Another BIG hack that wasn’t

No time to do a full analysis but the basics are a story out of Israel of a tunnel that was hit by a sophisticated cyber attack that caused a… traffic jam. The story went out on the Associated Press newswire on a Sunday afternoon so by Monday morning it was pretty much everywhere you looked.

The “attack” was supposedly a “classified matter” involving “a Trojan horse attack” that targeted the security camera system in the Carmel Tunnels toll road on Sept. 8. The attack caused an immediate 20-minute lockdown of the roadway and then an eight hour shutdown the next day causing a pretty big traffic jam. Supposedly the attack was the work of “unknown, sophisticated hackers” which were then compared to Anonymous but not sophisticated enough to be nation state funded attackers from Iran.

Even just by reading this it sounds like a run of the mill malware infestation and not some targeted sophisticated state sponsored cyber attack. I mean why would anyone specifically target a tunnel? There is no money there, no intellectual property to be stolen, so unless your goal is to create an isolated traffic jam, whats the point? But there is more. The tunnel operators, CarmelTun, issued a statement saying Nope, no cyber attack here. And blamed the traffic jam on a “an internal component malfunction” and went on to say “this was not a hacker attack.”

@snd_wagenseil @4Dgifts @WeldPond more than one source confirmed.

— Daniel Estrin (@DanielEstrin) October 28, 2013

According to @DanielEstrin whose name is on the byline of the story, more than one source confirmed this Trojan Horse attack story and yet he did not bother to confirm with the people most likely to know, the actual operators of the tunnel.

So we can either believe the unnamed “cybersecurity experts” who warned of a sophisticated “Trojan horse attack” that was compared to Anonymous and was conducted for no monetary gain or intelectual property theft or we can believe the operators of the actual tunnel system itself. Who has more to gain here?

Late Update:
Looks like I am not the only one to think this might not have been a cyber attack.
“Cyberattack Against Israeli Highway System? Maybe Not”

Beyond Hype

Sometime an article comes along that is just beyond the traditional sort of hype I usually rant about. In other words its just plain wrong. “How They Popped The Penguin: The Bash Attack And What It Means For Linux Data Security” by Michael Venables, which somehow got posted to Forbes, of all places, is one of those rare pieces of…well, I’m even going to call it journalism. There is absolutely no fact checking whatsoever and according to the person interviewed for the article some of the facts are just entirely made up. Instead of me ripping this article apart line by line like I usually do I will instead share with you a list of a few of many many tweets that were posted in response.

“this is the most ridiculous, breathtakingly stupid article I read this year.”

“not even trying to do basic research or reach out to verify facts is failing at doing your one job.”

“I’m afraid I am putting @mpvenables on my bad list of journalists to never talk to. This also affects Forbes rank.”

“how did you guys read that? I got bored around paragraph 2″

“the new journalism: get the twitterverse to fact check, issue a correction later. #clownshoes”

“holy shit, I think I know what we’re submitting to hackin9 next time!”

“L M F A O”

“I’ve not seen a more clueless piece of journalism ever. Pwnie nomination”

“You are kidding right? This is not news.”

“Most retarded security article ever. When you don’t know, stfu ! WTF Forbes ??”

“that article made me want to open a vein. Thanks, @mpvenables.”

“PR person sends me a Bash Attack story on Forbes. I read it. I’m sorry I did. The hacker in me will sit and rage in silence.”

“I feel dumber for having read (half of) that”

“This is a great example of really really bad security journalism. Look upon it and weep.”

“”Dot so Good Anymore: The ‘ls -a’ Tactic and What It Means For Linux Hidden Files” #UpcomingForbesArticles”

“OMG that Forbes article. Facepalm city.”

“BRB OWNING SOME LINUX BOXES WITH A SOPHISTICATED BASH ATTACK”

“Good that Plaestinian hackers did not use the bash attack!”

 

 

UPDATE:
Perhaps a little late but the glorious Tumblr blog @sec_reactions has several posts on this article here, here, here, and here.

Some twitter quotes collected by @quine.

Anatomy of Hype, Take 2

I almost wasn’t going to write about the supposed cyber attack at the New York Times last week as reported by Fox Business because I just haven’t had the time but after the NASDAQ went down today and everyone and their brother started to speculate as to the nature of the ‘technical glitch’ I figured I should throw something together.

In my talk ‘Hackers and Media Hype or Big Hacks That Never Really Happened’ I mention that I see this sort of thing every day. That it is rampant throughout the tech press and often leaches over into traditional media outlets as well. I’ve detailed this sort of thing before as in this blog post ‘Anatomy of Hype’ however this time reporters Matt Egan and Jennifer Booton published their unconfirmed ‘cyber attack’ on the FOX Business website and while FOX takes a lot of shit for their style of nearly tabloid journalism they have a much greater reach than tech news outlets like ZDNet.

So lets see if we can piece together what happened here. At approximately 11:30 on August 14th 2013 the New York Times website went down. And by down I mean down hard, nytimes.com and nytco.com were both throwing up 503 site unavailable errors. Hey, shit happens, sites go down, they get fixed they come back up. As anyone who has ever worked on-call for an IT department will tell you despite backups, failovers and triple redundancies this happens ALL THE TIME.

tweet

By 11:53am, about half hour into the outage the official verified New York Times twitter account cited technical difficulties as the reason for the outage.

At 11:55am Matt Egan Matt Egan (@MattEgan5) and Jennifer Booton (@jbooton) pushed the first version (screenshot) of their story “Source: New York Times Website Hit by Cyber Attack”. Their entire basis for the story was ‘a source close to the matter’. A source they fail to identify. A source as it turns out wasn’t all that close to the matter after all.

By 12:31am, internal New York Times employees start referencing an internal email that cites a malfunctioning system patch as the cause for the outage. While Microsoft’s Patch Tuesday was the day before, which may or may not have been the cause of the outage, it made much more sense than a cyber attack.

At 12:47pm, a little over an hour into the outage the New York Times Official twitter account finally offers up an explanation citing a ‘server issue’.

In the face of all this new evidence did FOX Business pull the erroneous story about a cyber attack? Did Matt Egan and Jennifer Booton update their story to reflect the new information?

Well, they did update their story (screenshot), put they updated it with quotes that make it sound like there was still some sort of cyber attack, quotes that are obviously of a hypothetical nature. Quotes that appear to be taken completely out of context but which support the original erroneous hypothesis of a cyber attack.

One of the people who was quoted in the article said afterwards that the reporters came to him saying that they had already confirmed the cyber attack which was the only reason he agreed to speak with them. I have to ask, where was the confirmation? I have never been to journalism school but I suspect that Matt Egan and Jennifer Booton must have slept through the class on confirmation. I always thought you needed two independent sources to confirm a story. A lone ‘source close to the matter’ does not count as confirmation. Where were the FOX Business editors that reviewed this tripe before it was posted to the FOX Business website?

As I did with ZDNet I call on FOX Business to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether. Leaving a story such as this to fester on their website reflects poorly not just on FOX Business Matt Egan and Jennifer Booton but on the InfoSec industry as a whole, not to mention the damage that it is doing to the New York Times.

The excuse that it fast breaking new story does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. FOX Business has updated this story, several times, but the information is entirely skewed to support the original erroneous hypothesis.

So how about FOX, Matt, and Jennifer, can you take the high road and report the facts or do you prefer to wallow in the muck of fear, uncertainty, and doubt?

Update: Dave Lewis at CSO Magazine has also blogged about this story.

Anatomy of Hype

Lets see if I can break this down chronologically.

On July 12, 2012 a third party marketing firm hired by Verizon had a large database of Verizon user information ‘copied’. Verizon claims the incident was reported to authorities but no breach actually happened.

This statement from Verizon raises several questions. 1. Why did a 3rd party marketing firm have possession of this data which contained much more than just names and addresses. 2. How exactly was the data copied and 3. If there was no breach why were the authorities involved?

On Friday December 21st a twitter user with the handle @TibitXimer (since removed) posts to Twitter and Pastebin that he was in possession of 3 million leaked accounts including plaintext passwords of Verizon Wireless customers. ZDNet publishes an ‘exclusive’ Exclusive: Hacker nabs 3m Verizon customer records (title has since been changed) covering the supposed breach. Of course the original story had no comment from Verizon or any verification of the data.

With a little digging around I find the link to the original Pastebin post by @TibitXimer and his link to the data. A link that goes to a pay for download site. I thought that was a little odd and wasn’t about to pay to download a breach database. After making a few posts to Twitter I got a sample of the data.

I could tell right away that it was not Verizon Wireless data and it looked to me like possibly Verizon FiOS data. I also did not see any passwords, plaintext or otherwise. After sharing the data with some other security people we decided pretty quickly amongst ourselves that the data was very similar to some other data that had been floating around the net for a few months.

After attempting to get a response from @TibitXimer via twitter to confirm this new information his twitter account, pastebin link and download link all quickly disappeared.

By Saturday December 22nd Forbes writes an article Verizon Denies Hacker Leaked 300,000 Customers’ Data-UPDATE with an actual update from Verizon. ZDNet does not bother to update their article until 8:00PM EST that evening with nothing but a one-sentence denial from Verizon.

On Sunday December 23rd The Next Web seems to put all the pieces together After hacker disappears from Twitter, Verizon reveals customer data was leaked by a marketing firm and examines the
Verizon statement, the now disappeared @TibitXimer twitter feed and the statements from security professionals on the veracity of the data.

It is pretty obvious at this point that ZDNet has been trolled; while the results were spectacular (from a troll point of view) the troll itself was not very complicated or sophisticated. Now on Wednesday December 26th the original ZDNet story still stands with a one-sentence disclaimer from Verizon and a brief mention that the pastebin link no longer works. However, the still posted story makes no mention of the incorrectness of the data, its original source, its apparent age, the disappearance of the original poster and still alludes that this is a new Verizon breech.

I reached out to Charlie Osborne @ZDNetCharlie, the first name on the byline of the story, and asked if the story would be updated. She said that despite being listed first on the story she was not the lead contributor and therefore had no way to make edits. I’m not really sure I understand this, if my name was on the story I would want to make sure it was correct and would be calling my editor immediately even if it meant waking him up. I guess some people don’t care what their name gets attached to.

I shouldn’t be surprised at this as ZDnet has gotten rid of or lost all of their seasoned reporters. Charlie Osborne seems to have only recently begun writing technology after graduating with a medical anthropology degree. Zack Whittaker, who I presume is the lead contributor to the story hasn’t responded to my tweets asking for an update. He to has only recently started his writing career and it would appear that most of his stories lately have been centered on smartphones.

While I understand that new reporters need to start somewhere I would hope that ZDNet would have seasoned editors in place that would force fact checking, verification and confirmation of a story before publishing. Leaving a story such as this to fester on their website reflects poorly not just on ZDNet but on the InfoSec industry as a whole, not to mention the damage that it is doing to Verizon.

The excuse that it is Christmas does not fly; a news website has a responsibility to the public to publish accurate and timely information. There is no excuse in this modern age not to update stories with new information as it becomes available. ZDNet did update this story, twice, but the information they provided was inadequate and is now outdated.

I ask ZDNet to either completely rewrite the story on their site to reflect the currently known facts or to remove it altogether.

For those of you who have seen my talk ‘Media Hype in the Information Security Industry’ you should recognize that this is just another example of a big hack that never really happened. Unfortunately it will not be the last.

LATE UPDATE: It looks like I wasn’t the only one to notice the sloppy reporting at ZDNet on this story. Dissent at the Dataloss DB has published Fool us once, shame on you. Fool us twice, we implement policies!

Hackers and Media Hype or Big Hacks That Never Really Happened

I have been giving my talk “Hackers and Media Hype or Big Hacks That Never Really Happened” for a few months now and I think it is time to retire it. You may have seen it at Shmoocon Epilogue, Source Boston or Hope 9. If not catch the video below. I also have the entire slide deck available including the bibliography if anyone is looking to check sources.

Here is the slide deck MediaHypeinInfoSec2012_HOPE.pptx

OMG the SCADA is Falling!!!

Let me say first that SCADA (supervisory control and data acquisition) attacks are real, they do happen and should be a real concern. But if we look at the recent press surrounding such attacks we see little in the way of any hard evidence that such an attack actually occurred. Instead we see rumor and accusation and a hell of of a lot of theory.

The most recent example is the report, first reported on by The Register that someone broke into a local water utility and caused a pump to fail by turning it off and on repeatedly. This is a completely plausible scenario but when we look a little closer at the report some holes start to develop.

The media gabbed a hold of this story and quickly spread it around, over sixty different articles that I can find so far, yet none of them cite ANY primary sources for the incident. That’s Journalism 101 folks, and I didn’t even take journalism class. The Register article quotes Joe Weiss, a managing partner for Applied Control Solutions talking about the attack. This would seem to lend provenance to the story and that the attack actually happened, but Weiss was not a primary source. Most of his quotes are hypothetical and refer to an ‘official government report’ that he refused to name. Weiss refused to state which water district was targeted other than to say the report was released on November 10th. According to Weiss a software vendor lost control of its customer username and password database which allowed attackers, who had been traced back to Russia, access to the systems.

The Register at least got a comment from the US Department of Homeland Security indicating the utility in question was located in Springfield, Illinois. I’m not sure why the Register did not pick up the phone and call Springfield but Kim Zetter from Wired did call. The Springfield water department denied it was them and said the attack took place in the Curran-Gardner water district. When she called Curran-Gardner they hung up on her.

By the time the story made it to C|Net they actually had a quote from DHS.


“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield Ill.,”
DHS spokesman Peter Boogaard said in a statement. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The key words that I see are ‘no credible corroborated data’ – Bingo! Now, it is possible that DHS is downplaying this so as to not cause widespread panic but lets face it, this is DHS, their whole reason for existing is wide spread panic. So if they say there is ‘no credible corroborated data’ I’m going to go with that.

So what facts do we have that can be confirmed? I think it is pretty safe to say that a water pump somewhere in Illinois failed. I also think it is pretty safe to say that some secret government report blamed that failure on Russian hackers. Thats it. Everything else is pure speculation.

Now lets read between the lines shall we? Lets assume that a pump somewhere in Illinois, over the course of several weeks or even months turned itself off and on and failed. Pumps fail all the time, it happens, doesn’t mean they were hacked. Unfortunately we don’t know what kind of pump, who manufactured it or how long it had been turning off and on before someone noticed. Now what if the code controlling this system was flawed in such a way that the control loop code wasn’t working properly? Control loops are tricky things and it is easy to screw them up, especially if your a pump manufacturer and don’t really pay attention to closely to the software that controls them. Now I have no more evidence to say that this was a software glitch than I do to prove it was an external intrusion. But doesn’t a control software glitch sound a hell of a lot more possible than a russian breaking into a small Illinois township water district?

I think @Jack_daniel said it best “No one sentient doubts the vulnerability of SCADA systems, but for the love of $DEITY SHARE REAL DETAILS or crank up the skeptic settings.”

Late Update:

“Whether the burnout of that pump was related to this what might or might not have been a hacking, we don’t know,” said Don Craven, a water district trustee.”

That pretty much settles that in my book.

Although I have to share one last quote from the Curran-Gardner Water District trustee “I drank the water this morning.”

- SR

2011.11.25 – Update
One last update, looks like those strange Russian IP addresses actually came from Russia! Via a contractor who had authorized remote access. Imagine that. Yup, blame the contractor.

- SR