Canadian Police Make First Heartbleed Hack Arrest

Thomas Brewster,
heartbleed security, latch chain link door © Sergios Shutterstock

The first arrest over attacks using the Heartbleed vulnerability has been announced in Canada following a hit on the country’s tax agency

A man has been arrested as part of an investigation into a breach of Canada’s tax authority that used the infamous Heartbleed bug.

Stephen Arthuro Solis-Reyes, a 19-year-old from Ontario, was arrested on Tuesday by the Royal Canadian Mounted Police (RCMP) and charged with two separate offences relating to the Canada Revenue Agency attack.

More Heartbleed

Heartbleed T-Shirt
You can support the open source OpenSSL project, by buying this T-shift (not a TechWeek project or affiliated to OpenSSL).

“The RCMP treated this breach of security as a high priority case and mobilised the necessary resources to resolve the matter as quickly as possible,” said Assistant Commissioner Gilles Michaud.

“Investigators from National Division, along with our counterparts in ‘O’ Division have been working tirelessly over the last four days analysing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners.”

Solis-Reyes has been scheduled to appear in court in Ottawa on 17 July.

Just a week after disclosure of the Heartbleed bug, which was resident in the OpenSSL encryption standard, the Canada Revenue Agency warned as many as 900 citizens’ social insurance numbers had been compromised as a result of the breach.

UK website Mumsnet was also targeted, but it appeared the attackers had not sought to do anything malicious with the usernames and passwords they acquired.

The Heartbleed fallout has continued throughout this week, with various organisations pushing out OpenSSL patches to protect customers.

It’s believed encryption keys could now be stolen from any VPN service running the OpenVPN protocol, according to reports. Many popular services, including HideMyAss, let users run supposedly secure connections over OpenVPN.

For anyone who wants to contribute to the OpenSSL fund to help ensure epic mistakes like the one that caused Heartbleed don’t happen again, t-shirts (pictured) are currently on sale, proceeds from which go to the open source effort.

Update: we stumbled on this Heartbleed T-shirt. All proceeds go to the OpenSSL project, say the creators, who describe themselves as “a bunch of people who want to help create a safer Internet”. 

Love IT security? Try our quiz!