These days he works as threat intelligence manager for Trustwave's SpiderLabs, but he has been tracking hacking events for many years. One thing has long bothered him: hacks get mis-reported and blown up until the stories get legs of their own and become hyped out of all reality. Last Sunday afternoon he delivered a talk at the hacker conference, Hope Number 9: Hackers and Media Hype - big hacks that never really happened.
He started his talk with Kevin Mitnick and NORAD. “As a teenager he used a computer and a modem to break into a North American Air Defense Command computer, foreshadowing the 1983 movie ‘War Games’,” wrote the New York Times. “Mitnick first received national attention in 1982 when he hacked into the North American Defense Command (NORAD), a feat that inspired the 1983 film ‘War Games’,” said CNN. Fact is, it didn't happen and wasn't true.
Other examples: the UK's Sunday Business newspaper reported that hackers had taken over a military satellite; in 2001 it was claimed that Al Qaeda hid its plans inside pornography; the Chinese interfered with US government satellites; and so on until “Hackers destroyed a pump used by a US water utility...” last year. None of these are true – they were all fed by the media’s need for sensational headlines and the public’s readiness to believe the worst.
In conversation, Infosecurity asked Space Rogue if any such stories came from government sources. “Oh yes,” he answered. In 2009 there was a big blackout in Brazil. Obama claimed that hackers had plunged foreign states into darkness. Intelligence sources confirmed this had been Brazil. But again, it wasn’t hackers – it was actually caused by pollution: soot on the insulators. One of the problems is that when different parts of government want additional budget or new laws, they roll out the threat of cyberterrorism. “That,” admitted Space Rogue, “is a connection you can easily make in your head, but one that is difficult to prove in practice.”
The moral of his thesis, however, is easy to see. When you come across the more sensational hacking claims, it may be worth questioning ulterior motives before immediately believing the worst. A lot of it didn’t happen, and isn’t true. I don’t even have a hamster.