Information Security - A Shared Responsibility

A Connecticut College blog dedicated to education in the cybersecurity landscape

The Moral Code of Marcus Hutchins, a Hacker Who Saved the Internet


The Attack

Marcus Hutchins, a computer security researcher from the UK, was just 22 years old when he discovered the kill-switch for WannaCry, a malware infection that quickly spread across the globe. When it hit in 2017, WannaCry was one of the fastest-spreading computer worms the world had seen. The National Health Service, the UK’s largest publicly funded healthcare system, was the first target hit by the worm. Human lives were at stake, with one third of NHS hospital trusts infected and 19,494 patient appointments canceled as a result. In a short time, the malware had spread to a multitude of other industries around the globe, causing damages estimated between $4 billion and $8 billion.

WannaCry was a form of ransomware, malicious software designed to block access to data until a sum of money is paid. It was able to spread easily from machine to machine using a piece of exploit code called EternalBlue. This code originated with the NSA and was stolen and leaked by a group of hackers known as the “Shadow Brokers.” The code exploited a flaw in outdated versions of Windows, which are commonly found in healthcare systems.

On the day that WannaCry hit in May of 2017, Marcus gained access to the malware’s code and quickly began testing it in his quarantined environment. Inside the code, he found a request being made to an unregistered domain, so he registered that obscure domain. This was a type of built-in “kill-switch,” something normally designed by the creator as a safeguard against backfire. Sure enough, after Marcus had registered the domain, reported cases of WannaCry began to decline, but Marcus knew there was still a risk of the domain being attacked and brought down. He worked for weeks to communicate with victims and actively protect the domain he had registered while it was being pummeled with useless traffic (an attack known as distributed denial of service, or DDoS). Marcus received help from cybersecurity firm Kryptos Logic and DDoS mitigation firm Cloudflare to protect the domain. After weeks of mitigation and very little sleep, Marcus could finally celebrate his accomplishments. The incident had made international headlines, and the media quickly identified Marcus as the person behind his online alias MalwareTech. Though a bit uncomfortable with this overnight fame, he came to appreciate the support. Later that summer he celebrated with friends at DEF CON, the famous annual hacker conference that takes place in Las Vegas, NV. It was at the end of this trip that Marcus would encounter the toughest period of his life.


A Dark Past

Before Marcus’s real name was discovered as a result of his heroic efforts, he was known only by the online alias “MalwareTech.” Under this handle he published vulnerability research and reverse-engineering security blog posts, and used Twitter to communicate with followers and tech enthusiasts. At age 17 he became involved in cyber-criminal affairs, most notably the development of the banking malware “Kronos.” This malware was sold to multiple “black-hat” (malicious) hacking groups and used to obtain sensitive personal information from users’ online banking activity. According to his interview with Wired, Marcus’s perception of his own moral code was shifting the more he communicated with colleagues on the dark web. The better he got at developing his own malware, the more reputable he became in these communities, and the tougher it became to turn down monetary offers in exchange for his code. When he initially refused to develop the banking trojan, the requester threatened to expose him to the FBI. He contributed to the development of Kronos in 2014, and his exposure from WannaCry would later uncover his past mistakes.

Vegas, 2017

His real identity now public as a result of his fame, the FBI eventually caught up with Marcus. He was interrogated at McCarran Airport after a week of partying at the hacker convention in Vegas. Charged with creation of the Kronos malware, he was jailed, but the online community of supporters quickly came to his aid and posted a $30,000 bond. He was relocated permanently to the U.S. and placed on house arrest until further notice, while his lawyers began chipping away at the terms of his detainment. In July of 2019, Marcus was set to have his sentencing hearing in Milwaukee. He had pleaded guilty to the charges two months prior and released a short public statement approved by his attorneys, shown below:



Fair Judgment

“In my career I’ve found few people are truly evil, most are just too far disconnected from the effects of their actions…until someone reconnects them.” ~Hutchins

The judge assigned to Marcus’s case took a broad view of his life, noting that Marcus had “turned the corner” from his earlier conduct. The judge recognized that Marcus would be a valuable asset in protecting society from future malicious cyber attacks. Marcus was sentenced only to “time served, with a one year period of supervised release.” His visa had expired, and Marcus spent his last year in the U.S. hoping to get back to work, and “to put the weight of all those feats and secrets, on both sides of the moral scale, behind him.” This is Marcus’s story of reckoning. He remains pained by his past responsibility for malice, but his story sheds new light for the hacker community, one that might guide its purpose toward making the world a better place.


To read more:

Multi-Factor Authentication With Duo Security


Connecticut College now requires multi-factor authentication from all faculty and staff when logging into college services from off campus. This means that in addition to entering your password, you must also have a second factor to help ensure you are the owner of the account being logged into. This second factor can be in the form of a push to your phone through the Duo app, SMS text or call, or even a USB token.

In addition, once enrolled you can change your own multi-factor settings at any time through a portlet in CamelWeb. Simply log in and head to the drop-down menu under your name in the top right corner. You’ll see the “Duo Login Devices” option, which you can use to swap out your second-factor device (e.g. if you have a new phone).

NOTE: You still need the current (old) device to log into this Management Portal, so don’t throw away your old phone before registering your new one with Duo!




UPDATE – Spring 2020:

Students at Conn are now required to use MFA for their college account. If you need help setting this up, simply contact the IT Service Desk (860-439-HELP) or submit a ticket request via

Password to Passphrase



Following the implementation of Multifactor Authentication (MFA), along with recent security trends regarding password policy, Connecticut College has made a few changes to the requirements for our users:

  • Passwords now have a 12-character minimum.
  • Passwords now only expire after a full year, extending the previous timeline by 6 months.
  • Character complexity is no longer enforced, but is still allowed.

The 12-character minimum encourages users to create “passphrases” that are unique to them and their way of thinking. Consider it a “secret memory.” This is in line with the change in guidelines published by the National Institute of Standards and Technology (NIST) in June of 2017. NIST found that longer passwords are tougher to crack than shorter ones, regardless of character complexity.

In addition, as FTC Chief Technologist Laurie Cranor points out, research heavily suggests that the more frequently users are forced to change their password, the more likely they are to make only a slight modification. This makes their patterns predictable, and leaves their account less secure in the end. We recommend creating a unique phrase that you can remember…you can even use spaces to separate words!

NOTE: To clarify the expiration further, your current password will expire 365 days from the last time you changed it. Consider the change an “extension” for each user.
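As an added illustration (not part of the original post or of the college’s actual systems), the policy above can be expressed as a small Python checker: a 12-character minimum with no complexity requirement, expiry 365 days after the last change, and the search-space arithmetic behind the “length beats complexity” guidance. The sample passphrases are constructed; the bit counts assume characters chosen uniformly at random.

```python
import math
from datetime import date, timedelta

# Policy values stated in the post above.
MIN_LENGTH = 12
EXPIRY_DAYS = 365


def check_passphrase(candidate: str) -> list[str]:
    """Return a list of policy violations; an empty list means the passphrase is accepted.
    Only length is enforced: mixed case, digits, symbols and spaces are allowed, not required."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"only {len(candidate)} characters; minimum is {MIN_LENGTH}")
    return problems


def expiry_date(last_changed: date) -> date:
    """A password expires 365 days after the last change."""
    return last_changed + timedelta(days=EXPIRY_DAYS)


def days_remaining(last_changed: date, today: date) -> int:
    """Days until expiry (negative once the password has already expired)."""
    return (expiry_date(last_changed) - today).days


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Size of the brute-force search space, in bits, for a password of the given
    length whose characters are drawn uniformly from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def length_beats_complexity() -> bool:
    """The arithmetic behind the 12-character rule: twelve lowercase letters (alphabet
    of 26) give a larger search space than eight characters drawn from all 95
    printable ASCII characters, so extra length does more than forced complexity."""
    return keyspace_bits(12, 26) > keyspace_bits(8, 95)


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "camel parade after midnight"):  # constructed samples
        print(repr(pw), check_passphrase(pw) or "accepted")
    print("12 lowercase letters:", round(keyspace_bits(12, 26), 1), "bits")
    print("8 printable ASCII:   ", round(keyspace_bits(8, 95), 1), "bits")
```

The bit counts are an upper bound: a passphrase built from common dictionary words has far fewer possibilities than uniformly random letters, which is why the post asks for a phrase that is unique to you rather than a well-known quotation.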



Gone Phishin’

The Information Security Team at Connecticut College wishes to remind all of our users to be cautious in opening and responding to emails. Phishing, the practice of using email to induce individuals to reveal personal or sensitive information, has become increasingly sophisticated and deceptive. These emails can rely purely on social engineering (manipulating the user with the message itself), or may also contain links to harmful sites with data entry forms.


We have seen many targeted phishing threats here at the college, with attackers purporting to be either a colleague, authority figure, or any other known member of the campus community. We want you to be well-equipped to identify and halt malicious e-mail communication.

A couple of quick tips to help you identify malicious activity:

  • Always check the actual e-mail address that contacted you (click the “show details” drop-down underneath the bold sender name).
  • In Gmail, hover over a link contained within a message. The full URL it actually points to appears at the bottom left of your Gmail screen.
  • If the sender purports to be someone you know, always observe the tone and context of the message, looking for anomalies and other cues that they are not who they claim to be.
  • If you are suspicious or hesitant to interact with a particular message or sender, please contact our Service Desk at 860-439-HELP (4357).

As a reminder, the Information Services staff will never ask you for your password or any other form of sensitive personal information via e-mail.
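The first two tips (look at the real address behind the display name, and at the real URL behind a link) can also be automated. The Python below is an added example, not a tool the college uses: it parses a message with the standard library, compares the sender’s domain to an assumed trusted domain, and flags links whose visible text names a different host than their href. Both sample messages are constructed for illustration, and the CamelWeb hostname in the benign one is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own mail domain; adjust for your environment.
TRUSTED_DOMAIN = "conncoll.edu"

# Constructed sample messages for illustration (not real e-mails).
SUSPICIOUS = """\
From: "IT Service Desk" <helpdesk@mail-example.invalid>
To: student@conncoll.edu
Subject: Action required: verify your password
Content-Type: text/html

<html><body><p>Your mailbox is almost full. Confirm your password at
<a href="http://login-example.invalid/verify">https://www.conncoll.edu/login</a>
within 24 hours.</p></body></html>
"""

BENIGN = """\
From: "Jane Doe" <jdoe@conncoll.edu>
To: student@conncoll.edu
Subject: Duo device change
Content-Type: text/html

<html><body><p>You can swap your Duo device under
<a href="https://camelweb.conncoll.edu/">Duo Login Devices</a> in CamelWeb.</p></body></html>
"""


def _in_domain(host: str, domain: str) -> bool:
    """True if host is the trusted domain or a subdomain of it (not a look-alike)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Apply the post's two manual checks to one message: the real sender address
    behind the display name, and the real destination behind each link."""
    msg = message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    if not _in_domain(sender_domain, TRUSTED_DOMAIN):
        findings.append(f"display name {name!r} but address {addr} is outside {TRUSTED_DOMAIN}")

    extractor = LinkExtractor()
    extractor.feed(msg.get_payload())        # single-part HTML body in these samples
    for text, href in extractor.links:
        target = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != target.lower():
            findings.append(f"link text shows {shown} but points to {target}")
        elif not _in_domain(target, TRUSTED_DOMAIN):
            findings.append(f"link points outside {TRUSTED_DOMAIN}: {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```

A mismatch between the visible link text and the href is a strong signal on its own; an external sender domain is only a hint, since plenty of legitimate mail comes from outside the college, which is why the post pairs it with the tone-and-context check.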

Something In The Air

Imagine a remote smartphone takeover that can happen with neither party being connected to the internet.

Blueborne, a Bluetooth vulnerability revealed by security firm Armis Labs, makes that possible. It is an attack vector that leverages Bluetooth connections to infiltrate and gain complete control over targeted devices. All platforms that have implemented the technology are affected, including Android, iOS (pre-version 10), Windows and Linux systems. Due to various vendor interpretations of Bluetooth implementation, the threat potential is different on each platform.


In short, someone with a computer that has a Bluetooth connection can type a few lines in a terminal and connect to your device. Permission protections and application security are easily bypassed here because the attacker acts as you, the fully authorized user on the device.

For more information and demos on how this attack works, visit

How can a seemingly simple, short-range pairing technology be a vector for such havoc?

There are a couple of things to consider here. First, the Bluetooth process runs with high privileges on any system it runs on. This effectively provides full control over the target device during an attack. Second, an attack of this nature is truly airborne, making it hard to discover or prevent and more contagious. It easily defeats traditional network security methods. These characteristics push the threat beyond the consumer base. Blueborne’s ability to beat the “airgapped” network puts larger enterprises, industries and government agencies at risk. Lastly, the researchers at Armis note that Bluetooth technology has been explored much less by the research community than WiFi, and is therefore a more vulnerable technology.


What You Can Do To Protect Yourself

  • Keep your software up to date on mobile devices. The most recent version of iOS is not affected by this vulnerability. Android users can verify they have the 9/9/2017 Security Patch Level on their devices. Armis also released a “BlueBorne Vulnerability Scanner” app for Android users that can be found in the Google Play Store.
  • Turn Bluetooth off whenever you are not using it. The attack can be executed even if the device is “not discoverable.” If Bluetooth is enabled, your device is constantly searching for connections even outside of its paired partner history.
  • Put a lock screen on your phone. One caveat of the exploit is that it cannot bypass a lock screen. The screen will also light up as an indicator that the attack is occurring.
  • Stay up to date on new information regarding BlueBorne and other security vulnerabilities. There is a haven of reputable cybersecurity sources on the web, many of which you can embed into your social media newsfeeds. The resources to learn are out there; it just takes curiosity and vigilance to discover and use them.



Mobile Device Encryption

In a time when smartphones have become so entrenched in our daily activity, it is important to consider how to protect your data on these devices.

Encryption, a way to protect data at rest, is easier explained in terms of a bank vault. Once an attacker has breached the vault door, the cash is available and unprotected. Think of encryption as a “dye pack” that explodes and renders the cash useless behind the vault. Though less permanent than my example, encryption further protects the data on your hardware by essentially scrambling it to an unreadable form. The good news is that it is fairly easy to enable on your smartphone, as you will read below.

There is certainly no global encryption standard or method for all smartphones, and in this article I will briefly compare and contrast stock encryption methods offered on the two most popular platforms: iOS and Android.



The iOS platform uses a file-based encryption (FBE) standard, and therefore requires minimal effort for an iPhone user to encrypt their device. As long as the user has a lock screen passcode set, content on the device is encrypted. Every file and keychain item is protected to some degree while the screen is locked. On your phone, open Settings, then select “Touch ID & Passcode” to turn this on.


Taking a slightly deeper dive for the tech enthusiasts, each file on the phone is assigned one of four protection classes, and this “class” method allows users to see certain data while the phone is locked. One of the four classes even allows you to create files behind a locked screen, e.g. the camera functionality. Due to the camera application’s encryption class, you can take a photo while the phone is locked, but once you close out of the photo it is encrypted.

To provide another example, notice that when the phone is locked and you receive a phone call, the phone can retrieve data from your contacts to identify and display the information correctly. This is because the class of encryption used here is not tied to the PIN the user enters.



In contrast to iOS, Android uses Full-Disk Encryption (FDE), an all-or-nothing approach that encrypts disks at the sector level. A bit more effort is required to set up this encryption, but it is fairly simple. In Android version 7, you can find this under Settings > Lock Screen and Security > Secure Startup.



Since the release of Android 7, named “Nougat,” File-Based Encryption (similar to that used in iOS) is actually available and automatically turned on with most new phones that are shipped. It is called “Direct Boot,” and contains only two categories (compared with Apple’s four classes). One category allows access to files before entering a PIN or passcode, and the other allows access only after a successful login. This is not as extensive as Apple’s FBE, and therefore no further encryption protection is provided by default after the user first unlocks their phone. It is, however, a step in a new direction for Google, and an acknowledgement of the balance between functionality and security on their platform.


Which platform offers a more secure solution?

The answer depends on how you value and measure security. Only Android offers a sector-level full disk encryption method. This renders your phone a useless “brick” while it is off, until you decrypt it by entering the PIN or password upon startup. Even with the new file-based encryption, however, there is no protection enforced after the first login. The only protection is your lock screen, acting as a “single locked door between the thief and the room of treasure.”

In contrast, iPhone users have some degree of encryption on all of their data when the phone is on and screen-locked. This speaks to Apple’s predetermined focus on addressing the sacrifice of functionality for security. If you’re up against a sophisticated attacker with enough resources and forensic expertise, however, a powered down FDE-enabled Android phone would fare better than an iPhone.
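To make the difference between the two models concrete, here is an added toy model in Python (not Apple’s or Google’s code, and not their real key hierarchy). Each protection class has its own key; keys that depend on the passcode are stored wrapped under a passcode-derived key, and the policy table says which class keys stay in memory in each device state (before first unlock, unlocked, locked after first unlock). The class names are assumptions that loosely mirror the post’s description, the stream cipher is a SHA-256 counter-mode stand-in for real AES, and the “create a photo while locked” class is not modelled.

```python
import hashlib
import hmac
import os

# Device states in the order they occur after power-on.
BEFORE_FIRST_UNLOCK, UNLOCKED, LOCKED = "before_first_unlock", "unlocked", "locked"
ALL_STATES = {BEFORE_FIRST_UNLOCK, UNLOCKED, LOCKED}

# Which states keep each class key in memory. Class names are assumptions that
# loosely mirror the post's description, not Apple's or Google's identifiers.
IOS_POLICY = {
    "complete": {UNLOCKED},                      # unreadable whenever the screen is locked
    "until_first_auth": {UNLOCKED, LOCKED},      # e.g. contacts shown for an incoming call
    "none": ALL_STATES,                          # not tied to the passcode at all
}
ANDROID_DIRECT_BOOT_POLICY = {
    "device_encrypted": ALL_STATES,              # available before the PIN is entered
    "credential_encrypted": {UNLOCKED, LOCKED},  # nothing is re-locked after first unlock
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher (illustration only, not AES)."""
    out = bytearray()
    for n in range(0, len(data), 32):
        out += _xor(data[n:n + 32], hashlib.sha256(key + (n // 32).to_bytes(4, "big")).digest())
    return bytes(out)


class ToyDevice:
    """Per-file encryption keyed by protection class; passcode-dependent class keys are
    stored wrapped and are evicted from memory according to the policy table."""

    def __init__(self, policy: dict, passcode: str):
        self.policy, self.state = policy, BEFORE_FIRST_UNLOCK
        self.salt = os.urandom(16)
        pk = self._passcode_key(passcode)
        self.verifier = hmac.new(pk, b"verify", "sha256").digest()
        self.wrapped, self.in_memory, self.files = {}, {}, {}
        for cls, states in policy.items():
            class_key = os.urandom(32)
            if BEFORE_FIRST_UNLOCK in states:
                self.in_memory[cls] = class_key   # stands in for a hardware-bound key
            else:
                self.wrapped[cls] = _xor(class_key, self._wrap_key(pk, cls))

    def _passcode_key(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 50_000)

    @staticmethod
    def _wrap_key(pk: bytes, cls: str) -> bytes:
        return hmac.new(pk, cls.encode(), "sha256").digest()

    def unlock(self, passcode: str) -> bool:
        pk = self._passcode_key(passcode)
        if not hmac.compare_digest(hmac.new(pk, b"verify", "sha256").digest(), self.verifier):
            return False
        for cls, wrapped in self.wrapped.items():
            self.in_memory[cls] = _xor(wrapped, self._wrap_key(pk, cls))
        self.state = UNLOCKED
        return True

    def lock(self) -> None:
        self.state = LOCKED
        for cls, states in self.policy.items():
            if LOCKED not in states:
                self.in_memory.pop(cls, None)     # key leaves memory; ciphertext stays on disk

    def _key(self, cls: str) -> bytes:
        if cls not in self.in_memory:
            raise PermissionError(f"class {cls!r} unavailable while {self.state}")
        return self.in_memory[cls]

    def write(self, name: str, cls: str, data: bytes) -> None:
        self.files[name] = (cls, _stream_xor(self._key(cls), data))

    def read(self, name: str) -> bytes:
        cls, ciphertext = self.files[name]
        return _stream_xor(self._key(cls), ciphertext)

    def readable(self, name: str) -> bool:
        try:
            self.read(name)
            return True
        except PermissionError:
            return False


def readable_classes(policy: dict, passcode: str = "1234") -> dict:
    """Walk a device through the three states and report which classes can be read."""
    dev = ToyDevice(policy, passcode)
    out = {BEFORE_FIRST_UNLOCK: [c for c in policy if c in dev.in_memory]}
    dev.unlock(passcode)
    for cls in policy:
        dev.write(cls + ".txt", cls, b"secret " + cls.encode())
    out[UNLOCKED] = [c for c in policy if dev.readable(c + ".txt")]
    dev.lock()
    out[LOCKED] = [c for c in policy if dev.readable(c + ".txt")]
    return out


if __name__ == "__main__":
    print("iOS-style:    ", readable_classes(IOS_POLICY))
    print("Direct Boot:  ", readable_classes(ANDROID_DIRECT_BOOT_POLICY))
```

Running it shows the post’s point: in the iOS-style model the “complete” class becomes unreadable again every time the screen locks, while in the Direct Boot model both categories stay readable after the first unlock, so only the lock screen stands between a thief and the data.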

It is also important to discuss the relationship these platforms hold with their app developers. With its class assignment system, Apple has provided developers with a simple and useful tool set to protect what they create. Google has less of a handle on this, but the open-source nature and abundant size of the Android knowledge community provides developers and engineers with solid and expansive security insight.



The Rise of Ransomware


A new threat called “ransomware” has become increasingly notorious in recent years. This is computer malware which, in its simplest form, encrypts all or some of the victim’s data, denying access usually until the victim presents some form of payment. Ransomware is cropping up in many different environments, with education being a new hotspot. It can be acquired through email attachments, fake software upgrade downloads, peer-to-peer platforms, propagation via external drives, etc.

Below is an example of the message a user might receive once infected:




Payment has traditionally been requested through the Bitcoin medium, and full decryption of the files is never guaranteed once payment is received by the attacker. This makes ransomware tough to recover from once affected.

Following the trend of any thriving tech entity, ransomware has become increasingly sophisticated in its packaging, execution, and its “bargain” requirements for the hostage data to be released. Below is a closer look at just a few of the new flavors that have been observed in the past year:



Zcryptor

Zcryptor drops a file labeled autorun.inf on any removable drive (e.g. USB flash) that is mounted on the infected computer. It therefore self-propagates, exhibiting worm characteristics.

“The ransomware targets numerous file types, encrypts them and adds the .zcrypt extension to them, while also creating the zcrypt1.0 mutex on the infected machines, which is meant to denote that an instance of the malware is already running. The ransomware also connects to specific servers to exchange information with them, but researchers say that these servers were inactive during their analysis.”

From <>


Locky

A close cousin of Zcryptor, Locky is known to also encrypt files on network shares that the infected user has permissions to. This one is initiated when the victim opens a Microsoft Office document and enables macros for that document. This kicks off a script which encrypts most of the files in the user profile in just minutes, along with any attached peripheral drives or network shares they are permitted to access. The malware is fairly good at covering its tracks too, removing any executables it creates under the hidden %AppData% folder, as well as its changes and additions to the Windows registry.

“Remember also, that like most ransomware, Locky doesn’t just scramble your C: drive. It scrambles any files in any directory on any mounted drive that it can access, including removable drives that are plugged in at the time, or network shares that are accessible, including servers and other people’s computers, whether they are running Windows, OS X or Linux.”

From <>


Doxware

This one takes the traditional ransomware attack a big step further by threatening to release private information (personal or organizational) to the public. This includes private conversations, photos and other sensitive information, and only increases the pressure on the victim to pay the ransom. Due to the in-depth nature of this attack, DarkReading suggests that attackers would likely use this for more specialized targets.

“Doxware requires strategic end-to-end planning, which means hackers will target their victims more deliberately. Therefore, malicious players will be more intentional in whom they attack, giving corporate leaders, politicians, celebrities, and other public figures cause for concern.”

From <>

Popcorn Time

This is actually considered a mutation of “Doxware,” but the requirements to decrypt become even more interesting. With a cynical twist on the “word-of-mouth” marketing approach, the victim can choose to infect two of their affiliates in lieu of paying the ransom.


Database Threats

Folks over at BinaryEdge have seen a surge in ransomware hitting a handful of database technologies, including MongoDB, Redis, ElasticSearch, Hadoop, Cassandra and CouchDB. Click here to access their blog and read more on this.



How Do I Get This, and What Can I Do To Prevent It?

Be Cautious with Software Updates and Download Prompts: Ransomware and other types of malware have a knack for getting in via fake software updates; Adobe Flash sits at the top of this list. Avoid using pop-ups and prompts as a medium to acquire downloads. If you feel that you are due for an upgrade, visit the official site of the corresponding product to download it. Most software also offers you the ability to see the current version and check for updates from its main menu.

Be Careful with Unsolicited Attachments: Know your email senders. If something looks suspicious, your best bet is to assume that it is. Trust me, it is well worth the time cost of an extra minute or two to verify something that could do some serious damage to you or your organization if infected. Visit or call the IT Service Desk at 860-439-HELP (4357) if you have any questions or would like to further investigate an email message.

Back Up, Back Up, Back Up: The best thing you can do to work against these threats is to back up your data regularly. Many flavors of ransomware actually disable the built-in Volume Shadow Copy Service (VSS, which Windows System Restore relies on) on the machine at the time of infection, so it is important to back up your critical data frequently to a cloud service or some form of external drive. All users in the domain have unlimited storage in Google Drive, making this a favorable option.
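The behaviours described for Zcryptor (autorun.inf dropped on removable media, files renamed with a .zcrypt extension), Locky (fast encryption of the user profile and reachable shares) and the shadow-copy tampering noted above are exactly the things an endpoint or file-server monitor can watch for. The Python below is an added example, not a college tool: it runs three simple detection rules over a constructed file-activity log (the timestamps, paths and the single-line event format are all invented for the example; treating any non-C: drive as removable is an assumption).

```python
import re
from collections import deque
from datetime import datetime, timezone

# One event per line: "<ISO timestamp> <KIND> <detail>". Constructed format and data.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>[A-Z_]+)\s+(?P<detail>.*)$")

SAMPLE_LOG = [
    r"2017-05-12T10:01:00Z FILE_RENAME C:\Users\alice\Documents\notes.txt -> C:\Users\alice\Documents\notes.txt.bak",
    r"2017-05-12T10:01:03Z FILE_RENAME C:\Users\alice\Documents\thesis.docx -> C:\Users\alice\Documents\thesis.docx.zcrypt",
    r"2017-05-12T10:01:04Z FILE_RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.zcrypt",
    r"2017-05-12T10:01:05Z FILE_RENAME C:\Users\alice\Pictures\img001.jpg -> C:\Users\alice\Pictures\img001.jpg.zcrypt",
    r"2017-05-12T10:01:06Z FILE_RENAME C:\Users\alice\Pictures\img002.jpg -> C:\Users\alice\Pictures\img002.jpg.zcrypt",
    r"2017-05-12T10:01:07Z FILE_RENAME \\fileserver\shared\minutes.docx -> \\fileserver\shared\minutes.docx.zcrypt",
    r"2017-05-12T10:01:09Z FILE_CREATE E:\autorun.inf",
    r"2017-05-12T10:01:10Z PROCESS_START vssadmin.exe delete shadows /all /quiet",
]


def parse_event(line: str):
    """Split a log line into timestamp, event kind and detail; None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "kind": m["kind"], "detail": m["detail"]}


def detect(lines, burst_threshold: int = 5, window_seconds: int = 60,
           encrypted_ext: str = ".zcrypt") -> list[str]:
    """Return one alert per rule that fires: a burst of renames to the ransomware
    extension, autorun.inf written to a non-system drive, and shadow-copy deletion."""
    alerts = []
    recent = deque()          # timestamps of recent renames to the encrypted extension
    burst_reported = False
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, kind, detail = ev["ts"], ev["kind"], ev["detail"]
        if kind == "FILE_RENAME" and " -> " in detail:
            _, dst = detail.split(" -> ", 1)
            if dst.lower().endswith(encrypted_ext):
                recent.append(ts)
                while recent and (ts - recent[0]).total_seconds() > window_seconds:
                    recent.popleft()
                if len(recent) >= burst_threshold and not burst_reported:
                    alerts.append(f"{len(recent)} files renamed to {encrypted_ext} within "
                                  f"{window_seconds}s (mass encryption)")
                    burst_reported = True
        elif kind == "FILE_CREATE":
            drive, _, _ = detail.partition(":\\")
            filename = detail.lower().rsplit("\\", 1)[-1]
            # Assumption: anything other than C: is treated as removable media here.
            if filename == "autorun.inf" and drive.upper() != "C":
                alerts.append(f"autorun.inf written to drive {drive.upper()}: "
                              f"(worm-style spread to removable media)")
        elif kind == "PROCESS_START":
            cmd = detail.lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts.append("shadow copies deleted via vssadmin (backup tampering)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

The rename-burst rule is the generally useful one, since it does not depend on knowing the extension a particular family uses: point it at a list of extensions, or at the rename rate alone, and it covers Locky-style activity on a file share just as well. The other two rules are the cheap, specific checks that confirm what kind of incident you are looking at, and the VSS rule in particular is why the post insists on backups that live somewhere the infected machine cannot reach.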

Do not enable Macros: Microsoft turned off auto-execution of macros by default many years ago, and for good reason. If you or your department needs a particular macro, please call the Service Desk or Information Security office to verify the legitimacy of a particular macro or file type. Also, take a look at the document you just opened before hitting that “enable” button (shown below). The contents of the document can tell you it is not what you were looking for or what you expected, and you should close out and remove the file altogether.




NOTE: Remember that the biggest vector for all computer-related attacks is you, the human. Hackers of this decade are carefully analyzing social behaviors and engineering their delivery in ways that exploit these behaviors. In a society that heavily favors social media and the immediate public sharing of even the smallest ideas, people have become significantly more trusting. In order to stay protected it is important to think carefully, ask questions and educate yourself.