A 19-year-old student at Western University in Ontario has been arrested on charges of exploiting the Heartbleed bug to steal the data of over 900 Canadian taxpayers from the Canada Revenue Agency's servers.
Stephen Arthuro Solis-Reyes, the son of a computer science professor at that same university, was arrested by the Royal Canadian Mounted Police. This is the first arrest related to the Heartbleed vulnerability in the OpenSSL library.
The young man's lawyer, Faisal Joseph, describes his client as "a very bright but also very emotional student". For this reason he did not feel like issuing a statement on his arrest; moreover, the lawyer continues, he voluntarily surrendered to the authorities after officers threatened to arrest him in the middle of one of his university classes.
Joseph also claims that the police held the student in jail for over five hours without letting him ask to speak with his lawyer, and that he will file a complaint about it.
Officials at the Canada Revenue Agency stated that they blocked public access to their online tax services one day after the Heartbleed vulnerability was disclosed, but evidently that was too late: it left Solis-Reyes a window in which to extract private encryption keys, passwords and other sensitive data from one of the agency's servers running a vulnerable version of the OpenSSL library.
The Heartbleed vulnerability takes its name from the TLS heartbeat extension (RFC 6520) as implemented by OpenSSL, a keep-alive mechanism: one peer sends a heartbeat request containing an arbitrary payload together with a field declaring the payload's length, and the other peer must echo that payload back; if no reply arrives, the sender concludes the connection is dead and acts accordingly.
It was discovered that by sending a request whose declared length is larger than the payload actually transmitted (up to 64 KB against a payload of a few bytes), a vulnerable server copies the declared number of bytes from its memory into the reply without checking that they belong to the request, and so hands back whatever happens to sit next to it in memory: session IDs, passwords, private keys and other sensitive data. Nothing stops the attacker from repeating the request, each time harvesting another slice of memory, and the server logs nothing. (For more on the bug, read on.)
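To make the mechanism concrete, here is an added example written for this post, not OpenSSL's own code: a simplified model of the heartbeat handler, first as it behaved in OpenSSL 1.0.1 through 1.0.1f and then with the bounds check from the 1.0.1g fix. The message layout follows RFC 6520; the record buffer, the "adjacent memory" holding a fake secret, the helper names and the 512-byte size are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of OpenSSL's tls1_process_heartbeat, not the real code.
 * Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define TLS1_HB_REQUEST   1
#define TLS1_HB_RESPONSE  2
#define HB_PADDING        16

/* Stand-in for the peer's TLS record buffer. The received record occupies the
 * first record_len bytes; what lies beyond models neighbouring process memory. */
typedef struct {
    unsigned char *data;
    size_t record_len;   /* bytes actually received */
    size_t capacity;     /* bytes this demo owns (simulated adjacent heap) */
} record_t;

static uint16_t n2s(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void s2n(uint16_t v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Build a heartbeat request followed by "adjacent" memory holding `adjacent`.
 * declared_len may differ from actual_len: that mismatch is the whole attack. */
int build_request(record_t *rec, const unsigned char *payload, size_t actual_len,
                  uint16_t declared_len, const char *adjacent, size_t capacity) {
    if (1 + 2 + actual_len + HB_PADDING + strlen(adjacent) + 1 > capacity) return -1;
    rec->data = calloc(capacity, 1);
    if (!rec->data) return -1;
    rec->capacity = capacity;
    unsigned char *p = rec->data;
    *p++ = TLS1_HB_REQUEST;
    s2n(declared_len, p); p += 2;
    memcpy(p, payload, actual_len); p += actual_len;
    p += HB_PADDING;                                  /* padding: zeros here, random in TLS */
    rec->record_len = (size_t)(p - rec->data);
    memcpy(p, adjacent, strlen(adjacent) + 1);        /* the data that will bleed */
    return 0;
}

/* Vulnerable handler: echoes payload_length bytes without checking that the
 * record really holds that many. Returns a malloc'd response, sets *out_len. */
unsigned char *hb_process_vulnerable(const record_t *rec, size_t *out_len) {
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p); p += 2;                /* attacker-controlled, trusted as-is */
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    /* Demo-only safety net: keep the over-read inside memory we own. Real
     * OpenSSL had no such bound and read up to 64 KiB past the record. */
    size_t avail = rec->capacity - 3;
    size_t n = payload <= avail ? payload : avail;
    *out_len = 1 + 2 + n + HB_PADDING;
    unsigned char *buffer = calloc(*out_len, 1);
    if (!buffer) return NULL;
    unsigned char *bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    s2n((uint16_t)n, bp); bp += 2;
    memcpy(bp, p, n);                                 /* the bleed: reads past record_len */
    return buffer;
}

/* Fixed handler: the 1.0.1g patch silently discards requests whose declared
 * length does not fit inside the record that was actually received. */
unsigned char *hb_process_fixed(const record_t *rec, size_t *out_len) {
    if (1 + 2 + HB_PADDING > rec->record_len) return NULL;
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = n2s(p); p += 2;
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->record_len) return NULL;   /* the fix */
    *out_len = 1 + 2 + payload + HB_PADDING;
    unsigned char *buffer = calloc(*out_len, 1);
    if (!buffer) return NULL;
    unsigned char *bp = buffer;
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp); bp += 2;
    memcpy(bp, p, payload);                           /* now provably inside the record */
    return buffer;
}

/* Does the response contain `needle` anywhere? */
int response_contains(const unsigned char *resp, size_t len, const char *needle) {
    size_t nl = strlen(needle);
    if (!resp || nl == 0 || len < nl) return 0;
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(resp + i, needle, nl) == 0) return 1;
    return 0;
}

/* Send a 2-byte payload claiming `declared_len` bytes through both handlers.
 * Bit 0: vulnerable response leaks `secret`. Bit 1: fixed handler replied at all. */
int run_scenario(uint16_t declared_len, const char *secret) {
    record_t rec;
    if (build_request(&rec, (const unsigned char *)"HB", 2, declared_len, secret, 512) != 0) return -1;
    int result = 0; size_t len = 0;
    unsigned char *r = hb_process_vulnerable(&rec, &len);
    if (response_contains(r, len, secret)) result |= 1;
    free(r);
    r = hb_process_fixed(&rec, &len);
    if (r) result |= 2;
    free(r); free(rec.data);
    return result;
}

int main(void) {
    const char *secret = "sessionid=0xDEADBEEF; password=hunter2";   /* constructed */
    printf("honest length 2:   %d (2 = fixed replies, no leak)\n", run_scenario(2, secret));
    printf("declared 200:      %d (1 = vulnerable leaks, fixed discards)\n", run_scenario(200, secret));
    return 0;
}
```

The important line is the single comparison in hb_process_fixed: the declared length is only ever allowed to describe bytes that arrived on the wire. Everything else in the two handlers is identical, which is why the fix was a patch of a few lines while the exposure was anything resident in the server process, private key included.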
According to Netcraft, two thirds of websites use OpenSSL to implement HTTPS encryption, although not all of them have the heartbeat extension enabled and so not all are exposed to Heartbleed.
And what do you think, will the Italian Revenue Agency have taken the right precautions? 🙂