19-Year-Old Student Arrested for Exploiting Heartbleed Bug to Steal Data

Heartbleed vulnerability which was the headline from the last two weeks has once again made a new headline. 

19 years old, Stephen Arthuro Solis-Reyes a computer science student at Western University have been arrested by the Royal Canadian Mounted Police (RCMP). He is been charged with unauthorized access to the computer and criminal mischief in relation to the data breach of taxpayer’s private information from the Canada Revenue Agency (CRA) website.

Assistant Commissioner Gilles Michaud said in a statement-

“The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible,”

After the public disclosure of the  Hearbleed, Stephen exploited the vulnerability present on the Canada Revenue Agency (CRA) website and extract private and sensitive information, including the social insurance numbers from the company’s system, before the computers were patched.

“Investigators from the National division, along with our counterparts in ‘Ontario’ division have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations, and liaising with our partners,” Assistant Commissioner added.

Heartbleed is one of the critical and biggest vulnerabilities in recent history, which was found in the OpenSSL's implementation of the TLS/DTLS heartbeat extension. This vulnerability allows the hackers to steal major credentials data from the affected server. 

Exploiting the Heartbleed bug itself rarely leaves any traces, unless the attacker is not sending millions of heartbeats continuously from his own IP addresses. "The fact that they were able to trace it back to someone implies that it is not the work of organized crime or a professional hacker. It would be someone of very low skill," said Mark Nunnikhoven, Trend Micro.

Stephen Arthuro was arrested at his residence without incident on April 15 and is scheduled to appear in court in Ottawa on July 17, 2014, RCMP reported. The police also seized computer equipment from his residence, while the investigation is ongoing.