Information Warfare: “Breaking News” considered harmful

René Pfeiffer / August 31, 2016 / Discussion, High Entropy

Eight years ago the stock of UAL took a dive. Apparently a six-year-old news article resurfaced via Google. Googlebot, which is used to index news sites, confused one of the most popular web articles of The Sun-Sentinel with breaking news. The story contained the words “United Airlines Files for Bankruptcy”. Unfortunately a software error turned the date of the original story from 10 December 2002 to 6 September 2008. And so this little piece of misinformation, a product of accidental time travel, caused a lot of havoc with UAL’s stock price. A little misunderstanding. Fortunately it was not a cyber attack, because the word was used rarely back then.

Breaking news can break things, hence the name. It happens with data leaks, password leaks/breaches (depending on which side you are on), incomplete reports, social media, and many more channels we use on a daily basis. The fast spread of partial information wreaks a lot of havoc in information technology. Confusion starts to spread as well. Has it really happened? Where is the proof? Am I affected? Who needs to be warned? How can the problem be fixed? You often need to dig through a couple of sources to decide. This is not helpful. We already have plenty of bad news. There is no need to spread important pieces all over the network(s). Sadly a lot of vulnerabilities are still reported in this manner. And we haven’t even touched the “every bug needs a logo” discussion yet.

Information security needs hard facts, clear statements, and peer review. Especially when it comes to critical infrastructure we need to know what’s going on. Critical can be a pacemaker, energy supply, or even the software library everyone uses. The use of social media aggravates the problem. You simply cannot push sufficient information about a critical vulnerability out into the world by using 140 characters. Simplify all you want, sometimes your message won’t fit into the bottle (unless you like to hash the message; SHA-1 allows you to tweet the complete works of Charles Dickens). Do proper research, take your time, test, make sure what you see is real, then publish; and no one will accuse you of waging information warfare. DeepSec’s full description includes the term “in-depth security conference”. In-depth is what gets you out of the shallow waters and away from the rocks.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.