Hackers and Media Hype: Big Hacks that Never Really Happened
If you combine the dictionary definitions for 'media' and 'hype' you come up with "A means of communication that widely influences people with dramatic and questionable methods" which is a definition that perfectly fits much of what I see when it comes to reporting in the Information Security space.
I find hyped-up stories on an almost daily basis. Sometimes it is simple speculation on the part of the reporter, maybe a misquote or other minor infraction, and other times it is just plain made-up facts. The problem is that hype lives forever but the reality dies a quick and merciful death.
EXAMPLES
In 1994 the New York Times reported that Kevin Mitnick "used a computer and a modem to break into NORAD". This of course was often repeated in several outlets, including the St Petersburg Times and elsewhere, for several years. Even as late as 1999 CNN was still reporting this bit of information as fact, claiming that Mitnick had actually inspired the 1983 movie "War Games".
Of course the reality is much more mundane. Despite CNN stating this as a fact in 1999, it was actually disproved in 1996 by Katie Hafner, a Newsweek Senior Editor, who, according to the Chicago Tribune, "could find no evidence that the NORAD story was anything but myth." But it wasn't until Mitnick himself published his own book "Ghost in the Wires" in 2010 that we found out that the whole NORAD myth was the result of an overzealous federal prosecutor who claimed Mitnick could "whistle into a telephone and launch a nuclear missile," which was one of the many absurd reasons why Mitnick spent so much time in solitary confinement.
In 1999 a small weekly paper in the UK called the Sunday Business ran a small story entitled "Satellite Held for Ransom" that claimed an intruder had actually "seized control of one of Britain's military satellites", had altered its course and issued blackmail threats. Of course the story was printed on Sunday and by Monday morning it had hit the Reuters wire services, spreading it all over the world. The problem was the story was basically completely made up. It took a couple of days but Reuters was finally able to get an official quote denying the allegation from the British Defense Ministry. Of course few, if any, of the newspapers that picked up the original story ran the follow-up. But this story doesn't end there. Nine years later an article on PCMag.com listed what it called "The 10 Most Mysterious Cyber Crimes" and the number two 'crime' on that list was an attack on a British military satellite that never actually happened. It is obvious that PCMag didn't do much fact checking on that story.
A very popular story that was repeated over and over in numerous outlets, and was really big just before the September 11 attacks, claimed that Al-Qaeda terrorists were using steganography to transmit messages back and forth. Steganography is an ancient technique that uses pictures or graphics files to hide messages. The earliest reference to the story I could find was in February of 2001 by USA Today, but I know the story is older than that. It was repeated in Wired later that month and even in the Cryptogram newsletter in September. The problem is there is absolutely no evidence to support any of these claims. In fact in August 2001 (a month before The Cryptogram Newsletter repeated the original story) two researchers published a paper basically debunking the entire claim. They downloaded over two million images from the Internet, analyzed them all for steganographic content and found nothing. The researchers got their research published in one place, New Scientist magazine, compared to the dozens of original articles claiming that terrorists did use steganography.
Two other points to this story. First, when Bin Laden was killed in 2011 it was reported that he was found with a large stash of pornography, both printed and digital, and yet there was no mention anywhere that I could find that there was any steganography involved. And second, there was a weird report from a magazine in Germany called Zeit Online claiming that investigators had found hundreds of Al-Qaeda documents embedded into a video file. The problem was that there was no official source for this information; the entire story seemed to be based on the claims of one reporter with no other evidence. That and the language barrier make it hard to figure out exactly what happened.
President Obama gave a speech in May of 2009 about securing the country's infrastructure in which he casually mentioned that hackers had plunged entire cities into darkness. By November of 2009 the TV news magazine 60 Minutes grabbed onto this and did an entire segment claiming that the city in question was in fact in Brazil. They claimed to have "a half dozen sources in the military, intelligence and private security communities" confirming that it was in fact Brazil's power infrastructure that had been hacked. The problem is that in January 2009, five months before the President's speech and almost a year before the 60 Minutes segment, the National Agency for Electric Energy in Brazil had concluded in its own investigation that the power outage was actually caused by sooty insulators. In fact they fined Furnas, the electric company, $3.27 million for not properly maintaining their equipment. So how do we go from sooty insulators in January, to a presidential speech in May, to six unnamed but confirmed sources in November?
One of my favorites is the story of the Illinois water utility with the failed water pump in November of 2011. For some reason water utilities need to report pump failures to DHS, and the ensuing investigation happened to find an IP address from Russia in the network logs. Everyone immediately jumped to conclusions and the 'fact' that the Russians were hacking the US utilities was published in a DHS Fusion Center report. When the press got secondhand information about the report (the first reporters never even saw a copy of the report) they went nuts. I think I like the Wired headline the best: "H(ackers)2O: Attack on City Water Station Destroys Pump". The craziest thing about this story is that way down at the bottom of the better articles there was actually a quote from DHS officials saying they had no evidence supporting the attack, and they had no confirmation or denial directly from the utility in question. The denials and lack of confirmation did not stop them from using secondhand information to run sensationalist hyped-up stories. All the hype was based on a draft report from a DHS Fusion Center that the reporters hadn't even seen.
The reality was that a contractor, who had legitimate remote access but was no longer under contract, was on vacation in Russia when he decided to check on the pumps, and the pumps just happened to fail, as pumps sometimes do, at about the same time. Don't ask me why a contractor was given remote access, or why that access wasn't revoked when the contract was up, or why no one matched the IPs to the login credentials and then called the contractor on vacation to verify if he was using them. That is a whole other story.
Another example of how the media takes stuff out of context and runs with it comes from Secretary of State Clinton. Back in May of 2012 she gave a speech at a dinner and said "our team plastered the same [web]sites with altered versions of the ads that showed the toll al-Qaida attacks have taken on the Yemeni people." From this ABC News reported "US hacked Yemen al-Qaida sites" and the Huffington Post reported "Al Qaeda Websites hacked by US State Department". Both of those titles would be rather amazing allegations if true. It would indicate an admitted overt offensive act by US cyber forces, something that has not yet been admitted by anyone in authority. Not to mention that US officials have said that an offensive cyber attack on the US may be met with a conventional counterattack. Does this mean that Yemen can now bomb the US in retaliation for hacking them? Thankfully all we really did is do a Google Ad buy; the press, however, may have accidentally started the next shooting war.
ON PURPOSE
The examples above can be easily blamed on ignorance, inexperience, over-aggressive reporting, the rush to be first, etc. I wouldn't say any of those examples show the media actually going out of their way to create hype on purpose. There is, however, at least one confirmed example of such an event happening that I call "The Michelle Madigan Affair".
Michelle Madigan was an Associate Producer for NBC Universal working specifically for Dateline NBC, the same folks who produced the "To Catch a Predator" series. She was working on a piece to show Middle America the criminal hacker underground, and what better place to find criminal hackers than at DEF CON. So in 2007 she attended DEF CON 15 but did not get press credentials, in direct violation of Defcon's strict press policy. The story varies as to how, but the Defcon organizers found out about her plans. They approached her privately and politely asked her to get press credentials. She reportedly refused this request several times. So The Dark Tangent (Jeff Moss) got on stage, pointed to her in the crowd and outed her. She ran out of the conference hall and was immediately chased down by all the other reporters (there is video on YouTube of this). Now Michelle could have handled this situation much better: she could have accepted the credentials when offered, or when pointed at in the conference hall she could have stood up, laughed, and said, "Shucks, you got me." Regardless of how she reacted, this shows how sometimes it might be manufactured on purpose.
STATISTICS
The dollar losses of cyber crime are numbers that are batted around in the media like tennis balls. Most of the time they are taken at face value and seldom challenged. But an April 2012 article in the New York Times Sunday Review set out to actually look at some of the published, overly hyped numbers that are often repeated over and over in regards to cyber crime. They found that most cybercrime estimates use bad statistical methods and are often based on subjective surveys as opposed to actual facts. The surveys often use political survey techniques and then get extrapolated to the whole, giving outliers undue weight. Many times the estimates come from the answers of just one or two people.
Cyber crime losses are often estimated in the $100s of billions of dollars. Stolen credit card information is often sold for just pennies on the dollar because the cards are hard to monetize and turn back into cash. I don't know about you, but I don't know any cyber crime billionaires, nor do I know any company that has admitted to billions in losses.
THE REALITY OF HYPE
A hyped-up Information Security story has but one good use: it can be used to help raise awareness of a specific issue. Unfortunately there are a lot of bad things that go along with hype as well. It can cause the Chicken Little Effect, where people worry about non-existent threats that will never happen or are extremely unlikely to ever happen. It can cause the Boy Who Cried Wolf Effect, or desensitization to actual threats. The media aren't the only sources of hyped stories; often PR departments of InfoSec companies will peddle hype like it's crack, hoping to get people hooked on their sensationalism, as they suffer from the Look What I Can Do Syndrome. Politicians often rely on hype and FUD to get budgets passed or new laws enacted. The big problem as I see it is all this hype makes us (Hackers, Security Professionals, etc.) look bad, look really bad.
IDENTIFYING HYPE
As great as it would be to pass down an edict from on high that says "No More Hype", we all know it is not that easy. Hype is here to stay and is something that we have to learn to live with. So, it would be very helpful to be able to identify it when we see it. First, just because a story shows up in a hundred news outlets and is published everywhere does not mean that it is true. Look for a named source somewhere inside the story that offers some sort of confirmation; don't just blindly trust the 'unnamed government source' without some supporting facts. Hyped stories will often blame some unknown or amorphous entity that cannot defend itself, like 'It must have been hackers' or 'China did it', knowing full well that there is no way to prove or disprove such a statement, so it must be true. Sensational claims, like hackers controlling satellites, usually are hype. And trusted sources may not be trustworthy: just because a story appears on CNN, or 60 Minutes, or the Washington Post, or the New York Times does not mean that it is above reproach. Weigh each story individually on its merits, not on the news outlet that reported it.
It comes down to questioning everything.
I have presented the above information in a talk of the same name at various conferences over the last few months. The slides from that talk are here and a video version of the talk from the HOPE 9 conference is here: