Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/7/2017
05:50 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

WannaCry Hero Garners Security Industry Support Following Arrest

US law enforcement arrested British security researcher Marcus Hutchins for allegedly developing and selling the Kronos banking Trojan.

Many within the security community appear to be rallying behind British bug hunter and researcher Marcus Hutchins following his stunning arrest last Thursday for allegedly creating, advertising, and selling the Kronos banking Trojan.

Leading privacy and civil rights group the Electronic Frontier Foundation (EFF) Monday expressed its "deep" concern over the arrest of the man that just this May was widely hailed as a hero for shutting down the WannaCry ransomware pandemic.

"We are looking into the matter and attempting to help Mr. Hutchins obtain good legal counsel," the EFF said in a statement to Dark Reading.

New York City-based cyber law firm Tor Ekeland P.C. along with Symantec cybersecurity czar Tarah Wheeler have established a site for donating to Hutchins' legal defense citing the researcher's right to a fair trial. "We may all have opinions about what Marcus did and didn't do," Wheeler said in comments on the site.

"This is not about guilt or innocence; it is about the belief that all people deserve to be represented under American law with fervor and passion, and that includes security researchers."

The 23-year old Hutchins, who is better known as MalwareTech, has pleaded not guilty to the charges against him and was granted a $30,000 bail Friday. He is scheduled to make an appearance in federal court in Milwaukee on Tuesday. A prosecutor has claimed that Hutchins admitted to creating the banking malware and sold it. If convicted on all charges, Hutchins could spend years in prison.

But the relatively scant information in the indictment papers and the fact that Hutchins is one of two alleged conspirators in the scheme — the other has not yet been identified — have prompted questions about the strength of the government's case against him.

Some, who remember Hutchins' recent role in shutting down WannaCry, appear convinced that the arrest was unmerited and an overreach on the part of federal prosecutors. Others are reserving judgment till more information becomes available.

"As with others in the community, it was a bit of a shock, especially after a Black Hat with positive involvement from high-ranking members of DOJ, " says Jonathan Cran, vice president of research at bug bounty coordination firm BugCrowd.

"We're all trying to determine what this means for Hutchins, as well as what it means for ourselves, and for other researchers in the community. For better or worse, it is already having a chilling effect on research," he says.

Like many others, Cran says the activities that prosecutors have hit Hutchins with — at least based on what's in the indictment papers — were likely not as nefarious as the charges would lead one to believe. For instance, it is entirely possible that Hutchins' alleged act of selling a copy of Kronos and his offer of a "crypting" service to make it more invisible were simply tactics to build and maintain a reputation in underground markets.

In order for the US government to win the case, there needs to be more detail in the form of chat logs, and transactions that show Hutchins' intent when he allegedly hawked and sold the malware, Cran says.

"I think this is a wakeup call that while security research is carefully being welcomed, there are very fine lines for researchers, and it's extremely important to pay attention to the evolving case law. This is not the first case we've seen of this kind and it's not likely to be the last," he says.

Orin Kerr, a professor of law at the George Washington University Law School and a noted expert on cyber matters, is one of those who believes the government will have a hard time proving its case against Hutchins, based on what's known so far about the charges.

In an opinion piece in the Washington Post, Kerr held that based on a first look at the indictment, the government is being overly aggressive in its charges against Hutchins. For example, one of the charges against Hutchins is related to a statute that makes it illegal for anyone to intentionally send out a program or a command that damages a computer. However, in this case, the government's charge appears to be that Hutchins' sale of the software to a third-party is the same as his causing actual damage to a computer.

"For the charge to fit the statute, the government has to prove two things that it may or may not be able to prove," he said. First, prosecutors have to show that Hutchins and his unnamed conspirator had an intention to create damage. Secondly, they need to prove that the agreement between Hutchins and his conspirators was to cause damage to other computers via malware, Kerr said. He pointed to similar legal challenges with all of the other charges against Hutchins.

Ron Austin, an associate professor at Birmingham City University's School of Computing and Digital Technology in the U.K., says the case raises a number of issues between where the cybersecurity community is and where the law is in relation to researching and stopping attacks.  "There is a risk within security research where a researcher may release test code that is later used maliciously," Austin says.

"It’s a difficult balance between informing and the use of that information. The researcher needs to be able to inform the community in a responsible way," he says. "If it becomes an issue where research is stopped or delayed because the researchers are worried that they face a court case, it risks the unethical hackers gaining ground."

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1817
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 contains an error in the api.php script which allows remote attackers to obtain sensitive information.
CVE-2013-2091
PUBLISHED: 2019-11-20
SQL injection vulnerability in Dolibarr ERP/CRM 3.3.1 allows remote attackers to execute arbitrary SQL commands via the 'pays' parameter in fiche.php.
CVE-2012-1257
PUBLISHED: 2019-11-20
Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor.
CVE-2013-1816
PUBLISHED: 2019-11-20
MediaWiki before 1.19.4 and 1.20.x before 1.20.3 allows remote attackers to cause a denial of service (application crash) by sending a specially crafted request.
CVE-2011-4455
PUBLISHED: 2019-11-20
Multiple cross-site scripting vulnerabilities in Tiki 7.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the path info to (1) tiki-admin_system.php, (2) tiki-pagehistory.php, (3) tiki-removepage.php, or (4) tiki-rename_page.php.