"The CRA also declined to explain how it determined which SINs were hacked, since Heartbleed intrusions are hard to detect."

My guess is he was probably quite proud of himself and went and told the agency: "Hey, you've got Heartbleed, look at all the SINs somebody can get." And then they promptly turned around and arrested him. He'll be touted as the latest evil hacker, and the CRA will bang on about how they "detected and captured" him. Remember, kids: if you don't have a signed authorization form, stay out, or at the very least keep your mouth shut.

Joseph Pierini | CISSP, PCI: QSA, PA-QSA, QAE
Director of Technical Services
Security Assessor - Penetration Tester
PSC - Business & Technology
Experts in Payments, Security & Compliance

On 4/16/14, 4:28 PM, "Andrew Klaus" <[email protected]> wrote:

>I'm guessing he scripted to pull as many login/passes (or cookies) as
>possible, then simply looped through them and grabbed the SIN data from the
>web interface, needing to "login" to each.
>
>Indeed, what an idiot.
>
>
>On Wed, Apr 16, 2014 at 12:27 PM, Justin Bull <[email protected]> wrote:
>
>> Some 19-year-old kid used Heartbleed to gain access to the CRA systems and
>> purge 900 SINs (akin to SSNs) from the agency.
>>
>> What a fool.
>>
>> http://www.theglobeandmail.com/news/national/rcmp-charge-teen-in-relation-to-alleged-heartbleed-bug-theft/article18041007/#dashboard/follows/
>>
>> --
>> Best Regards,
>> Justin Bull
>> E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C
>>
>> _______________________________________________
>> Sent through the Full Disclosure mailing list
>> http://nmap.org/mailman/listinfo/fulldisclosure
>> Web Archives & RSS: http://seclists.org/fulldisclosure/
