Computer law expert says British hacker's arrest problematic

A man types into a keyboard during the Def Con hacker convention in Las Vegas, Nevada, US on July 29, 2017. A computer law expert on Friday described the evidence so far presented to justify the US arrest of a notorious British cybersecurity researcher as being problematic. (REUTERS/Steve Marcus)
Updated 04 August 2017


LONDON: A computer law expert on Friday described the evidence so far presented to justify the US arrest of a notorious British cybersecurity researcher as being problematic — an indictment so flimsy that it could create a climate of distrust between the US government and the community of information-security experts.
News of Marcus Hutchins’ arrest in the United States for allegedly creating and selling malicious software able to collect bank account passwords has shocked the cybersecurity community. Many had rallied behind the British hacker, whose quick thinking helped control the spread of the WannaCry ransomware attack that crippled thousands of computers in May.
Attorney Tor Ekeland told The Associated Press that the facts in the indictment fail to show intent.
“This is a very, very problematic prosecution to my mind, and I think it’s bizarre that the United States government has chosen to prosecute somebody who’s arguably their hero in the WannaCry malware attack and potentially saved lives and thousands, hundreds of thousands, if not millions, of dollars over the sale of alleged malware,” Ekeland said. “This is just bizarre, it creates a disincentive for anybody in the information security industry to cooperate with the government.”
Hutchins was detained in Las Vegas as he was returning to his home in southwest Britain from an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.
Such malware infects web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cybertheft.
The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant — whose name was redacted — conspired between July 2014 and July 2015 to advertise the availability of the Kronos malware on Internet forums, sell the malware and profit from it. The indictment also accuses Hutchins of creating the malware.
The problem with software creation, however, is that a program often includes code written by multiple programmers. Prosecutors might need to prove that Hutchins wrote code with specific targets in mind.
Ekeland said that what is notable to him from the indictment is that it doesn’t allege any financial loss to any victims — or in any way identify them. Besides that, laws covering aspects of computer crime are unclear, often giving prosecutors broad discretion.
“The only money mentioned in this indictment is ... for the sale of the software,” he said. “Which again is problematic because in my opinion of this, if the legal theory behind this indictment is correct, well then half of the United States software industry is potentially a bunch of felons.”
Another expert in computer crime, Orin Kerr from George Washington University’s law school, also took aim at the charges. Kerr said it’s unusual, and problematic, for prosecutors to go after someone simply for writing or selling malware — as opposed to using it to further a crime.
“The indictment is pretty bare bones, and we don’t have all the facts or even what the government thinks are the facts,” Kerr wrote in an opinion piece in the Washington Post. “So while we can’t say that this indictment is clearly an overreach, we can say that the government is pushing the envelope in some ways and may or may not have the facts it needs to make its case.”
Jake Williams, a respected cybersecurity researcher, said he found it difficult to believe Hutchins is guilty. The two men have worked on various projects, including training material for higher education for which the Briton declined payment.
“He’s a stand-up guy,” Williams said in a text chat. “I can’t reconcile the charges with what I know about him.”
Hutchins, who lives with his family in the town of Ilfracombe, England, and worked out of his bedroom, has until Friday afternoon to determine if he wants to hire his own lawyer. The Electronic Frontier Foundation, a San Francisco-based digital rights group, said Friday it was “deeply concerned” about Hutchins’ arrest and was attempting to help him “obtain good legal counsel.”
Hutchins’ mother, Janet, who has been frantically trying to reach her son, said she was “outraged” by the arrest and that it was “hugely unlikely” her son was involved because he spends much of his time combatting such attacks.
The curly-haired computer whiz and surfing enthusiast discovered a so-called “kill switch” that slowed the unprecedented WannaCry outbreak. He then spent the next three days fighting the worm that crippled Britain’s hospital network as well as factories, government agencies, banks and other businesses around the world.
Though he had always worked under the moniker of MalwareTech, cracking WannaCry led to the loss of his anonymity and propelled him to cyber stardom. There were appearances and a $10,000 prize for cracking WannaCry. He planned to donate the money to charity.
“I don’t think I’m ever going back to the MalwareTech that everyone knew,” he told The Associated Press at the time.
___
Ritter reported from Las Vegas. Associated Press writers Raphael Satter in Paris, Frank Bajak in Houston and Matt O’Brien in Providence, Rhode Island, contributed to this report.


KSA must become more resilient against cyberattacks

Updated 22 July 2018


  • Healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power
  • A trained security professional cannot win the battle against cybercrime with just a mere knowledge of IT security

DUBAI: Cybercrime attacks could double over the next two years and cost Saudi Arabia’s economy up to SR30 billion ($8 billion) by 2020, according to security experts who warn the Kingdom is the most targeted country in the GCC for online fraudsters.
While Saudi Arabia is stepping up the war against cybercrime, the Kingdom must invest in training its own security professionals, expand its pool of skilled workers and strengthen its cybersecurity regulation to become more resilient against emerging attacks.
“Based on our relationship with key Saudi clients, we see that cybercrime in Saudi is growing faster than in most of the countries in the world, with more than a 35 percent increase in the number of attacks during the past year,” said Simone Vernacchia, a partner in Digital, CyberSecurity, Resilience and Infrastructure for PWC Middle East.
“Based on our experience in the GCC, Saudi is being targeted more frequently, and the cost of cyberattacks is 6 to 8 percent higher than in the rest of the GCC countries. The Saudi economy provides a more appealing target for cyberattackers.”
Vernacchia said it can be difficult to measure the true direct and indirect cost on Saudi Arabia’s economy each year.
“This said, we would expect direct and indirect costs arising from cyberattacks to total $3 to $4 billion (SR11.25 billion to SR15 billion) for 2018,” said Vernacchia.
“Assuming the growth will not be affected by large-scale events, we expect the direct and indirect impact of cyberattacks to grow up to $6 to $8 billion (SR22.5 billion to SR30 billion) by 2020. Among the major external events that can affect this figure, uncertainties in the region can result in an even more aggressive surge of cyberattacks.”
Vernacchia said there was a lack of willpower in organizations to invest in security measures, and urged them to invest in the manpower and technology that will enable them to become more resilient in the face of growing attacks. While Saudi is “not completely unprepared,” most businesses in the Kingdom are investing in cybersecurity far less than the leading countries.
“We see the average investment in cybersecurity awareness and capability to be on average about 60 percent lower in Saudi Arabia than what is invested by organizations of the same size in leading countries.
“This is a result of limited regulatory requirements for private entities, as private companies are trading the immediate benefit of spending less on cybersecurity protection with the high cost of one — or more — potentially highly effective targeted cyberattacks.”
An increase in cybersecurity regulation could also strongly limit the growth of cyberattacks, Vernacchia said. “The limited amount of cybersecurity-related regulation is a key issue, as it’s having two key effects. On one hand, some businesses are underestimating their exposure, and thus not investing in cybersecurity as they should — de facto increasing their risk. Other businesses are waiting for regulation to be drafted before investing in cybersecurity, in fear that the organization, processes and solutions they would implement may not be in line with the regulatory requirements which are coming.”
Amir Kolahzadeh, CEO of cybersecurity firm ITSEC, said Saudi-based businesses are reluctant to invest in adequate cybersecurity measures because they fail to recognize the long-term value of the initial investment needed.
“The core issue is that every business is looking at cybersecurity as a line item expense instead of looking at what the cost would be if there is a breach,” he said. “This is a worldwide epidemic at the moment. However, it is much more evident in the GCC due to a lack of truly trained IT security professionals who can show the business acumen, foresight and the communication skills to demonstrate that potential losses are exponentially greater than the cost of securing the enterprise.”
David Michaux, of online security company Whispering Bell, said as Saudi Arabia forges ahead with its knowledge-based economy and becomes “more online,” the potential for attacks will grow.
With Saudi Arabia’s Vision 2030 of a “knowledge economy,” growth in the ICT sector will be fueled by digitization — including IT innovation, big data projects, smart city initiatives, and cloud-based services. In addition, Saudis are among the most active social media users in the world — and the largest adopters of Twitter in the Arab region.
Mathivanan V., vice president of ManageEngine, said Saudi Arabia has taken “significant steps” to achieve cyber-readiness, including the introduction of the National Authority of Cyber Security, which aims to enhance the protection of networks, IT systems, and data through regulatory and operational tasks. He warned, however, that sophisticated cyberthreats have evolved in the wake of digitization, and urged companies to better employ sustainable IT practices and state-of-the-art cybersecurity tools.
“A trained security professional cannot win the battle against cybercrime with just a mere knowledge of IT security,” he said. “What he needs is the right weapon to master the art of cybersecurity.”
James Lyne, head of R&D at SANS Institute, which specializes in information security, said given Saudi Arabia’s visible agenda to lead the charge in smart cities, connected industry and to develop a knowledge economy, it is key that the Kingdom also has an equally ambitious cybersecurity skills strategy.
“A gap between the two will lead to substantial attacks and reputation damage for the region,” he said.
“Firstly, Saudi Arabia needs more cybersecurity practitioners overall — particularly with the ambitious development projects being undertaken as part of the Kingdom’s 2030 Vision. Secondly, existing cybersecurity practitioners also have to continue to sharpen their skills to increase the depth of their expertise.”
He urged companies not to ignore the fact that employee behavior is a weak link in cybersecurity and is becoming an increasing source of risk.
“Many of the breaches that occur still take advantage of basic cybersecurity failures and, as such, education has to be a huge part of the solution. Everyone in Saudi Arabia has a role to play in making sure that cybercriminals get fewer clicks on their nasty emails, documents and phishing links.”
He said it was difficult to truly grasp the overall financial figures associated with cybercrime.
“That said, even the tip of the iceberg that we do see is very substantial and it has already been demonstrated that Saudi Arabia is a major target. Given attackers have already had success compromising facilities, it is extremely likely other cybercriminals will follow.”