15
Mar 13

The World Has No Room For Cowards

It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home.

Well, as one gamer enthusiast who follows me on Twitter remarked, I guess I’ve now “unlocked that level.”

Things began to get interesting early Thursday afternoon, when a technician from Prolexic, a company which protects Web sites (including KrebsOnSecurity.com) from denial-of-service attacks, forwarded a strange letter they’d received earlier in the day that appeared to have been sent from the FBI. The letter, a copy of which is reprinted in its entirety here, falsely stated that my site was hosting illegal content, profiting from cybercriminal activity, and that it should be shut down. Prolexic considered it a hoax, but forwarded it anyway. I similarly had no doubt it was a fake, and a short phone call to the FBI confirmed that fact.

Around the same time, my site came under a series of denial-of-service attacks, briefly knocking it offline. While Prolexic technicians worked to filter the attack traffic, I got busy tidying up the house (since we were expecting company for dinner). I heard the phone ring up in the office while I was downstairs vacuuming the living room and made a mental note to check my voicemail later. Vacuuming the rug near the front door, I noticed that some clear plastic tape I’d used to secure an extension cord for some outdoor lights was still straddling the threshold of the front door.

Fairfax County Police outside my home on 3/14/13

Fairfax County Police outside my home on 3/14/13

When I opened the door to peel the rest of the tape off, I heard someone yell, “Don’t move! Put your hands in the air.” Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.

I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline.

One of the reasons that I opted to file the report was because I knew some of the young hackers who frequented the forum on which this service was advertised had discussed SWATting someone as a way of exacting revenge or merely having fun at the target’s expense. To my surprise, the officer who took my report said he had never heard of the phenomenon, but promised to read up on it.

One of the officers asked if it was okay to enter my house, and I said sure. Then an officer who was dressed more like a supervisor approached me and asked if I was the guy who had filed a police report about this eventuality about six months earlier. When I responded in the affirmative, he spoke into his handheld radio, and the police began stowing their rifles and the cuffs were removed from my wrists. He explained that they’d tried to call me on the phone number that had called them (my mobile), but that there was no answer. He apologized for the inconvenience, and said they were only doing their jobs. I told him no hard feelings. He told me that the problem of SWATting started on the West Coast and has been slowly making its way east.

The cop that took the report from me after the incident said someone had called 911 using a Caller ID number that matched my mobile phone number; the caller claimed to be me, reporting that Russians had broken into the home and shot my wife. Obviously, this was not the case, and nobody was harmed during the SWATing.

Update, Apr. 29, 2013: As I noted halfway through this follow-up post, the police officer was misinformed: The 911 call was actually made via instant message chats using a relay service designed for hearing impaired and deaf callers, *not* via a spoofed mobile phone call.

Original story:

It’s difficult to believe the phony FBI letter that Prolexic received, the denial-of-service attack, and the SWATting were somehow the work of different individuals upset over something I’ve written. The letter to Prolexic made no fewer than five references to a story I published earlier this week about sssdob.ru, a site advertised in the cybercrime underground that sells access to Social Security numbers and credit reports. That story was prompted by news media attention to exposed.su, a site that has been posting what appear to be Social Security numbers, previous addresses and other information on highly public figures, including First Lady Michelle Obama and the director of the FBI.

Interestingly, there are strong indications that a site named booter.tw may have been involved in the denial-of-service attack on my site yesterday. For some bone-headed reason, the entire customer database file for booter.tw appears to be available for download if you happen to the know the link to the archive. A search through that record shows that on Thursday afternoon Eastern Time, someone paid booter.tw to launch a series of denial-of-service attacks against my Web site. The account that paid for the attack used the nickname “Starfall,” using the email address “starfall@gmail.com.”

Update, Mar. 16, 8:09 a.m. ET: It seems that I and several other folks who looked at the SQL file from booter.tw made the same mistake in misreading the table: The account that ordered the DDoS against KrebsOnSecurity.com was not Starfall but instead one that used the nickname “countonme,” and the email address “countonme@gmail.com.”

A screen grab of booter.tw

A screen grab of booter.tw

Thursday morning, Dan Goodin, a good friend and colleague at Ars Technica, published a story about my ordeal after a late night phone interview. Shortly thereafter, Ars Technica found itself on the receiving end of a nearly identical attack that was launched against my site on Thursday. Turns out, the records at booter.tw show clearly that a customer named “countonme” using that same Gmail address also paid for an attack on Arstechnica.com, beginning at approximately 11:54 a.m. ET. A snippet of the logs from booter.tw showing the attack on Ars Technica.com (a.k.a. ‘http://50.31.151.33‘ in the logs) is here.

According to Eric Bangeman, Ars Technica’s managing editor, their site was indeed attacked starting earlier this morning with a denial-of-service flood that briefly knocked the site offline.

“We’ve been up and down all morning, and the [content management system] was basically inaccessible for 2 hours,” Bangeman said, adding that he wasn’t aware of an attack of similar size that knocked the site offline. “If it did, it wasn’t enough to be registering in my memory, and I’ve been around for 10 years.”

I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.

The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible.

This is a fast-moving and ongoing story. I will most likely update this post or file a follow-up sometime in the next 24-48 hours as more details and events unfold. Thanks to all those readers who’ve expressed concern for my safety and well-being via emails, Twitter and the blog: Your support and encouragement means a great deal. And a special note of thanks to security expert Lance James for his assistance in poring over the booter.tw logs.

Tags: , , , , , ,

199 comments

  1. Phobia disabled his twitter twitter.com/phobiathegod, he just told me hes support for ssndob and he attacked krebs with tw.

  2. Alexander Berkmn

    “…Andy Kwong. I have no idea at this point whether this is a real person or if he indeed has anything to do with this attack; just passing along the info.”

    WOW! So, you’re making public unverified information, about a (possibly real) person. And you wonder why you are being harassed??

    Hope your site & your business gets more of this. You deserve it.

    • I might better agree with your point Alex if the information Brian published had, in fact, been “unverified.” If I read the story correctly though, there is nothing unverified in Brian’s assertion that the Gmail account in question “is registered to a Facebook profile for an individual in the United Kingdom named Andy Kwong.” While much is unknown — most importantly, who in the physical world is pointed to by the Facebook profile in the virtual world — nothing is unverified.

      • Though I’m not Andy, Krebs redacted the information after realizing he’d made a mistake with the database. It may be a little too late for Andy though, since all the HackForums kids who hate me now think I’m him.
        Poor bastard. Hope no one gets hurt.

  3. fuck the haters, I think you are cool, and i hope all the articles about this story attract more attention to your site.

  4. Krebs is the hero of new times! We should support him and send a bit donations into paypal. i’ve just send 10$ from hacked account.

  5. Keep Calm and Carry On

  6. Must have been an interesting converstion over dinner Thursday.

    Seriously, I’m sorry for your trouble, Brian. There’s evil out there and I’m always glad to see people step forward and fight it.

  7. Your social links don’t work for me on Chrome/Linux. Wanted to subscribe to RSS.

    Hope the find whoever did this. It’s definitely no joke.

    • There are vague hints being dropped that it’s “PhobiaTheGod” but I would take this with a grain of salt. Kid deleted his Twitter account last night.

  8. So….What was for dinner, and what happened to the guests?!?

  9. Brian, got your story covered over in The Netherlands:

    http://www.dutchpolitics.org/2013/03/16/swating-attacks-brian-krebs/

    Keep up the good work and all the best.

  10. The Internet is unfortunately the favourite habitat of those craven cowards who throw their virtual missiles from the shadows and then sliver back under their stones.

    You have elected to put your head above the battlements and risked your own personal peace and safety for the greater good.

    I am grateful to you for your bravery. May you accrue rich rewards for what you do.

  11. Why, oh why, does the telecom systems allow you to spoof CallerID, especially to law enforcement? I just don’t understand. This is not possible in Australia as far as I am aware.

  12. Thanks for clearing my name Brian.

  13. Please continue your fight against these criminals. I read you stuff religiously and it has helped me enourmously: I still use the ‘limited user’ to access the internet as you suggested years ago.

    EB

  14. There is a such a thing as cry wolf: repeated attempts to SWAT targets like this means that law enforcement, especially warned in advance that this might happen, may not show up in the future. That may be the intended purpose of the attacker in the first place (get a window of opportunity to harass the target without law enforcement showing up). I would definitely be cautious.

  15. We now living in a police state where overzealous cops don’t thing about how the power they control ends up having very negative effects on society. If it was me, I would have not let any cops into where I live without a court signed search warrant . My opinion is that Mr Krebbs should have not gone through this whole ordeal without the proper due diligence on finding the true facts before rushing his front door.

    • Actually, if the cops get a call that there is an active shooter in my home I sort of want them to show up.

      I think these guys did well. The attempted to contact Brian and upon getting no response, acted accordingly.

  16. Maria Villafana

    Wow Brian! It’s been years since we sat next to each other at washingtonpost.com. What a way for me to catch up on your life. Glad you weren’t hurt.
    Regards….

  17. Sorry this happened. Glad you all are okay. Ever been in a public place (ie: a public school) during a bomb threat? Plenty more panic, wasted taxpayer dollars and diverted resources in those scenarios.

  18. Mr Kresbs, I am glad you and your family are safe! Keep fighting the crims and their lackeys…

    One day they will make a movie about you called, Krebs’ Super Cyber Fighter!

    Thank you for letting us know! God Bless!!

  19. A little tip for you…..
    NEVER ALLOW THE POLICE IN YOUR HOME.
    Even if you have nothing to hide.
    Why did he want entry?
    Why not discuss matters on the porch?
    You have the right to refuse, and it doesn’t make you guilty of anything for refusing entry.

    Even if they have probable cause, the 4th amendment requires them to get a signed search warrant from a judge to enter and search your home.
    SEARCH? They didn’t say they would search.
    They could have, and because YOU allowed them in,
    it holds up in court. Unless there is a serious emergency, they CANNOT come in without a search warrant.Period.
    Next time they knock on your door and they say we want to keep you safe, can we come in? You say
    “I’m sorry, I can’t let you in without a search warrant.”
    or just go outside, close the door behind you and talk to them outside.

    • This is true, but a little impractical to this particular situation.

    • Yes you would be correct about allowing cops into your home with your consent. Because of the “Plain View Doctrine ” section of the 4th amendment a police officer can and will arrest you if they find something illegal in plain site. Think if this happened to someone else and they had illegal drugs sitting on a coffee table or pictures of child porn on a computer screen the cops will then get a search warrant immediately and confiscate the evidence. I don’t think Mr Krebbs had anything illegal going on, so he thought I have nothing to hide here.

    • Pointlessly confrontational, Jake, unless there’s something in the house that one would rather not the police see. It’s understandable that the police would want to verify that everyone in the house is safe by actually stepping inside the house. There’s standing up for your rights, and there’s just being an unreasonable pain in the ass.

      Exigent circumstances here would legally justify an entry, regardless.

  20. I know that almost all of the web site readers have no doubt about the effectiveness of an important social websites effort. Moreover, plenty of people have no doubt about who promotional by social websites can certainly improve greatly your online listings in addition to boost your on-line reputation. Everything that almost all of the web do not know is definitely -how to utilize the effectiveness of social websites recommended to the tiny company’s gain. Mentioned are some suggestions which will aid you in your social websites interests. It is important to not overlook in regards to social websites is basically that you are thinking about creating a fun in addition to completely original unique user generated content. This can be a form of subject material exactly who need to offer your mates in addition to supporters on their communal information. Set up subject material that is definitely enlightening in addition to helpful, actually nobody need to write about this. Fascinating subject material http://www.garybirkenmdmedicalmysteries.com/ could travel the attention of the admirers in addition to visitors. They can possibly desire to write about the item, that is certain to enhance your probability to obtain more supporters in addition to prospects. Depart place intended to get trial offers in addition to flaws in your own social websites marketing strategy, a great first. Watch for that which is and what’s no longer working. Examine every thing. Cause alterations as critical. Whatever valuable intended to get many several other sorts of companies will not work out fine. You have to learn on your trial offers in addition to mistakes. When making use of this marketing, possibly you have to regulate in addition to refresh your concentrate in addition to plans frequently. Like this you might stay on target. Are available an important numerous causes that will have your promotional straight along surprising strategies. So it will be far better to re-evaluate the particular course it is going frequently. Do it right sometimes. Look at your ads and pay attention to what sort is among the most effective. xrtiu6fd8gf

    • I take it this one is a computer generated comment to get by the filters that block denial of service attacks?

      • Nope, just a standard run-of-the-mill spambot. No DoS here. Its creator is probably too stupid to flood anything.

  21. Well at least now I know where your column is and have it bookmarked.

    I missed reading you at The Washington Post.

  22. Try this Brian ..

    Пирог с ореховой начинкой

    Для рецепта вам потребуется:

    для теста:

    мука – 2 стакана
    маргарин – 3-4 ст.л.
    дрожжи – 50 г
    молоко – 2 ст.л.
    сметана – 2-3 ст.л.
    яйцо (желток) – 3 шт.
    яйцо (белок) – 1 шт.
    сахар – 1/2 стакана
    цедра лимона – по вкусу

    для начинки:

    вишневый джем – 400 г
    очищенные орехи – 150 г
    сухари молотые – 2 ст.л.
    яйцо (белки) – 2 шт.
    сахар – 1/2 стакана

    Маргарин смешать с мукой, влить дрожжи, разведенные в теплом молоке, добавить растертые с сахаром желтки, цедру, сметану и замесить тесто. 2/3 получившегося теста раскатать, выложить на смазанный жиром лист, наколоть вилкой, смазать джемом, положить смешанные с густым сахарным сиропом и белками измельченные орехи и сухари. Остаток теста нарезать узкими полосками и выложить решеткой. Смазать ее белком и выпекать при температуре 210 – 220С около 35-40 минут.

    You Welcome .

  23. SWATting works because cops don’t know the people in their communities. Even though Brian gave them advance notice, they weren’t prepared.

    It doesn’t help when people play Monday morning quarterback and get indignant about “overreaction” by the police (considering we might be saying something very different if the cops turned out to have been responding to a real hostage situation at Brian’s house). The solution is to improve the relationship of the cops with the community, not to dehumanize them further.

    I would suggest that Brian make a short video about SWATting that can be used for training the emergency personnel and 911 operators in Fairfax County. He might even visit them in person for training. That would make it considerably more difficult to SWAT him, since the 911 operators would know him and the perpetrator would have to imitate his voice and keep up the pretense throughout the call. (People imitating voices tend have difficulty keeping it up while answering questions, as they are stressed and there is an involuntary effect on the vocal cords.)

    • They will just take another route if SWATing is closed off. These kids know no boundaries.

      I’ve been in Skype calls in which people called up the FBI’s many regional offices and falsely reported me as being holed up in my room creating nuclear weapons. Not the same effect as a SWAT perhaps but it does cause issues in your life.

    • Right on Alpha!! We need to turn the community into the “small town” model!! Even the Army realized this in Iraq and Afghanistan, when they implemented the foot patrol and local human intelligence small unit tactics model.

      Old time law enforcement knew this a hundred years ago when everybody new everybody else! Technology and good implementation can make the small town model work in large urban communities, if properly instituted!

  24. Let’s call what happened for what it was: targeted individual terrorism with potentially tragic consequences.

    The people responsible, should they be brought to justice should be sentenced with severity something akin to attempted murder.

    Brian, love the site, and am glad all worked out ok, but please recognize you are a target. Please continue to do the good that you do, but please consider these events to be a wake-up call as to how you do it.

    I’m sure there is a way to reduce your profile somewhat.

  25. Great read. The task force is a good idea, but is there not already an elite cyberterrorism unit somewhere that can be leveraged in cases like this?

    • You assume much “Reader”; mostly the authorities could give a sh*t less about such things! Until they get totally out of hand that is!

      • JCitizen, your assumptions about the authorities not caring are naive and incorrect. They are just like you, some care, about doing their job in the face of hostile citizens and taxpayers demanding more better services while cutting budgets. Others care about getting a paycheck and staying alive to go home at night more than they care about the job. They’re human beings, just trained to do a job that entails putting a bulls eye on along with their uniform. Any task force that reduces the risk of somebody shooting at them will be something they care about, along with all the other priorities.

        take your anti-cynic pills and lighten up! 🙂

  26. Arrest, jail, prosecute, convict and throw away the key. No room for tolerance of this behavior. Form of cyber terrorism.

  27. Just picking up on this Brian…
    Dangerous games the children play, glad you’re okay and hopefully not overly rattled.
    You and yours are in our thoughts., keep up the good work.
    ~Cat~

  28. Wow, I get up late and miss all the action… 🙂

    My take.

    Brian: You handled it well, especially the prep letter in advance warning the police about the possibility. That DID come in handy as the supervisor bothered to check the records on you before showing up at the scene.

    As for allowing them to search, I’d say that was not a big problem. As long as you have no drugs or firearms in the premises, there’s not much they can ding you for, even if they’re pissed off at you for some reason.

    If I were in that situation, I would have held them up for a moment until the wife or anyone else in the building were called out first to prove they were safe. It’s not safe to let cops barge in with guns drawn – you don’t know what rookie is going to accidentally let off a round if he’s surprised by an occupant. So get them called out first, then let them search.

    In general, the militarization of the police force in this country is a serious risk to civilian safety. Their habit of surrounding a house first with drawn guns and inadequate surveillance first is tactically dangerous, given the number of times they get the situation wrong. Civilians have been repeatedly killed by drug busts hitting the wrong house. SWATing is just another opportunity for this to happen.

    All in all, I’m glad this worked out for you. Fortunately, now that it’s happened once, you may be immune to a repeat, now that the police have the incident on record as well as your previous warning letter.

    • good point about calling the occupants out first, also if you own dogs you might discuss with the police and try to take precautions to ensure all are safe. Surprising guys with guns who are in the habit of expecting attack and prepared to respond generally leads to bad outcomes. Eliminating possible surprises is good for them and you.

    • I’m not sure what having firearms in the house has to do with anything.

  29. Wow cant really say anything much but you really pissed someone off

  30. Something is wrong with your servers Brian; other people’s information is displaying in the comment box, this is not good for “innocent” folks who may wish to remain anonymous!!!

    I suspect someone is farming for email addresses to exact some kind of sick “retribution” for your activities.

    • I also noticed problems when submitting comments. When submitting post they end up not appearing, but when I try to resubmit it comes back that “your post has already been submitted”. I think this is more of a issue with a comment based plug-in in how it relates to the WordPress C.M.S. That is just my opinion since I have worked with WordPress in the last two years

      • This is more serious than that – I’m not supposed to see your email and web-site information – that is a violation of how things work on KOS and almost every forum site out there!

        • I think this is happening due to how Prolexic filters DDoS attacks. If it’s anything similar to what other DDoS protection providers do, there’s a set of load-balancing and filtering proxies between you and the site, and the people who’re seeing others’ contact information are seeing it due to their IP address (or rather, the load-balancer’s IP address) matching one who already posted. However I’m not quite sure how the contact info is stored and matched to people, so I may be completely wrong.

          • I suspect an XSS flaw or a goof up somewhere in the code – I just had it happen to me on the page for the latest story (Epoch)…Saw last posters email address and name.

            Brian, if you’d like, send me an email and I can send you a screenshot of what I saw if you don’t see anything in your logs and whatnot…Or whoever does your site.

          • Ah yea, sticky sessions (or lack thereof). That fits…I was thinking cookies being messed with but it’s hit and miss, so load balancing does sound like a closer fit…