The Royal Canadian Mounted Police announced today that a 19-year-old man has been arrested for allegedly taking advantage of the Heartbleed bug to steal tax information from a government website. He is believed to have compromised some 900 social insurance numbers (Canada’s equivalent of Social Security numbers).
This marks the first arrest related to the Heartbleed bug, which was discovered earlier this month, but it probably won’t be the last. The bug is thought to have left up to two-thirds of the Internet vulnerable to attack — while many companies have rushed to update their OpenSSL implementation, many websites, Android smartphones, and Wi-Fi routers are still vulnerable.
The Canadian government previously warned its citizens to avoid electronic filing systems after the bug’s revelation. The United States Department of Homeland Security issued its own warning shortly after — a slightly disingenuous warning given the possibility that the National Security Agency knew about and exploited the bug for at least two years, according to one report (which the NSA denies).
It’s unclear what this first attack — or at least the first attack that we know about — means for Internet security when so many systems are still affected by Heartbleed. Some have said that the equipment needed to perform damaging attacks would be out of most hackers’ reach; but if they do have that equipment, there’s nothing most consumers can do to protect their data.
Reactions from around the Web
Reuters believes that more attacks are coming:
Internet companies, technology providers, businesses and government agencies have been scrambling to figure out whether their systems are vulnerable to attack since the flaw was disclosed a week ago.
Security experts have warned that more attacks will follow.
Gizmodo wonders how the Mounties found their suspect:
Since Heartbleed is undetectable by definition, this arrest raises the question of how exactly he was caught. Maybe he was using the data he stole, but so far the details aren’t clear. What’s more, we also have no idea whether the exploit happened before or after the bug went public. Either way, though, it’s highly unlikely this is going to be an isolated case. So if you haven’t already, please, let this be a reminder—change your damn password.
The Calgary Herald reports that several government sites were shut down and the tax deadline was extended in Heartbleed’s wake:
The revenue agency has said it will notify everyone involved in the security breach by registered letter and will offer access to credit-protection services.
Because of the five-day shutdown of its E-file and Netfile services, the revenue agency has effectively extended the tax filing deadline for the same length of time. Returns filed by May 5 will not incur penalties or interest.
Pando weighs in
I wrote about the shaky idea that the Internet can ever truly be secure after the bug was revealed:
The bug is said to have been around since 2012. The sheer number of websites that use OpenSSL — including Yahoo, Imgur, and OKCupid — means that many millions of Internet users may have potentially had their privacy compromised over the last two years. Combine that with the news that Apple had failed to implement a security tool in its mobile and desktop operating systems for more than a year and the idea that anyone can ever be truly secure online seems permanently out of reach.
I then wrote about why being able to change your passwords is a good thing:
The good news is that passwords for services like Facebook and Gmail can be changed. It would be much harder to protect against compromised biometric security measures — what are you gonna do, burn your fingertips and tattoo some new patterns onto them?
Having to change all of your passwords sucks. Not being able to adapt to compromises in the security measures that protect all of your personal information, however, would be even worse.
Then I explored how small mistakes can have enormous consequences on the modern Web:
Finding these errors would be like finding a typo in “Infinite Jest” – it’s not going to be easy unless you know just what you’re looking for.
But the ramifications of these mistakes aren’t quite so minuscule. Hundreds of millions of people rely on Apple’s products to browse the Web. Even more interact with a large number of websites that use OpenSSL. It’s impossible to know how many people have been affected by these mistakes, but the threat itself has been enough to put security experts on high alert.
That’s the truth of Internet security. All it takes is for a team of professionals to miss two words, or for two unpaid volunteers to miss a “quite trivial” mistake in a widely used utility, for the privacy of essentially everyone who uses the Internet to be threatened. Welcome to the Web, where a single misplaced strand can cause a disaster few will notice until years later.
This led me to wonder why Internet security is entrusted to people working in their spare time:
It’s time for Internet security to be handled by people who can afford to devote their entire lives to it, not people who in their spare time are forced to carry “an enormous burden” that affects basically anyone who uses the Internet. We wouldn’t force the doctors charged with handling real heart attacks to operate on donations or in their spare time — why delegate the task of preserving the health of the Internet to people asked to work that way?
And finally, I wrote about the problem many consumers will face when trying to defend their privacy after Google revealed that millions of Android smartphones are affected by the bug:
The discovery follows reports that the Heartbleed bug has been found in Wi-Fi routers from Cisco and Juniper Systems. The fix for that problem, according to one security expert, is going to involve “a trash can, a credit card, and a trip to Best Buy.” There’s little else people can do.
These warnings demonstrate the Heartbleed bug’s lasting impact. Large companies can and have fixed their websites or updated their infrastructure to protect their users’ information. But when consumers are using devices that have long since been abandoned by their creators or are difficult to upgrade, the only recourse seems to be either living with the possibility of being affected by Heartbleed or upgrading to new hardware unaffected by the vulnerability.