Slashdot Mirror
Interviews: Ask Brian Krebs About Security and Cybercrime
Brian Krebs got his start as a reporter at The Washington Post and after having his entire network taken down by the Lion Worm, crime and cybersecurity became his focus. In 2005, Krebs started the Security Fix blog and Krebs On Security in 2009, which remains one of the most popular sources of cybercrime and security news. Brian is credited with being the first journalist to report on Stuxnet and one of his investigative series on the McColo botnet is estimated to have led to a 40-70% decline in junk e-mail sent worldwide. Unfortunately for Krebs, he's also well known to criminals. In 2013 he became one of the first journalists to be a victim of Swatting and a few months later a package of heroin was delivered to his home. Brian has agreed to give us some of his time and answer any questions you may have about crime and cybersecurity. As usual, ask as many as you'd like, but please, one per post.
You appear dedicated on continuing reporting on cybercrime, even though it may result to harm you (swatting etc). How often have you come into situation where someone you work with states they don't want to work with you any longer as association to you may result them to being target for criminals or some such?
Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.
Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".
If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be be stopped well away from their intended targets?
Do you regret any of the investigative techniques or decisions you have made over the years in relation to your security reporting?
Your website seems to get a fair amount of traffic, how much revenue are you earning per month through the advertisements?
My argument has always been if something is important and you want to keep it safe don't connect it to the internet. Obviously that's a tough sale. So what is one thing you think everyone is doing wrong and could improve on?
To a kid, looking up to Krebs. .... ?
Life is
Brian CyberKrebs got his cyberstart as a reporter at The Washington CyberPost and after having his entire cybernetwork taken down by the CyberLion Worm, cybercrime and cybersecurity became his focus. In 2005, CyberKrebs started the Security Fix Cyberblog and CyberKrebs On CyberSecurity in 2009, which remains one of the most popular cybersources of cybercrime and cybersecurity news. Brian is credited with being the first cyberjournalist to report on Stuxnet and one of his cyberinvestigative series on the McColo botnet is estimated to have led to a 40-70% decline in cyberjunk e-mail sent worldwide. Unfortunately for CyberKrebs, he's also well known to cybercriminals. In 2013 he became one of the first cyberjournalists to be a victim of CyberSwatting and a few months later a cyberpackage of cyberheroin was delivered to his cyberhome. Brian has agreed to give us some of his cybertime and answer any cyberquestions you may have about cybercrime and cybersecurity. As usual, ask as many as you'd like, but please, one per cyberpost.
Brian,
Are you generally in the Responsible Disclosure camp xor the Full Disclosure camp? And why?
(I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)
-Bryant
a local Washingtonian.
Is there any way you could break into Dice servers and move the /. polls back to the sidebar and maybe turn off the Video Bytes (or make it a slashbox?) Alternatively, could you suggest a black or white hat to do this for us?
before bitcoin became popular ransomware would often use visa or some other credit card
is there any easy way to report them to the cc company or their payment processor?
phone trees are a no
Minimum threshold fixed. Thanks!
Besides the swatting - what was your biggest "OH NO!" moment in your reporting history.
Which vendors are actually not slimeballs, meaning which product work? If none of them work then please describe the current situation.
Hello Brian. I'm a long time reader and fan.
I had a question regarding the frequency with which we hear about China being a major source of "state-sponsored" advanced persistent threat (APC) hacking. Many news outlets have referred to "Unit 61398" as a source for much of these attacks and data thefts.
Should we take Chinese hacks seriously as a threat? Do you feel it's an issue that will ever be resolved?
Thanks
ad
Because I can! [Brainrub.com]
WIth a nice and large readership you'd have a good chance to get a bit of a fresh wind going in the security industry cottage industry. You could even try.
Instead you're helping perpetuating the industry best practice of calling bloody everything "hacking" to the point that even the "cyber computer cyber security cyber experts" can but bicker and argue about who's more ETHICAL than the other and whether this particular virtual hat colour is closer to white or to black. It doesn't mean anything any longer. Except to signal both the nitwittery of the writer and the intent of scaring the audience by serving up designated scare-words.
It's destructive in many ways, large and small. It's a far cry indeed from the constructive creativity of great technological skill that the term originally was a merit badge for. So it isn't surprising that despite all the often deliberate ruckus, the industry hasn't produced anything of lasting value since its inception. Unless you count all the drama as lasting value, because we can be sure there'll be more of that next week.
So how about it? Will you remain in your comfy position as a computer security industry pundit, a cybersmurf cybersmurfily cybersmurfing with the rest of the little electric blue fellas, or will you stop abusing those terms now entirely devoid of any meaning, "hack", "hacker", "hacking" and any and all variants, entirely, for at least a full year?
As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?
What do you think about the recent attack on Kaspersky, and their declining to name an attacker?
What are your thoughts on the hording of zero-day exploits that the US Government (that is the NSA) currently do, and other Governments almost certainly do. Obviously for offensive reasons these Governments have an interest in keeping these secret as vectors for attack/retaliation, but it's a 2-edged blade if you know zero-day X your adversary may also know zero-day X, sure you can try to filter for it in firewall rules/IDS but that's not feasible all the time. It seems to me that they deem the reward of having this capability to be greater than the risk of themselves and everyone else being vulnerable to the same exploit. To me this is so insanely short sighted it's sickening, it's great you have this capability that you may never use, while keeping it secret could result in massive losses to yourself, your citizens, and/or innocent bystanders(other Governments/citizens of other Governments).
Just curious to get your opinion on this topic.
2013 was the year of the breach (finishing with Target), 2014 was the year of the mega breach, and 2015 is already the year of the super-duper-mega breach, and we're not even halfway through yet!
Will 2016 be even bigger? Or will we reach a turning point in the next few years where breaches will slow down?
Hi Brian,
Thanks for joining us.
What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?
J
...at once when you took delivery of that package of opium?
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
What you do is pretty badass, "real men" stuff. Thanks for your work. Much respect.
Hey Brian,
I'm wondering what side of the fence you think you are on. Your readership and affilitations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?
What's the dumbest thing you've seen black hat hackers do?
What do you see that the future holds that may end up being shocking new ways that security will be breached, that will change the way we look at products or subjects going forward?
Why did you leave the Washington Post?
How should the US react when foreign governments hack private business and government networks for an immense trade advantage?
Have you ever had to deal with attempting to thwart an APT? E.g. help a place out that was actively under state-sponsored or organized crime targeted attacks? What did fixes entail?
Mr. Krebs, thank you for the time.
My question is about defining "computer security" in relation to public perceptions vs technical facts.
It was reported in 2006 that the NSA was keeping massive databases of American's phone calls and metadata: http://yahoo.usatoday.com/news...
Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public.
When it comes to cyber security customers, how do you explain and contextualize what service you are providing given the vast differences in perception of "security"?
Thank you Dave Raggett
Hello,
It seems that some people know your home address because you've been SWATted. Aren't you worried that something more dangerous can happen? It seems that malware and spam is multimillion buissness so you can make angry some powerful people.
Thanks
If you were to have a dessert treat named after you, what would you want it to be?
How would you characterize your treatment by law enforcement during arrest, detainment, and release? Any thoughts on persons facing similar situations?