In a Feb. 6 blog, Gartner analyst Paul Proctor applauded NBC News for pointing out the “critical condition of cybersecurity” by showing how easy it is for a foreigner to get hacked in Russia.
He also excoriated NBC News and the non-technical press in general for demonizing hackers, overstating the danger of obvious spam and identifying as an epidemic the technological equivalent of drinking a test-tube-shot of cholera to see whether invisible pathogens might be dangerous.
In a video report posted Feb. 4, NBC News reporter Richard Engel, with the help of a security analyst, two fresh laptops, a new cell phone, and a fake identity, pretended to go online with the technical naiveté of a Neanderthal housepet. (Engel’s video blog is here. A text writeup in The Huffington Post is just as inaccurate but allows readers to skip some of the gormless anxiety of the video.)
Almost as soon as he turned on the phone in the Sochi airport, Engel reported hackers snooping around, testing the security of the machines. Engel’s story didn’t explain whether “snooping around” meant someone was port-scanning his device in particular with the intention of cracking its security and prying out its secrets, no matter how much effort it took, or if the “snooping” was other WiFi devices looking for access points and trying automatically to connect with those that were unprotected.
Judging from the rest of his story, it was more likely the latter.
Engel reported more snooping immediately after connecting one laptop to the Internet. Within minutes he’d received a suspicious, “customized phishing” email in his mailbox.
“I have 3 customized phishing emails sitting in my junk mail right now,” Proctor scoffed. “So do you.”
Spam actually decreased 2.4 percent, but still made up 68.3 percent of all email on the Internet during the the third quarter of 2013, according to Kaspersky Labs, a (Russian) security software-development firm. Malicious files were attached to 3.9 percent of all emails. Phishing emails were three times as numerous during the third quarter as the previous year, but still made up only 0.0071 percent of all email, the Kaspersky report found.
Exploring the threatening Russ0-Hacker fringe even further, Engel “did a little browsing and almost immediately landed on a site that infected our brand-new phone.”
“So they had to surf to an infected site for the demonstration. Those pesky Russian hackers!” Proctor wrote of NBC’s everything-in-your-home-will-kill-you approach to risk analysis.
Engel also reported hackers snooping around a honeypot set up by his security consultant which, as Proctor also pointed out, is like leaving the honey open and complaining when it attracts flies.
During a segment on NBC Nightly News, Engel told anchor Brian Williams “the State Department warns that travelers should have no expectation of privacy, even in their hotel rooms. And, as we found out, you are especially exposed as soon as you try to communicate with anything.”
Yes. You are. Because when you try to communicate with anything, it also tries to communicate with you. That’s how networked computers work. They communicate with each other.
None of the “hacks” or intrusions Engel created or sought out for himself have anything to do with Russia or Sochi, however. Every single “hack” Engel experienced could have happened in any Starbucks in the country, and does almost every day, Proctor wrote. That’s why there is antivirus software for phones and laptops. It’s why every expert, document, video, audio clip or even game that has anything at all to do with cybersecurity makes sure to mention you should never open attachments from spam email, or in email from people you don’t know, and you should set up your browser to keep random web sites from downloading and installing anything they want on your computer.
“NBC missed an opportunity to point out that you are not really ‘safe’ anywhere,” Proctor wrote.
Except it’s worse than that. Russia genuinely is a major source of cyberattacks – both state-sponsored espionage and criminally organized attacks for financial gain. The author of the BlackPOS malware variant that caused the Target data breach is alleged to have been a Russian teenager who sold the code on one of Moscow’s many online black-market hacker-supply marts, while the attackers themselves may have been Romanian.
Nothing Engel said had anything to do with the increasing volume of cyberattacks on the U.S. from Russia, on Russia from the U.S., and from China to everyone. It said nothing about the increased risk of attack on consumers using cryptography backdoored by the NSA for its own convenience.
Nothing Engel said hinted that, especially for Americans, having hackers eavesdrop on your cell-phone calls represents a net increase in privacy because the NSA is so much better at it within the U.S., but probably restrains itself in Russia.
Sochi does genuinely have a privacy problem, but hackers have nothing to do with it.
It is legal in Russia for the police to secretly monitor the telephone calls and Internet activity of people inside the country, with no warrant, National Security Letter or NSA whistleblower scandal required before approval.
Russia’s FSB secret police use a system called “Sorm” to monitor Internet and telephone calls nationwide. Last summer, to get ready for the sudden influx of interesting cellphone conversations and Internet connections the Olympics would bring, the FSB did a huge upgrade of the Sorm network in the regions around Sochi.
The system’s network backbone not only got an upgrade so it could handle the volume, it got a deep-packed-inspection capability and content recognition systems.
Sorm was authorized in 1995 and went into operation in 2000, according to the U.S. State Department. “Business travelers should be particularly aware that trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities,” according to agency warnings written long before NBC News discovered that spam exists or that downloading software from malicious sites leads to infections.
Surveillance is so pervasive in the area of Sochi, specifically, that the Russian deputy prime minister tried to rebut a Wall Street Journal story about incomplete or crumbling hotel rooms by claiming sabotage – which he could prove using video from surveillance cameras in hotel showers,” according to TheWire.
That qualifies as a privacy and security problem.
Backdoors and flaws purposely introduced into security products at the behest of state security agencies, or the convenience of vendor support techs, are privacy and security problems.
Script kiddies using packet sniffers and password collectors to eavesdrop on the latte-sipping hordes in Starbucks are a privacy and security problem.
A talking head discovering it’s possible to allow a phone and laptop to be compromised anywhere in the world if you try hard enough, might be a failure of judgment or IQ, an or indication that you don’t really care if a story is accurate, or even relevant, before you warn millions of consumers that it’s a fact.
It’s not whatever Engel and NBC News were trying to pretend it was, whether they understood that or not.