The Heartbleed bug has dominated the security headlines for the past week as organizations around the world scramble to limit the risk. Although the impact of Heartbleed globally is still being calculated, the first arrest in the world related to the Secure Sockets Layer encryption flaw has now been made.
On April 16, the Royal Canadian Mounted Police (RCMP) announced that it had arrested a 19-year-old student in connection with exploitation attacks against the Canadian Revenue Agency (CRA) targeting the Heartbleed flaw.
“The RCMP treated this breach of security as a high-priority case and mobilized the necessary resources to resolve the matter as quickly as possible,” the RCMP noted in a statement.
Charged with one count of Unauthorized Use of Computer and one count of Mischief in Relation to Data is Stephen Arthuro Solis-Reyes. The police seized Solis-Reyes’ computer equipment on April 16, and he is scheduled to appear in an Ottawa, Canada, courtroom on July 17.
The actual Heartbleed flaw was first publicly revealed on April 7 by the OpenSSL project. The flaw is technically a vulnerability in the Heartbeat SSL monitoring function in the open-source OpenSSL cryptographic library. OpenSSL is widely deployed on Linux servers, Websites and technologies around the world to secure data in transit.
While patches for the Heartbleed flaw did emerge quickly after the initial disclosure on April 7, there was a window of exploitability. For the Canada Revenue Agency (CRA), which is the Canadian equivalent of the U.S. Internal Revenue Service (IRS), the window of exploitability was in fact a real risk. The CRA admitted on April 14 that its Website was attacked with the Heartbleed bug over a six-hour period, before the site was shut down and patched. During the six-hour attack, the information of approximately 900 Canadian taxpayers was stolen.
It is not clear at this stage what the intent of the alleged attacker Solis-Reyes was in relation to the stolen data or the attack on the CRA.
The speed with which the RCMP first reported the attack on the CRA and then announced an arrest in connection with the Heartbleed attack is quite stunning. The early speculation is that Solis-Reyes was not a professional hacker and did not properly take the necessary steps to hide his identity or IP address, which is what enabled the RCMP to act quickly.
While the incident in Canada is the first in the world to result in an arrest, given the global impact of Heartbleed, it is likely that other organizations around the world were in fact exploited, as well. Whether those exploitations will ever be discovered and publicly disclosed is something that only time will tell us.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.