Interviews: Ask Brian Krebs About Security and Cybercrime

Brian Krebs got his start as a reporter at The Washington Post and after having his entire network taken down by the Lion Worm, crime and cybersecurity became his focus. In 2005, Krebs started the Security Fix blog and Krebs On Security in 2009, which remains one of the most popular sources of cybercrime and security news. Brian is credited with being the first journalist to report on Stuxnet and one of his investigative series on the McColo botnet is estimated to have led to a 40-70% decline in junk e-mail sent worldwide. Unfortunately for Krebs, he's also well known to criminals. In 2013 he became one of the first journalists to be a victim of Swatting and a few months later a package of heroin was delivered to his home. Brian has agreed to give us some of his time and answer any questions you may have about crime and cybersecurity. As usual, ask as many as you'd like, but please, one per post.

Cowards as affiliates

[japa]

You appear dedicated on continuing reporting on cybercrime, even though it may result to harm you (swatting etc). How often have you come into situation where someone you work with states they don't want to work with you any longer as association to you may result them to being target for criminals or some such?

Long term solutions?

[mlts]

Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.

Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".

If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be be stopped well away from their intended targets?

Re:Long term solutions?

[gstoddart]

Awesome, we'll have a bunch of walled gardens, beholden to corporate interests, tightly controlled by governments, and which will still be full of security holes.

What could possibly go wrong?

Re:

[pseudorand]

Actually, that solution would work well. The hackers would be the only ones left with true internet access that could get to any host in the world. They'd then sell that access to the public. And once we're their customers, they'd be more reluctant to harm our computers since that would mean we'd use less of the service they're selling. We'd just have to make sure all those independent networks were insecure enough that lots of hackers could break in to all of them, thereby fostering competition and keeping

Re:

[Fnord666]

You do realize that the topic of this post is "questions for Brian Krebs", right? Not questions for random people at the bus station?

Re:

[gstoddart]

Since when the hell do we wait for the interviewee to discuss the damned questions? I'm supposed to care?

If Mr. Brian Krebs wants to answer it, go ahead .. but the idea of devolving the internet into a bunch of curated things which are safe and secure and under corporate control so we can all be looked over ... that's a stooopid idea.

It's giving up a free and open internet to prevent us from getting hacked,

You want to stop getting hacked?

Tell government to fuck off and stop demanding weakened security so t

Regrets

[Anonymous Coward]

Do you regret any of the investigative techniques or decisions you have made over the years in relation to your security reporting?

Blog Monetization

[chrisbischoff]

Your website seems to get a fair amount of traffic, how much revenue are you earning per month through the advertisements?

What is everyone doing wrong?

[whitelabrat]

My argument has always been if something is important and you want to keep it safe don't connect it to the internet. Obviously that's a tough sale. So what is one thing you think everyone is doing wrong and could improve on?

Public Disclosure

[Anonymous Coward]

Brian,

Are you generally in the Responsible Disclosure camp xor the Full Disclosure camp? And why?
(I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)

-Bryant
a local Washingtonian.

Polls and Video Bytes?

[gatzke]

Is there any way you could break into Dice servers and move the /. polls back to the sidebar and maybe turn off the Video Bytes (or make it a slashbox?) Alternatively, could you suggest a black or white hat to do this for us?

payment processors

[sims 2]

before bitcoin became popular ransomware would often use visa or some other credit card

is there any easy way to report them to the cc company or their payment processor?

phone trees are a no

Oh No Moment

[btroy]

Besides the swatting - what was your biggest "OH NO!" moment in your reporting history.

China

[AdamD1]

Hello Brian. I'm a long time reader and fan.

I had a question regarding the frequency with which we hear about China being a major source of "state-sponsored" advanced persistent threat (APC) hacking. Many news outlets have referred to "Unit 61398" as a source for much of these attacks and data thefts.

Should we take Chinese hacks seriously as a threat? Do you feel it's an issue that will ever be resolved?

Thanks

ad

Re:

[amicusNYCL]

we hear about China being a major source of "state-sponsored" advanced persistent threat (APC)

APC? Is that Advanced Persistent Chinese?

Re:

[AdamD1]

Woops! Advanced Persistent Threat = APT.

ad

Should We Trust Kaspersky?

[Kagato]

As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?

Re:

[amicusNYCL]

I think that's kind of the point. We know that sometimes companies collaborate with their governments to add vulnerabilities, exploits, or data theft features to their products. The question is if Kaspersky is one of those companies.

Re:Kaspersky

[Fortran IV]

You recently blogged ("Malware Evolution Calls for Actor Attribution" [krebsonsecurity.com]) criticizing security companies that don't make the effort to identify the creators of malware. Do you think there are times when a company—such as Kaspersky in their recent attack—could be acting responsibly by deliberately suppressing (temporarily, one would hope) information they might have about the source of an attack?

Internet of Things

[Dr J. keeps the nerd]

Hi Brian,

Thanks for joining us.

What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?

J

Did you think all your Christmases had come

[ihtoit]

...at once when you took delivery of that package of opium?

White vs Grey Hat

[Midnight_Falcon]

Hey Brian,
I'm wondering what side of the fence you think you are on. Your readership and affilitations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?

And Hilarity Ensued

[sanjacguy]

What's the dumbest thing you've seen black hat hackers do?

Washington Post and you

[benedictaddis]

Why did you leave the Washington Post?

defining "computer security" for your clients

[globaljustin]

Mr. Krebs, thank you for the time.

My question is about defining "computer security" in relation to public perceptions vs technical facts.

It was reported in 2006 that the NSA was keeping massive databases of American's phone calls and metadata: http://yahoo.usatoday.com/news... [usatoday.com]

Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public.

When it comes to cyber security customers, how do you explain and contextualiz

What about your personal security?

[AlchemyX]

Hello,

It seems that some people know your home address because you've been SWATted. Aren't you worried that something more dangerous can happen? It seems that malware and spam is multimillion buissness so you can make angry some powerful people.

Thanks