Hacker Who Helped Stop Global Cyber-Attack Arrested in US

Marcus Hutchins, a young British researcher credited with derailing a global cyber-attack in May, was arrested for allegedly creating and distributing malicious software designed to collect bank-account passwords, US authorities said Thursday.

News of Hutchins’ detention came as a shock to the cyber-security community. Many had rallied behind the researcher whose quick thinking helped control the spread of the WannaCry ransomware attack that crippled thousands of computers.

Hutchins was detained in Las Vegas on his way back to Britain from an annual gathering of hackers and information security gurus. A grand jury indictment charged Hutchins with creating and distributing malware known as the Kronos banking Trojan.

Such malware infects Web browsers, then captures usernames and passwords when an unsuspecting user visits a bank or other trusted location, enabling cyber-theft.

The indictment, filed in a Wisconsin federal court last month, alleges that Hutchins and another defendant – whose name was redacted – conspired between July 2014 and July 2015 to advertise the availability of the Kronos malware on internet forums, sell the malware and profit from it. The indictment also accuses Hutchins of creating the malware.

Authorities said the malware was first made available in early 2014, and “marketed and distributed through AlphaBay, a hidden service on the Tor network.” The US Department of Justice announced in July that the AlphaBay “darknet” marketplace was shut down after an international law enforcement effort.

Hutchins’ arraignment was postponed Thursday in US District Court in Las Vegas by a magistrate judge who gave him until Friday afternoon to determine if he wants to hire his own lawyer.

Hutchins was in Las Vegas for Def Con, an annual cyber-security conference that ended Sunday. On Wednesday, Hutchins made comments on Twitter that suggested he was at an airport getting ready to board a plane for a flight home. He never left Nevada.

Jake Williams, a respected cyber-security researcher, said he found it difficult to believe Hutchins is guilty. The two men have worked on various projects, including training material for higher education for which the Briton declined payment.

“He’s a stand-up guy,” Williams said in a text chat. “I can’t reconcile the charges with what I know about him.”

A Justice Department spokesman confirmed the 22-year-old Hutchins was arrested Wednesday in Las Vegas. Officer Rodrigo Pena, a police spokesman in Henderson, near Las Vegas, said Hutchins spent the night in federal custody in the city lockup.

Andrew Mabbitt, a British digital security specialist who had been staying in Las Vegas with Hutchins, said he and his friends grew worried when they got “radio silence” from Hutchins for hours. The worries deepened when Hutchins’ mother called to tell him the young researcher hadn’t made his flight home.

Mabbitt said he eventually found Hutchins’ name on a detention center website. News of his indictment Thursday left colleagues scrambling to understand what happened.

“We don’t know the evidence the FBI has against him, however we do have some circumstantial evidence that he was involved in that community at the time,” said computer security expert Rob Graham.

The big question is the identity of the co-defendant in the case, whose name is redacted in the indictment. Why was it blacked out? “Maybe the other guy testified against him,” said Graham.

The co-defendant allegedly advertised the malware online. Hutchins is accused of creating and transmitting the program.

Williams, the president of Rendition Infosec, speculated that the co-defendant might have been caught up in the takedown of AlphaBay and framed Hutchins in exchange for a plea deal.

The problem with software creation is that often a program includes code written by multiple programmers. Prosecutors might need to prove that Hutchins wrote code with specific targets.

Williams pointed to a July 13, 2014 tweet by Hutchins, whose moniker is @MalwareTechBlog, asking if anyone had a sample of Kronos to share.

“I’ve written code that other people have injected malware into,” said Graham. “We know that large parts of Kronos were written by other people.”

One legal scholar who specializes in studying computer crime said it’s unusual, and problematic, for prosecutors to go after someone simply for writing or selling malware – as opposed to using it to further a crime.

“This is the first case I know of where the government is prosecuting someone for creating or selling malware but not actually using it,” said Orin Kerr, a law professor at George Washington University. Kerr said it will be difficult to prove criminal intent.

“It’s a constant issue in criminal law – the helping of people who are committing a crime,” Kerr said. “When is that itself a crime?”

HBO Hackers Threaten to Leak More Data on Sunday: Report

The hackers behind this week’s HBO breach, who claim to have leaked unaired episodes of the network’s shows, including the highly popular fantasy drama Game of Thrones, have now threatened to release additional content from the hack this coming Sunday.

In an automated email reply sent to Variety, the hackers wrote that they will “release the leak gradually every week,” adding that the next release may come on “Sunday”.

The group also repeated its claim that it had obtained a total of 1.5 terabytes of data when it broke into HBO’s computer networks.

The news first broke on Tuesday when the hackers released a handful of unaired episodes of HBO shows, as well as other internal data, online.

The network has acknowledged the hack, but has not given out any details about the types of files hackers were able to obtain.

On Tuesday, a company called IP-Echelon filed a report with Google on behalf of HBO, noting that the named website “shares thousands of Home Box Office (HBO) internal company documents.” IP-Echelon regularly files such copyright-infringement notices on behalf of large media entertainment companies, including HBO.

Federal law requires Internet companies like Google to remove links to sites that infringe copyright once they receive such notifications. Google routinely forwards such notices to the longstanding public-interest repository Lumen, formerly known as Chilling Effects, once it has complied.

Google Offered to Buy Snapchat Parent for $30 Billion: Report

Search engine giant Google had offered $30 billion (roughly Rs. 1,91,044 crores) to buy Snap – the parent company of popular messaging app Snapchat – in 2016 and a similar offer is still open, a media report said.

Google had held informal dialogue with Snap and floated an offer of $30 billion before the latter’s last funding round, said a report in Business Insider on Thursday.

“One person claimed Google and Snap also had discussions about a potential buyout just ahead of Snap’s initial public offering earlier this year, and that an offer in the ballpark of $30 billion has continued to be on the table since the IPO. Chatter that Snap passed up a chance to sell to Google for at least twice its current value could be especially painful for investors and employees grappling with the company’s sinking stock,” the report notes.

Snap’s CEO Evan Spiegel, who is widely considered to be independent, apparently did not show interest in selling his firm to Google or anybody else.

Spiegel also values running Snap in Southern California and outside of Silicon Valley, where Alphabet, Google’s parent company, is headquartered.

Earlier, in 2013, Google was rumoured to have tried to acquire Snapchat for $4 billion after Spiegel refused an offer from Facebook CEO Mark Zuckerberg, the report added.

Snap is set to announce its earnings report next week, its second since going public at $17 just four months ago.

This Website Lets You Check Password Strength Against 320 Million Leaked Passwords

There have been plenty of data breaches in which a large amount of personal information, including passwords, usernames, and email addresses, has been compromised. The stolen data is often leaked online, resulting in an enormous stash of stolen credentials. But a website that goes by Have I Been Pwned (HIBP) is coming to the rescue by making that data publicly available, so that companies that require any sort of sign-in information from users can match the entered passwords against those in the collection, and then warn users if they have been compromised before.

Troy Hunt, the mastermind behind HIBP, has published over 320 million passwords through his blog to help companies secure their online networks. These passwords have been aggregated from several data breaches that happened over time, and are now available to everyone on the HIBP website. However, Hunt says that the ‘pwned-passwords’ that are publicly available on his website do not disclose the email addresses and usernames that they were associated with. The website Have I Been Pwned, or HIBP, generally lets users see if their email addresses have been breached without revealing the passwords, but Hunt has created the inverse of the concept this time, in an effort to inform Internet users and companies about passwords that can be easily hacked.

The sole motive behind HIBP’s new password service is to inform companies about compromised passwords, so that when any user tries to enter a password that matches, the company can warn them to use a more secure password instead. Alternatively, since the HIBP website is open to all, any user can voluntarily go to the website and check whether the password they’ve been thinking of using has already been breached. Nevertheless, Hunt advises such users to be cautious before checking any passwords that they currently use. “The point of the web-based service is so that people who have been guilty of using sloppy passwords have a means of independent verification that it’s not one they should no longer be using,” he notes in his blog.

While this service can be more securely accessed over an Internet connection, Hunt has also made the entire collection of passwords, which is almost 5.3GB in size, available for offline download as a ZIP file.
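A sign-up check against an offline copy of the list, as described above; this is an added example, not code from the article or from HIBP. It assumes the download unpacks to a sorted text file of uppercase SHA-1 hex digests, one per newline-terminated line, and the sample file and all function names are constructed here.

```python
import hashlib
import os
import tempfile

RECORD_LEN = 41  # assumption: 40 hex characters plus "\n" per record

def sha1_hex(password: str) -> bytes:
    """Uppercase SHA-1 hex digest; a lookup key here, not a storage hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper().encode("ascii")

def build_sample_list(path: str, passwords) -> None:
    """Write a constructed stand-in for the download: sorted hashes only."""
    with open(path, "wb") as fh:
        for digest in sorted({sha1_hex(p) for p in passwords}):
            fh.write(digest + b"\n")

def is_breached(path: str, password: str) -> bool:
    """Binary-search the sorted file on disk, so multi-GB lists need no RAM."""
    target = sha1_hex(password)
    with open(path, "rb") as fh:
        lo, hi = 0, os.path.getsize(path) // RECORD_LEN
        while lo < hi:
            mid = (lo + hi) // 2
            fh.seek(mid * RECORD_LEN)
            record = fh.read(40)
            if record == target:
                return True
            if record < target:
                lo = mid + 1
            else:
                hi = mid
    return False

def check_new_password(path: str, password: str) -> str:
    """Sign-up hook: refuse a candidate that appears in the breach corpus."""
    if is_breached(path, password):
        return "rejected: this password has appeared in a data breach"
    return "accepted"

def demo() -> list:
    """Run the hook against a four-entry constructed list."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pwned-sample.txt")
        build_sample_list(path, ["123456", "password", "qwerty", "letmein"])
        return [check_new_password(path, p) for p in ("password", "c0rrect-h0rse-battery")]

if __name__ == "__main__":
    print(demo())
```

Because the lookup runs locally, the candidate password never leaves the server performing the check.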

Since its inception, the concept behind this service has been endorsed by institutions like the National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre, which agree with Hunt’s view that compromised passwords should not be brought into use again by any user.