more myth than fact as many of their failed investigations prove.

      What they DO have is large budgets - by local police standards - and the fact that provincial boundaries don't limit their activities as they do local, city or provincial, cops.

      They love having cars without antennae - these cars have a dual cavity antenna mounted under the rear window parcel shelf and in the trunk (aka 'boot'). After a few months on the road the outline of the antennae can be seen as the road dust becomes ingrained in the cloth material covering the shelf!

      And they are big in red uniforms, riding horses, at community fairs and exhibitions.

      1. Anonymous Coward
        Anonymous Coward

        Re: Was it in doubt?

        Also, the Mounties are so vicious, corrupt and inept they make the Met and LAPD look like schoolchildren. Wouldn't surprise me if this schmuck had nothing to do with it.

        1. Stevie
          Thumb Down

          Re: Wouldn't surprise me if this schmuck had nothing to do with it.

          Aaaaaaaaaand the first "Reiser is innocent" troll is posted.

  3. Frank Marsh

    Only 6 hours

    This is the 3rd time I've seen the "Remarkably, in the miniscule 6 hour window!!!" defense mentioned for the Canada Revenue Agency.

    But the social security number snaffle happened on Wednesday, while Heartbleed was announced to the world April 7 at 1:27 p.m. New York time.

    What am I missing? Or do they really mean "But it was only 6 hours from when we realized the bug affected us until we took the site down!!!" ?

    1. Tom 38

      Re: Only 6 hours

      1:27: Bug announced

      6 hours later: Patched software rolled out by CRA

      1 day later: Logs analyzed, potential disclosure detected, RCMP called in.

      1. 100113.1537

        Re: Only 6 hours

        Slight correction:

        6 hours later: took public facing websites off-line.

        Not sure if they have got it patched and back up again, but pulling you tax-filing website off-line just a couple of weeks before the filing deadline was a very public move and how everyone in Canada learned about the bug.

        I made a comment earlier that it probably took 6 hours to get permission to pull the sites off-line, but they may have set up a system to log all out-going data during this time so that they knew what had gone missing. There was discussion about this when they came out with the "900 SIN numbers hacked" story and people questioned how they knew. This doesn't clear up anything about possible data loss prior to the bug being announced however.....

        1. 100113.1537

          Re: Only 6 hours

          Patched sites back on-line April 13 apparently.

          Not sure if this is a fast or slow turnaround - anyone know how easy it is to apply the patches?

          1. Gerhard Mack

            Re: Only 6 hours

            The patch was easy and I had all my customer's stuff patched by the end of the first day they were down.

            The problem for CRA though isn't the time to patch it is the time to install the update on the test server, test the update, document the test, install the update on the live servers and then document the roll-out onto the live servers.

            Internal procedures are fun

  4. Anonymous Coward
    Anonymous Coward

    "analyzing data, following leads, conducting interviews, obtaining legal authorizations..."

    AKA: Routine Police work

    AKA: Doing their job

    Less spin please.

  5. raving angry loony

    "Biting the hand that feeds" doesn't mean "turning into the Daily Mail"

    So, I see El Reg has succumbed to the old "trial by press" bug. The one that sweeps the whole concept of "INNOCENT until proven guilty in a court of law" into the manure pile while slagging anyone the police care to arrest, making sure that even if they are subsequently found guilty their lives will be pretty much ruined. Not a shred of objective analysis, but instead just a rehashing of the same tired "rah rah rah go police rah rah" press release. Sickening, really.

    1. This post has been deleted by its author

  6. Steve Button Silver badge

    Canadian Mounted Police - Ahhhh Due South.

    Used to love that show.

    1. Piro Silver badge
      Thumb Up

      Re: Canadian Mounted Police - Ahhhh Due South.

      One of the all time greats.

      Good, clean fun. Witty dialogue. Interesting and varied environments.

      Excellent characters. A genuine heart of gold.

      Love it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Canadian Mounted Police - Ahhhh Due South.

        "Surely that makes you the mount-er, not the mount-ee?"

        1. John Brown (no body) Silver badge

          Re: Canadian Mounted Police - Ahhhh Due South.

          "Surely that makes you the mount-er, not the mount-ee?"

          ...and so is my wife!

  7. Dr Who

    If there's one thing the Mounties should know, it's no use shutting the stable door after the horse has bolted.

  8. i like crisps

    That would've been way cool if...

    ...they had actually turned up on horse back to arrest the guy!

  9. Crisp

    He should have used 7 proxies.

    See Title.

  10. David Roberts

    Acting in the public good?

    Perhaps he should try the white hat defence?

    I was sending a 64K heartbeat full of zeroes and only asking for 2 bytes back so I was minimising network traffic whilst sanitising your memory buffers for you.


    O.K. - oops - rookie coding error........

  11. All names Taken
    Paris Hilton

    is HeartBleed a HoneyPot?

  12. bigtimehustler

    It will be hard to prove this one, because they need to prove he was doing this maliciously of his own choice. There are a number of defence options. He was doing it in a security testing capacity (not sure on Canadian law regarding this), he wasn't aware it was happening (his computer was acting as a bot), he was just making lots of requests and never captured any data returned, this never even happened (prove it did). They would have to be logging all of the incoming heartbeat requests and logging all of the outgoing heartbeat responses to be able to mount a serious prosecution that can prove this beyond reasonable doubt. That is a very large amount of data and would require custom logging to be setup as the programme in all likelihood will not have a log option to capture all of this. I think this one will fall by the wayside in the not too distant future, before ever reaching a court.

  13. NoneSuch Silver badge

    Should read Mounties get their man without spying on the entire nation.

    Just shows how modern police can do their jobs with old fashioned warrants naming an individual instead of the Star Chamber justice from south of the border.

  14. EJ

    Hacker? Or more likely...

    Computer student who through curiosity tested and discovered the issue was real, then was naively excited by the possibility that his actions could somehow propel him to notoriety and fame in his field?

    1. Stevie
      Thumb Down

      Re: Hacker? Or more likely...

      Meh. 19 years old. Many horror stories of what happens when you are caught breaking into other people's computers. Shoulda known better.

      Unless ...

  15. Anonymous IV

    It's in the name

    Surely someone called Stephen Arthuro Solis-Reyes must be up to no good.

    Dammit, much of his name sounds foreign!


  16. Stevie


    Let's start a pool on how long it will be from arrest to public announcement of Asperger's Defense.

    I call two days.

    1. Anonymous Coward
      Anonymous Coward

      Re: Bah!

      He should tell people he was looking for aliens.

      I believe the bloke who hacked mumsnet was also conducting a search for intelligent signs of life.

  17. This post has been deleted by its author

This topic is closed for new posts.

Other stories you might like