2017’s Cybersecurity Naughty or Nice List
The word “hacker” often has a negative connotation. Most of the time, the hackers we refer to or hear about are of the villainous variety, known as “blackhat” hackers. However, these malicious hackers aren’t the only “type” of hackers you will come across online. There are also “whitehat” hackers, for example, who use their hacking skills and talents for ethical purposes. Oftentimes whitehat hackers are hired to find vulnerabilities in computer systems or software so that the vulnerabilities can be patched before blackhat hackers have a chance to exploit them. Next, there are also hackers known as “grayhat” hackers who fall somewhere in-between, alternating between hacking for the “good” of the cybersecurity community and other times unethically, for their own gains. In this blog, we will look at the different individuals who made a buzz within the cybersecurity community in 2017 and let you, the reader, decide whether they fall under Santa’s naughty or nice list this year.
1. Marcus Hutchins, AKA MalwareTech
When the WannaCry ransomware was unleashed, organizations across different industries were on the edge of their seats, anticipating the worst. The effects were crippling, but luckily a killswitch was introduced by a 22-year-old UK researcher named Marcus Hutchins, better known by his Internet alias, MalwareTech. Though the killswitch wasn’t able to stop the ransomware entirely, it effectively slowed down the spread of infection. Many hailed Hutchins as an accidental hero. He discovered the killswitch after taking a look at samples of the ransomware and noticing something strange in a section of the source code. After testing out his theory, he found that the ransomware could be stopped during its installation process. While he played a vital role in slowing down the spread of WannaCry, he was taken into federal custody in early August on allegations of developing a major banking trojan, rendering him more of a grayhat hacker now.
2. Mathy Vanhoef and Frank Piessens, discoverers of KRACK
Two security researchers at KU Leuven (University of Leuven) first submitted a paper on their research into a vulnerability found in the WPA2 (Wi-Fi Protected Access II) protocol in May of this year but did not make the research paper fully public until October. Thanks to their findings, we now know that the vulnerability affects most, if not all, wireless devices that use the protocol. The vulnerability would allow hackers to eavesdrop on anyone who connects to Wi-Fi. The researchers built their findings on previous studies which focused on weaknesses within the WPA2 protocol. While the attacks disclosed in the paper were previously theorized, it was Vanhoef and Piessens who were able to turn the vulnerabilities into “proof-of-concept” code and demonstrate how the attacks could play out. They were meticulous with their research, even alerting major operating system vendors of the vulnerability some months prior to the publication date. This allowed companies to get a head start on remedying it. These two probably fall squarely into whitehat territory.
3. Karim Baratov, the Yahoo “hacker-for-hire”
When we last heard of Karim Baratov, he was awaiting trial for his involvement in the massive Yahoo hack of 2014, which exposed 500 million user credentials. Baratov was once again the center of attention on November 29 when he pleaded guilty to one count of conspiracy to commit computer fraud and abuse as well as eight counts of aggravated identity theft. Baratov stood before a federal judge and admitted to hacking at least 11,000 email accounts on behalf of the FSB (Russian Federal Security Service). He reportedly hacked into the webmail accounts of individuals of interest to the FSB and handed the FSB their passwords in exchange for monetary compensation. Outside of court, however, his attorneys stated that their client hacked only eight accounts for the Russians and claimed that Baratov did not know who he was working for until the investigation opened up. He is scheduled for sentencing next year on February 20. For his crimes, Baratov would be considered a blackhat hacker by most.
4. Paras Jha and Josiah White, Mirai IoT botnet co-creators
As a refresher, when the Mirai botnet was unleashed last year, it knocked major websites and entire networks offline, and the damage caused was devastating. Previously, the real identities behind the creators of the malware botnet were unknown. However, red flags came up when Brian Krebs found that one of the suspects published a skillset description on LinkedIn that was very similar to what was written on the profile of “Anna-senpai,” the Hackforums user that released Mirai’s source code. Soon, the true identities behind Anna-senpai came to light: they were 21-year-old Paras Jha and 20-year-old Josiah White, who also co-founded Protraf Solutions LLC, which specializes in mitigating large-scale DDoS attacks. But their company wasn’t all it made itself out to be. Rather than defending against DDoS attacks, they would launch attacks at other organizations and then extort them for money to fend off these attacks. The pair also pleaded guilty to using the botnet to conduct “click fraud,” racking up almost $180,000 from the scam. These two cybercriminals are now each facing up to five years in prison and a hefty fine. These two undoubtedly fall under the blackhat category.
5. Jordan Hamlett, “justified hacker”?
A Louisiana private investigator has pleaded guilty after attempting to misuse President Donald Trump’s Social Security number on six different occasions to obtain his federal tax information from the IRS. Many were curious as to why Trump broke a longstanding tradition among former presidents by refusing to release his tax returns; the refusal stirred controversy and perhaps inspired Hamlett to do what he did. Hamlett apparently wanted to access the tax returns out of “sheer curiosity,” but later changed his story and claimed he was simply attempting to test the federal systems for vulnerabilities. Although his attempts failed, Hamlett still faces charges after being caught by federal authorities. A federal judge overseeing the case ruled that a “good purpose” could not be used as a defense claim. Hamlett now faces a maximum sentence of five years in prison and a $250,000 fine following his guilty plea. If he’s not a whitehat hacker, perhaps some might consider labeling him a grayhat hacker.
So, who made the naughty list and the nice list?
The holidays are upon us but that doesn’t mean cybercriminals are taking a day off. Users of the web can count on cybercriminals to be prepared to spread their own version of “holiday cheer” too, from scheming up advanced phishing scams to launching botnets that steal sensitive information. Because cybercrimes are rampant all year long, those with poor cybersecurity hygiene may need to look back at our previous tips on staying safe this time of year!