Every now and then we come across one of those stories that just has all the ingredients to result in it being splashed across the prime time headlines:
Data breach: check!
And so it was yesterday morning when I awoke to news of an “ISIS hit list” which was the first story that greeted me on all the mainstream press. I find it particularly interesting when tech stories are presented to the general public as it gives some very interesting insights as to how the broader populace perceives technology. In this case, it was in a particularly sensational fashion.
I was especially intrigued with how the news outlets were presenting this story because to me, it didn’t really add up. I consequently spent the next few hours trawling through what was claimed to be a “hit list” of individuals predominantly from government organisations which ISIS would like to have knocked off. I wrote up the findings then, true to the usual form of stories that make headlines like this, spent much of the rest of the day talking to the media, eventually finishing with CNN at something like 1am my time.
The hyperbole and the fear, uncertainty and doubt that spread over this was just off the scale compared to the significance of the actual data. Here we have what amounts to little more than easily discoverable information mostly already in the public domain and suddenly it’s become a huge terror hack. Why? Because there’s some extremist speak that incites violence before the list of actual data.
Now don’t get me wrong, I wouldn’t want to find myself on a list like this simply because it would make anyone feel a bit uncomfortable, but ultimately this amounted to little more than information a teenager could put together in their bedroom with a few spare hours. However, the legitimacy of the claims that this was an “ISIS hack” appears to have gotten in the way of a good story and the news has simply run with it.
The statement that really stood out to me though came courtesy of our very own prime minister when he said: “We've just discovered that it's actually able to launch cyber attacks in this country so this is a very sophisticated and deadly threat to us even here in Australia”. Hang on – are we still talking about a list of fifteen hundred odd people with a bunch of easily discoverable (and often very out of date) information? And this is now sophisticated and deadly?!
The problem with any sort of “leak” like this always comes back to attribution; how do we know ISIS is behind this? Because the page says so? This is the same problem we’ve seen over and over again with hacktivists too where they dump a bunch of data (and sometimes that’s actually a genuine attack), then they stand up and proclaim that they have leaked this as the hacker collective “Anonymous”. Then someone else stands up and says “No, we’re Anonymous and we didn’t hack this”. Of course each party is vehemently claiming to be Anonymous (big “A”) whilst also wishing to remain anonymous (little “a”).
Attribution for this style of “attack” can be very difficult, particularly when it’s hard to verify that there was indeed an attack in the first place. In many cases it’s a fake of little or no significance and until someone can demonstrate with a reasonable degree of confidence that there’s actually any legitimacy to the data or the claimed attack vector, it can’t be taken particularly seriously. Unfortunately though, that doesn’t make for anywhere near as interesting headlines…