New York Times on Iran: Now With “Cyber”!

Today the Newspaper of Record published a front-page article about the recent “hacking” of banks in the United States. I usually like articles from NY Times technology writer Nicole Perlroth, but this article had a couple of serious flaws that I think should be addressed.

I knew this article was going to be problematic when my first impression was made:

[Image: nytimesHacking]

I’m pretty sure it’s the editor (or web editor) who makes the call on summary text, but apparently elite hacking skills are clear-cut evidence of Iranian involvement.  The language also gently suggests to the reader that this is a state-sponsored group, rather than non-state actors – after all, only a nation-state could be this powerful!

Of course, I immediately think of Moxie Marlinspike’s 2011 Black Hat talk, specifically where he discusses the Iranian attack on Comodo (the video is worth a watch – the part on Comodo starts at 5:00).  Comodo went on and on about how the attacker had “clinical accuracy” and eventually came to the erroneous conclusion that this was a “state-driven attack.” The attacker landed on Moxie’s own site after watching a Hak5 entry-level tutorial on man-in-the-middle attacks, giving a strong indication that this person was not quite as talented as Comodo’s CEO asserted.

I don’t like critiquing writing style to start this off, but the cringe-worthy end to the second paragraph cannot be bargained with:

Security researchers say that instead of exploiting individual computers, the attackers engineered networks of computers in data centers, transforming the online equivalent of a few yapping Chihuahuas into a pack of fire-breathing Godzillas.

I get that the Times’ readership may not always fully grasp technical issues (and that’s okay!) but the Chihuahuas-into-Godzillas analogy is not helping anyone. Maybe explain why data centers are a more useful target than run-of-the-mill PCs and laptops?

The next couple of paragraphs underscore the Iran angle by quoting a former official, but then the article moves on to drop this bombshell:

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

So there’s no “technical evidence” yet (unless you count the “level of sophistication” as evidence). And despite this lack of evidence, apparently it’s already been determined that disruption is the goal rather than profit. And to take that a step further, that’s also an earmark of state-sponsored attacks! Except when it’s not, which is pretty much every Anonymous action ever (with a few exceptions). Say what you will about Anonymous, but if there’s one thing you wouldn’t call them, it’s state-sponsored.

Finally, in paragraph 15, mention is made of the group claiming responsibility for the attacks. And in paragraph 17, mention is made of the cyberweapons deployed by (presumably) the United States – Stuxnet, Duqu, and Flame. To be fair, there was mention earlier in the article that these recent attacks were retaliation for “online attacks” waged by the United States, but it does not mention these by name, which I think is an important fact to make readers aware of.  If you believe that the state of Iran is behind this (definitely a possibility, though not as foregone a conclusion as this article implies), then this is retaliation, pure and simple – the banks are essentially paying for the cyberattacks waged against Iran.

As the article draws to a close, some additional insight is offered as to why these are being called state-sponsored attacks: because they can’t easily find the command-and-control centers!

In an amateur botnet, the command and control center can be easily identified, but Mr. Herberger said it had been nearly impossible to do so in this case, suggesting to him that “the campaign may be state-sponsored versus amateur malware.”

In conclusion, writing this article without technical evidence of a crime (i.e. basing it off of what US officials are saying) is ridiculous, and reminds me of the same non-fact-based cheerleading done in the lead-up to a different war several years ago.
