WannaCry hero Hutchins, now officially a convicted cybercriminal – Naked Security


The selected image comes from @MalwareTechBlog, the Twitter feed of Marcus Hutchins.
Louise Mensch is an independent British and American journalist.

Remember the reluctant hero of WannaCry?

WannaCry is ransomware that made headlines in mid-2017 for two important reasons.

First, it was a true computer worm, or virus, that spread automatically to the next guy, and to the next guy …

… and so on, which means that even though it drew attention to itself very quickly, it was nevertheless able to spread very quickly.

SophosLabs estimated that it had infected 200,000 computers in 150 countries within four days of arriving in the wild.

Second, the mechanism WannaCry used to spread relied on exploit code called ETERNALBLUE, which was allegedly developed by the US National Security Agency for the purpose of secret intelligence gathering.

This exploit, along with many others, was then stolen in a computer breach at the NSA, sold for a while at a derisory price, and eventually made available for anyone to use for free in early 2017.

In early 2017, Microsoft released a patch that effectively immunized everyone who applied it, but those who neglected or refused the update were at risk.

Enter our hero

Amid the WannaCry panic, a young British man quietly analyzed the behavior of the virus and quickly spotted what is called a "kill switch" in its programming.

If the ransomware was able to connect to a specific, oddly named server, it would let you off and not scramble your files.

But if the call home failed, the ransomware attack went ahead and you ended up facing a $300 extortion demand to recover your files.

For reasons we will probably never know, the crooks who wrote WannaCry did not bother to buy the domain name used by this safety valve; our hero quietly registered the domain himself.

Then he set up a web server that activated the safety valve, so that almost everyone in the world with even halfway decent internet connectivity was automatically protected from the data-zapping payload of the WannaCry attack.

This prompt and decisive action almost certainly saved many innocent users from paying $300 demands in Bitcoin, and averted a lot of heartache.

Reluctant celebrity

At first, our hero kept a low profile, but he was quickly identified by the British media – to a naturally warm welcome – as Marcus Hutchins.

His disarming likeability made his initial reluctance seem little more than youthful shyness, but a more serious reason for him to have avoided the spotlight soon emerged.

Suddenly elevated to cybersecurity fame, Hutchins was invited to attend the 2017 DEF CON hacker convention. He flew to Las Vegas, Nevada, where the event takes place.

Unfortunately for Hutchins, US law enforcement, in the form of the FBI, already had him in their sights; indeed, he seems to have been a "person of interest" to them for a while, despite his youth (he had just turned 23 when he traveled to DEF CON).

The FBI had formed the opinion that Hutchins had not only written malicious software while he was a young man, but had also sold it, knowing that buyers wanted it for criminal purposes.

Writing viruses may not be a crime, at least in the United States, but using malware to attack computers, steal data and make money is another matter.

Anyway, in the week that Hutchins was in Nevada, the feds put their paperwork in order and at the last moment – apparently while he was waiting for his flight home at McCarran airport in Las Vegas – they turned up to arrest Hutchins and take him into custody.

Presumption of innocence

The initial reaction of many members of the cybersecurity community has been an outburst of contempt and hatred against American law enforcement.

Even among those who knew him only in passing or via his online presence, Hutchins was a hero who had spent his own money helping others. He was therefore generally presumed to be innocent and the charges against him.

Investigative reporter Brian Krebs admits that he too wanted to believe in Hutchins's innocence, but he said he had better explore Hutchins's background a little more before forming an opinion.

After three weeks of "joining the dots", Krebs published an article in which he said:

At first, I did not think that the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the story of dozens of nicknames, e-mails, and domains that he had apparently used on hacker forums, apparently over the last decade, a very different picture started to emerge.

Admission of guilt

Hutchins pleaded not guilty at the beginning of his trial and managed to get bail, but had to surrender his passport and stay in the United States.

And that's how things stood until last week, when Hutchins himself tweeted:

The article linked by the tweet is short and simple:

As you may know, I pleaded guilty to two counts of writing malware in the years prior to my career in the security sector. I regret these acts and accept responsibility for my mistakes. Having grown up, I have been using the same skills that I misused many years ago for constructive purposes. I will continue to devote my time to protecting people against malware attacks.

This is not the typical sort of mea culpa admission we have seen from cybercriminals in the past.

Hutchins does not try to blame his victims for not patching, for example; or blame the vendors of operating systems for writing faulty code; or blame the world in general for not paying attention to bug reports instead of war; or pretend that cyberattacks do not really matter because they do not hurt anyone, unlike violent crimes.

Of course, we know that the words and structure of this concise and carefully worded statement were probably drafted by Hutchins's lawyers as a formal requirement of his plea agreement …

… But in this case, we are inclined to believe it.

He has not yet been sentenced, so we cannot tell you what effect, if any, this statement will have.

Apparently, the maximum prison sentence for his offenses is five years, but many members of the cybersecurity community seem to want Hutchins to be treated leniently, even though he is now officially recognized as a cybercriminal.

And then?

We do not expect Hutchins to get off with a suspended prison sentence or a fine followed immediately by deportation to the UK, however effective such a sentence might seem.

After all, US courts may want to set a clear deterrent to other young people toying with the idea of a "career" of attacking the online lives of innocent victims with malware.

We therefore believe that he will go to prison to serve a custodial sentence, although we cannot see him serving a five-year term, and in view of his guilty plea and his public confession, we hope that he does not.

Hutchins really does seem sincerely remorseful and even took to Twitter with some wise advice for those who follow him:

Have your say

What do you think he'll get?

And what do you think he deserves, considering that he is now found guilty of having created and sold malicious software for criminal purposes?

Tell us in the comments below.