Information Warfare: “Breaking News” considered harmful
Eight years ago the stock of UAL took a dive. Apparently a six-year-old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words “United Airlines Files for Bankruptcy”. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation, a product of the time travel, caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then.
Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are on), incomplete reports, social media, and many more channels we use on a daily basis. The fast spread of partial information wreaks a lot of havoc in information technology. Confusion starts to spread as well. Has it really happened? Where is the proof? Am I affected? Who needs to be warned? How can the problem be fixed? You often need to dig through a couple of sources to decide. This is not helpful. We already have plenty of bad news. There is no need to spread important pieces all over the network(s). Sadly a lot of vulnerabilities are still reported in this manner. And we haven’t even touched the “every bug needs a logo” discussion yet.
Information security needs hard facts, clear statements, and peer review. Especially when it comes to critical infrastructure, we need to know what’s going on. Critical can be a pacemaker, energy supply, or even the software library everyone uses. The use of social media aggravates the problem. You simply cannot push sufficient information about a critical vulnerability out into the world by using 140 characters. Simplify all you want, sometimes your message won’t fit into the bottle (unless you like to hash the message; SHA-1 allows you to tweet the complete works of Charles Dickens). Do proper research, take your time, test, make sure what you see is real, then publish; and no one will accuse you of waging information warfare. DeepSec’s full description includes the term “in-depth security conference”. In-depth is what gets you out of the shallow waters and away from the rocks.