Interviews: Brian Krebs Answers Your Questions
A few weeks ago you had a chance to ask Brian Krebs about security, cybercrime and what it's like to be the victim of Swatting. Below you will find his answers to your questions.
Cowards as affiliates
by japa
You appear dedicated to continuing to report on cybercrime, even though it may result in harm to you (swatting etc). How often have you come into a situation where someone you work with states they don't want to work with you any longer, as association with you may result in them being a target for criminals or some such?
Krebs: I don't think I've had anyone unfriend me or stop talking to me because of what you describe, but it happens fairly often that I hear from strangers who have some information to impart but who are nervous about anyone finding out it was them who shared it.
Mostly, this comes from researchers who say they want to share some findings about something -- a specific cybercrime actor, site or service -- but in no way do they wish to be named, cited, credited or in any way referenced. It's impossible to know how many people decide it's not worth reaching out because of such concerns, but I hope it's not many.
Long term solutions?
by mlts
Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.
Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".
If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be stopped well away from their intended targets?
Krebs: I think I understand the premise of your question, and the desire to wall everything off and/or start over. And do I detect what may be a passing reference to the money quote from Joshua in the excellent 1983 film War Games: "Strange game. The only winning move is not to play."
But, I'd have to respectfully agree with several of the commenters here in saying that I think creating a whole bunch more secret or separate networks is very much not the answer here. As someone already stated, this is actually the reality that we have today with corporate intranets, which everyone seems to have and these don't seem to do much to stop the data (s)pillage or malicious hackers getting in and having their way with the target and all of its information.
What would be wise is if the United States made it a national goal to become the world leader in developing software that is far more secure and robust than anywhere else. Unfortunately, this will probably never happen unless the market demands it, and the market generally responds to what consumers want, which is usually convenience (ease-of-use) over security.
Anyways...how about a nice game of chess?
Public Disclosure
by Anonymous Coward
Brian, Are you generally in the Responsible Disclosure camp or the Full Disclosure camp? And why? (I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)
Krebs: Yeah, this definitely depends. I find it endlessly fascinating and frustrating at the same time to watch how differently organizations respond to reports about security vulnerabilities in their products, services and their own infrastructure. How they respond speaks volumes about their security maturity. Companies and organizations that lack a mature process for handling and responding to threats and vulnerabilities tend to react negatively -- lashing out at the individual reporting the weakness, ignoring the reporter, or even taking legal steps against the researcher.
Companies that have a mature process for handling this kind of thing can comparatively be a joy to work with, and are quite often grateful for anyone who privately reports their findings. The best manifestation of this is the bug bounty program, versions of which many companies are now beginning to embrace to varying degrees.
It seems like the phrases "responsible disclosure" and "full disclosure" are sort of loaded terms at this point in the debate. It's the journalistic equivalent of framing the abortion debate in camps of "anti-abortion" and "pro-rights". Disclosure is a two-way street, and it starts with organizations taking responsibility for security holes in software and hardware that they create, sell and/or give away. When companies fail to do this in a timely manner, I think it's perfectly reasonable for researchers to disclose what they've found -- hopefully exercising a modicum of restraint in the process. The disclosure debate usually kicks into high gear when a company responsible for a serious bug in widely-used software behaves like a child when presented with research into a vulnerability in its products.
I've been fortunate enough to be a fly on the wall, if you will, in several of these vulnerability reports, watching in disbelief as the vendor hems and haws and generally stalls for time, protesting that the bug is not remotely exploitable or isn't that big of a deal for such-and-such reasons, etc. That's frustrating and again speaks to the maturity level of the organization. In my experience, most security researchers are quite content to be agreeable on disclosure timelines if they feel like the vendor is taking seriously the time and effort the researcher has spent on his findings.
Granted, there's a great deal of room for debate over what constitutes a "reasonable" amount of time to wait for the vendor to respond before going public, but I do think it's important to give the vendor at least a few weeks to respond. However, in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.
Should We Trust Kaspersky?
by Kagato
As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?
Krebs: I don't think you necessarily have a tin-foil hat on. I should preface my remarks by saying that I'm sure every security firm has all kinds of dirty laundry they would prefer never saw the light of day. And I personally know many of the security researchers at Kaspersky and find them to be some of the best at what they do, and very good people as well. If it means anything, I have, for many years, used Kaspersky's software to protect my own networks. It's about the best at what it does.
That said, allow me to share an observation that really struck me on my visit to Moscow in 2011. I was a guest of Kaspersky Lab and they were very gracious and hospitable. However, I went there in large part in the hopes of rounding out some information I'd compiled about several big time cybercriminals that I was tracking at the time -- probably a dozen or so guys that I knew were definitely in Moscow and would almost certainly be known to anyone even moderately interested in cybercrime (on either side). I sat down with probably 8 or 9 different researchers at Kaspersky and in my interviews with them asked each about various individuals who were quite well known in the hacker scene in Russia but also abroad. To my surprise, nobody there would talk to me about these individuals. I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the actors who were so clearly operating under their noses.
Internet of Things
by Dr J. keeps the nerd
Hi Brian, Thanks for joining us. What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?
Krebs: You mean, besides connecting them in the first place? Seriously, the main reason I keep a software firewall installed on one of my machines is to learn which programs or gadgets on my home network are phoning home or who-knows-where. For the most part, we've shown ourselves to be incapable of designing or at least releasing software for mass commercial use that is not Swiss Cheese from a security perspective. So why should we expect things to be any different when we talk about network-aware devices and embedded appliances? All we've done in that case is take the buggy software and stuffed it into something that is even more difficult (if not impossible) to update.
What should we be doing to make all these devices less desirable as targets? Quit connecting them to the internet! Seriously. It would be nice if more companies that shipped devices made them disconnected from the Internet by default, or at least minimally so. But in most cases the opposite is true; the thing tries to get an IP address and you have to remember to disable a raft of features in said thing.
A lot of security is determined by the default settings, because the vast majority of users/customers never alter the defaults. With stuff that falls under the "internet of things" category, we'd all be much better off if they were more like "things with internet optional."
White vs Grey Hat
by Midnight_Falcon
Hey Brian, I'm wondering what side of the fence you think you are on. Your readership and affiliations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?
Krebs: Not sure specifically what "grey hat" and "black hat" techniques you're referring to in particular. Also, I take issue with your assertion that I somehow practice social engineering to gain information. I'll admit to once or twice using Spooftel to get someone who is dodging my calls to answer the phone, but I've never misrepresented myself or what I'm doing. In all of my reporting and investigation -- even with black hats -- I am up front about who I am and what I'm after.
Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking. My first book, "Spam Nation," would not have been possible if two of the biggest cybercrime kingpins had not employed their top spammers and cybercrooks to break into each other’s networks and steal several years’ worth of banking and customer data, and then leak that data to Yours Truly and to the authorities. In my experience, the only thing cybercrooks like better than breaking into databases and stealing/selling data for financial gain is hacking each other for profit/amusement/insert reason here.
If I approach people on cybercrime forums, it is always just to learn more about the services and products they have to offer and are quite willing to talk about. Will I register on cybercrime forums under my own name? Of course not! Then again, nobody on those forums does that!
Actually, I *did* try to do that several years back, in two different cases. In one instance, when I told the admin in charge that I wanted the nickname "briankrebs," he laughed and said basically, "good one!" The other time I tried to claim that nickname, it was already taken.
I'll confess, though, that I've been guilty of a certain schadenfreude when it comes to writing about the arrest, conviction and/or other demise of people who have -- apparently apropos of nothing -- targeted me and/or my family publicly and at the same time hidden behind an assumed veil of anonymity. These kinds of cowards consistently ruin the Internet for everyone, and I won't apologize for calling them out.
On a more philosophical note, I find it fascinating that so many involved in black hat activities online are so horrible at operational security. That probably has more to do with the general lack of consequences for most actors involved in this type of activity -- particularly those in certain Eastern European countries.
defining "computer security" for your clients
by globaljustin
Mr. Krebs, thank you for the time. My question is about defining "computer security" in relation to public perceptions vs technical facts. It was reported in 2006 that the NSA was keeping massive databases of Americans' phone calls and metadata. Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public. When it comes to cyber security customers, how do you explain and contextualize what service you are providing given the vast differences in perception of "security"?
Krebs: I try, as much as I am able, to focus on reporting stories that you won't find anywhere else. As an independent reporter, I have the luxury of not spending a great deal of time chasing other reporters' stories. Also, I try not to practice "churnalism," which is just regurgitating stories that other reporters have written. As for a "service" I might be offering, all I can say is that my goal is to communicate in as simple and straightforward a way as I can news that is not getting enough attention or is not being well served by other outlets.
To your question about the differences in perception about security, I couldn't agree more. But to paraphrase Tip O'Neill, all security is local: Security as a news subject means little unless you can communicate the complex stuff in a way that mere mortals can comprehend, appreciate and do something about. If I am able to do that well and consistently, I hope that's a service of a kind.
I must speak to Keitel, Jodl, Krebs, and Borgdorf.
Support my political activism on Patreon.
Great answers but, when I got to this: "Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking."
I couldn't help but laugh at the lack of a true denial. I have trouble imagining not being able to recall something like this. Hell, I can recall times I was tempted to put on a dark hat and attack someone's box (I was pretty sure he was the guilty party I was helping track down as a favor for someone....pro-tip: if you are going to engage in cybercrime, don't use the same screen name known to your victims to post youtube videos showing your IP address ... best part is, I didn't even know the screen name until I told them who I thought it was, and they said I just named one of their suspects)
"I opened my eyes, and everything went dark again"
That's interesting about Kaspersky. I wonder if that's an indication that they may be working with criminals, or if it's just some sort of sense of patriotic pride (we have the best criminals, AND the best researchers!), or even if the researchers feel like there would be repercussions if they said anything. I have no doubt that cybercriminals in Russia are probably receiving some sort of direction, support, or protection from their government.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I read the whole thing and didn't see a thing about what it is like to be a victim of swatting...
in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.
Usually an admin can solve the problem with a firewall, or by temporarily disabling a feature, or something similar. Don't leave people open to attack.
"First they came for the slanderers and i said nothing."
On Kaspersky:
I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the [bad] actors who were so clearly operating under their noses.
Put the bad actors out of business, and the threat disappears. No threat, no need for their software. Perhaps they were not openly collusive, but it isn't so difficult to imagine that they look the other way at the hand that indirectly feeds them.
Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
Kaspersky isn't "in bed" with the Kremlin, but they DO have to exist and operate in the same country as those agencies, AND the cyber criminals.
Whether or not the Kremlin is directly in bed with the cyber criminals is someone else's thesis, but Kaspersky approaches those subjects cautiously.
If at all.
Because if the cyber actors are doing something for local interests, fucking with that would be asking for retaliation and infiltration by said local interests.
Kaspersky is wise IMO to do their thing without directly trying to get their hands dirty, they just point where the clues lead and let the chips fall where they may.
If law enforcement knows about the cyber actors and they aren't being arrested as Krebs muses, that's a BIG clue isn't it?
But does that mean Kaspersky is going to "look the other way" on Russian malware?
Well, if KGB can turn Kaspersky they can turn about 3/4 of the A/V industry without even trying, so yeah.
things with internet optional.
Yes, that would be a brilliant coup of common sense, but alas, marketing dipshits worldwide will be rewarded yet again by mandating idiotic default settings of no security on IoT devices, inviting an avalanche of security issues as more of these devices are connected to the internet.
We play the game with the bravery of being out of range
Thank you Brian for taking the time to reply to my question. Perhaps including the "social engineering" language was a bit strong for the work you do, but "doxxing" is still very much something you do; and I didn't get much of a response on the ethics of doxxing. Let's use your Rescator doxx for example -- what makes these people OK to dox? Is it different when you dox them as opposed to a witch-hunt on Reddit, etc? Does having poor operational security make it OK to dox someone?
Thank you for the answer on private WANs or government extranet firewalls. If used properly, even a private IP MPLS shared between a few businesses would add a layer of security. However, if not used correctly, it provides little to no protection. Just one machine with IP forwarding turned on can negate the protection.
It might just be that the core of security against hacks will continue being the core/edge network fabric, because it is a lot harder to secure individual devices than it is to lock down network appliances. The fundamental "heavy armor" just at the firewall will fundamentally change to a fabric that assumes an attack can come from any network segment... well, pretty much any network segment but the management network. The management network will be ever more prized for a target of attack, since that is where the SAN controllers live, and dumping logical disks and destroying data may become part of a security breach as hacker groups with the will, but not the way (extremist groups) make deals with groups with the means (the 0-days), but not the interest to wreak havoc.
Or, it might be that we return to a mainframe and glass-house IT architecture for security reasons. Even though the IRS had a breach, it wasn't their systems specifically that allowed it, but was an unauthorized query through an authorized source. The equivalent of someone seeing a key in the car's ignition and driving off, even though the ignition key has a state of the art transponder system. The IRS is still running on a mainframe architecture, and this seems to have provided a decent amount of security because all the data is in one place, and unless an authorized query takes place that shouldn't, it is pretty well secured.
Long term, I can see businesses moving to a system where all data is physically stored in one (or perhaps two locations using async replication), the data manipulation is all done by a server in the glass room, and access to the data is done by the next generation of JavaStations/X terminals/VT100s, which provide a monitor and HIDs, and that's it. I would not be surprised to see this happen, as it is the other end of the pendulum, as we swing away from cloud computing as the buzzword choice. It has been a while since thin clients have been touted as the Next Best Thing (tm), so I will be genuinely surprised if I don't see a return to having Citrix, RDP or some other remote desktop access done for a work desktop. Even though it isn't a fad, VDI has been gaining steam, so it wouldn't be surprising to wind up with physical terminals on the desktop, access going to the HP MoonShot farm with 45 VDI blades, and from there, RDP or App-V sessions going to where the data is.
I've seen a bunch of YouTube videos that show what you should have done.
Why didn't you start punching the cops when you got close to them and then run away?
Also, you could have run back into your house and grabbed a knife from the kitchen or maybe hid in the attic.
They won't respect you if you don't make them work for it.
Brian,
You might consider that their not talking about cyber gangs with big money who live in the same metro area might be a matter of literal self-preservation.
mark "that's a nice life you got dere, be a shame if sometin' were to happen to it"
Rather funny to read all these comments about poor guys from Kaspersky being afraid to talk to Krebs. Good job Krebs! Nazi Goebbels would have been happy!
Because the reality is quite opposite to that. What we know is that Kaspersky has in fact been feeding lots of info and research on so-called cyber criminals to Krebs and that explains most of Krebs' surprising heroic acts and brilliant investigations, that explains as well Krebs' ability to get hacked forums and easily see internal web money accounts info. Kaspersky was happy doing that because exploiting cyber threat was good for sales.
What happened next is that they rather soon got lazy and ran out of real cyber criminals, so they started making up things, eventually it became rather obvious and immensely hit Kaspersky's own reputation internally in Russia. It has never been published but people speak to each other, word gets around.
So now Krebs has to share this bullshit here about scared experts, the main point for Krebs is not to say that they were afraid, the point is to claim they never cooperated. Smart Goebbels bastard.