Over nine-hundred Canadian taxpayers identity numbers stolen and thousands of more are potentially at risk. Canada Revenue Agency’s (CRA) online services were closed for five days from what was called, a devastating “Heartbleed bug”. Never before has the Canadian Government lost so much information in so little time. Who is responsible and what happened? Join us as we unravel the mystery of what could be the greatest cyber heist on a government agency’s online service in Canadian history and visit their final moments of disaster.
Heartbleed: Starts with OpenSSL
To unlock the key, we must learn where Heartbleed began. A software called “OpenSSL” is where investigators believed the issue began. What is OpenSSL? Wikipedia states that “The OpenSSL project was founded in 1998 to invent a free set of encryption tools for the code used on the Internet. As of 2014 two thirds of all web-servers use it.”. Now the question is, is this the price for using free software?
To achieve a greater understanding, we must ask a professional about the free software library — OpenSSL. Steven Chui is a graduate from the University of British Columbia specializing in Computer Science and is an expert in protecting documents. He is an information technology professional in the Software industry, and an expert in this field.
Many large companies including Google, Instagram, and Amazon use this software. Since the source code is open to the public, that means anyone, security professionals and hackers alike, can easily analyze this software for security holes. This places web services companies who use OpenSSL in a dangerous position if hackers found some unknown vulnerability in the library.” — Steven Chui BSc
So now when we piece together the chain of events that lead to the loss of nine hundred Canadian taxpayers’ identity numbers, we can find out what happened, and how CRA lost so much tax information in so little time.
The Turn of events of Heartbleed 2014
March 21, 2014 – Google Security official, Neel Mehta discovers a vulnerability in OpenSSL, and named this vulnerability “Heartbleed”. Later, Google starts looking into creating a patch to its web services servers across the globe to prevent intruders from exploiting information from this vulnerability.
March 31, 2014 – Cloudflare, a content network distributor finds out about Heartbleed and applies a patch against it. They post on a blog about this issue and impresses their clients on how they fixed it.
April 1, 2014 – Google then sends the message to OpenSSL about the issue. OpenSSL initially thought this was just an April fool’s joke from Google. They continued to study the facts and finally agree there was an exploit.
April 4, 2014 – Akamai, another content network distributor finds outs out that their server was susceptible to Heartbleed and begins coordinating a remedy on their server. Rumours pick up speed about heartbleed on OpenSSL’s server.
April 7, 2014 – Facebook finds out about their vulnerabilities to Heartbleed and patches their servers.
April 8, 2014 – the Finish communication regulation authorities issues a warning on their website.
April 10, 2014 – Canada Revenue Agency ( CRA) is informed about this vulnerability and shut down their web service, Netfile. 900 ids were already stolen.
April 15, 2014 – CBC releases an article summarizing that 900 Canadian Tax payers has been stolen and that the CRA was slow to respond to this issue. This bug does not leave a trail on the computer and it is hard to do forensic analysis.
April 16, 2014 – CTVnews states in an article, “19-year-old Stephen Arthuro Solis-Reyes was arrested at his house. He faced charges related to the unauthorized use of a computer and one count of mischief concerning data.” It is now clear that he was the perpetrator who stole 900 ids.
Story of Heartbleed 2014
With the loss of 900 Canadian Taxpayers Social Insurance Number, the government will provide access to credit protection services to those affected. CRA has also stated that some businesses information may have been removed, and ask the Royal Canadian Mountain Police investigation to begin their investigation. They manage to trace the internet hacker to London, Ontario on a possible lead. They stormed the front of a 19-year-old young man’s house, Stephen Arthuro Solis-Reyes at 1 am eastern time. What they found next was heart bleeding to the masses. The RCMP discovered that the young man was able to extract information from CRA by exploiting the Heartbleed bug and gather 900 tax payer’s social insurance numbers.
The details of the extent of the CRA breach has emerged into one of the most devastating cybercrimes in history. A young nine-teen-year-old man was able to breach Canada’s secure servers. Rumours have it, that the NSA knew about the Heartbleed exploit for at least two years. If these allegations are true about the NSA knowing about the heartbleed for at least two years, they could have easily taken information from the Canada Revenue Agency as part of their intelligence network. Canadian officials now state that the Heartbleed exploit is now closed, and reopens their services to Canadian Taxpayers. But this leaves the people with more open-ended questions. Is the Heartbleed incident’s the price CRA must pay for using free open source software? Are there many more exploits in OpenSSL we do not know yet? And how will CRA prevent these internet breaches from happening in the future?