Today’s New York Times features a profile of this author — a story titled, “Reporting from the Web’s Underbelly”. The piece, written by The Times’s Silicon Valley reporter Nicole Perlroth, observes:
Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus….
…Unlike physical crime — a bank robbery, for example, quickly becomes public — online thefts are hushed up by companies that worry the disclosure will inflict more damage than the theft, allowing hackers to raid multiple companies before consumers hear about it.
“There’s a lot going on in this industry that impedes the flow of information,” Mr. Krebs said. “And there’s a lot of money to be made in having intelligence and information about what’s going on in the underworld. It’s big business but most people don’t want to pay for it, which explains why they come to someone like me.”
Read more here.
Update, 12:43 p.m., ET: Adding this as an update because my comment got buried, and because a sentence about my discovery of The Post’s payroll data has already led to one “Krebs has done a bit of illegal hacking himself,” story. The NYT piece makes it sound like I hacked my way into the Post’s payroll system, but in truth it was far less interesting/glamorous than that. Basically, the newly-hired guy in charge of Windows share security at washingtonpost.com had for some oddball reason undone all the security put in place by his predecessor, so all local shares on the network were more or less readable by anyone who had network credentials.
In short, I was able to see the salaries.xls file without even using my keyboard. Just open Windows Explorer, click…\\Finance….click…\\Accounting….click…\\Payroll…whoaaa!
The only reason I did not lose my job over that discovery was that I brought it to the attention of the Post.com’s security team immediately. They fired the guy responsible for undoing all the security that very day. The head of security showed up at his desk with a box and told him he had 15 minutes to clear out his stuff.
Has anyone considered issuing credit cards that could only be used in the U.S. and goods had to be delivered to a U.S. address?
That could take the incentive out of hacking – and you could get a separate card if you had to go abroad.
Use of a hacked number could be monitored.
Why do our banks refuse to implement credit cards with chips in them like they have in Western Europe, along with the added security of a TAN creator?
I never have a problem with my European bank or their credit cards.
I am tired of hearing that it is too costly. If the same banks can issue safe cards in Europe why not here?
Once again, we here in the USA do not care what happens to our people.
Gerda, it’s not that the banks refuse to do it; banks actually take the majority of the losses. Some banks may think the increased cost of the chip cards outweighs the losses from these incidents, but more often than not I believe banks want to move to the chip. Merchants don’t have the systems to read such cards, and not taking much of the losses doesn’t incentivize them much. The big merchants like Target only lose some reputation value, which is quickly recovered as most people forget about the breach. Smaller merchants don’t have the money to put in new card readers and have no incentive to pay for such a thing anyway. So we won’t see EMV cards in the U.S. until the fraud loss burden of these breaches falls more on merchants and consumers.
Actually, it looks like the payment card industry will be moving to EMV by October of next year.
I wouldn’t hold my breath. The banks and their billionaire royalty have all of congress in their pockets and have done quite well on shifting the blame and burden to the public. Every year you read about the massive breaches at the credit bureaus and the even more unregulated data brokers, and yet year after year they skate by unscathed. Banks are still out there making known bad loans, sending credit card offers to dogs, stashing all their profits overseas.
A full half the country recently voted for a job-destroying, tax-dodging narcissist who would have given even more of a pass to these types of cheapskates. I think any hopes of reform or responsible improvements in this arena are misplaced and naive.
Given the push to implement EMV in the same manner as was done overseas, I see little reason why it won’t be implemented in the US over the coming years.
The trick that the banks inserted into contracts & related laws is that the banks are no longer liable for fraud – the onus is on the owner of the card to prove fraud, since the EMV system is assumed to be absolutely perfect so therefore all fraud must have been committed by the cardholder.
Only problem is that EMV systems have been broken, at least in limited instances, leaving some cardholders on the hook for fraudulent charges.
When banks start assuming their systems are perfect, you know we’re in for stormy seas.
Europe leapfrogged the magstripe technology, partly because they were later to the party and partly because telecom costs for authentication were high. The US is stuck in this no-tech zone because VISA/MC/AMEX refuse to pay for the upgrades the retailers need to accept chip cards. The retailers are now suffering fraud losses that incent them to upgrade and force card issuers (banks + VISA/MC) to produce chip cards. This was all kinda predictable. I believe VISA/MC/AMEX will be forced to relegate magstripe cards to the trashbin…but it will take 3+ years to do it.
My bank calls me if there is any activity on my cards from any other city. When my wife went to visit her sister I got a call and had to OK the transactions.
Because a lot of the fraud still happens in the US. Take the recent Target breach for example. The breach was committed by someone in a foreign country, the stolen credit cards sold on the online black market in batches by zip code. At least one batch was purchased by some criminals in Mexico who crossed the border into Texas, made a bunch of purchases at multiple stores and attempted to cross back into Mexico. They were apprehended at the border with 96 counterfeit cards.
At least these 2 were caught…how many got away with it? Restricting the cards to the U.S., or even the state of Texas would not have helped.
I hope you are teaching two or three (or more) like-minded people to do what you are doing. The New Testament didn’t go viral before 70 scribes wrote the Greek translation of the Old Testament.
Very nice article… I hope the greater exposure of your site will encourage other people to follow your lead and write about the people and techniques used by cyber criminals. Most people that I talk to are shocked to learn that there are websites where stolen goods can be bought – they seem to have the idea that it happens in alleys or something.
I have two questions.
1) Did you have to clean up for the full room picture? It looks suspiciously like a room that was tidied up quickly.
2) Does it bother you to have to be that paranoid? I’m not being critical of it just wondering what you think about the steps you have to take.
Well, I’ve heard of Krebs on Security before, but the NY Times profile has made me read through some of it and bookmark it.
Thank you, Brian Krebs, for bringing this stuff to light. Unfortunately I work in an I.T. department where we have to pay attention to PCI, and it’s frightening to see what we’re up against. Half-assed is the same as not at all.
What a terrific article, Brian. You’ve come a long way since you were at summer camp in Southern Maryland almost 30 years ago! I read your blog regularly and am in awe of what you do. Thanks for helping keep the criminals on the run — maybe some day the cyber world will be a safe place. Keep fighting the good fight!
“The” Donna Sauer? How crazy! Nice to hear from you again. Thanks for your readership and for letting me know you’re there! Blast from the past!
Yes, the one and only. I sent the article to my sister Amy (who also worked at Camp) and to Father Glen (still Executive Director of Camp). I live in Arlington, so we’re practically neighbors. Blast from the past indeed — and Back to the Future!
What I’m going to talk about is likely going to be objectionable to BK and donna, but I consider it important enough to play ‘bad guy’.
One of the best things about the internet is being able to reconnect with old friends. But it’s also an area that is fertile grounds for hacking.
The above comments of Brian and Donna are a good example of how social customs, human emotion and security intersect. And it’s often the case that this intersection presents opportunities for exploitation.
Grandma hears from her ‘grandson’, and it brings emotions that exceed caution. It’s human to want to show an old friend they are trusted. Similar to the law of asymmetric reciprocity, the old friend shows up and there is psychological pressure to demonstrate trust to the old friend.
The target will ‘authenticate’ the attacker based on some multi-factor authentication. It used to be maiden name, pet, etc. Often such details can be obtained in ways that the target thinks are unlikely, or impossible. Often they are right, but when they are wrong, they are very wrong.
We should employ a greater level of authentication for an elapsed certificate (an out of touch old friend) than one would with an unknown entity. Yet social norms, and human psychology demand we greet old friends and dispense with the proverbial ‘retina scan’.
The use of expired certificates (and old out of touch friend) creates an edge (the fake old friend) for the hacker who then leverages some details that could possibly (in retrospect it often seems obvious, doesn’t it?) be data mined, or if state sponsored, obtained from better background investigations of the target.
Trust is established for this revived entity; carried forward without the same ‘authentication’ one would use for a ‘new’ acquaintance, like backdoor access to a system resource.
It’s important to understand that whether or not the ‘old friend’ is legit or not, the policy breach IS a security breach. Even if Donna is ‘true’, it sets up a behavior pattern that could be exploited in the future. That in itself makes the recipient less secure.
Some historical examples: folks in an office that send around joke emails set up the office for the ‘I love you’ virus. The group of ‘grandmas’ that send around cute pictures and stories from the ‘web’ set themselves up to be exploited. It’s that some, perhaps most, of this behavior is benign that makes it so dangerous. Whether links, or websites that build a following only to sell out to malware, it’s all the same idea.
The social custom to expect that friendship is demonstrated by turning off security will take a lot of effort to change. But before I get to that, let’s understand a bit about how the ‘old friend’ exploit works.
So, how does the old friend scenario play out? Well, perhaps like this:
Perhaps the ‘old friend’, or perhaps a second ‘old friend’, appears and develops the trust, based on BK’s authentication model of details of ‘camp’. Perhaps he is invited to lunch 3 months from now… perhaps he agrees to meet somewhere less public. Given enough effort, perhaps the ‘bad guys’ even find someone who can play the part. There will be more ‘new data’ than ‘old data’ to catch up on… and memories fade with time, so it’s not out of the question. And people do grow up and look different than we remember, easily bridged with some transitional pics and self-deprecating ‘getting older’ humor. So perhaps Brian finds he has made a big mistake in trusting “Donna”, perhaps not. If “Donna” turns out to be legit, Brian will have a faulty model to apply to the second ‘old friend’. That is what makes it so dangerous. The second old friend might have an easier time with ‘authentication’. It can be particularly effective if friend 1 and friend 2 work together.
The above isn’t new; it’s a pretty obvious approach if one has a specific high-value target. It’s not whether it is what WILL happen; it’s enough that it COULD happen.
What can be done?
For one thing, placing the entire burden on ‘defense’, or authentication is a mistake. Just as restraint from sending those cute pics and stories from the web makes us more secure, friends and allies can be more sensitive in asking for ‘authentication’. Think of it this way: Donna has boxed Brian in a corner (most likely unintentionally). Brian can force Donna to go through tremendous amounts of authentication and not display a socially welcoming poise, or he can demonstrate the degree of friendship by turning off the proverbial ‘firewall’. Both parties (assuming Donna is ‘true’) have worked together to compromise security.
Thus, one thing that can be done is better awareness by the ‘good actors’ of setting up the ‘grandmas’ for later scams.
The problem itself isn’t solely ‘authentication’; it is vectored by the data and multiplied by scale. I once again urge folks to consider not collecting data they don’t really need. Just as sharing jokes and pictures in chain email is dangerous, so are businesses that collect unnecessary data for their business processes (and no, building a dossier/profile on Brian (or aggregated Brians) to sell it isn’t a legit business model, it’s just a form of spying). These unnecessary data collections magnify the problem of security just as folks sending joke emails or social pressure to whitelist authentication (the old friend problem above) do.
Put another way, if the Brian dossier didn’t exist, the ability to fake authentication would be reduced, and the social norm of welcoming with open arms (no retina scan) would be less dangerous.
In general, society has learned that sending joke chain emails is a bad idea. But society has not yet learned to deal with the social pressures which drive so many of these breaches. Nor have we learned that if the data never exists, it can’t be lost, hacked or stolen, and is thus the only ‘secure’ data. One wonders if all the big data and technology is really worth the price of not being able to safely welcome an old friend. That we feel loss that we have to be so negative on what should be joy is, when you think about it, part of the psychology of why it’s dangerous…raining on the parade isn’t fun.
Lee, don’t you remember me? It hasn’t been THAT long… Sorry, couldn’t resist. You are correct, of course. BK has my email address, so it’s his call if he wants to connect outside this forum. I am generally EXTREMELY cautious. This was the first blog comment I can recall ever posting. So, my being used as a posterchild for the need for cyber security is all well and good. Hats off to you and to BK for keeping us informed!
Thanks for giving me a laugh (The world can use more of that) and taking my comment constructively.
My chief concern is that even if both of you know the risk (and how to mitigate it) some folks may follow what they see here, thinking they are being ‘safe’. Brian is to his credit (and detriment) a role model, whether he wants to be or not.
Anyway, I think it’s a fair guess that every intelligence service in the world uses the ‘old friend’ exploit in some form. What has changed is the widespread availability to do so with a completeness that is unprecedented.
And thanks again for the humor. 🙂
Good point and well explained. Thank you for doing that.
The online exposure of private-life events and details is always very dangerous (speaking generally).
By the way, these days Facebook, Google+, LinkedIn and all the others make the “social engineering” job easier than before.
And you don’t need much effort to create fake profiles to match some old friends or old colleagues.
Congratulations Brian on being recognized! Take care of yourself! You are needed.
Wow! Congrats! Hats off!
Now if B.K. got credit from a news site like, say, “ProPublica” or “The Guardian”, then that would be a huge honor in my opinion.
Your intelligence, persistence, and courage deserve recognition. I hope it does not make you even more of a target than you already are. Thank you for fighting the good fight on behalf of all of us who could never do what you do.
Brian, thanks for posting part of the NYT article since I refuse to click onto their website for any reason.
Thanks for all you do. This crazy world is a much better place because of you. Stay safe.
Underbelly? I have not heard that term in a while. Thank you Mr. Krebs for your efforts. I posted the NYT link on my LinkedIn profile to further recognize you. Maybe your career will eventually turn into helping people like the CBS show: “Persons of Interest”. Best wishes!
Great Times’ article. And now you’re bookmarked so mebbe I can learn a thing or two and keep myself a bit safer [?]. Thanks.
I have been reading your Blog for years and use some of your articles (What use is a hacked Computer/Email account, etc).
Really appreciate your efforts on Cyber Security.
This seems to me a very good Article.
Hope to get to talk to you one day in person.
Can you please reply to Keith’s two Questions
1) Did you have to clean up for the full room picture?
2) Does it bother you to have to be that paranoid? I’m not being critical of it just wondering what you think about the steps you have to take
Interesting, Brian. I’d always assumed that you’d gotten swept away with the same brush that got rid of Ricks, Hunter, and the other top-tier (e.g., expensive) talent at the Post, not that they tried to make you a generalist first.
Reading salary data is not the same as pointing out a share without rights. How did the author extrapolate one from the other?
I wouldn’t be proud to be profiled in the New York Times. The NYT is now an agent for the US government. Their new propaganda machine. NSA and the secret service punked them from releasing anything Snowden uncovered. That’s not journalism.
Virtual networking isn’t much different from the older mode of social networking we’ve come to know when you meet someone after work for a drink and decide whether you want to continue in some sort of relationship. What information you reveal or divulge to someone (e.g., family, business, etc.) is pretty much a given because you want to make a good impression and come across as friendly. For lack of a better word, I’ll call this sharing of information “transference” because each party reveals to the other and takes away from the other some bit of information, even on the smallest scale.
Another illustration of transference occurs when you step in mud before entering your house, and a bit of the mud ends up on your carpet or floor. You may not even be aware of it until you come back through the same area and see the mud clinging to the fibers of the carpet. There it is. An innocuous email or message passed on from someone who knows someone who knows someone who knows you is similar. How much information does the sender know about you? Casually and innocently, or casually and sinister? Many viruses and malware are spread based on the concept of trust. We use all of the brainpower at our disposal but we often as not come back to who knows whom. And the backtracking can often be tortuous.
When Target was breached it was due to somebody doing something for Target, in this case an HVAC company that provides “administrative services” to the retail giant. Target probably didn’t help itself when it made available unsecured data that its subcontractors can access, but the point is that Target left itself open to a cyber attack because it trusted the integrity of its subcontractors whether or not they had knowledge of the breach. Because Target didn’t check its shoes at the door, they ended up with mud on the carpet.
Hear, hear! Well said!
I like your 4-computer-monitor setup in the picture; you beat my act with only a 27" LG monitor.
The story is also very prominent in the Sydney Morning Herald today (and no doubt many other newspapers). One reader believes you deserve a Nobel prize for your efforts.
Pulitzer, at least.
Get a Rotti!! Mine’s my best friend, he hangs with me all day long, he’s a mush, loves other dogs and kids, he’s over 100 pounds. But………
He can sense aggressive behavior in a heartbeat and his demeanor does a 180 instantly.
Be kind to him, give him treats and he will love you forever. A Rottweiler doesn’t need to be trained to be a guard dog. It’s bred into him since the Romans took them to Gaul, and they were always used for herding cattle in Italy before that.
Chip & Pin is not secure. It just has different security issues. I read news stories weekly about the latest security breach for Chip & Pin systems.
The only thing Chip & Pin changes is that it makes it easier for the bank to refuse a refund in cases of suspected fraud. Any transaction that is validated with a Pin is automatically denied a refund, and it is up to the consumer to prove that fraud occurred. Which of course is nearly impossible, or prohibitively expensive, to do.
Chip & Pin has nothing to do with security. It has everything to do with shifting the cost of fraud to the consumer.
“security” IS about shifting “risk”.
Consider a system with three possible ‘risks’. Together they make up 100% of the risk profile (likelihood and consequences); that is, all consequences are contained in those three parties.
Let’s say we eliminate one of the possibilities. We have made those remaining two more significant. There may well be fewer events, but 100% of the consequences remain in those fewer events.
That’s why “when we harden the hard targets we soften the soft targets”; put another way, “we don’t eliminate risk, we only move it”.
Anyway, shifting risk IS what security is about. It’s whack-a-mole with events, but unless we stop scaling up, the risk profile just pushes larger consequences to the tail events.
When security folks start discussing reducing the risk profile by only collecting the minimum data possible, and only collecting as much as necessary then we will be getting somewhere. Until then we are just ‘allocating it’, and as you point out.. usually to grandma.
But, if not for the grandmothers, would there be a “functioning” internet? So there has to be someone out there that “looks after” the grandmas. Else…
But, should you trust the sender? Let’s counter the question, reverse that to: should you, the receiver?
Kind of like your bit about the NYT. Actually firing someone, but should they let him/them onto a network without initial supervision, or was he supposed to know everything about their network without proper training? I believe their security must be that poor that they trust what your resume says, and that you paid attention in class. Think someone in HR needs security training, or to go back to class, and stay awake this time.
It figures. The NY Trash rag mag going on a negative publicity stunt. I wonder if it has any underground ties that they owed favors to? Or are the people over there, mainly the wannabe reporters, simply too thick to think for themselves? I think they are just jealous that someone can make it by themselves.
What do you think Brian? On second thought, don’t answer that; as bored as they are over there, they are probably looking for a good fight = Þ
Sorry, I missed something. How is this negative publicity? I thought the story was quite flattering, actually. My update was regards to another publication’s coverage of the NYT story.
It’s not you that deems negative publicity, it is others. They seem to be jealous IMO – and they seem to want to take a shot at someone who is making a blog standard bi-weekly reads.
I didn’t comprehend that the update was from another publication – I did a quick look and didn’t see a reference to another publication, named or unnamed.
Hats off there Krebs, keeping the bar at the same height or raised slightly is what it takes to make it, and you are doing a good job.
The guy that got fired probably did a permission file from a root folder down, and used Everyone, Full Control. That’s all it takes. Then the entire AD permission set is hosed, if it doesn’t have a good backup. Takes months to figure out who had what perms.
For people that don’t know what a “hack” is, they are clueless. maybe they should come here and read more often, they may learn something. = )
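One way a defender can check for the failure mode Brian describes in his update above (every share readable by anyone with network credentials) and the “Everyone, Full Control from the root down” variant in the comment just above: an added PowerShell audit script, not code from the post or its commenters. It assumes a Windows file server with the SmbShare module (Windows Server 2012 or later), local administrator rights, and that the list of “broad” principals is a starting assumption to tailor for your domain.

```powershell
# Added example: audit SMB shares for share-level and NTFS permissions granted to
# broad principals, i.e. the "readable by anyone with network credentials" state.
# Run as a local administrator on the file server being checked.

# Assumed list of principals that amount to "anyone with a domain account".
# Well-known broad groups; extend it with your own wide groups as needed.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Domain Users'
)

function Test-BroadPrincipal {
    param([string]$Account)
    # Match on the trailing part so "CONTOSO\Domain Users" is caught as well.
    foreach ($p in $BroadPrincipals) {
        if ($Account -like "*$p") { return $true }
    }
    return $false
}

# Skip the built-in administrative shares (C$, ADMIN$, IPC$); only user-created shares matter here.
$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {

    # Layer 1: the share ACL enforced by the SMB server itself.
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        if ($ace.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $ace.AccountName)) {
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Layer     = 'Share'
                Principal = $ace.AccountName
                Rights    = $ace.AccessRight
            }
        }
    }

    # Layer 2: NTFS ACL on the shared folder. A permissive share ACL is only
    # harmless when the NTFS ACL underneath it is tight, so both are reported.
    if (Test-Path -LiteralPath $share.Path) {
        $acl = Get-Acl -LiteralPath $share.Path
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -eq 'Allow' -and
                (Test-BroadPrincipal $rule.IdentityReference.Value)) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Layer     = 'NTFS'
                    Principal = $rule.IdentityReference.Value
                    Rights    = $rule.FileSystemRights
                }
            }
        }
    }
}

if ($findings) {
    # Each row is a share that any authenticated user could read (or worse).
    $findings | Sort-Object Share, Layer | Format-Table -AutoSize
} else {
    Write-Output 'No user-created shares grant Allow access to broad principals.'
}
```

A share that appears in both layers with Read or higher for a broad principal is the Finance\Accounting\Payroll situation from the update; fix the NTFS ACL first, since the share ACL alone does not protect the files from local or other-share access.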
Maybe this has been commented on already:
Why are we allowing retailers to keep our credit card and personal information at all?
If people are climbing through the windows of your house to get the cash hidden in your mattress, then get rid of the cash.
Why? If you simply want to get rid of the cash, let the crooks take it, less effort that way…hehehehehe.
As for shopping places, I choose a 3rd party processing agency that does not allow the business to see my credit card number(s). The business offers a 3rd party payment, I will use it. If not, I will go somewhere else.
A buddy of mine was once fired for “hacking”. The CEO at the company was having trouble logging in. So in order to help him login, my buddy asked him for his username…. Game over.
It just shows the maroons are in charge.
The big media companies still buy the crap that the TGT hack was some super sophisticated hack. What Brian has shown in gory detail is that many of the successful intrusions are preventable with some diligence.
Zeus should be one of the first things people are looking for on the network….
Obviously, security will never be perfect. I am not sure if I am happy there is still low-hanging fruit out there for the bad guys or sad that so few people understand security is just layers of diligence one on top of the other.
Nice recognition article.
Protect this man and family. Keep his area of cyberspace clear of miscreants and criminals.
Thank you Krebs on Security!
Hello to Brian and all you web warriors out there, just wanted to pass along Krebs mention on Law Technology News:
Meanwhile, keep your powder dry and keep the enemy in your sight!
Sorry! The link above only seems to work if you register. Maybe they’ll give you a clean (shorter) link, Brian to show your readers.
I found salary info at my very first employer. (BIG company.) I was poking around looking at published business reports just to improve my knowledge of the business. I found one with SS numbers so of course searched for my own. I saw all of my personal info plus my salary. I (cough) may or may not have looked at some other people’s salaries before reporting my find to my manager. I certainly wasn’t hacking. Who would think such info would be wide open? I was not punished. I wonder how many other people knew that info was available but said nothing.
Brian’s blog mentioned as recommended reading in “Security Lessons from RSA”, an article on CNET’s download.com: