Daily Archives: April 19, 2019

Marcus Hutchins: UK ransomware ‘hero’ pleads guilty to US hacking charges

Hutchins says he regrets his actions and will continue ‘keeping people safe from malware attacks’

A British computer security researcher once hailed as a “hero” for helping stem a ransomware outbreak and later accused of creating malware to attack the banking system said on Friday he had pleaded guilty to US criminal charges.

Marcus Hutchins, whose arrest in 2017 stunned the computer security community, acknowledged in a statement pleading guilty to criminal charges linked to his activity in 2014 and 2015.

Related: UK hacker jailed for six years for blackmailing pornography site users

Continue reading...

Marcus “MalwareTech” Hutchins Pleads Guilty to Writing, Selling Banking Malware

Marcus Hutchins, a 24-year-old blogger and malware researcher arrested in 2017 for allegedly authoring and selling malware designed to steal online banking credentials, has pleaded guilty to criminal charges of conspiracy and to making, selling or advertising illegal wiretapping devices.

Marcus Hutchins, just after he was revealed as the security expert who stopped the WannaCry worm. Image: twitter.com/malwaretechblog

Hutchins, who authors the popular blog MalwareTech, was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before.

In August 2017, Hutchins was arrested by FBI agents in Las Vegas on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. A British citizen, Hutchins has been barred from leaving the United States since his arrest.

Many of Hutchins’ supporters and readers had trouble believing the charges against him, and in response KrebsOnSecurity published a lengthy investigation into activities tied to his various online personas over the years.

As I wrote in summary of that story, the clues suggested “Hutchins began developing and selling malware in his mid-teens — only to later develop a change of heart and earnestly endeavor to leave that part of his life squarely in the rearview mirror.” Nevertheless, there were a number of indications that Hutchins’ alleged malware activity continued into his adulthood.

In a statement posted to his Twitter feed and to malwaretech.com, Hutchins said today he had pleaded guilty to two charges related to writing malware in the years prior to his career in security.

“I regret these actions and accept full responsibility for my mistakes,” Hutchins wrote. “Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins pleaded guilty to two of the 10 counts for which he was originally accused, including conspiracy charges and violating U.S.C. Title 18, Section 2512, which involves the manufacture, distribution, possession and advertising of devices for intercepting online communications.

Creating malware is a form of protected speech in the United States, but selling it and disseminating it is another matter. University of Southern California law professor Orin Kerr‘s 2017 dissection of the government’s charges is worth a read for a deep dive on this sticky legal issue.

According to a copy of Hutchins’ plea agreement, both charges each carry a maximum of up to five years in prison, up to a $250,000 fine, and up to one year of supervised release. However, those charges are likely to be substantially tempered by federal sentencing guidelines, and may take into account time already served in detention. It remains unclear when he will be sentenced.

The plea agreement is here (PDF). “Attachment A” beginning on page 15 outlines the government’s case against Hutchins and an alleged co-conspirator. The government says between July 2012 and Sept. 2015, Hutchins helped create and sell Kronos and a related piece of malware called UPAS Kit.

Despite what many readers here have alleged, I hold no ill will against Hutchins. He and I spoke briefly in a friendly exchange after a chance encounter at last year’s DEF CON security conference in Las Vegas, and I said at the time I was rooting for him to beat the charges. I sincerely hope he is able to keep his nose clean and put this incident behind him soon.

Yours Truly shaking hands with Marcus Hutchins in Las Vegas, August 2018.

Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series.

At Privacy Ref we are always thinking of ways to improve the experience of our followers and clients alike. Weekly on our YouTube channel you will find a relevant privacy topic being discussed in a 1-minute video such as:  Cookies walls and the Dutch DPA – Ben Siegel discusses his research on the Dutch Personal […]

The post Do you have 1 minute? Check out our New weekly Quick Privacy Ref-erence series. appeared first on Privacy Ref Blog.

Five Reasons You Need Identity Governance & Administration

Demands on organizations continue to intensify – the precarious balance of requests for more access with the need to be more secure is difficult to maintain. Additionally, all of this is to be achieved faster, with fewer resources. It is more important than ever for each organization to develop a strategy for managing and governing user access in an automated manner. A well-defined Identity Governance Administration (IGA) program is becoming an increasingly critical piece of an organization’s security portfolio.

Small organizations with employees numbering in the double digits will be able to easily manage granting, removing, and reviewing access, and may even have predefined roles or access templates. Larger businesses, on the other hand, greatly benefit from implementing an IGA solution in order to effectively manage access to systems, applications, and devices. Read on to find out the many benefits of IGA and determine if it’s time for your organization to explore the world of IGA.

1. Regulatory Compliance

With regulations like the GDPR (General Data Protection Regulation), SOX (Sarbanes-Oxley), and HIPAA (Health Insurance Portability and Accountability Act) prioritizing and mandating data privacy, industries are focusing on access issues more than ever. Limiting and monitoring access to only those that need it is not only a crucial security measure, but one that is becoming critical to staying in compliance with these regulations.

IGA solutions not only help ensure that access to sensitive information like patient records or financial data is strictly controlled, they also enable organizations to prove they are taking these actions. Organizations can receive audit requests at any time. An effective IGA solution makes the required periodic review and attestation of access business friendly, effective, and comes with built-in reporting capabilities to meet relevant government and industry regulations. Taking a visual approach to the data can make this whole process more accurate and easier to deploy to the business.

2. Risk Management

The news cycle is dominated by stories of massive data breaches, with the organizations involved having to spend time and money on remediation efforts, while also dealing with the damage done to their reputation. IGA solutions take a proactive approach, reducing the exposure of sensitive data by rigorously limiting and guarding access to begin with, reducing the risk in the environment.

IGA solutions enable a robust approach to managing and governing access by focusing on three aspects of access. First, they practice the principle of least privilege, eliminating excess privileges and granting access to only those who absolutely need it in order to do their jobs. Secondly, they terminate ‘orphaned’ accounts as quickly as possible. These accounts that are no longer being used, either because an employee is no longer with the company, or any other reason, are perfect targets for those looking to breach the environment. Finally, IGA solutions monitor for segregation of duty (SoD) violations. This critical risk management concept dictates that no single individual should be able to complete a task, creating a built-in system of checks and balances. For example, in a financial transaction, whoever creates a payee should not be the one to authorize payment.

3. Business Changes

Organizations grow and change continually, and an IGA solution can make those changes more efficient and less risky. Small changes, like individual promotions, transfers, and layoffs, can quickly be implemented, since IGA solutions can provision access based on roles, and not on individual accounts. This strategy of Role Based Access Control (RBAC) works equally well for larger changes, like mergers, acquisitions, and corporate reorganizations. IGA solutions can greatly shorten the timeline for executing bulk additions or transitions of user accounts by automating and streamlining provisioning and approvals.  It is critical to develop roles in an accurate and intuitive manner.

4. Streamlining Budget

We all need to do more with less. Managing identity and access manually can be an unsustainable burden on IT. Provisioning access manually takes far more time, and often comes with additional help desk calls or tickets if these changes take too long or are done incorrectly. Documentation and reporting requirements add more effort and complexity. Certifying privileged access also becomes time consuming for managers and can result in rubber-stamping approvals in order to get on with more pressing matters. Carelessness in any of these tasks can lead to costly mistakes.

Of course, this also means that IT teams are sacrificing time that could be spent on other projects or improvements. IGA solutions minimize these time management issues and can also accomplish these tasks with higher accuracy.

5. Service Delivery

At its core, IGA solutions are designed to make life easier. Their usefulness impacts everyone within an organization. Establishing roles and streamlining provisioning makes for a much more efficient on-boarding process. The inefficiencies of a new-hire having to wait for access, sometimes for days or weeks, can be eliminated. Their accounts will be created with access already in place, based on their assigned role. Managers don’t have to waste time requesting access for employees, nor do they need to worry about making sure that former employees no longer have access. Ultimately, everyone will have the access they need when they need it, allowing everyone to get to work that much faster.

With these clear, measurable benefits, it’s easy to see why IGA solutions are quickly becoming an essential component in many organizations’ security strategy. Core Security, a HelpSystems Company, has developed multiple integrated IGA solutions to tailor fit your organization, since no two IT environments look alike. While these solutions have different approaches to IGA, they all provide these five critical benefits, and more. To find out which IGA solution is right for you, request a personalized demo from one of our experts today.

Identity and Access Management
Big text: 
Blog
Resource type: 
Blogs

Weekly Update 135

Weekly Update 135

It's another episode with Scott Helme this week as he's back in town for NDC Security on the Gold Coast (still a got a week to get those tickets, folks!) The timing actually works out pretty well as there was this week's announcement around Let's Encrypt transition of their root cert which is right up his alley. There's also the whole TicTokTrack kids watch situation which aligns very well with many of both our prior experience. And just on that, when we recorded the video they were planning on getting the service back up and running that day (Thursday Aus time when we recorded). Turns out that didn't happen and frankly, kudos to them for taking a little more time to get things right:

All that and more in this week's update:

Weekly Update 135
Weekly Update 135
Weekly Update 135

References

  1. We're at NDC Security on the Gold Coast week after next (Scott's doing the World's Best TLS Training, I'm doing Hack Yourself First)
  2. Let's Encrypt's transition to ISRG root (that post of Scott's went to number 1 on Hacker News so good work on that mate!)
  3. TicTocTrack had an absolute zinger of an IDOR vulnerability (they're not the only watch in this class to have serious flaws either)
  4. Twilio are sponsoring my blog this week, big thanks to them! (check our how you can use Authy to add 2FA to your app)