law and technology and rock and roll


Heartbleed, CRA and the Criminal Code

Posted by Matt on April 16, 2014. Tagged with: heartbleed

You may have heard of a little thing called the Heartbleed bug, which has been wreaking havoc across the Internet since it was publicly disclosed on April 7. Anyone who wasn't alarmed by it either wasn't paying attention or didn't understand what was going on.

The gist of it is this: web servers that want to communicate securely with their users use a protocol called TLS. Any time you visit your bank's web site and see the little padlock icon near the address bar, that's TLS in action. It was recently discovered that servers running affected versions of OpenSSL, the library a huge share of the Internet relies on to implement TLS, could be made to spew out chunks of whatever happened to be in the server's memory at the time. The flaw is not in TLS itself but in OpenSSL's implementation of the TLS "heartbeat" extension: the server trusts the payload length a client claims for a heartbeat message and copies that many bytes back into its reply, even when the message it actually received is far shorter. XKCD has an excellent illustrated explanation of how it works. The memory that comes back might contain nothing of interest, or it might contain genuinely valuable information like usernames, passwords, session cookies, or even the private key the server relies on to protect itself from eavesdroppers. An attacker has no way of knowing exactly what any one request will return, but each request can return up to 64 KB, the attack can be repeated over and over, and it leaves no trace in ordinary server logs, so a determined attacker will eventually get something of interest.
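To make the mechanism concrete, here is a small simulation of the heartbeat handler in C. This is an added example written for this post, not OpenSSL's code: the record layout (type, two-byte length, payload, at least 16 bytes of padding) follows RFC 6520, but the fake heap, the secret placed next to the request, and all function names are assumptions for illustration. The vulnerable handler trusts the claimed length exactly as unpatched OpenSSL did; the fixed handler applies the same bounds check the OpenSSL 1.0.1g patch added.

```c
/* Simulation of the Heartbleed bounds-check failure (CVE-2014-0160).
 * Added example, not OpenSSL's code: record layout follows RFC 6520; the
 * fake heap, the secret string and the function names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16            /* RFC 6520 minimum padding length */
#define HEAP_SIZE   64            /* constructed slice of "server memory" */

/* Writes a heartbeat request at heap[0] that claims `claimed_len` bytes of
 * payload but really carries strlen(payload) bytes, then places a secret
 * directly after the record, as a neighbouring allocation might sit.
 * Returns the true length of the record as received on the wire. */
static size_t build_heap(uint8_t heap[HEAP_SIZE], uint16_t claimed_len,
                         const char *payload, const char *secret)
{
    size_t real_len = strlen(payload);
    size_t rec_len = 1 + 2 + real_len + HB_PADDING;
    memset(heap, 0, HEAP_SIZE);                  /* padding stays zero */
    heap[0] = HB_REQUEST;
    heap[1] = (uint8_t)(claimed_len >> 8);       /* big-endian length */
    heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap + 3, payload, real_len);
    memcpy(heap + rec_len, secret, strlen(secret));   /* the "neighbour" */
    return rec_len;
}

static uint16_t read_payload_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Vulnerable handler: sizes the reply from the claimed length and copies
 * that many bytes from the payload without comparing against the length
 * actually received. In this simulation callers keep 3 + claimed_len <=
 * HEAP_SIZE so the over-read stays inside the fake heap.
 * Returns a malloc'd response (caller frees) or NULL for a non-request. */
static uint8_t *heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                     size_t *resp_len)
{
    (void)rec_len;                               /* the bug: never checked */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload_len = read_payload_len(rec);
    *resp_len = 1 + 2 + payload_len + HB_PADDING;
    uint8_t *resp = malloc(*resp_len);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);      /* reads past the record */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return resp;
}

/* Fixed handler: rejects any request whose claimed payload plus header and
 * padding does not fit inside the record that was actually received. */
static uint8_t *heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                                size_t *resp_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return NULL;        /* too short */
    if (rec[0] != HB_REQUEST) return NULL;
    uint16_t payload_len = read_payload_len(rec);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len) return NULL;
    *resp_len = 1 + 2 + payload_len + HB_PADDING;
    uint8_t *resp = malloc(*resp_len);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);      /* now within bounds */
    memset(resp + 3 + payload_len, 0, HB_PADDING);
    return resp;
}

/* True if the byte string `needle` appears anywhere in the response. */
static int response_contains(const uint8_t *resp, size_t resp_len,
                             const char *needle)
{
    size_t n = strlen(needle);
    if (!resp || n == 0 || resp_len < n) return 0;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, needle, n) == 0) return 1;
    return 0;
}

/* Sends one constructed request through a handler.
 * Returns 1 if the secret leaked, 0 if a clean reply came back,
 * -1 if the handler dropped the request. */
static int probe(uint8_t *(*handler)(const uint8_t *, size_t, size_t *),
                 uint16_t claimed_len, const char *payload, const char *secret)
{
    uint8_t heap[HEAP_SIZE];
    size_t rec_len = build_heap(heap, claimed_len, payload, secret);
    size_t resp_len = 0;
    uint8_t *resp = handler(heap, rec_len, &resp_len);
    int result = resp ? response_contains(resp, resp_len, secret) : -1;
    free(resp);
    return result;
}

int main(void)
{
    const char *secret = "SIN=123-456-789";   /* constructed sample secret */
    printf("vulnerable, claimed 40: %d\n", probe(heartbeat_vulnerable, 40, "hello", secret));
    printf("fixed, claimed 40:      %d\n", probe(heartbeat_fixed, 40, "hello", secret));
    printf("fixed, honest request:  %d\n", probe(heartbeat_fixed, 5, "hello", secret));
    return 0;
}
```

The honest five-byte request is answered identically by both handlers; only the over-claiming request separates them, which is why the check is a single comparison and the patch was so small. Note that the fixed handler drops the bad request silently rather than sending an alert, matching the patch's behaviour, so even a patched server gives an attacker nothing to distinguish "patched" from "dropped".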

One organization that discovered their servers were vulnerable was the Canada Revenue Agency. They disabled the affected servers quickly, but unfortunately not quickly enough: on April 11, it was discovered that the Social Insurance Numbers of over 900 Canadians had already been stolen.

Well, it's only 4 days later and they already have a suspect in custody. An Ontario teenager has been arrested and will be charged with violating ss. 342.1(1)(a) and 430(1.1) of the Criminal Code. Those sections read:

Unauthorized use of computer
342.1 (1) Every one who, fraudulently and without colour of right,
(a) obtains, directly or indirectly, any computer service...
is guilty of an indictable offence and liable to imprisonment for a term not exceeding ten years, or is guilty of an offence punishable on summary conviction.

Mischief in relation to data
430 (1.1) Every one commits mischief who wilfully
(a) destroys or alters data;
(b) renders data meaningless, useless or ineffective;
(c) obstructs, interrupts or interferes with the lawful use of data; or
(d) obstructs, interrupts or interferes with any person in the lawful use of data or denies access to data to any person who is entitled to access thereto.

The punishment for the mischief charge can be up to 10 years imprisonment, depending on how the prosecutor characterizes the "property" that the mischief was committed against. Typically (though not always), sentences arising from the same action are served concurrently, which means the accused in this case probably faces a maximum of ten years in prison.