Hackers and Media Hype: Big Hacks that Never Really Happened

If you combine the dictionary definitions for 'media' and 'hype' you come up with "A means of communication that widely influences people with dramatic and questionable methods", which is a definition that perfectly fits much of what I see when it comes to reporting in the Information Security space.
I find hyped up stories on an almost daily basis. Sometimes it is simple speculation on the part of the reporter, maybe a misquote or other minor infraction, and other times it is just plain made-up facts. The problem is that hype lives forever but the reality dies a quick and merciful death.

EXAMPLES

In 1994 the New York Times reported that Kevin Mitnick "used a computer and a modem to break into NORAD". This of course was often repeated in several outlets, including the St Petersburg Times and elsewhere, for several years. Even as late as 1999 CNN was still reporting this bit of information as fact, claiming that Mitnick had actually inspired the 1983 movie "War Games".

Of course the reality is much more mundane. Despite CNN stating this as a fact in 1999, it was actually disproved in 1996 by Katie Hafner, a Newsweek Senior Editor, who, according to the Chicago Tribune, "could find no evidence that the NORAD story was anything but myth." But it wasn't until Mitnick himself published his own book "Ghost in the Wires" in 2010 that we found out that the whole NORAD myth was the result of an overzealous federal prosecutor who claimed Mitnick could "whistle into a telephone and launch a nuclear missile." That was one of the many absurd reasons why Mitnick spent so much time in solitary confinement.

In 1999 a small weekly paper in the UK called the Sunday Business ran a little story entitled "Satellite Held for Ransom" that claimed an intruder had actually "seized control of one of Britain's military satellites", had altered its course and issued blackmail threats. Of course the story was printed on Sunday and by Monday morning it had hit the Reuters wire services, spreading it all over the world. The problem was that the story was basically completely made up. It took a couple of days, but Reuters was finally able to get an official quote denying the allegation from the British Defense Ministry. Of course few, if any, of the newspapers that picked up the original story ran the follow-up. But this story doesn't end there. Nine years later an article on PCMag.com listed what it called "The 10 Most Mysterious Cyber Crimes", and the number two 'crime' on that list was an attack on a British military satellite that never actually happened. It is obvious that PCMag didn't do much fact checking on that story.

A very popular story that was repeated over and over in numerous outlets, and was really big just before the September 11 attacks, claimed that Al-Qaeda terrorists were using steganography to transmit messages back and forth. Steganography is an ancient technique for hiding messages, today typically inside pictures or graphics files. The earliest reference to the story I could find was in February of 2001 by USA Today, but I know the story is older than that. It was repeated in Wired later that month and even in the Cryptogram newsletter in September. The problem is there is absolutely no evidence to support any of these claims. In fact in August 2001 (a month before the Cryptogram newsletter repeated the original story) two researchers published a paper basically debunking the entire claim. They downloaded over two million images from the Internet, analyzed them all for steganographic content and found nothing. The researchers got their research published in one place, New Scientist magazine, compared to the dozens of original articles claiming that terrorists did use steganography.

Two other points to this story. First, when Bin Laden was killed in 2011 it was reported that he was found with a large stash of pornography, both printed and digital, and yet no mention anywhere that I could find that there was any steganography involved. And second, a weird report from a magazine in Germany called Zeit Online claimed that investigators had found hundreds of Al-Qaeda documents embedded in a video file. The problem was that there was no official source for this information; the entire story seemed to be based on the claims of one reporter with no other evidence. That, and the language barrier, make it hard to figure out exactly what happened.

President Obama gave a speech in May of 2009 about securing the country's infrastructure in which he casually mentioned that hackers had plunged entire cities into darkness. By November of 2009 the TV news magazine 60 Minutes grabbed onto this and did an entire segment claiming that the city in question was in fact in Brazil. They claimed to have "a half dozen sources in the military, intelligence and private security communities" confirming that it was in fact Brazil's power infrastructure that had been hacked. The problem is that in January 2009, five months before the President's speech and almost a year before the 60 Minutes segment, the National Agency for Electric Energy in Brazil had concluded in its own investigation that the power outage was actually caused by sooty insulators. In fact they fined Furnas, the electric company, $3.27 million for not properly maintaining its equipment. So how do we go from sooty insulators in January, to a presidential speech in May, to six unnamed but confirmed sources in November?

One of my favorites is the story of the Illinois water utility with the failed water pump in November of 2011. For some reason water utilities need to report pump failures to DHS, and the ensuing investigation happened to find an IP address from Russia in the network logs. Everyone immediately jumped to conclusions, and the 'fact' that the Russians were hacking US utilities was published in a DHS Fusion Center report. When the press got second-hand information about the report (the first reporters never even saw a copy of the report) they went nuts. I think I like the Wired headline the best: "H(ackers)2O: Attack on City Water Station Destroys Pump". The craziest thing about this story is that way down at the bottom of the better articles there was actually a quote from DHS officials saying they had no evidence supporting the attack, and they had no confirmation or denial directly from the utility in question. The denials and lack of confirmation did not stop them from using second-hand information to run sensationalist, hyped-up stories. All the hype was based on a draft report from a DHS Fusion Center that the reporters hadn't even seen.

The reality was that a contractor, who had legitimate remote access but was no longer under contract, was on vacation in Russia when he decided to check on the pumps, and the pumps just happened to fail, as pumps sometimes do, at about the same time. Don't ask me why a contractor was given remote access, or why that access wasn't revoked when the contract was up, or why no one matched the IPs to the login credentials and then called the contractor on vacation to verify whether he was using them. That is a whole other story.
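The two checks the paragraph above says nobody ran (tie each source IP to the credential that used it, and notice when that credential belongs to someone whose contract has ended) are simple enough to script. The following is an added example written for this post, not code from the utility, DHS or the original article. Every log line, account name, IP address and country label in it is constructed for illustration; the log format is an assumed sshd-style line, and the prefix-to-country table is a stand-in for a real GeoIP lookup.

```python
"""
Added example: review remote-access logins against an account roster so that an
unexpected source country is first attributed to the credential's owner, and a
credential that outlived its contract is flagged for revocation. All data below
is constructed; nothing here comes from the incident described in the post.
"""
from dataclasses import dataclass
from datetime import date, datetime
import ipaddress
import re

# Constructed remote-access log lines (sshd-style format is an assumption).
REMOTE_ACCESS_LOG = """\
2011-11-08 03:12:44 vpn-gw sshd: Accepted password for scada_ops from 10.0.5.17
2011-11-08 14:05:09 vpn-gw sshd: Accepted password for contractor_jd from 198.51.100.23
2011-11-09 02:41:30 vpn-gw sshd: Accepted password for contractor_jd from 203.0.113.77
2011-11-09 09:00:02 vpn-gw sshd: Failed password for root from 203.0.113.250
"""

# Constructed roster: who owns the credential, where they normally connect from,
# and when their engagement ended (None means active staff).
ACCOUNTS = {
    "scada_ops": {"owner": "Utility operations", "expected_country": "US",
                  "contract_end": None},
    "contractor_jd": {"owner": "SCADA integrator (contractor)", "expected_country": "US",
                      "contract_end": date(2011, 6, 30)},
}

# Constructed prefix-to-country table standing in for a GeoIP database.
# 203.0.113.0/24 is a documentation range; labelling it "RU" is purely for the example.
GEO_PREFIXES = {
    ipaddress.ip_network("10.0.0.0/8"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "RU",
}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass
class Login:
    when: datetime
    user: str
    ip: str
    accepted: bool


def parse_log(text):
    """Parse the constructed log format into Login records; unparseable lines are skipped."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        logins.append(Login(when=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            user=m["user"], ip=m["ip"],
                            accepted=(m["result"] == "Accepted")))
    return logins


def country_of(ip):
    """Look the address up in the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_PREFIXES.items():
        if addr in net:
            return country
    return "UNKNOWN"


def review_logins(logins, accounts):
    """For each successful login, name the credential owner and flag two gaps:
    access that should already have been revoked, and a source country the owner
    is not expected to use. Returns a list of (user, ip, finding) tuples."""
    findings = []
    for login in logins:
        if not login.accepted:
            continue  # failed attempts are noise for this particular review
        acct = accounts.get(login.user)
        if acct is None:
            findings.append((login.user, login.ip, "login with a credential not on the roster"))
            continue
        end = acct["contract_end"]
        if end is not None and login.when.date() > end:
            findings.append((login.user, login.ip,
                             f"credential still active after contract ended {end.isoformat()} "
                             f"(owner: {acct['owner']}); revoke it and verify with the owner"))
        country = country_of(login.ip)
        if country != acct["expected_country"]:
            findings.append((login.user, login.ip,
                             f"source country {country} differs from expected "
                             f"{acct['expected_country']}; confirm with the credential owner "
                             f"before attributing the login to anyone else"))
    return findings


if __name__ == "__main__":
    for user, ip, finding in review_logins(parse_log(REMOTE_ACCESS_LOG), ACCOUNTS):
        print(f"{user:15} {ip:16} {finding}")
```

On the constructed data the script produces three findings, all against `contractor_jd`: two for logins after the contract end date and one for the login whose source prefix maps to an unexpected country. The point of the design is ordering: the credential owner is identified and contacted first, and the source country is a reason to make that call, not a conclusion about who was behind the keyboard.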

Another example of how the media takes stuff out of context and runs with it comes from Secretary of State Clinton. Back in May of 2012 she gave a speech at a dinner and said "our team plastered the same [web]sites with altered versions of the ads that showed the toll al-Qaida attacks have taken on the Yemeni people." From this ABC News reported "US hacked Yemen al-Qaida sites" and the Huffington Post reported "Al Qaeda Websites hacked by US State Department". Both of those titles would be rather amazing allegations if true. It would indicate an admitted overt offensive act by US cyber forces, something that has not yet been admitted by anyone in authority. Not to mention that US officials have said that an offensive cyber attack on the US may be met with a conventional counter attack. Does this mean that Yemen can now bomb the US in retaliation for hacking them? Thankfully all we really did was a Google Ad buy; the press, however, may have accidentally started the next shooting war.

ON PURPOSE

The examples above can be easily blamed on ignorance, inexperience, over-aggressive reporting, the rush to be first, etc. I wouldn't say any of those examples show the media actually going out of their way to create hype on purpose. There is however at least one confirmed example of such an event happening, which I call "The Michelle Madigan Affair".

Michelle Madigan was an Associate Producer for NBC Universal working specifically for Dateline NBC, the same folks who produced the "To Catch a Predator" series. She was working on a piece to show Middle America the criminal hacker underground, and what better place to find criminal hackers than at DEF CON. So in 2007 she attended DEF CON 15 but did not get press credentials, in direct violation of DEF CON's strict press policy. The story varies as to how, but the DEF CON organizers found out about her plans. They approached her privately and politely asked her to get press credentials. She reportedly refused this request several times. So The Dark Tangent (Jeff Moss) got on stage, pointed to her in the crowd and outed her. She ran out of the conference hall and was immediately chased down by all the other reporters (there is video on YouTube of this). Now Michelle could have handled this situation much better: she could have accepted the credentials when offered, or when pointed at in the conference hall she could have stood up, laughed, and said, "Shucks, you got me." Regardless of how she reacted, this shows how sometimes hype might be manufactured on purpose.

STATISTICS

The dollar losses of cyber crime are numbers that are batted around in the media like tennis balls. Most of the time they are taken at face value and seldom challenged. But an article in the April 2012 New York Times Sunday Review set out to actually look at some of the published, overly hyped numbers that are often repeated over and over in regards to cyber crime. They found that most cybercrime estimates use bad statistical methods and are often based on subjective surveys as opposed to actual facts. The surveys often use political survey techniques and then get extrapolated to the whole, giving outliers undue weight. Many times the estimates come from the answers of just one or two people.

Cyber crime losses are often estimated in the hundreds of billions of dollars. Stolen credit card information is often sold for just pennies on the dollar because it is hard to monetize and turn back into cash. I don't know about you, but I don't know any cyber crime billionaires, nor do I know any company that has admitted to billions in losses.

THE REALITY OF HYPE

A hyped up Information Security story has but one good use: it can be used to help raise awareness of a specific issue. Unfortunately there are a lot of bad things that go along with hype as well. It can cause the Chicken Little Effect, or cause people to worry about non-existent threats that will never, or are extremely unlikely to ever, happen. It can cause the Boy Who Cried Wolf Effect, or desensitization to actual threats. The media aren't the only sources of hyped stories; often PR departments of InfoSec companies will peddle hype like it's crack, hoping to get people hooked on their sensationalism, as they suffer from the Look What I Can Do Syndrome. Politicians often rely on hype and FUD to get budgets passed or new laws enacted. The big problem as I see it is that all this hype makes us (hackers, security professionals, etc.) look bad, look really bad.

IDENTIFYING HYPE

As great as it would be to pass down an edict from on high that says "No More Hype", we all know it is not that easy. Hype is here to stay and is something that we have to learn to live with. So, it would be very helpful to be able to identify it when we see it. First, just because a story shows up in a hundred news outlets and is published everywhere does not mean that it is true. Look for a named source somewhere inside the story that offers some sort of confirmation; don't just blindly trust the 'unnamed government source' without some supporting facts. Hyped stories will often blame some unknown or amorphous entity that cannot defend itself, like 'It must have been hackers' or 'China did it', knowing full well that there is no way to prove or disprove such a statement, so it must be true. Sensational claims, like hackers controlling satellites, usually are just that. And trusted sources may not be: just because a story appears on CNN, or 60 Minutes, or the Washington Post, or the New York Times does not mean that it is above reproach; weigh each story individually on its merits, not on the news outlet that reported it.

It comes down to questioning everything.

I have presented the above information in a talk of the same name at various conferences over the last few months. The slides from that talk are here and a video version of the talk from the HOPE 9 conference is here.
