I’ve been found myself over the other side of the world lately doing a bunch of talks on all sorts of different security things. One of them has been about lessons learned running the data breach service known as Have I been pwned. There’s a whole bunch of interesting things I’ve come across in my travels, but what really seems to be resonating with people is how the media tends to represent these incidents compared with the underlying reality. Let me share a examples from the talk here.
One that immediately comes to mind is the sensationalism of the malicious actor. No longer content with merely acknowledging that a “hacker” was to blame, we see headlines such as TalkTalk hacked by 'cyber jihadi' group. In fact that particular piece goes on to quote a “former cyber crime cop” as stating the perpetrators were “from Russia and are an Islamic cyber jihadi group”. This is pretty much your most fearsome possible combination of buzzwords all rolled into one statement and it completely belies what we ultimately came to know as the truth…
It turns out that the “Russian Islamist cyber jihadis” amounted to a 15 year old kid in his bedroom in Belfast. He didn’t act alone, mind you, there were also a couple of 16 year olds and a 20 year old too. The only thing they actually have in common with those initial media reports is the “cyber” bit.
Another issue that tends to come up goes entirely in the opposite direction – painting a picture that suggests hackers who’ve well and truly overstepped the mark are merely innocent whitehat security researchers. One example of this was a few years back when the headlines screamed Security researcher found guilty of conspiracy and identity fraud in 'hackless' AT&T iPad hack. But what wasn’t immediately apparent in those headlines was that the “researcher” didn’t just find an enumeration risk that allowed him to pull someone else’s recorded when a different ID was sent to the app, he checked it against 114,000 different IDs. Then sent the data to the press.
It was a similar deal again closer to home where the headlines claimed that First State set police on man who showed them how 770,000 accounts could be ripped off. Yes, he did demonstrate that there was a risk in their application and that like in the previous example, it allowed identifiers to be enumerated and other customer data to be accessed. Then but he did it 770k times to make a point! Once would have been enough and had he stopped there the situation would have been quite different.
In all of these examples, the truth has turned out to be quite different and all the headlines really achieved was to either make people more fearful of hackers or more resentful of law enforcement, neither of which is in any of our best interests. Unfortunately though, headlines rate and whilst there’s an appetite for sensationalism, I doubt we’ll see any of that changing any time soon.