Tag Archive for: legal

Is Ethical Hacking Legal or Illegal?

As the world becomes increasingly reliant on technology, the risk of cyberattacks also rises. To combat this, many companies and organizations are turning to ethical hackers to test …


A Legal Victory Against CryptBot Malware Distributors

Google is ramping up its efforts to combat cybercrime, as the tech giant recently announced a legal victory against the distributors of the notorious CryptBot malware.

Crackdown On Cybercriminals

In the latest move in its ongoing campaign against cybercriminals, Google has successfully filed a civil action against malware distributors responsible for CryptBot, a type of malicious software designed to steal sensitive information from users’ computers.

Google estimates that CryptBot has infected approximately 670,000 computers in the past year alone, primarily targeting users of Google Chrome.

A Southern District of New York federal judge unsealed the civil action. It represents Google’s continued commitment to disrupting cybercriminal ecosystems that seek to exploit online users.

This follows Google’s success last year in holding operators of the Glupteba botnet accountable.

Understanding CryptBot Malware

CryptBot, classified as an “infostealer,” can identify and extract sensitive data from victims’ computers, including authentication credentials, social media account logins, cryptocurrency wallets, and more.

The stolen data is then harvested and sold to bad actors for use in data breach campaigns.

Cybercriminals distributing CryptBot have been offering maliciously modified versions of popular software packages, such as Google Earth Pro and Google Chrome, to unsuspecting users.

The malware is designed to target users of Google Chrome, prompting Google’s CyberCrimes Investigations Group (CCIG) and Threat Analysis Group (TAG) to take action against the distributors.

Legal Strategy & Disruption

Google’s litigation targeted several major distributors of CryptBot, believed to be based in Pakistan and operating a worldwide criminal enterprise.

The legal complaint includes claims of computer fraud and abuse and trademark infringement.

To hinder the spread of CryptBot, the court granted a temporary restraining order that allows Google to take down current and future domains associated with the malware’s distribution.

This measure is expected to slow new infections and decelerate the growth of CryptBot while establishing legal precedent and placing those profiting from…


Industry launches hacking policy council, legal defense fund to support security research and disclosures

Google and other companies will develop and stand up a pair of new initiatives that will provide policy guidance to governments and legal protection to security researchers engaged in “good faith” vulnerability research and disclosure, while the tech giant also said it would formalize an internal policy to be publicly transparent when bugs in Google products are exploited in the wild.

The moves include the establishment of an industry-led Hacking Policy Council, which would be designed to bring “like minded organizations and leaders who will engage in focused advocacy new policies and regulations support best practices for vulnerability management and disclosure and do not undermine our user’s security,” as well as a planned nonprofit that would fund legal costs for security researchers who are sued or prosecuted while conducting vulnerability research and disclosure, according to a blog published alongside the announcements Wednesday.

The council will include representatives from bug bounty firms HackerOne, BugCrowd, Intigriti and Luta Security, as well as Venable, a law firm that specializes in cybersecurity law and policy matters, and Intel.

“I think it’s very much a coalition of the willing,” said Charley Snyder, head of security policy at Google, when asked how the council chose its initial membership. “There was no real criteria [for membership]…this is a fairly specialized area of policy, and these companies are ones that are really invested in getting it right.”

Snyder and Tim Willis, head of Google’s Project Zero, which conducts research on zero-day vulnerabilities, mentioned a trio of information security standards from the International Organization for Standardization (ISOs 27001, 27002 and 30179) as examples of the kind of standards and best practices that will guide the council’s recommendations.

The formation of the council comes at a time when the United States and other nations are showing an increased willingness to regulate the cybersecurity choices of businesses and other entities to prevent cyberattacks from significantly disrupting or spreading through a particular sector, critical infrastructure and other essential services.

The use of…


Recent legal developments bode well for security researchers, but challenges remain

Despite the hoodie-wearing bad guy image, most hackers are bona fide security researchers protecting users by probing and testing the security configurations of digital networks and assets. Yet the law has often failed to distinguish between malicious hackers and good-faith security researchers.

The law's ability to distinguish between the two hacker camps has, however, improved over the past two years, according to Harley Geiger, an attorney with Venable LLP who serves as counsel in the firm's Privacy and Data Security group. Speaking at Shmoocon 2023, Geiger pointed to three changes in hacker law in 2021 and 2022 that reduce security researchers’ legal risk.

“Over the past couple of years, these developments have changed the sources of greatest legal risk for good faith security research,” he said. Specifically in the US, the Computer Fraud and Abuse Act (CFAA), the most controversial law affecting hackers, the Department of Justice’s (DOJ’s) charging policy under the CFAA, and the Digital Millennium Copyright Act have evolved in favor of hackers. However, laws at the US state level affecting hackers and China’s recently adopted vulnerability disclosure law pose threats to security researchers and counterbalance some of these positive changes.

Computer Fraud and Abuse Act changes

The CFAA was enacted in 1986 as an amendment to the Comprehensive Crime Control Act and was the first US federal law to address hacking. “The CFAA has been the boogeyman for the community for quite a long time,” Geiger said. “It’s maybe the most famous anti-hacking law. This is a criminal law and a civil law, and that’s important to remember. You can be prosecuted under the CFAA criminally, and you can also be threatened with private lawsuits.”

The CFAA prohibits several things, including accessing a computer without authorization and exceeding authorized access to a computer. “That phrase, exceeding authorized access to a computer, is really important,” Geiger said. “It used to mean that if you were authorized to use a computer for one thing, but then you used it for another purpose, something that you weren’t authorized to do on the computer that you were allowed to use, then that may…
