First Heartbleed-related attack carried out by University student

by Charles Leaver

April 21, 2014


When news of the Heartbleed bug broke, many articles pointed out that it was only a matter of time before hackers started exploiting it. After all, Heartbleed is a bug that found its way into OpenSSL, a piece of software used by many sites and services across the Web. As it turns out, the world did not have to wait long for an attack to happen.

First documented attack targets Canadian Revenue Agency
For a while after the revelation about Heartbleed surfaced, the global computing community anxiously lay in wait for the inevitable attacks. Now they have begun in earnest. In the first recorded breach directly stemming from the bug, the Canadian Revenue Agency found itself under attack, according to CNET. The attack happened despite vigorous efforts on the part of the CRA to protect itself in the wake of the Heartbleed news. In an official statement from the CRA, Commissioner Andrew Treusch wrote that his agency had taken proactive measures following the news to safeguard its data.

"The CRA acted quickly to protect taxpayer information by removing public access to its online services," he wrote, adding that, "Since then, the CRA worked around the clock to implement a 'patch' for the bug, vigorously test all systems to ensure they were safe and secure."

Unfortunately, though, these measures did little to prevent the attack that hit the agency, and the CRA regrettably reported that Social Insurance Numbers for 900 taxpayers had been stolen. The attack reportedly occurred during a six-hour period when the patch was not in place.

Man behind CRA attack is reported "A" student
Hackers exist in the shadows. When their identities are uncovered, it is perhaps surprising that these criminals lead otherwise upstanding lives without any offense history. Such was the case with the alleged CRA hacker, a 19-year-old university student with consistent A grades, according to CBC. The student, Stephen Arthuro Solis-Reyes, turned himself in to police when he learned he was facing impending arrest.

"He is an A student and a very, very bright young man," the man's lawyer said, adding that his client was highly distressed and felt "sucker-punched" by authorities.

If Solis-Reyes did carry out the attack, that fact points to the ease with which anybody - even a teenage student - can penetrate a vulnerable organization's infrastructure in the wake of the Heartbleed news. That should give all enterprises cause to examine their data leak prevention methods, and make sure they have the tools in place to stave off a malicious incursion.

The solution lies in better endpoint security and control
After the CRA was breached, it did the right thing: it promptly informed customers and offered them the requisite free credit monitoring services that can prevent an individual's financial data from getting exploited. In addition, the agency was upfront about its effort to boost security following the attack.

"The CRA responded aggressively to successfully protect our systems," Treusch wrote. "We have augmented our monitoring and surveillance measures, so that the security of the CRA site continues to meet the highest standards."

But despite its proactive steps, the CRA will now have to cope not only with a recovery from the breach, but with the inevitable loss of trust that such an attack leads to. However, enterprises that take the most stringent measures to protect themselves will likely never have to deal with a breach of customer trust. When businesses enact a strong system of endpoint threat detection and response software, they take a major step toward defeating hackers at the gates, and never letting them attack the company's internal infrastructure.