No Jail Time for “WannaCry Hero”

Jul 19

Marcus Hutchins, the “accidental hero” who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm.

The British security enthusiast enjoyed instant fame after the U.K. media revealed he’d registered and sinkholed a domain name that researchers later understood served as a hidden “kill switch” inside WannaCry, a fast-spreading, highly destructive strain of ransomware which propagated through a Microsoft Windows exploit developed by and subsequently stolen from the U.S. National Security Agency.

In August 2017, FBI agents arrested then 23-year-old Hutchins on suspicion of authoring and spreading the “Kronos” banking trojan and a related malware tool called UPAS Kit. Hutchins was released shortly after his arrest, but ordered to remain in the United States pending trial.

Many in the security community leaped to his defense at the time, noting that the FBI’s case appeared flimsy and that Hutchins had worked tirelessly through his blog to expose cybercriminals and their malicious tools. Hundreds of people donated to his legal defense fund.

In September 2017, KrebsOnSecurity published research which strongly suggested Hutchins’ dozens of alter egos online had a fairly lengthy history of developing and selling various malware tools and services. In April 2019, Hutchins pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

At his sentencing hearing July 26, U.S. District Judge Joseph Peter Stadtmueller said Hutchins’ action in halting the spread of WannaCry was far more consequential than the two malware strains he admitted authoring, and sentenced him to time served plus one year of supervised release. 

Marcy Wheeler, an independent journalist who live-tweeted and blogged about the sentencing hearing last week, observed that prosecutors failed to show convincing evidence of specific financial losses tied to any banking trojan victims, virtually all of whom were overseas — particularly in Hutchins’ home in the U.K.

“When it comes to matter of loss or gain,” Wheeler wrote, quoting Judge Stadtmueller, “the most striking is comparison between you passing Kronos and WannaCry, if one looks at loss & numbers of infections, over 8B throughout world w/WannaCry, and >120M in UK.”

“This case should never have been prosecuted in the first place,” Wheeler wrote. “And when Hutchins tried to challenge the details of the case — most notably the one largely ceded today, that the government really doesn’t have evidence that 10 computers were damaged by anything Hutchins did — the government doubled down and issued a superseding indictment that, because of the false statements charge, posed a real risk of conviction.”

Hutchins’ conviction means he will no longer be allowed to stay in or visit the United States, although Judge Stadtmueller reportedly suggested Hutchins should seek a presidential pardon, which would enable him to return and work here.

“Incredibly thankful for the understanding and leniency of the judge, the wonderful character letter you all sent, and everyone who helped me through the past two years, both financially and emotionally,” Hutchins tweeted immediately after the sentencing. “Once t[h]ings settle down I plan to focus on educational blog posts and livestreams again.”

Cloud Security is Overwhelming. AI and Machine Learning Can Help

As companies embrace cloud computing, most struggle to keep pace with the increasingly complex environment and an expanding attack surface that challenges long-standing security conventions.

The sheer volume of devices, applications, and users working in the cloud creates an ecosystem that is far too complex and high-volume to be safeguarded by human security analysts. Companies need to bolster their security teams and practices with machine learning and artificial intelligence (AI) capabilities in order to have the best chance at maintaining visibility, mitigating risk and optimizing for their most precious resource: human analysts.

Cloud growth creates new security threats, and organizations are struggling. According to Symantec’s first Cloud Security Threat Report (CSTR), which surveyed 1,250 security decision makers worldwide, an overwhelming majority of respondents (93 percent) confirm they are having trouble keeping tabs on all cloud workloads while over a third (34 percent) said expanding cloud infrastructure has made it more complex and difficult to effectively manage their environments.

Unfortunately, there is more troubling news: Eighty-three percent of global CSTR respondents report a negative impact due to lack of visibility in the cloud and nearly three-quarters (73 percent) say their organizations have experienced a cloud-based security incident due to immature security practices. Over half (54 percent) say cloud security maturity is not keeping pace with the rapid expansion of new cloud apps, and 71 percent report an increase in IoT devices connected to Infrastructure-as-a-Service (IaaS), at a pace of around 20 percent growth just this last year. The deluge of new connected devices only serves to broaden an already expansive attack surface.

At the same time, the increased use of cloud apps to access and share private information is leading to increases in Shadow Data and oversharing of corporate files. Another indication of immature cloud security practices and inadequate protections is that 68 percent of responding firms report having “direct or likely evidence” that their data has been offered up for sale on the dark web.

The root of the problem is that companies have neither the time nor the bandwidth to keep up with the sheer volume and variety of ongoing incidents. Fewer than half (43 percent) of CSTR respondents report they analyzed all cloud security incidents encountered over the last year, and almost half (49 percent) said their organization’s cloud security team was far too overloaded to address the bulk of alerts they receive. Only one in 10 survey respondents say they can adequately analyze cloud traffic, while less than a third (27 percent) are confident all cloud security alerts are fully addressed by their security teams.

The primary culprit for the shortfall is a skills and security personnel shortage. CSTR respondents almost unanimously agreed that they need to enhance cloud security skills (92 percent) and add staff (84 percent) in order to close the gap.

Elevating Cloud Security

AI and machine learning can play a key role in enhancing the capabilities of security staff. An integrated security platform that utilizes AI and machine learning reduces the burden on security teams by automating the process of combing through telemetry data to find critical insights that will boost a security posture. Massive amounts of data, like the 9 trillion rows of telemetry monitored daily by Symantec’s Global Intelligence Center, can be analyzed with AI to create context and relationships. This task would be impossible for a human analyst.

In addition, machine learning and AI can also be used to facilitate a risk assessment of an organization’s security posture. By deploying the technologies to parse through vast amounts of disparate data, organizations can identify their most prominent areas of risk and prioritize resources accordingly.

Machine learning models learn from the telemetry and combine different events that are seemingly unrelated but, when correlated with enough context, can reveal a critical incident that would likely go unnoticed by an individual. Using machine learning and AI, Symantec is able to identify dramatically more critical events as part of its own security services than it could prior to use of the technologies.

There are a lot of moving parts in the cloud, and you don’t necessarily have a full picture of what’s going on. To effectively harness AI and ML, you need massive amounts of unbiased data. The recommended way to get this is by working with a partner that has global telemetry monitoring and analytics of cloud security incidents, and a proven track record with AI and ML. By doing so, you’ll have full confidence that the proverbial needle in the haystack won’t be missed, less obvious connections will be made, bad actors will be stopped, and that your company is properly safeguarded against potential risks.

Thankfully, prior research in this space arms us with optimism and the experience necessary to make this happen.

About the Author

Dr. Petros Efstathopoulos

Global Head of Symantec Research Labs

Petros joined Symantec Research Labs in 2009 and has focused on next-generation storage/backup systems, portable storage security, network security, privacy and identity. As the Global Head of SRL he is responsible for Lab strategy, direction, and growth.

Wanted: Cybersecurity Imagery

Eli Sugarman of the Hewlett Foundation laments the sorry state of cybersecurity imagery:

The state of cybersecurity imagery is, in a word, abysmal. A simple Google Image search for the term proves the point: It’s all white men in hoodies hovering menacingly over keyboards, green “Matrix”-style 1s and 0s, glowing locks and server racks, or some random combination of those elements — sometimes the hoodie-clad men even wear burglar masks. Each of these images fails to convey anything about either the importance or the complexity of the topic — or the huge stakes for governments, industry and ordinary people alike inherent in topics like encryption, surveillance and cyber conflict.

I agree that this is a problem. It’s not something I noticed until recently. I work in words. I think in words. I don’t use PowerPoint (or anything similar) when I give presentations. I don’t need visuals.

But recently, I started teaching at the Harvard Kennedy School, and I constantly use visuals in my class. I made those same image searches, and I came up with similarly unacceptable results.

But unlike me, Hewlett is doing something about it. You can help: participate in the Cybersecurity Visuals Challenge.