
What is the Computer Misuse Act?
The Computer Misuse Act (CMA) officially became law in 1990 after passing through Parliament.
The act came into force following a high-profile hack which saw emails belonging to the Duke of Edinburgh leaked. This was carried out by journalists Robert Schifreen and Stephen Gold, who were trying to show the limitations of an ageing security system around BT's Prestel service. They managed to access the login details of 50,000 Prestel customers at the same time. Despite this, since there was no relevant legislation at the time, the pair could not be properly prosecuted. Instead, they were charged with and convicted of forgery (by forging the password for sysadmin privileges), but the verdict was later overturned on appeal.
The 1990 act was created to close this loophole and provide greater controls over the prosecution of cybercrime. The CMA criminalises unauthorised access to computer systems, which means accessing one in order to commit or facilitate further offences. It also applies to anyone accessing a system to impair the operation of any program, as well as to anyone modifying data that doesn't belong to them.
Most importantly, in order for there to be an offence under the CMA, the prosecutors must be able to show intent. For example, it wouldn't be a crime for someone to accidentally connect to a server or network they don't have permission to access. On the other hand, it is illegal for someone to intentionally access a system in the knowledge that they don't have permission to do so.
Penalties
Under the act, unauthorised access to computer material carries a penalty of up to £5,000 and/or up to two years in prison. Unauthorised access to a computer in order to commit another offence carries a penalty of up to £5,000 and/or up to five years in prison. Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer carry a penalty of up to £5,000 and/or up to 10 years in prison.
Furthermore, unauthorised acts causing, or creating risk of, serious damage could result in life imprisonment.
Expansion and controversy
In its most basic form, the CMA didn’t criminalise other objectionable things one can do with a computer. This means that it has had to be revised a number of times, each time refining and expanding its rules.
One such addition has been section 37 of the Police and Justice Act of 2006. This inserts a new section, 3A, into the CMA, covering the making, supplying or obtaining of articles for use in computer misuse offences. It is controversial because it criminalises hacking tools and exploits used in legitimate security research with the aim of increasing IT security. Again, though, intent needs to be proven here to make a case stand up. A prosecutor has to take into account legitimate usage and the motivation behind creating such tools.
Another controversial addition to the law was one made in 2015. This gave police and intelligence personnel immunity from existing cybercrime legislation. While this could make the lives of those investigating criminals easier, organisations such as Privacy International were concerned that this immunity could be abused and that not enough checks and balances were in place.
Kronos malware: What is the banking Trojan linked to WannaCry hero?
The earliest mentions of the Kronos malware date back to 2014 but the banking Trojan has entered the mainstream following the arrest of Marcus Hutchins.
Hutchins, who was thrust into the spotlight when he “accidentally” stopped the WannaCry virus in May, is said to have been charged by the FBI following a two-year cybercrime investigation.
In particular, Hutchins is accused of selling and maintaining Kronos malware from his home in Devon, UK with an unnamed accomplice. Court filings suggest there are six indictments that relate to this supposed crime.
What is the Kronos banking Trojan?
Kronos was spotted for sale on a Russian cybercrime forum in 2014 for a staggering US$7,000. This price piqued the interest of many security researchers because malware is typically sold for hundreds, not thousands, of dollars.
Regular malware is also commonly offered for free or distributed via malware source code leaks. For this US$7,000 price, the hacker was offering free upgrades as well as bug fixes.
According to the ad, Kronos was designed to work with so-called “injects” similar to those seen in the Zeus banking Trojan. Zeus is one of the most well-known Trojans and was first spotted in 2007 before later being taken offline.
What is a Trojan?
A Trojan is a form of malware that masquerades as a benign application. Its strength lies in tricking victims into downloading and running malicious code via dodgy attachments on emails, for example.
The name, like many in security software, comes from mythology. Specifically, Trojan viruses are named after the Trojan horse which brought about the end of the Trojan war, in which soldiers hid inside a large wooden horse and attacked the Greeks.
In security terms, the Trojan virus remains hidden in an app or attachment until it's ready to attack the infected computer.
In addition to email attachments, Trojans are often bundled with legitimate software or bookmark bars downloaded online.
The original software works as it should, to avoid suspicion, while the Trojan uses it to wreak havoc on the victim's PC. Once installed, a Trojan can be used by hackers to install other malicious software, steal usernames and passwords, log keystrokes and much more.
How does the Kronos malware spread?
Kronos' behaviour is typical of a banking Trojan. In November 2016, security researchers at Proofpoint spotted several large email campaigns sending tens of thousands of messages, targeting various industries, from universities to banks and hospitals.
These campaigns were sent globally, but primarily targeted the UK and North America. The Kronos malware was sent via attachments that looked legitimate. If an email recipient clicked on the attachment, the Trojan infected their machine.
The original ad seen on the Russian forum in 2014 revealed that Kronos can steal credentials from browsing sessions in Internet Explorer, Firefox and Chrome using so-called "form-grabbing" and HTML content injection techniques.
Form-grabbing is a more sophisticated alternative to keylogging. Keylogging captures only keystrokes, so it can often miss sensitive data that a user pastes into a form or selects from a dropdown menu rather than typing.
By comparison, form grabbers capture all form data before it's sent. What's more, Kronos was engineered to be compatible with the “web injects” developed for Zeus. This was said to have been deliberate, to make it possible for hackers to easily transition from Zeus to using Kronos.
As well as being able to steal information, the Kronos malware was found to contain what's known as a “user-mode rootkit” that runs on both 32-bit and 64-bit Windows systems and which helps the Kronos malware protect itself against rival malware, as well as stay out of sight of antivirus software.