Harry Potter Real-World PSYOPS
Information was recently leaked to a number of security mailing lists claiming that the unpublished manuscript for the upcoming Harry Potter and the Deathly Hallows (due for release in July) had been stolen via the compromise of a system at the publishing company that will be responsible for the eventual release of the book.
Claiming to have used nothing more than freely available exploit information and a little bit of social engineering, the individual claiming to have stolen the manuscript claims that they found the manuscript after looking around the system and network that they gained access to as a result of a publishing company employee interacting with a malicious email that the attacker sent.
Accompanying the claim on the security mailing lists were key plot points that were being kept hidden until after the books were to be released. To complete the appearance of a legitimate breach, the message that presented the claim had enough grammatical and spelling errors mixed in with the self-confident hubris that tends to be displayed when previously unknown individuals are going for fame or infamy and respect from Information Security researchers.
The only problem was that it was all fake.
Such wild claims presented in a believable manner were guaranteed to attract a lot of attention from a wide variety of sources, with a very large number being completely fooled by the 'disclosure'. This list included:
- More than 200 media outlets (including BBC, CNN, Reuters)
- 10,000+ blogs, and
- Numerous global television reports
Even noted security experts such as Bruce Schneier and the ISC have been somewhat taken in by the claims, though they do express their doubts about the veracity of the claims. The ISC use it as an example as to why it is important to apply appropriate protection to Intellectual Property and how easy it can be to have everything completely compromised.
In a followup posting, from a different account, the people behind the hoax identified that the manuscript had not been stolen, it was a very well created experiment in Psychological Operations (PSYOPS) as applied to Information Security / Warfare. The key elements that were used to create the hoax were:
- A futile but really widespread subject for which an high expectation is already set worldwide
- A salad of religion, technology and language
- An accurate choice of the entry point in the information flow.
Other significant historical cases where a system compromise has led to the loss of commercially sensitive information includes Valve, when early stage code and artwork for Half Life 2 was stolen after a system was compromised; Cisco, where it was claimed that source to IOS was stolen; and Microsoft, where partial source to Windows 2000 was stolen after a 'shared source' partner suffered a system compromise.
Who was behind the unique PSYOPS operation? From clues scattered throughout the messages released up until now, it appears that whoever was responsible is from Europe. Having said that, someone who is careful enough to create such a believable operation should know enough about the idioms, phrasing, spelling, and formatting conventions of various regions to know how to fake their location as well.
As an example, consider the different methods that can be used to represent numbers of greater than 1,000. Some countries will use a comma as the separator between each group of thousands, while others will use a period - saving the comma for the decimal separator. The following numbers are equivalent, just differing in representation:
Other formatting variations can include using a space as the thousands separator and placing the currency symbol after the value, rather than before it.
There are already enough hoaxes and fake manuscripts circulating about the final volume of Harry Potter - readers who are actively awaiting the release of the book should just wait until the book is actually released to find out the key plot secrets they are so keenly awaiting.
25 June 2007
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.