18
Jan 14

The Adventures of a Cybercrime Gumshoe

I was fortunate to spend several hours this past week with two reporters whose work I admire. Both wanted to learn more about my job as an independent investigative reporter. Their stories about my story are below.

bbwMark Stencel, a former colleague at Washingtonpost.com who similarly worked his way up from an entry-level job at the publication, wanted to hear about the challenges and rewards of going solo. Stencel’s piece, Reporter Brian Krebs Hacks it on His Own, One Scoop at a time, was written for poynter.org, an online publication for and about journalists.

Stencel writes:

“All of this reporting pays off with loyal readers, even at companies who fear finding themselves covered on his site. “As someone who does payment card security for a brick and mortar retailer, ‘Brian Krebs’ is a name I never ever want to see flash across my Caller ID,” one admirer wrote in a recent reader comment.”

Separately, I spent half a day with with Business Week reporter Karen Weise, whose profile, The Cybersecurity Blogger Hackers Love to Hate, appears in this coming week’s print edition. Weise observes:

“Krebs’s talent for exposing the weaknesses in online security has earned him respect in the IT business and loathing among cybercriminals. His track record of scoops, including the Dec. 18 revelation that hackers stole tens of millions of customers’ financial data from Target (TGT), has helped him become the rare blogger who supports himself on the strength of his reputation for hard-nosed reporting.”

My favorite part of both these stories are the observations from readers. For instance, Weise quoted Lance James, head of intelligence at Deloitte, with whom I co-presented last year at the Black Hat conference in Las Vegas.

“No intelligence agency could get as much as Brian Krebs does,” BW quotes James as saying. “Everybody wants to share with him.”

Fortunately, that’s very true: Key information that informs some of my best scoops is just as likely to come from people actively engaged in cybercrime as it is industry experts working to fight fraud. So, once again, a sincere thank you to all of my readers — lovers and haters alike.

Tags: , , , , , , ,

54 comments

  1. The co-presented link is broken. Thanks, Brian

  2. Brian Fiori (AKA The Dean)

    Great stuff, Brian. That’s what makes this one of the very few blogs I count as a “must read” as soon as an update is posted.

  3. I check your site daily for new and interesting stories.

    I find your knowledge to be unsurpassed. I’m just a user who has taken your advice many times and kept my system clean (I think) of any of the malware out there.

    You have received some very well deserved praise.

  4. Thanks for posting this article, as I would never have found it – I don’t even read the Washington Post anymore, now that Brian left.

  5. Simply want to second that — “a ‘must read’ as soon as an update is posted” — even if that email arrives in the middle of the night. I now know first-hand of the dangers associated with checking email during a moment of insomnia. Putting the pieces of the “$9.84 Hustle” puzzle together was the most fun I’ve had in a long time staying up all night.

  6. You do a great job explaining subject matter that can be extremely technical and arcane in a way that the uninitiated can understand.

  7. Brian, so nice to see this recognition.

    I am a former Gartner analyst and have blogged and authored several books on tech enabled innovation for 8 years now.

    it is always nice to see “independents” who raise the bar for the “institutional” types and also other independents.

    Stay brave!!

  8. Congratulations.

    You are the true ‘cyberpunk warrior’ of our time.

  9. Nice to see you get some well-deserved recognition. I do believe I heard your name mentioned on The Evening News in a report about the Target Fiasco, as well.
    I read every one of your newsletters– they have alerted me to many issues I would have missed otherwise.
    Therefore — I was not surprised when my bank informed me that my debit-card was compromised, yesterday. (No loss for me, thankfully– just inconvenience)

  10. Are your parents Scandinavian Brian? Wikipedia says you were born in Alabama but there are some very Norwegian characteristics about you.

    Sorry to hear about the shit in the post. I guess the Russians couldn’t get the BTCs together on that one.

  11. Excellent Job Brian . :). C

  12. Congratulations on these and your recent anniversary. Best praise is from others in the field.

  13. I am reading more stories in the mainstream press these days about the Target hack and others that mention an obscure blogger named Brian Krebs who first broke the story. I just hope there is money in it as well as fame!

  14. TheOreganoRouter.onion

    His the ” Joe Friday” of cyber-security

  15. Hey Brian, congrats, two really nice articles 🙂

    Glad to hear you got a little persuader in the corner there, I personally don’t like guns, but if I had your name and rep. I would do the same. Here’s to hoping you never need it!

  16. Nice photo at Target 🙂 Brian, thank you for being a shining example to all of us trying to make our professional way in these uncertain times. The biggest breaking new for me today is that you have a forthcoming book … am very eager to read it! Best wishes.

  17. Brian, you rock! I am a loyal reader.

  18. Really glad to hear you’ve made it work financially. And just think, the folks on crutop.nu who were celebrating you getting fired from WaPo four years ago were a lot of the same people who have provided subjects for the reporting that has made you successful. Sweet!

  19. In the Poynter article, Stencyl mentions you have turned down some corporate webinar work, it tending towards being skeevy, and it occurred to me that you would probably give a very interesting Ted Talk…. though you may need to have no coffee beforehand and maybe even take a Valium, if the speed at which you talk is always like the BlackHat 2013 session you did(saw it on YouTube the other day). Or maybe writing really is your preference; you certainly do it well. I’m enjoying learning about cybercrimes and security since coming across one of your blog posts on the Target epic

    • Folks from the big city talk faster than some of us from slower walks of life – they are compressed into an accelerated time continuum! If it is too fast, use your video controls to slow it into bite sized chunks! HA! 😀

  20. Brian, your writing style is so damn engaging, interesting and informative, and you are one of the worldly news sources of this new digital age. You have shown the light for many of the rest of your foot-soldiers in technology, and I am fortunate to have you as an information provider and security teacher. I hope your spirit stays strong as you stay the course of investigating the dark underbelly of a wonderful tool (the web) given to us by our government who has so summarily and heinously abandoned their stewardship and control. Imagine the gift of an information society turned loose to the criminal underworld and sneaky politicos and spies and nobody gave a shit. It’d be a crying shame if it weren’t for you and your efforts. Thanks for bearing the torch. I’ll be following you for a long time. Peace, brother.

    • I find you post very engaging, until you seem to think some kind of intrusive government needs to intervene; I would like to limit the participation of government to as little as possible, as they already have their hands in our shorts, thanks to the NSA and other gubbamint snoops. So no thank you on encouraging that – I can only hope the organizations of the world can do as little as possible to help the public coordinate solutions to the banking crisis, that seems to be enveloping us. Only friendly cooperation and open discussion can guide the world wide web organizations to promote standards all countries can acceptably abide by.

      Bad enough that we’ve lost net-neutrality, we don’t need any more busybodies cramping our style. We only need enough tweaks to make security a reality in commerce, not a dictatorial fiat, that rarely results in successful solutions.

  21. Let me join the chorus of congratulations.

    Of all the blogs out there Brian’s is the only one I read regularly.
    I do not work in security, or in IT, nor do I always understand what is being described or opined.
    Yet, I find all of it fascinating and learn a lot.

    Have been following Brian since years of his work at WaPo.

  22. Kim in Minnesota

    I consider you one of my best finds for 2014, Mr. Krebs. Thank you for taking the time to explain the most recent MS and Flash player updates. That’s how I found you. I am fearful (and rightfully so considering the many, many hours of work I’ve lost in the MS update processes) of all things MS. I can’t tell you how nice it is to have found a trusted pro to shed some light on the dark, dark, and darker shadows of greed lurking behind my screen.
    That in itself was reason enough for me to add your column to my morning news, but then I discovered something else,- I found out why I had so many problems at that damn Murphy station last fall.
    And I found out why Target hasn’t notified me when I clearly recall shopping there in early December. (I’ve never given them an email address. And a damn stamp costs 4 bits nowdays.) But I digress. I know Target is getting the brunt of the heat on this breach when in reality there should be a few other big players standing up there beside them taking the heat.
    Thank you.
    Kim, in Minnesota

  23. Kudos, Mr. Krebs. Really glad to see you get recognized by your peers. Best wishes! Love your blog —

  24. Well deserved recognition. One of a handful of sites where I have AdBlockPlus disabled.

  25. This is a question not related to the topic here.

    I would like to know what Brian and others think of this AARP Fraud Watch Network. Here is the link:

    https://action.aarp.org/site/SPageNavigator/FWN_Registration_Page.html

    • I have no experience with this Network, but do have experience with AARP. Be sure to read their privacy policy. If you decide to proceed anyway, opt out of their widespread sharing of your information with third parties. You’ll be glad you did.

  26. As an ISO at a community-based bank, Brian has been my primary “go to” blogger the past few years. Most reporters couldn’t get a story right if their lives depended on it. What I read on Brian’s blog is always right. I’ve seen it repeatedly which is proof-positive that I can believe what he posts.

    When the Target breach hit, I was able to inform senior management before it hit mainstream media which helped us in doing early recon on our clients who used their cards at Target during the affected time. We had reports in our hands by the end of the business day. Our FI was one of the few with fully informed personnel when the news broke. When client calls came in, we were prepared and clients felt reasonably reassured in spite of this breach.

    When the bad guys send a SWAT team to your home, send heroin in the mail, attempt multiple DDoS attacks, etc…it means one thing…Brian is on the right track.

  27. First of all who gives a crap where you origins are or what fricking country your name is from.

    Otherwise, I have told you directly and I will say it on your blog. Prior to your blog, the amount of this type of reporting was very limited. But as I have found out, your type of reporting didn’t exist at all. You sire have raised the bar and it’s possibly to high for most of us to meet.
    I have and always will provide your link to all of my contacts, customers, people I meet in the grocery store……..seriously. Just ran into a detective that I started talking to in the line at the store, and before I knew it we were talking about the Target breach. Turns out, he is the detective in charge of fraud investigations for one of my sister cities. Asked if he had ever read your blog….”Nope”….next thing I was writing down your site address on my business card for the detective.
    He sent me an email last night to tell me thanks. He found your information very useful.

    In any case, great stuff sir, and I look forward to being a loyal follower of your info in the up coming years.

    Do us all one favor…….please? Find out what the actual point of every was at Target and Niemen Marcus…please? LOL!!!

    The Human Defense
    “Security is not a technology solution. It’s a human resolution”

  28. It’s great to be able to read your work, especially when it’s not chained down by an editor of a dying media model. WaPo did you a favor and did us a favor.

  29. I can’t help but chuckle at all the gushing. I guess all of the handsomely paid IOs, IT experts and Al Gore’s of the internet on this blog who are in charge of the financial future of the world have never picked up a copy of “2600” at their local magazine stand. It’s a shame. Disgruntled and sociopathic underlings of their corporate underbelly have been letting the cheshire cat out of the bag for years. (Sprint, Verizon, Blockbuster, lol, dept. store and restaurant chains, etc.) So slow to catch on…TG for Brian’s blog.

    Hopefully, he’ll bring all you mastermind mainstreamers up to speed before we rapidly tumble into the collective cyberspace abyss (again), like an Olympic luge course that’s too fast to run. Going for the gold takes on new meaning when you’re teetering over the edge of the track and staring at a 1000ft drop. Lives are at stake here, folks. Forget about the NSA. Just look to any 17-year-old punk hacking a PlayStation to get free movies and porn.

    • Whats wrong with hacking a playstation for movies and porn if it will allow it? If you own the playstation, and you’re using hardware you paid for in a perfectly legal way (minus maybe the beancounter’s conceptualized use of it).. It is a different story if you are using someone else’s stuff.

  30. I fully agree with most of the people here. Well done Brian, you are the best.