Ar­rest shines light on shad­owy com­mu­nity of good, bad hack­ers

Kuwait Times - - TECHNOLOGY -

WASH­ING­TON: Two months ago, Mar­cus Hutchins was an “ac­ci­den­tal hero,” a young com­puter whiz liv­ing with his par­ents in Bri­tain who found the “kill switch” to the dev­as­tat­ing Wanna Cry ran­somware. To­day, the 23year-old is in a US fed­eral prison, charged with cre­at­ing and dis­tribut­ing ma­li­cious soft­ware de­signed to at­tack the bank­ing sys­tem. His ar­rest this week stunned the com­puter se­cu­rity com­mu­nity and shines a light on the shad­owy world of those who some­times strad­dle the line be­tween le­gal and il­le­gal ac­tiv­i­ties.

Hutchins’ ar­rest fol­low­ing Def Con in Las Ve­gas, one of the world’s largest gath­er­ing of hack­ers, de­liv­ered “an ex­treme shock,” ac­cord­ing to Gabriella Cole­man, a McGill Univer­sity pro­fes­sor who stud­ies the hacker com­mu­nity. “The com­mu­nity at Def Con would not ad­mire a hacker who was do­ing hard­core crim­i­nal ac­tiv­ity for profit or dam­age-that is frowned upon,” Cole­man said. “But there are peo­ple who do se­cu­rity re­search... who un­der­stand that some­times in or­der to im­prove se­cu­rity, you have to stick your nose in ar­eas that may break the law. They don’t want to hurt any­one but they are do­ing it for re­search.”

Hack­ers are gen­er­ally clas­si­fied as “white hats” if they stay within the law and “black hats” if they cross the line. At gath­er­ings like Def Con, “you have peo­ple who dab­ble on both sides of the fence,” said Rick Hol­land, vice pres­i­dent at the se­cu­rity firm Dig­i­tal Shad­ows. An in­dict­ment un­sealed by US au­thor­i­ties charges Hutchins and a sec­ond in­di­vid­ual-whose name was redacted-of mak­ing and dis­tribut­ing in 2014 and 2015 the Kronos “bank­ing Tro­jan,” a ref­er­ence to ma­li­cious soft­ware de­signed to steal user names and pass­words used at on­line bank­ing sites.

Hacker mind­set

James Scott, a se­nior fel­low who fol­lows cy­ber­se­cu­rity at the In­sti­tute for Crit­i­cal In­fra­struc­ture Tech­nol­ogy, said it is some­times dif­fi­cult to sep­a­rate the white hats from the black hats. The hacker mind­set in­cludes “an in­sa­tiable need to sat­isfy their in­tel­lec­tual cu­rios­ity,” Scott said. “Hack­ers have that thing, they can’t sleep. It’s per­sis­tent and it’s con­stant and it can drive you nuts.” Scott said he did not know de­tails of the Hutchins case but that it is pos­si­ble he wrote code that some­one else “weaponized.”

Rob Gra­ham of Er­rata Se­cu­rity said he came to a sim­i­lar con­clu­sion, that Hutchins “wrote some code, but ev­ery­thing else was done by the other guy... As a writer of code some­times used in viruses, this wor­ries me.” Friends and col­lab­o­ra­tors of Hutchins-known by his on­line moniker “Mal­waretech”-said they found the al­le­ga­tions hard to be­lieve. “He worked with me on a project in 2014 he re­fused pay­ment for,” said a tweet from Jake Williams of Ren­di­tion In­foSec. “This is in­con­gru­ous with a black hat writ­ing code for money at the same time.” Se­cu­rity re­searcher An­drew Mab­bitt tweeted that Hutchins “spent his ca­reer stop­ping mal­ware, not writ­ing it.”

More cir­cum­spect

Re­gard­less of the out­come of the case, some se­cu­rity pro­fes­sion­als said the ar­rest could erode trust be­tween the hacker com­mu­nity and law en­force­ment. Cole­man said hack­ers and re­searchers al­ready tread care­fully in light of the Com­puter Fraud and Abuse Act, a law that makes it il­le­gal to ac­cess a com­puter sys­tem with­out au­tho­riza­tion and has been roundly crit­i­cized by some se­cu­rity pro­fes­sion­als. “The statute is very broad and it can be wielded as a tool against re­searchers,” Cole­man said.

She noted that many in the hacker com­mu­nity are still reel­ing over the 2013 sui­cide of ac­tivist Aaron Swartz, who was charged un­der the same law for il­le­gally down­load­ing aca­demic jour­nals.

Hutchins’ ar­rest “might ac­tu­ally drive cer­tain se­cu­rity re­searchers fur­ther un­der­ground,” said John Dick­son of Denim Group, a se­cu­rity con­sul­tancy. “I know sev­eral se­cu­rity re­searchers from Europe, whom I con­sider on the ‘white hat’ side of the house, who will no longer travel to the US to be on the safe side.”

Hol­land of Dig­i­tal Shad­ows added that the news “could make peo­ple more cir­cum­spect about who they may col­lab­o­rate with.” Scott said the ar­rest may be coun­ter­pro­duc­tive for cy­ber­se­cu­rity be­cause hack­ers like Hutchins help ex­pose se­cu­rity flaws in or­der to fix them. “The es­tab­lish­ment needs hack­ers more than hack­ers need the es­tab­lish­ment,” he said. Scott added that Hutchins’ ob­vi­ous tal­ents could make him an as­set for na­tional se­cu­rity in­stead of a li­a­bil­ity. “I wouldn’t be sur­prised if a fed­eral agency made him an of­fer he can’t refuse,” Scott said. “A guy like that should be at Fort Meade,” he added, re­fer­ring to the head­quar­ters of the Na­tional Se­cu­rity Agency.—AFP

Newspapers in English

Newspapers from Kuwait

© PressReader. All rights reserved.