Original URL: https://www.theregister.com/2003/02/07/security_experts_duped_by_slammer/

Security experts duped by Slammer ‘jihad’ rot

It's a jungle out there

By Thomas C Greene

Posted in Security, 7th February 2003 23:01 GMT

Tech writer Brian McWilliams, who often covers the security beat, has seen an experiment of his blow up in someone else's face, with a decent shower of egg to boot.

Posing as the operator of a radical Islamic Web site called Harkat-ul-Mujahideen (HUM), McWilliams, aka Abu Mujahid, persuaded Computerworld security hack Dan Verton that he had authored and unleashed the notorious Slammer worm against the world's computing infidels in the name of Allah.

As evidence of the Slammer cyber-attack, 'Brian Mujahid' offered a hilarious numerological insight, to the effect that the worm's first push command contains the number 42, which is a signature. If we assign numerical values to the alphabet in order, the letters HUM added together would yield 42. (Douglas Adams fans kindly stop snickering.)

Verton catches that one, checking with geeks at iDefense who assure him that the worm's code is too lean for signatures, and further that he's not thinking about it quite right; there's no 42 just sitting there at the end of a line.

So the money's on Verton at this point; he's just caught his Mr Mujahid in one of those not-quite-right claims that send up signal flares to experienced journos -- which Verton definitely is.

Ah, but the cyber-terrorism angle is just too sexy. So Verton covers himself by re-capping the iDefense skepticism in his copy, and presses on.

These Harkat-ul-Mujahideen ninjas are some bad dudes, Verton later learns.

"U.S. intelligence officials allege that HUM, formerly known as Harkat-ul-Ansar, has ties to al-Qaeda and Ahmad Omar Sheikh, who was arrested for the January 2002 kidnapping and murder of Wall Street Journal reporter Daniel Pearl. The group operates primarily in Pakistan and the Kashmir region, but it has also run terrorist training camps in eastern Afghanistan, according to a U.S. Navy profile," Verton explains.

Even the FBI's crack force of cyber-braniacs at the National Infrastructure Protection Center (NIPC) worry about them.

"Bill Murray, a spokesman for the FBI's National Infrastructure Protection Center, would not call members of HUM suspects, but he did say that an NIPC analyst has looked into the group in connection with the Slammer investigation."

At this point Verton may, or may not, have uncovered the world's first genuine act of al-Qaeda cyber-terrorism.

Meahwhile, McWilliams defaced his own Web site in the true script-kiddie tradition, making it appear that pro-Western patriots had attacked it. On the basis of that little gem, self-proclaimed security experts mi2g promptly declared the start of yet another cyber-war in the true media-whore tradition.

The Inquirer tells us that "according to mi2g, HuM is linked to al-Qaeda and to terrorist attacks in Kashmir. Murdered Wall Street Journalist Daniel Pearl was investigating this organization, it says."

Meaty stuff to be sure, until McWilliams 'fessed up to his cyber-shenanigans. He had originally registered the site harkatulmujahideen.org after its registration expired in quest of insight into the ways and means of terrorists, but ended up getting over on mi2g and Verton, and in the process creating a very good object-lesson for journalists.

"I wondered if Verton, a former Marine intelligence officer and a self-proclaimed security expert, would attempt to verify whether harkatulmujahideen.org was actually operated by the Harkat. Would he rely exclusively on information fed to him by e-mail without some other corroboration: telephone, for example? Would he check the headers of those e-mails to see if they were sent from Pakistan or some other place in the Middle East?

"Would he even do a Google search on harkatulmujahideen.org and find a citation of a Newsbytes article I wrote in Feb. 2002 about how the domain's registration had lapsed and was picked up by a Tennessee company? Would he pay attention to the red flags, or would he brush them aside because he wanted to believe what he saw?

"I also wondered how mi2g and other security firms would react to an apparent defacement of Harkatulmujahideen.org. Would they pitch the event to reporters as the start of a cyber-war on Islamic extremists? Would those reporters simply parrot back what mi2g told them without doing any real digging of their own?

"As my bungled experiment proved, even Verton -- whose book about teenage hackers claims he is 'one of the leading technology journalists in the country' -- can apparently be fooled by fake e-mails, phony web sites, and wild claims, in a desire to get a big scoop on a hot topic."

While McWilliams half-apologizes for what he did, and says he regrets that the hoax on Verton went as far as publication, a number of people think he did a service to tech journalism, particularly to those of us who cover security and hacking. In one sense, McWilliams has done a bit of investigative journalism on journalism, and that's not a bad thing, even if it wasn't quite his intention. He's demonstrated the inclination of journos and security consultants to jump on any dessicated scrap of hacker drivel and try to sell it.

As BK DeLong wrote in a post to the Politech mailing list, "I think Brian McWilliams did have a successful result in his registration of the domain name: he exposed yet another reporter and so-called "security intelligence" company who will eat up anything and regurgitate it as either news or resellable intel sans any verification at all. Kudos to Brian."

As for Verton, he's since posted his own explanation, largely blaming McWilliams for being mean and underhanded, and giving short shrift to his own palpable failure to apply the essential lessons of journalism 101.

Admittedly, there are pressures: journos deal with tight deadlines and have to juggle multiple stories simultaneously, an absolute recipe for careless mistakes. And I'd be hypocritical if I failed to note that I've been the victim of my own carelessness, as I'm sure every one of my colleagues has been.

But when it happens, the reader deserves an apology. Unfortunately, Verton doesn't apologize: he explains and whines and accuses McWilliams of "an elaborate scheme to dupe security companies and journalists." He then goes on to dish more dirt on McWilliams, regarding his surreptitious monitoring of a private conference call and subsequent spilling of secret beans in his column. I call that aggressive reporting, though definitely a bit over the line. Verton calls it despicable, and hopes you'll forget that he's the one who failed to check his facts here.

We can all feel sympathy towards Verton; we've all been there, caught petting the puppy when we should have been working, and it's painful to confess in public that you've been taken in by a hoax. But I find my sympathy dissipating rapidly when I read his whiny explanation. When it comes time for a journalist to face up to his own failure to check basic facts, it needs to be done in a straightforward manner, without the window-dressing of scapegoats and appeals to pity. 'The Devil made me do it' just doesn't cut it. ®