With the recent buzz arround the pwnage of the fist Belgian telco operator, media are again surfing the wave of cyber-[threats|criminality|espionage|*]. They know that, today, an article with the word “cyber” in the title will attract more people! Usually, I try to not trust (or at least to be very careful) with the stories reported by media. When I see how they treat a subject that I understand, I’m really scared about what they tell me about topics that I don’t master.
This new story is feeding the press with “honeyed cakes” and we see more and more papers or reportages about “hacking“. Yesterday, VTM, a TV channel broadcasting in the Dutch part of Belgium, released a reportage about a vulnerable website of a Belgian city and the Russian Visa Handling Services (link to the video here - in Dutch). Shocking but that’s a fact. Today, they released an interview of a bad guy (I won’t call him a “hacker“!) who explained how easy it is to break into a vulnerable website. The second video is here.
Showing a (very basic) SQL injection, a hidden face and distorded voice, I call this sensationalism! I can imagine that journalists are looking for stuff like hackers in a dark room eating pizzas in front of screens showing scrolling text files. But let’s focus on the bad guy now… I suppose he was contacted by a journalist who asked him if he would accepted an interview and to “play” a little bit in front of his camera.
There are two aspects that can be discussed here. The first one is called “ethic“. Yes, infosec professionals have ethical codes. Most of us follow them. Never, I’ll “hack” something (which does not belong to me) for fun or profit. The second one is the Belgian law. What demonstrated the guy is simply forbidden in Belgium. This guy could be prosecuted if the Belgian city decides to go to Court. Which connectivity was used? The VTM network or a Belgian ISP? There are great chances that the guy will be discovered. If the journalist asked to perform the illegal stuff, it could be prosecuted too. If you need to demonstrate attacks, do this in a closed environment and not directly on public resources. If you need to break stuff, train yourself in one of the multiple CTF (“Capture The Flag”) games organized online or during conferences.
Conclusions: Dear journalists and “bad guys“, please do not cross the red line!