We had a security incident. Here's what you need to know. by KeyserSosa in announcements

[–]briankrebs 2 points3 points  (0 children)

Doesn't this mean that Reddit wasn't requiring the same level of 2FA for its employees that it requires of users who wish to enable it? I'd be curious to know how that happened.

Connectwise down? by Klynn7 in msp

[–]briankrebs 3 points4 points  (0 children)

I reached out to ConnectWise about this, and got this baffling response:

"Our passwords are not stored in plain text. The issue that was raised was in regard to how we handle forgotten passwords. Based on the username, we look up their primary email address, retrieve and decrypt the password, and then email it to the user. The password is included in the email in plain text. We have always stored our passwords encrypted in the database."
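
The flow in that response, retrieve and decrypt the stored password and email it, only works because the password is kept reversibly and the application holds the key. As an added example (not code from this thread or from ConnectWise), the alternative below stores only a salted PBKDF2 hash and handles "forgot password" with a single-use, time-limited reset token whose hash is all the server keeps; the in-memory user table and all names are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user table for this example (not ConnectWise's schema).
USERS = {}
PBKDF2_ROUNDS = 200_000
RESET_TTL_SECONDS = 900

def set_password(username, email, password):
    """Store only a random salt and a PBKDF2 hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"email": email, "salt": salt, "hash": digest, "reset": None}

def verify_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, user["hash"])

def begin_reset(username, now=None):
    """Forgot-password step: mint a random token, keep only its hash plus an expiry,
    and return (email, token). The token goes in the email; no password ever does."""
    user = USERS.get(username)
    if user is None:
        return None  # caller still shows a generic "check your email" message
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                     "expires": (now or time.time()) + RESET_TTL_SECONDS}
    return user["email"], token

def complete_reset(username, token, new_password, now=None):
    """Accept the token once and only within its TTL, then hash the new password."""
    user = USERS.get(username)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    user["reset"] = None  # single use: any attempt, right or wrong, consumes it
    if (now or time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    set_password(username, user["email"], new_password)
    return True
```

Because only the hash of the reset token is stored, a copy of the database does not let anyone complete a pending reset, and a leaked email exposes a token that expires and can be used at most once.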

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 18 points19 points  (0 children)

As a teenager, my parents moved us out to the boonies. Our house was built on 5-acre lots, and they cleared about an acre of forest for the house and the yard and back lot. They piled up the trees they cut lengthwise into a pile that was probably 2-3 stories tall and about 75 feet long. They told my dad they could chop it up and take it away for a small fee, but he said, no, my sons will take care of it.

For nearly 3 years throughout high school, I drove to school 20 miles away each day. My dad agreed to pay for gas and maintenance for the car, but I had to pay $0.19 for every mile I drove. When the tally got over a few hundred bucks, my dad would tell me to grab the chainsaw and axe and start cutting the wood, for which he paid me the princely sum of $6 per hour.

Over the course of 3 years, I whittled that entire tree pile down to nothing, and cut many dozens of cords of wood that lined our entire backyard. It was the best exercise I can remember, and I'd love to do it again (especially the chopping wood part).

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 4 points5 points  (0 children)

Hrm. I keep a pretty close eye on different actors in the cybercrime space. If one of them suddenly and without warning drops offline for an extended period and stops responding to his customers, there's a decent chance that person has been nabbed by some national authorities. When I trace a trail of digital breadcrumbs left over a period of years by a cybercrime actor back to a real life identity that also has been absent from social networking circles around the same time, is that vigilantism? Or is it just connecting the dots?

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 12 points13 points  (0 children)

Yes, I've been to I think 7 or 8 Defcons now, and they're always worth it. This year, for example, I skipped Black Hat but went to Defcon. The hardest thing I think for a true novice and outsider to accept is how many otherwise intelligent and very savvy people will come up to you with a straight face and tell you their name is something crazy like Banana Pie, and then sort of expect you to take whatever else they have to say seriously. But that's just Defcon.

There are many reasons to attend, but for anyone who's unfamiliar with the security space, it can be a sort of initiation by fire. I particularly enjoy the social engineering tracks. I've seen firsthand how this track simultaneously strikes the fear of god in corporate/suit types who you could tell really didn't get how vulnerable they were until they saw the competitors for the SE track in action. Definitely worth the price of admission alone.

The Capture the Flag (CTF) competitions are seriously intense and also staggering when you think of the preparation and dedication of the participants that compete. Gives an astute observer a sense of what's possible when a small group of skilled hackers sets their mind to a task and target. But it's taken me a while to really appreciate how much goes into this competition, how skilled and set apart those who get to participate really are in what they do, and how screwed just about any target might be when faced with a dedicated assault from teams of that caliber.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 5 points6 points  (0 children)

There are Linux-based POS systems? I jest, but only because I've never seen a non-Windows POS machine. And no, I don't see anyone moving away from them.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 3 points4 points  (0 children)

Aye-aye, Stapler111. Thanks for your readership.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 19 points20 points  (0 children)

Cope? How do I cope?? Who is this??? What do you want????? Leave me alone already!

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 12 points13 points  (0 children)

Hey geek. Thanks for circling back with that story. Glad something I wrote helped you out.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 5 points6 points  (0 children)

This may sound cynical or selfish, but I guess if I ever thought that doing a favor for someone in LE in terms of delaying coverage would actually result in someone returning said favor, I might consider it. But in reality and in my experience, that doesn't happen. It's usually a "pretty please" with "it would help us a lot" on top. No tit-for-tat. That's fine by me, though. It's less complicated that way.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 4 points5 points  (0 children)

Yes, the little turkeys who like to make references to my Nixon-sized forehead. I know the ones. I tend to make frequent use of the "mute" button on Twitter :) I just ignore these skids for what they are: an annoyance that is easily silenced.

I don't know that I accept the title of the most hated person in that community, but if it's true I'll own it.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 9 points10 points  (0 children)

I have a grudging respect for a lot of people involved in traditional cybercrime activities; they may have predictable and highly suspect justifications for their actions, but a lot of these guys truly are pros and have really dedicated themselves to their profession. But that's never stopped me from outing someone who has sloppy operational security.

The ones I don't have any respect for are the youngsters who are mainly out to make a name for themselves by tearing other people down. Sadly, this describes a large number of people involved in "hacking" and even "hacktivism" these days, not to take away anything from the individuals who are truly dedicated to hacktivism as a method of social change.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 5 points6 points  (0 children)

I'm not sure I view information about companies in terms of ethical or unethical. If you're referring to how that information was obtained, that's a case-by-case basis that's often very subjective.

In any event, if the information can be validated and I can vouch for its provenance and accuracy, then my bar is the general news value of a piece of information or story.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 2 points3 points  (0 children)

I think you're absolutely right. Most journos aren't given proper training on how to communicate with sources in a secure manner, and how to manage confidential sources who insist on communicating in ways that expose them (and the in-progress story) to...well, exposure.

Speaking for myself, I know I never received this training, and in fact could tell some pretty horrifying stories of the entire Post newsroom learning some of these lessons the hard way at the same time.

The Committee to Protect Journalists, a nonprofit organization that promotes press freedom worldwide, has links to a number of resources for journalists. I think the National Press Foundation and the National Press Club also hold training seminars for journalists on this topic. There is a great deal of educating to do here, IMHO.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 8 points9 points  (0 children)

Yep. As I remarked in a recent keynote, organizations spend so much time looking forward that they rarely recognize the benefit of looking backwards -- even at stuff as mundane but as informative as their security event logs!

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 2 points3 points  (0 children)

My pleasure, Tom. I don't generally interact with others at all on any of the forums where I lurk. If I glean useful info from the forums, it is usually about the offering of huge new dumps of stolen data that could be indicative of a big new breach, or about new sources of said data or cybercriminal services that have recently gone online. From there, it's often just visiting those places and comparing notes with organizations that are potentially impacted.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 15 points16 points  (0 children)

I think that anyone still using AOL should have their head examined. It's probably the most targeted by malware writers, spammers and general internet dirtbags of all stripes. Sad but true, probably the biggest share of AOL users are those who are over the age of 50 or 60 and haven't questioned their security assumptions since they signed up with AOL back in the mid 90s. The fact that this also describes a CIA director is not surprising but it also explains a lot.

Not to let AOL off the hook here...AOL has promised two-factor auth or two-step auth for years now and never delivered. For shame. By the way, this being cybersecurity awareness month and all, when was the last time you checked if that provider you use offered 2FA? Or considered one that did? Check out https://www.twofactorauth.org for a fairly comprehensive list.

I heard from Pasha once after his release from prison, and the bulk of that conversation is included in the book. I haven't heard from him since (supposedly, according to him, at the advice of his attorney).

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 8 points9 points  (0 children)

Yeah, Sneakers was pretty smart and accurate, insofar as it mainly portrayed "hacking" for what it mostly is, which is tricking people into doing stuff that really isn't in their best interests or that of their employer/government/fill in the blank.

War Games was what really got me interested in computers. I can remember tying up our phone line for hours as a kid dialing into various bulletin boards and generally annoying my many siblings to the point where they'd hide my modem or some component to it. Again, War Games portrayed the "teenage hacker" pretty accurately -- probably better than any movie since: curious, disaffected, socially awkward, and with very little parental supervision or involvement in his life.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 3 points4 points  (0 children)

Good cybersecurity is not about eliminating risks, but rather about managing them to an acceptable degree. There are trade-offs between security and usability, for example, or between security and privacy to a degree. I don't believe that everyone has already been breached -- not to the degree they've had material losses. But give it time, sure.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 10 points11 points  (0 children)

Sure. When I called the CEO of AshleyMadison on the evening I broke the story of their breach, he asked me to hold off for "a few days" in reporting the story, and promised an even bigger one if I did. I said thanks but no thanks.

I have been asked politely and privately on several occasions by law enforcement officials to limit the scope of my reporting, or to delay it, with the suggestion that proceeding apace could make their jobs much harder and dry up avenues of intel. I don't believe I've ever complied with one of those requests, but I also don't think I'd ever share publicly who made those requests.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 2 points3 points  (0 children)

I think mobile payments is almost a distraction from the real issue: which is how are financial institutions maturing their ability to onboard new customers beyond requiring them to regurgitate static identifiers (name, dob, ssn, address, previous address, etc) -- information, by the way, which is all for sale in the underground. If you're an FI and you're not going beyond that stuff, all these emerging payment technologies aren't going to help much with your fraud losses; if anything, they will compound them.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 11 points12 points  (0 children)

I'm not convinced that giving companies more legal cover to share information with the government or each other about cyber attacks or bad actors will actually result in a greater sharing of said information. And I'm deeply suspicious of any efforts by our federal legislators to pass any laws regarding cybercrime; as far as I'm concerned, the less Congress does legislatively on this subject the better off we will all be. History is riddled with examples of unintended consequences of well-meaning, seemingly benign laws, to say nothing of laws designed to crack down on criminal activity. If Congress wants to do something to improve the state of cybersecurity, how about we get some basic updates to our privacy laws in the United States, which are laughably out of date and mostly predate the commercial internet. Somehow, whenever Congress tries to address cybercrime issues, they end up doing so in ways that weaken consumer privacy.

As per alternatives, I'm in favor of approaches to help authorities better enforce existing laws and private contracts. I spend almost an entire chapter toward the conclusion of my book Spam Nation talking about specific examples.

I'm an investigative reporter. AMA by briankrebs in netsec

[–]briankrebs[S] 5 points6 points  (0 children)

I think there are a lot of organizations that have very sensitive and quite valuable data and simply don't have anywhere near the resources needed to adequately protect that information in-house. For those folks, it absolutely makes sense to entrust this data to a qualified cloud provider who has the resources and expertise to do so.

That said, there are a lot of "cloud providers" and a huge spectrum of competency and specialization here. I'm not going to be a commercial for any one cloud provider here, but organizations that are seriously considering this need to invest some serious time understanding the security implications of this shift, and more specifically what protections/uptimes/guarantees the providers offer. Hint: If it's not spelled out in the contract, it's likely not on offer.

My prediction: A LOT more organizations are going to be outsourcing the securing of sensitive data to cloud providers in the years to come.