Cy­ber­at­tack hero’s ar­rest a sur­prise

U.S. mal­ware case seen as slim by some se­cu­rity ex­perts

Northwest Arkansas Democrat-Gazette - - BUSINESS & FARM - DANICA KIRKA AND KEN RIT­TER

LON­DON — A com­puter law ex­pert on Fri­day de­scribed the ev­i­dence so far pre­sented to jus­tify the U.S. ar­rest of a British cy­ber­se­cu­rity re­searcher as be­ing prob­lem­atic — an in­dict­ment so flimsy that he said it could cre­ate a cli­mate of dis­trust be­tween the U.S. gov­ern­ment and the com­mu­nity of in­for­ma­tion-se­cu­rity ex­perts.

News of Mar­cus Hutchins’ Wed­nes­day ar­rest in the United States af­ter be­ing ac­cused of cre­at­ing and sell­ing ma­li­cious soft­ware able to col­lect bank ac­count pass­words has shocked the cy­ber­se­cu­rity com­mu­nity. Many had ral­lied be­hind the British hacker, whose quick think­ing helped con­trol the spread of the Wan­naCry ran­somware at­tack that crip­pled thou­sands of com­put­ers in May.

At­tor­ney Tor Eke­land said the facts in the in­dict­ment fail to show in­tent.

“This is a very, very prob­lem­atic prose­cu­tion to my mind, and I think it’s bizarre that the United States gov­ern­ment has cho­sen to pros­e­cute some­body who’s ar­guably their hero in the Wan­naCry mal­ware at­tack and po­ten­tially saved lives and thou­sands, hun­dreds of thou­sands, if not mil­lions, of dol­lars over the sale of al­leged mal­ware,” Eke­land said. “This is just bizarre, it cre­ates a dis­in­cen­tive for any­body in the in­for­ma­tion se­cu­rity in­dus­try to co­op­er­ate with the gov­ern­ment.”

Hutchins was de­tained in Las Ve­gas as he was re­turn­ing to his home in south­west

Bri­tain from an an­nual gath­er­ing of hack­ers and in­for­ma­tion se­cu­rity gu­rus. A grand jury in­dict­ment charged Hutchins with cre­at­ing and dis­tribut­ing mal­ware known as the Kronos bank­ing Tro­jan.

Such mal­ware in­fects Web browsers, then cap­tures user­names and pass­words when an un­sus­pect­ing user vis­its a bank or other trusted lo­ca­tion, en­abling cy­bertheft.

The in­dict­ment, filed in a Wis­con­sin fed­eral court last month, al­leges that Hutchins and an­other de­fen­dant — whose name was redacted — con­spired be­tween July 2014 and July 2015 to ad­ver­tise the avail­abil­ity of the Kronos mal­ware on In­ter­net fo­rums, sell the mal­ware and profit from it. The in­dict­ment also ac­cuses Hutchins of cre­at­ing the mal­ware.

The prob­lem with soft­ware cre­ation, how­ever, is that of­ten a pro­gram can in­clude code writ­ten by mul­ti­ple pro­gram­mers. Pros­e­cu­tors might need to prove that Hutchins wrote code with spe­cific tar­gets.

Eke­land said that what is no­table to him from the in­dict­ment

is that it doesn’t al­lege any fi­nan­cial loss to any vic­tims — or in any way iden­tify them. Be­sides that, laws cov­er­ing as­pects of com­puter crime are un­clear, of­ten giv­ing pros­e­cu­tors broad dis­cre­tion.

“The only money men­tioned in this in­dict­ment is … for the sale of the soft­ware,” he said. “Which again is prob­lem­atic be­cause in my opin­ion of this, if the le­gal the­ory be­hind this in­dict­ment is cor­rect, well then half of the United States soft­ware in­dus­try is po­ten­tially a bunch of felons.”

An­other ex­pert in com­puter crime, Orin Kerr from Ge­orge Wash­ing­ton Univer­sity’s law school, also took aim at the charges. Kerr said it’s un­usual, and prob­lem­atic, for pros­e­cu­tors to go af­ter some­one sim­ply for writ­ing or sell­ing mal­ware — as op­posed to us­ing it to fur­ther a crime.

“The in­dict­ment is pretty bare bones, and we don’t have all the facts or even what the gov­ern­ment thinks are the facts,” Kerr wrote in an opin­ion piece in the Wash­ing­ton

Post. “So while we can’t say that this in­dict­ment is clearly an over­reach, we can say that the gov­ern­ment is push­ing the en­ve­lope in some ways and may or may not have

the facts it needs to make its case.”

Jake Williams, a re­spected cy­ber­se­cu­rity re­searcher, said he found it dif­fi­cult to be­lieve Hutchins is guilty. The two men have worked on var­i­ous projects, in­clud­ing train­ing ma­te­rial for higher ed­u­ca­tion for which the Bri­ton de­clined pay­ment.

“He’s a stand-up guy,” Williams said in a text chat. “I can’t rec­on­cile the charges with what I know about him.”

The Elec­tronic Fron­tier Foun­da­tion, a San Fran­cis­cobased dig­i­tal rights group, said Fri­day that it was “deeply con­cerned” about Hutchins’ ar­rest and was at­tempt­ing to help him “ob­tain good le­gal coun­sel.”

Hutchins’ mother, Janet, who has been fran­ti­cally try­ing to reach her son, said she was “out­raged” by the ar­rest and that it was “hugely un­likely” her son was in­volved be­cause he spends much of his time com­bat­ting such at­tacks.

The curly-haired com­puter whiz and surf­ing en­thu­si­ast dis­cov­ered a so-called “kill switch” that slowed the un­prece­dented Wan­naCry out­break. He then spent the next three days fight­ing the worm that crip­pled Bri­tain’s

hos­pi­tal net­work as well as fac­to­ries, gov­ern­ment agen­cies, banks and other busi­nesses around the world.

Though he had al­ways worked un­der the moniker of Mal­wareTech, crack­ing Wan­naCry led to the loss of his anonymity and pro­pelled him to cy­ber star­dom. There were ap­pear­ances and a $10,000 prize for crack­ing Wan­naCry. He planned to do­nate the money to char­ity.

“I don’t think I’m ever go­ing back to the Mal­wareTech that ev­ery­one knew,” he said at the time.

AP/FRANK AUG­STEIN

Bri­ton Mar­cus Hutchins, cred­ited with de­rail­ing a global cy­ber­at­tack in May, has been in­dicted in the U.S. on charges of cre­at­ing and dis­tribut­ing mal­ware that can glean bank ac­count pass­words.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.