Slashdot Mirror

An anonymous reader quotes a report from Ars Technica: The attacker who infected servers and desktop computers at the San Francisco Metropolitan Transit Agency (SFMTA) with ransomware on November 25 apparently gained access to the agency's network by way of a known vulnerability in an Oracle WebLogic server. That vulnerability is similar to the one used to hack a Maryland hospital network's systems in April and infect multiple hospitals with crypto-ransomware. And evidence suggests that SFMTA wasn't specifically targeted by the attackers; the agency just came up as a target of opportunity through a vulnerability scan. In an e-mail to Ars, SFMTA spokesperson Paul Rose said that on November 25, "we became aware of a potential security issue with our computer systems, including e-mail." The ransomware "encrypted some systems mainly affecting computer workstations," he said, "as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers." That description of the ransomware attack is not consistent with some of the evidence of previous ransomware attacks by those behind the SFMTA incident -- which Rose said primarily affected about 900 desktop computers throughout the agency. Based on communications uncovered from the ransomware operator behind the Muni attack published by security reporter Brian Krebs, an SFMTA Web-facing server was likely compromised by what is referred to as a "deserialization" attack after it was identified by a vulnerability scan. A security researcher told Krebs that he had been able to gain access to the mailbox used in the malware attack on the Russian e-mail and search provider Yandex by guessing its owner's security question, and he provided details from the mailbox and another linked mailbox on Yandex. Based on details found in e-mails for the accounts, the attacker ran a server loaded with open source vulnerability scanning tools to identify and compromise servers to use in spreading the ransomware, known as HDDCryptor and Mamba, within multiple organizations' networks.

Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen: PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?

Just last month Brian Krebs wrote "What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale," warning that countless ISPs still weren't implementing the BCP38 security standard, which was released "more than a dozen years ago" to filter spoofed traffic. That's one possible solution, but Slashdot reader dgallard suggests the PEIP and Fair Service proposals by Don Cohen: PEIP (Path Enhanced IP) extends the IP protocol to enable determining the router path of packets sent to a target host. Currently, there is no information to indicate which routers a packet traversed on its way to a destination (DDOS target), enabling use of forged source IP addresses to attack the target via packet flooding... Rather than attempting to prevent attack packets, instead PEIP provides a way to rate-limit all packets based on their router path to a destination.
I've also heard people suggest "just unplug everything," but on Friday the Wall Street Journal's Christopher Mim suggested another point of leverage, tweeting "We need laws that allow civil and/or criminal penalties for companies that sell systems this insecure." Is the best solution technical or legislative -- and does it involve hardware or software? Leave your best thoughts in the comments. How can we prevent packet-flooding DDOS attacks?

"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras. An anonymous reader quotes Fortune: Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."

"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser known makers of routers and cameras. An anonymous reader quotes Fortune: Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."

Earlier today, Dyn, an internet infrastructure company, was hit by several DDoS attacks, which interestingly affected several popular websites including The New York Times, Reddit, Spotify, and Twitter that were directly or indirectly using Dyn's services. The attack is mostly visible across the US eastern seaboard with rest of the world noticing a few things broken here and there. Dyn says it's currently investigating a second round of DDoS attacks, though the severity of the outage is understandably less now. In the meantime, the Homeland Security said that it is aware of the attack and is investigating "all potential causes." Much of who is behind these attacks is unknown for now, and it is unlikely that we will know all the details until at least a few days. The attacks however have revealed how unprepared many websites are when their primary DNS provider goes down. ZDNet adds: The elephant in the room is that this probably shouldn't have happened. At very least there's a lot to learn already about the frailty of the internet DNS system, and the lack of failsafes and backups for websites and tech companies that rely on outsourced DNS service providers. "It's also a reminder of one risk of relying on multi-tenant service providers, be they DNS, or a variety of many other managed cloud service providers," said Steve Grobman, chief technology officer at Intel Security. Grobman warned that because this attack worked, it can be exploited again. "Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions," he said. "We must place a premium of service providers that can present backup, failover, and enhance security capabilities allowing them to sustain and deflect such attacks." And that's key, because even though Dyn is under attack, it's the sites and services that rely on its infrastructure who should rethink their own "in case of emergency" failsafes. It may only be the east coast affected but lost traffic means lost revenue. Carl Levine, senior technical evangelist for NS1, another major managed DNS provider, said that the size and scale of recent attacks "has far exceeded what the industry thought was the upper end of the spectrum." "Large companies need to constantly upgrade their flood defenses. Some approaches that worked just a few years ago are now basically useless," said Kevin Curran, senior member with IEEE.We also recommend reading security reporter Brian Krebs's take on this.

pdclarry writes: While all of the recent news has been about hacking the Democratic National Committee, apparently the Republicans have also been hacked over many months (since March 2016). This was not about politics, however; it was to steal credit card numbers. Brian Krebs reports: "a report this past week out of The Netherlands suggests Russian hackers have for the past six months been siphoning credit card data from visitors to the web storefront of the National Republican Senatorial Committee (NRSC). [...] If you purchased a 'Never Hillary' poster or donated funds to the NRSC through its website between March 2016 and the first week of this month [October 2016], there's an excellent chance that your payment card data was siphoned by malware and is now for sale in the cybercrime underground." Krebs says his information comes from Dutch researcher Willem De Groot, co-founder and head of security at Dutch e-commerce site byte.nl. The Republicans were not alone; theirs was just one of 5,900 e-commerce sites hacked by the same Russian actors. You can view De Groot's analysis of the malware planted on the NRSC's site and other services here. Krebs adds: "The NRSC did not respond to multiple requests for comment, but a cached copy of the site's source code from October 5, 2016 indicates the malicious code was on the site at the time (load this link, click 'view source' and then Ctrl-F for 'jquery-cloud.net')."

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinary large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports:The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity: The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...

The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.

"After the massive 600gbps DDOS attack on KrebsOnSecurity.com that forced Akamai to withdraw their (pro-bono) DDOS protection, krebsonsecurity.com is now back online, hosted by Google," reports Slashdot reader Gumbercules!!.

"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...

Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.
One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."

"After the massive 600gbps DDOS attack on KrebsOnSecurity.com that forced Akamai to withdraw their (pro-bono) DDOS protection, krebsonsecurity.com is now back online, hosted by Google," reports Slashdot reader Gumbercules!!.

"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...

Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.
One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

Long-time Slashdot reader pdclarry writes: Brian Krebs reports that the two youthful (18-year-old) alleged proprietors of vDOS, the DDOS service have been arrested in Israel on a complaint from the FBI. They have been released on $10,000 bond each, their passports lifted, and they have been placed under house arrest, and banned from using the Internet for 30 days. They were probably identified through a massive hack of the vDOS database recently [reported Friday morning on Slashdot].

Krebs also reports that vDOS's DNS addresses were hijacked by the firm BackConnect Security to get out from under a sustained DDOS attack, and that his site, krebsonsecurity.com has been under a sustained DDOS attack since his last article was published, with the packets containing the string "godiefaggot". Those attacks continue, but, as he has been the target of many DDOS attacks in the past, he's covered by a DDOS protection firm. The two teenagers coordinated more than 150,000 denial-of-service attacks over the last two years, according to Krebs, using at least four servers in Bulgaria.

Long-time Slashdot reader pdclarry writes: Brian Krebs reports that the two youthful (18-year-old) alleged proprietors of vDOS, the DDOS service have been arrested in Israel on a complaint from the FBI. They have been released on $10,000 bond each, their passports lifted, and they have been placed under house arrest, and banned from using the Internet for 30 days. They were probably identified through a massive hack of the vDOS database recently [reported Friday morning on Slashdot].

Krebs also reports that vDOS's DNS addresses were hijacked by the firm BackConnect Security to get out from under a sustained DDOS attack, and that his site, krebsonsecurity.com has been under a sustained DDOS attack since his last article was published, with the packets containing the string "godiefaggot". Those attacks continue, but, as he has been the target of many DDOS attacks in the past, he's covered by a DDOS protection firm. The two teenagers coordinated more than 150,000 denial-of-service attacks over the last two years, according to Krebs, using at least four servers in Bulgaria.

pdclarry writes: Brian Krebs writes that he has obtained the hacked database of an Israeli company that is responsible for most of the large-scale DDoS attacks over the past (at least) 4 years. The vDOS database, obtained by KrebsOnSecurity.com at the end of July 2016, points to two young men in Israel as the principle owners and masterminds of the attack service, with support services coming from several young hackers in the United States. Records before 2012 were not in the dump, but Krebs believes that the service has actually been operating for decades. The report starts by saying, "vDos -- a so-called 'booter' service has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock websites offline -- has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets." In regard to how long the service has been operating, Krebs believes the service has been operating for decades "because the data leaked in the hack of vDOS suggests that the proprietors erased all digital records of attacks that customers launched between Sept. 2012 (when the service first came online) and the end of March 2016."

New submitter alir1272 quotes a report from Krebs On Security: Clothing store chain Eddie Bauer said today it has detected and removed malicious software from point-of-sale systems at all of its 350+ stores in North America, and that credit and debit cards used at those stores during the first six months of 2016 may have been compromised in the breach. The acknowledgement comes nearly six weeks after Krebs On Security first notified the clothier about a possible intrusion at stores nationwide. "The company emphasized that this breach did not impact purchases made at the company's online store eddiebauer.com," reports Krebs On Security.

Long-time Slashdot reader Lauren Weinstein writes: I'm told that Social Security Administration has now removed the mandatory cell phone access requirement that was strongly criticized... I appreciate that SSA has done the right thing in this case. Perhaps in the future they'll think these things through better ahead of time!
The web site now describes the "extra security" of two-factor cellphone authentication as entirely optional -- but security researcher Brian Krebs had also warned that the bigger risk was how easy it was to impersonate somebody else when creating an account online. He wrote Thursday that now "the SSA is mailing letters if you sign up online, but they don't take that opportunity to deliver a special code to securely complete the sign up. Go figure."

Brian Krebs reports: A Russian organized cybercrime group known for hacking into banks and retailers appears to have breached hundreds of computer systems at software giant Oracle Corp., KrebsOnSecurity has learned. More alarmingly, the attackers have compromised a customer support portal for companies using Oracle's MICROS point-of-sale credit card payment systems. Asked this weekend for comment on rumors of a large data breach potentially affecting customers of its retail division, Oracle acknowledged that it had "detected and addressed malicious code in certain legacy MICROS systems." It also said that it is asking all MICROS customers to reset their passwords for the MICROS online support portal. MICROS is among the top three point-of-sale vendors globally. Oracle's MICROS division sells point-of-sale systems used at more than 330,000 cash registers worldwide. When Oracle bought MICROS in 2014, the company said MICROS's systems were deployed at some 200,000+ food and beverage outlets, 100,000+ retail sites, and more than 30,000 hotels.

Slashdot reader DERoss writes: Effective 1 August, the U.S. Social Security Administration (SSA) requires users who want to access their SSA accounts to use two-factor authentication. This involves receiving a "security" code via a cell phone text message. This creates two problems. First of all, many seniors who depend on the Social Security benefits to pay their living costs do not have cell phones [or] are not knowledgeable about texting.

More important, cell phone texting is NOT secure. Text messages can be hacked, intercepted, and spoofed. Seniors' accounts might easily be less secure now than they were before 1 August... This is not because of any law passed by Congress. This is a regulatory decision made by top administrators at SSA.
In addition, Krebs on Security reports that the new system "does not appear to provide any additional proof that the person creating an account at ssa.gov is who they say they are" and "does little to prevent identity thieves from fraudulently creating online accounts to siphon benefits from Americans who haven't yet created accounts for themselves." Users are only more secure after they create an account on the social security site -- and Krebs also notes that ironically, the National Institute for Standards and Technology already appears to be deprecating the use of SMS-based two-factor authentication.

An anonymous reader writes from a report via Krebs On Security: A new report from the nation's National Crime Agency (NCA) warns that cybercrime has now surpassed all other forms of crime in the United Kingdom. "Cyber enabled fraud" was found to make up 36 percent of all crime reported, with "computer misuse" accounting for 17 percent. The report calls for stronger law enforcement and business partnership to fight cybercrime. One explanation for the growth of cybercrime reports in the U.K. may be that the Brits are getting better at tracking it. The report notes that the U.K. Office of National Statistics only began including cybercrime for the first time last year in its annual Crime Survey for England and Wales. "The ONS estimated that there were 2.46 million cyber incidents and 2.11 million victims of cybercrime in the U.K. in 2015," the report's authors wrote. "These figures highlight the clear shortfall in established reporting, with only 16,349 cyber dependent and approximately 700,000 cyber-enabled incidents reported to Action Fraud over the same period." The increasing sophistication of organized cybercrime gangs that develop and deploy targeted, complex malicious software may also be to blame for the rise in cybercrime. Dridex and Dyre were specifically mentioned in the report, which are aimed at emptying consumer and business bank accounts in the U.K. and elsewhere.

Security reporter Brian Krebs writes:GoToMyPC, a service that helps people access and control their computers remotely over the Internet, is forcing all users to change their passwords, citing a spike in attacks that target people who re-use passwords across multiple sites. Owned by Santa Clara, Calif. based networking giant Citrix, GoToMyPC is a popular software-as-a-service product that lets users access and control their PC or Mac from anywhere in the world. On June 19, the company posted a status update and began notifying users that a system-wide password update was underway.

An anonymous reader writes: "We have investigated reports of Twitter usernames/passwords on the dark web, and we're confident that our systems have not been breached," posted the company's security office, Michael Coates. In a blog post, he wrote that Twitter use HTTPS "everywhere" and secures account credentials with bcrypt, while also watching for suspicious account activity based on location, device type, and login history. Responding to recent reports of 32 million compromised accounts, he blamed malware and also recycled passwords, which mean "a breach of passwords associated with website X could result in compromised accounts at unrelated website Y."

"When so many breaches are announced in a short window of time, it may be natural to assume that any mention of 'another breach' is true and valid. Nefarious individuals leverage this environment in order to either bundle old breached data or repackage accounts from a variety of breaches, and then claim they have login information and passwords for website Z."
A security expert gave the same explanation to InformationWeek. And Brian Krebs recently pointed out that a Tweet claiming 73 million compromised Dropbox accounts was actually just recycling credentials from a 2013 breach at Tumblr. A recent breach of Mark Zuckerberg's Twitter account was attributed to a low-security password.

Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All of three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.

An anonymous reader writes:Security expert Brian Krebs says more than half a dozen financial institutions contacted him, "all asking if I had any information about a possible credit card breach. Every one of these banking industry sources said the same thing: They'd detected a pattern of fraud on cards that all had one thing in common: They'd all been used in the last few months at various CiCi's Pizza locations... The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company's point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang."

The pizza chain referred Krebs to an outside firm managing their restaurants, who referred him to an outside PR firm, so he eventually just contacted the chain's point-of-sale provider, Datapoint. They confirmed that the Secret Service was investigating several different point-of-sale vendors in "one particular franchise... All of these attacks have been traced to social engineering/Team Viewer breaches because stores from several POS vendors let supposed techs in to conduct 'support'."

An anonymous reader writes: A Moscow court this week convicted and sentenced seven hackers for breaking into countless online bank accounts -- including "Paunch," the nickname used by the author of the infamous "Blackhole" exploit kit. Once an extremely popular crimeware-as-a-service offering, Blackhole was for several years responsible for a large percentage of malware infections and stolen banking credentials, and likely contributed to tens of millions of dollars stolen from small to mid-sized businesses over several years. According to Russia's ITAR-TASS news network, Dmitry "Paunch" Fedotov was sentenced on April 12 to seven years in a Russian penal colony. In October 2013, the then 27-year-old Fedotov was arrested along with an entire team of other cybercriminals who worked to sell, develop and profit from Blackhole."He was helping a lot of gangs that were robbing Russian banks," Krebs tweeted, "They tend not to have a sense of humor about that."

An anonymous reader writes: A customer database as well as information about Verizon security flaws were reportedly put up for sale by criminals this week after a data breach at Verizon Enterprise Solutions. According to KrebsOnSecurity, "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise." The entire database was priced at $100,000, or $10,000 for each set of 100,000 customer records. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site," security journalist Brian Krebs reported. Verizon has apparently fixed the security flaws and has reassured its customers by saying "our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers" and that "no customer proprietary network information (CPNI) or other data was accessed or accessible."

An anonymous reader quotes a report from CNBC: A Kentucky hospital is operating in an internal state of emergency following an attack by cybercriminals on its computer network, Krebs on Security reported. Methodist Hospital, based in Henderson, Kentucky, is the victim of a ransomware attack in which hackers infiltrated its computer network, encrypted files and are now holding the data hostage, Krebs reported Tuesday. The criminals reportedly used new strain of malware known as Locky to encrypt important files. The malware spread from the initial infected machine to the entire internal network and several other systems, the hospital's information systems director, Jamie Reid, told Krebs. The hospital is reportedly considering paying hackers the ransom money of four bitcoins, about $1,600 at the current exchange rate, for the key to unlock the files.

An anonymous reader writes: Hackers have breached DDoS protection firm Staminus, a US-based company that offers protection against a range of network security attacks including, well, DDoS. The fraudsters have also reportedly stolen sensitive data from Staminus' database and dumped it online. Apparently the company was using the same root password for all its servers, and had stored credit card details in plain text. The alleged security nightmare doesn't end there, unfortunately. Hackers managed to expose crucial services via external Telnet, and reset all of Staminus' routers to factory settings, causing a network and services downtime. Staminus acknowledged network and services issues, which apparently last for more than 20 hours, on Thursday, and later assured that its global services have been restored.

itwbennett writes: You can add Seagate to the growing list (now up to 7) of companies hit by malware seeking W2 data on employees. As reported on Slashdot, Snapchat disclosed the last weekend of February that someone had posed as the company's CEO and received payroll data on 700 employees. The other companies hit by similar phishing scams so far are Central Concrete Supply Co., Mercy Housing Inc., Magnolia Health Corporation, BrightView, and Polycom. Seagate learned of the incident on March 1, and the story was broken by Brian Krebs after a former employee received a notice and reached out to him.

itwbennett writes: Over the weekend, Brian Krebs reported that Sam Glines, CEO of threat intelligence vendor Norse Corp., was asked to step down by the board of directors and employees were told that they could report to work on Monday, but that there was no guarantee they'd be paid for their work. 'Less than a day after Krebs published his article, Norse Corp.'s website was offline, and attempts to email the company failed,' writes CSO's Steve Ragan. 'The ever-popular Norse attack map was online for some of the weekend, but that too had gone dark by Sunday evening.' In the aftermath of the company's disappearance, the topic of flawed data and assumptions once again resurfaced in a blog post written by ICS expert, Robert M. Lee.

An anonymous reader writes: Credit card numbers are constantly being stolen, but the people who take them don't usually use them. Instead, they sell them to others who will. Many cards are traded at online forums and markets. Law enforcement investigators know this, and they use these forums to gather intelligence on breaches. But Brian Krebs writes that one of the biggest markets, Rescator, has implemented methods to screen out suspected law enforcement agents. Krebs says of a law enforcement source of his: "The criminals running the fraud shop seized his carding store account and bitcoin balance after the pig alert flashed on my source's screen — effectively stealing hundreds of taxpayer dollars directly from the authorities. .. I found his case fascinating and yet another example of the growing sophistication of large-scale cybercrime operations."

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

JustAnotherOldGuy writes: A Ukrainian man who allegedly tried to frame cyber-security expert Brian Krebs has been extradited to the United States and is due in Newark federal court today, prosecutors said. Sergei Vovnenko, known as "Fly," "Flycracker" or "Flyck," is thought to have been behind a 2013 plot to send heroin to cyber-security blogger Brian Krebs, a plot Krebs himself said he foiled because he was monitoring the site where it was hatched. "Angry that I'd foiled his plan to have me arrested for drug possession," Krebs wrote on his blog, "Fly had a local florist send a gaudy floral arrangement in the shape of a giant cross to my home, complete with a menacing message."

An anonymous reader writes: Security experts have warned that barcodes contained on airplane boarding passes could offer a detailed stream of information to malicious individuals, including data on travel habits and future flight plans. Brian Krebs explained yesterday that by using an easily available online barcode reader, attackers can retrieve a person's name, frequent flyer number, and record locator — information needed to access an individual's account and details of past and upcoming flights, phone numbers, and billing information, along with options to change seats and cancel flights.

An anonymous reader writes: Researchers from the University of California, Santa Barbara and others studied the economy of how criminals monetize stolen credit cards by operating reshipping scams as means to cash out, KrebsOnSecurity reports: "A time-honored method of extracting cash from stolen credit cards involves "reshipping" scams, which manage the purchase, reshipment and resale of carded consumer goods from America to Eastern Europe — primarily Russia. A new study suggests that some 1.6 million credit and debit cards are used to commit at least $1.8 billion in reshipping fraud each year, and identifies some choke points for disrupting this lucrative money laundering activity. [...] disrupting the reshipping chains of these scams has the potential to cripple the underground economy by affecting a major income stream of cybercriminals. By way of example, the team found that a single criminal-operated reshipping service can earn a yearly revenue of over 7.3 million US dollars, most of which is profit."

tsu doh nimh writes: Brian Krebs has an interesting and entertaining three-part series this week on how he spent his summer vacation: driving around the Cancun area looking for ATMs beaconing out Bluetooth signals indicating the machines are compromised by crooks. Turns out, he didn't have to look for: His own hotel had a hacked machine. Krebs said he first learned about the scheme when an ATM industry insider reached out to say that some Eastern European guys had approached all of his ATM technicians offering bribes if the technicians allowed physical access to the machines. Once inside, the crooks installed two tiny Bluetooth radios — one for the card reader and one for the PIN pad. Krebs's series concludes with a closer look at Intacash, a new ATM company whose machines now blanket Cancun and other tourist areas but which is suspected of being connected to the skimming activity.

tsu doh nimh writes: Brian Krebs has an interesting and entertaining three-part series this week on how he spent his summer vacation: driving around the Cancun area looking for ATMs beaconing out Bluetooth signals indicating the machines are compromised by crooks. Turns out, he didn't have to look for: His own hotel had a hacked machine. Krebs said he first learned about the scheme when an ATM industry insider reached out to say that some Eastern European guys had approached all of his ATM technicians offering bribes if the technicians allowed physical access to the machines. Once inside, the crooks installed two tiny Bluetooth radios — one for the card reader and one for the PIN pad. Krebs's series concludes with a closer look at Intacash, a new ATM company whose machines now blanket Cancun and other tourist areas but which is suspected of being connected to the skimming activity.

tsu doh nimh writes: Brian Krebs has an interesting and entertaining three-part series this week on how he spent his summer vacation: driving around the Cancun area looking for ATMs beaconing out Bluetooth signals indicating the machines are compromised by crooks. Turns out, he didn't have to look for: His own hotel had a hacked machine. Krebs said he first learned about the scheme when an ATM industry insider reached out to say that some Eastern European guys had approached all of his ATM technicians offering bribes if the technicians allowed physical access to the machines. Once inside, the crooks installed two tiny Bluetooth radios — one for the card reader and one for the PIN pad. Krebs's series concludes with a closer look at Intacash, a new ATM company whose machines now blanket Cancun and other tourist areas but which is suspected of being connected to the skimming activity.

An anonymous reader writes: Security reporter Brian Krebs, who has been instrumental in breaking news about the Ashley Madison hack, is now being threatened by the website's former CTO with a libel suit. Contained in the leaked data was a series of emails from the ex-CTO, Raja Bhatia, to the CEO of Ashley Madison's parent company. In the emails, Bhatia noted a security hole in a competing website, saying that he downloaded their user database and was capable of modifying and exposing it. After reporting on these emails, Krebs received a letter from Bhatia's lawyer (PDF) saying the post was libelous and defamatory. They demanded a retraction, which Krebs is thus far unwilling to do.

An anonymous reader writes: Security reporter Brian Krebs, who has been instrumental in breaking news about the Ashley Madison hack, is now being threatened by the website's former CTO with a libel suit. Contained in the leaked data was a series of emails from the ex-CTO, Raja Bhatia, to the CEO of Ashley Madison's parent company. In the emails, Bhatia noted a security hole in a competing website, saying that he downloaded their user database and was capable of modifying and exposing it. After reporting on these emails, Krebs received a letter from Bhatia's lawyer (PDF) saying the post was libelous and defamatory. They demanded a retraction, which Krebs is thus far unwilling to do.

An anonymous reader writes: Security reporter Brian Krebs, who has been instrumental in breaking news about the Ashley Madison hack, is now being threatened by the website's former CTO with a libel suit. Contained in the leaked data was a series of emails from the ex-CTO, Raja Bhatia, to the CEO of Ashley Madison's parent company. In the emails, Bhatia noted a security hole in a competing website, saying that he downloaded their user database and was capable of modifying and exposing it. After reporting on these emails, Krebs received a letter from Bhatia's lawyer (PDF) saying the post was libelous and defamatory. They demanded a retraction, which Krebs is thus far unwilling to do.

Dave Knott writes: Following the recent hacks on the infidelity website Ashley Madison, Noel Biderman has stepped down as CEO of both AshleyMadison.com and its parent company. Avid Life Media Inc., the company that owns the site and many others, announced Biderman's move in a short press release on Friday: "Noel Biderman, in mutual agreement with the company, is stepping down as chief executive officer of Avid Life Media Inc. (ALM) and is no longer with the company. Until the appointment of a new CEO, the company will be led by the existing senior management team." Before the data hack, the company was planning an IPO in London that would have taken in as much as $200 million from investors. According to regulatory filings, the company had $115 million in revenue last year, more than four times the amount it obtained in 2009.

Meanwhile, in related news, Brian Krebs (the reporter who first uncovered the hack) says he has uncovered clues to the possible identity of the hacker. Krebs says he noticed the Twitter account operated by a known hacker recently posted a link to Ashley Madison's stolen proprietary source code before it was made public. Intrigued by the poster's apparent access, he examined the account's posting history and noticed a predilection for the music of Australian hard rock band AC/DC. This jibes with the behavior of the hacker(s), who had displayed threatening messages on the computers of Ashley Madison employees, accompanied by AC/DC song Thunderstruck. In a series of tweets, the owner of the account, one Thadeus Zu, appears to deny that he was behind the hack, and indeed makes several suggestions that the account itself isn't even run by one person, but is instead an amalgam of like-minded digital vigilantes. The NY Times also reports that people whose details were contained in the leak are beginning to face threats of blackmail.

tsu doh nimh writes: It was bound to happen: Brian Krebs reports that extortionists have begun emailing people whose information is included in the leaked Ashleymadison.com user database, threatening to find and contact the target's spouse and alert them if the recipient fails to cough up 1 Bitcoin. Krebs interviews one guy who got such a demand, a user who admits to having had an affair after meeting a woman on the site and who is now worried about the fallout, which he said could endanger his happily married life with his wife and kids. Perhaps inevitable: two Canadian law firms have filed a class action lawsuit against the company, seeking more than half a billion dollars in damages.

pdclarry notes that many news outlets are reporting that 9.7 GB of data stolen from cheating website AshleyMadison.com has been published online. "The dump contains files with titles including 'aminno_member_dump.gz,' 'aminno_member_email.dump.gz,' 'CreditCardTransactions7z,' and 'member_details.dump.gz,' an indication that the download could contain highly personal details." Brian Krebs questioned the way this has been reported without confirmation, but added that he's been contacted by several people who found their own accurate details within the data dump. Many of the reports note this detail: "Assuming the download turns out to be authentic, people should remember that it was possible for anyone to create an account using the name and e-mail address of other individuals."

An anonymous reader writes: Brian Krebs reports that Ubiquiti Networks, known for their wireless networking hardware, has lost $46.7 million to a scam in which thieves were able to impersonate employees and initiate fraudulent wire transfers. Ubiquiti was able to recover only $8.1 million of the amounts transferred, and an additional $6.8 million is subject to legal injunction. Krebs explains, "Known variously as 'CEO fraud,' and the 'business email compromise,' the swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. ... CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name." The theft was disclosed in Ubiquiti's quarterly financial report.

heretic108 writes: According to KrebsOnSecurity, the infamous Ashley Madison affairs hookup website has been hacked by a group calling itself The Impact Team. This group is demanding the immediate and permanent shutdown of Ashley Madison, as well as similar sites Cougar Life and Established Man, owned by the same company: Avid Life Media. If the sites aren't shut down, the hackers are threatening to publicly release personal data for 37 million users. ALM has confirmed that a hack took place, and the hackers posted snippets of account data, as well as bank and salary information from the company itself.

A few weeks ago you had a chance to ask Brian Krebs about security, cybercrime and what it's like to be the victim of Swatting. Below you will find his answers to your questions. Cowards as affiliates
by japa

You appear dedicated on continuing reporting on cybercrime, even though it may result to harm you (swatting etc). How often have you come into situation where someone you work with states they don't want to work with you any longer as association to you may result them to being target for criminals or some such?

Krebs: I don't think I've had anyone unfriend me or stop talking to me because of what you describe, but it happens fairly often that I hear from strangers who have some information to impart but who are nervous about anyone finding out it was them who shared it.

Mostly, this comes from researchers who say they want to share some findings about something -- a specific cybercrime actor, site or service -- but in no way do they wish to be named, cited, credited or in any way referenced. It's impossible to know how many people decide it's not worth reaching out because of such concerns, but I hope it's not many.



Long term solutions?
by mlts

Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.

Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".

If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be be stopped well away from their intended targets?

Krebs: I think I understand the premise of your question, and the desire to wall everything off and/or start over. And do I detect what may be a passing reference to the money quote from Joshua in the excellent 1983 film War Games: "Strange game. The only winning move is not to play."

But, I'd have to respectfully agree with several of the commenters here in saying that I think creating a whole bunch more secret or separate networks is very much not the answer here. As someone already stated, this is actually the reality that we have today with corporate intranets, which everyone seems to have and these don't seem to do much to stop the data (s)pillage or malicious hackers getting in and having their way with the target and all of its information.

What would be wise is if the United States made it a national goal to become the world leader in developing software that is far more secure and robust than anywhere else. Unfortunately, this will probably never happen unless the market demands it, and the market generally responds to what consumers want, which is usually convenience (ease-of-use) over security.

Anyways...how about a nice game of chess?



Public Disclosure
by Anonymous Coward

Brian, Are you generally in the Responsible Disclosure camp or the Full Disclosure camp? And why? (I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)

Krebs: Yeah, this definitely depends. I find it endlessly fascinating and frustrating at the same time to watch how differently organizations respond to reports about security vulnerabilities in their products, services and their own infrastructure. How they respond speaks volumes about their security maturity. Companies and organizations that lack a mature process for handling and responding to threats and vulnerabilities tend to react negatively -- lashing out at the individual reporting the weakness, ignoring the reporter, or even taking legal steps against the researcher.

Companies that have a mature process for handling this kind of thing can comparatively be a joy to work with, and are quite often grateful for anyone who privately reports their findings. The best manifestation of this is the bug bounty program, versions of which many companies are now beginning to embrace to varying degrees.

It seems like the the phrases "responsible disclosure" and "full disclosure" are sort of loaded terms at this point in the debate. It's the journalistic equivalent of framing the abortion debate in camps of "anti-abortion" and "pro-rights". Disclosure is a two-way street, and it starts with organizations taking responsibility for security holes in software and hardware that they create, sell and/or give away. When companies fail to do this in a timely manner, I think it's perfectly reasonable for researchers to disclose what they've found -- hopefully exercising a modicum of restraint in the process. The disclosure debate usually kicks into high gear when a company responsible for a serious bug in widely-used software behaves like a child when presented with research into a vulnerability in its products.

I've been fortunate enough to be a fly on the wall, if you will, in several of these vulnerability reports, watching in disbelief as the vendor hems and haws and generally stalls for time, protesting that the bug is not remotely exploitable or isn't that big of a deal for such-and-such reasons, etc. That's frustrating and again speaks to the maturity level of the organization. In my experience, most security researchers are quite content to be agreeable on disclosure timelines if they feel like the vendor is taking seriously the time and effort the researcher has spent on his findings.

Granted, there's a great deal of room for debate over what constitutes a "reasonable" amount of time to wait for the vendor to respond before going public, but I do think it's important to give the vendor at least a few weeks to respond. However, in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.



Should We Trust Kaspersky?
by Kagato

As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?

Krebs: I don't think you necessarily have a tin-foil hat on. I should preface my remarks by saying that I'm sure every security firm has all kinds of dirty laundry they would prefer never saw the light of day. And I personally know many of the security researchers at Kaspersky and find them to be some of the best at what they do, and very good people as well. If it means anything, I have, for many years, used Kaspersky's software to protect my own networks. It's about the best at what it does.

That said, allow me to share an observation that really struck me on my visit to Moscow in 2011. I was a guest of Kaspersky Lab and they were very gracious and hospitable. However, I went there in large part in the hopes of rounding out some information I'd compiled about several big time cybercriminals that I was tracking at the time -- probably a dozen or so guys that I knew were definitely in Moscow and would almost certainly be known to anyone even moderately interested in cybercrime (on either side). I sat down with probably 8 or 9 different researchers at Kaspersky and in my interviews with them asked each about various individuals who were quite well known in the hacker scene in Russia but also abroad. To my surprise, nobody there would talk to me about these individuals. I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the actors who were so clearly operating under their noses.



Internet of Things
by Dr J. keeps the nerd

Hi Brian, Thanks for joining us. What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?

Krebs: You mean, besides connecting them in the first place? Seriously, the main reason I keep a software firewall installed on one of my machines is to learn which programs or gadgets on my home network are phoning home or who-knows-where. For the most part, we've shown ourselves to be incapable of designing or at least releasing software for mass commercial use that is not Swiss Cheese from a security perspective. So why should we expect things to be any different when we talk about network-aware devices and embedded appliances? All we've done in that case is take the buggy software and stuffed it into something that is even more difficult (if not impossible) to update.

What should we be doing to make all these devices less desirable as targets? Quit connecting them to the internet! Seriously. It would be nice if more companies that shipped devices made them disconnected from the Internet by default, or at least minimally so. But in most cases the opposite is true; the thing tries to get an IP address and you have to remember to disable a raft of features in said thing.

A lot of security is determined by the default settings, because the vast majority of users/customers never alter the defaults. With stuff that falls under the "internet of things" category, we'd all be much better off if they were more like "things with internet optional."



White vs Grey Hat
by Midnight_Falcon

Hey Brian, I'm wondering what side of the fence you think you are on. Your readership and affiliations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?

Krebs: Not sure specifically what "grey hat" and "black hat" techniques you're referring to in particular. Also, I take issue with your assertion that I somehow practice social engineering to gain information. I'll admit to once or twice useing Spooftel to get someone who is dodging my calls to answer the phone, but I've never misrepresented myself or what I'm doing. In all of my reporting and investigation -- even with black hats -- I am up front about who I am and what I'm after.

Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking. My first book, "Spam Nation," would not have been possible if two of the biggest cybercrime kingpins had not employed their top spammers and cybercrooks to break into each other’s networks and steal several years’ worth of banking and customer data, and then leak that data to Yours Truly and to the authorities. In my experience, the only thing cybercrooks like better than breaking into databases and stealing/selling data for financial gain is hacking each other for profit/amusement/insert reason here.

If I approach people on cybercrime forums, it is always just to learn more about the services and products they have to offer and are quite willing to talk about. Will I register on cybercrime forums under my own name? Of course not! Then again, nobody on those forums does that!

Actually, I *did* try to do that several years back, in two different cases. In one instance, when I told the admin in charge that I wanted the nickname "briankrebs," he laughed and said basically, "good one!" The other time I tried to claim that nickname, it was already taken.

I'll confess, though, that I've been guilty of a certain schadenfreude when it comes to writing about the arrest, conviction and or other demise of people who have -- apparently apropos of nothing -- targeted me and/or my family publicly and at the same time hidden behind an assumed veil of anonymity. These kinds of cowards consistently ruin the Internet for everyone, and I won't apologize for calling them out.

On a more philosophical note, I find it fascinating that so many involved in black hat activities online are so horrible at operational security. That probably has more to do with the general lack of consequences for most actors involved in this type of activity -- particularly those in certain Eastern European countries.



defining "computer security" for your clients
by globaljustin

Mr. Krebs, thank you for the time. My question is about defining "computer security" in relation to public perceptions vs technical facts. It was reported in 2006 that the NSA was keeping massive databases of American's phone calls and metadata. Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public. When it comes to cyber security customers, how do you explain and contextualize what service you are providing given the vast differences in perception of "security"?

Krebs: I try, as much as I am able, to focus on reporting stories that you won't find anywhere else. As an independent reporter, I have the luxury of not spending a great deal of time chasing other reporters' stories. Also, I try not to practice "churnalism," which is just regurgitating stories that other reporters have written. As for a "service" I might be offering, all I can say is that my goal is to communicate in as simple and straightforward way as I can news that is not getting enough attention or is not being well served by other outlets.

To your question about the differences in perception about security, I couldn't agree more. But to paraphrase Tip O'Neil, all security is local: Security as a news subject means little unless you can communicate the complex stuff in a way that mere mortals can comprehend, appreciate and do something about. If I am able to do that well and consistently, I hope that's a service of a kind.

Brian Krebs got his start as a reporter at The Washington Post and after having his entire network taken down by the Lion Worm, crime and cybersecurity became his focus. In 2005, Krebs started the Security Fix blog and Krebs On Security in 2009, which remains one of the most popular sources of cybercrime and security news. Brian is credited with being the first journalist to report on Stuxnet and one of his investigative series on the McColo botnet is estimated to have led to a 40-70% decline in junk e-mail sent worldwide. Unfortunately for Krebs, he's also well known to criminals. In 2013 he became one of the first journalists to be a victim of Swatting and a few months later a package of heroin was delivered to his home. Brian has agreed to give us some of his time and answer any questions you may have about crime and cybersecurity. As usual, ask as many as you'd like, but please, one per post.

Brian Krebs asks: What makes one novel strain of malicious software more dangerous or noteworthy than another? Is it the sheer capability and feature set of the new malware, or are these qualities meaningless without also considering the skills, intentions and ingenuity of the person wielding it? Most experts probably would say it's important to consider attribution insofar as it is knowable, but it's remarkable how seldom companies that regularly publish reports on the latest criminal innovations go the extra mile to add context about the crooks apparently involved in deploying those tools.

pdclarry writes: mSpy sells a software-as-a-service package that claims to allow you to spy on iPhones. It is used by ~2 million people to spy on their children, partners, Exes, etc. The information gleaned is stored on mSpy's servers. Brian Krebs reports that mSpy has been hacked and their entire database of several hundred GB of their customer's data has been posted on the Dark Web. The trove includes Apple IDs and passwords, as well as the complete contents of phones that have mSpy installed. So much for keeping your children safe.