Interviews: Brian Krebs Answers Your Questions 33
A few weeks ago you had a chance to ask Brian Krebs about security, cybercrime and what it's like to be the victim of Swatting. Below you will find his answers to your questions.
Cowards as affiliates by japa
You appear dedicated on continuing reporting on cybercrime, even though it may result to harm you (swatting etc). How often have you come into situation where someone you work with states they don't want to work with you any longer as association to you may result them to being target for criminals or some such?
Krebs: I don't think I've had anyone unfriend me or stop talking to me because of what you describe, but it happens fairly often that I hear from strangers who have some information to impart but who are nervous about anyone finding out it was them who shared it.
Mostly, this comes from researchers who say they want to share some findings about something -- a specific cybercrime actor, site or service -- but in no way do they wish to be named, cited, credited or in any way referenced. It's impossible to know how many people decide it's not worth reaching out because of such concerns, but I hope it's not many.
Long term solutions?
by mlts
Right now, security is a purely defensive battle, at best we have the enemy at a stalemate, where their attacks are foiled. There is no way to "win", since the attacker usually is located in a country with little to no cyber-crime laws, or even in a hostile country that rewards it. At best, we tread water.
Would a long term solution be creating private networks like SIPRNet or NIPRNet, so that the barrier for entry is raised, so an attacker has to get onto that private network, and this might be something where physical access is needed. Not 100% secure, but it raises the bar so that attackers have to have "boots on the ground".
If not, what would be workable, other than just air-gapping as much as possible? Would it be wise for each nation to mimic China and have their own Great Firewall, so attacks have the ability to be be stopped well away from their intended targets?
Krebs: I think I understand the premise of your question, and the desire to wall everything off and/or start over. And do I detect what may be a passing reference to the money quote from Joshua in the excellent 1983 film War Games: "Strange game. The only winning move is not to play."
But, I'd have to respectfully agree with several of the commenters here in saying that I think creating a whole bunch more secret or separate networks is very much not the answer here. As someone already stated, this is actually the reality that we have today with corporate intranets, which everyone seems to have and these don't seem to do much to stop the data (s)pillage or malicious hackers getting in and having their way with the target and all of its information.
What would be wise is if the United States made it a national goal to become the world leader in developing software that is far more secure and robust than anywhere else. Unfortunately, this will probably never happen unless the market demands it, and the market generally responds to what consumers want, which is usually convenience (ease-of-use) over security.
Anyways...how about a nice game of chess?
Public Disclosure
by Anonymous Coward
Brian, Are you generally in the Responsible Disclosure camp or the Full Disclosure camp? And why? (I recognize that you may handle this on a case by case basis. In that event, what determines your approach?)
Krebs: Yeah, this definitely depends. I find it endlessly fascinating and frustrating at the same time to watch how differently organizations respond to reports about security vulnerabilities in their products, services and their own infrastructure. How they respond speaks volumes about their security maturity. Companies and organizations that lack a mature process for handling and responding to threats and vulnerabilities tend to react negatively -- lashing out at the individual reporting the weakness, ignoring the reporter, or even taking legal steps against the researcher.
Companies that have a mature process for handling this kind of thing can comparatively be a joy to work with, and are quite often grateful for anyone who privately reports their findings. The best manifestation of this is the bug bounty program, versions of which many companies are now beginning to embrace to varying degrees.
It seems like the the phrases "responsible disclosure" and "full disclosure" are sort of loaded terms at this point in the debate. It's the journalistic equivalent of framing the abortion debate in camps of "anti-abortion" and "pro-rights". Disclosure is a two-way street, and it starts with organizations taking responsibility for security holes in software and hardware that they create, sell and/or give away. When companies fail to do this in a timely manner, I think it's perfectly reasonable for researchers to disclose what they've found -- hopefully exercising a modicum of restraint in the process. The disclosure debate usually kicks into high gear when a company responsible for a serious bug in widely-used software behaves like a child when presented with research into a vulnerability in its products.
I've been fortunate enough to be a fly on the wall, if you will, in several of these vulnerability reports, watching in disbelief as the vendor hems and haws and generally stalls for time, protesting that the bug is not remotely exploitable or isn't that big of a deal for such-and-such reasons, etc. That's frustrating and again speaks to the maturity level of the organization. In my experience, most security researchers are quite content to be agreeable on disclosure timelines if they feel like the vendor is taking seriously the time and effort the researcher has spent on his findings.
Granted, there's a great deal of room for debate over what constitutes a "reasonable" amount of time to wait for the vendor to respond before going public, but I do think it's important to give the vendor at least a few weeks to respond. However, in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.
Should We Trust Kaspersky?
by Kagato
As we seem to be heading back down into the familiar territory of the cold war I often wonder if nationalism is something we should consider when thinking about security. For instance I believe that Kaspersky is a very talented company but I can't help but to feel that they would be quite willing to turn a blind eye to malware from their own government. I hear commercials for Kaspersky threat detection software all the time but I would be hard pressed to actually use any of it. It certainly seems China, Russia and parts of Europe are taking country of origin into account when evaluating American security products. Am I wearing a tin-foil hat in feeling we should think twice about trusting Kaspersky?
Krebs: I don't think you necessarily have a tin-foil hat on. I should preface my remarks by saying that I'm sure every security firm has all kinds of dirty laundry they would prefer never saw the light of day. And I personally know many of the security researchers at Kaspersky and find them to be some of the best at what they do, and very good people as well. If it means anything, I have, for many years, used Kaspersky's software to protect my own networks. It's about the best at what it does.
That said, allow me to share an observation that really struck me on my visit to Moscow in 2011. I was a guest of Kaspersky Lab and they were very gracious and hospitable. However, I went there in large part in the hopes of rounding out some information I'd compiled about several big time cybercriminals that I was tracking at the time -- probably a dozen or so guys that I knew were definitely in Moscow and would almost certainly be known to anyone even moderately interested in cybercrime (on either side). I sat down with probably 8 or 9 different researchers at Kaspersky and in my interviews with them asked each about various individuals who were quite well known in the hacker scene in Russia but also abroad. To my surprise, nobody there would talk to me about these individuals. I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the actors who were so clearly operating under their noses.
Internet of Things
by Dr J. keeps the nerd
Hi Brian, Thanks for joining us. What are the worst mistakes we are already making on connected devices, and what should we be doing to make them less desirable as targets?
Krebs: You mean, besides connecting them in the first place? Seriously, the main reason I keep a software firewall installed on one of my machines is to learn which programs or gadgets on my home network are phoning home or who-knows-where. For the most part, we've shown ourselves to be incapable of designing or at least releasing software for mass commercial use that is not Swiss Cheese from a security perspective. So why should we expect things to be any different when we talk about network-aware devices and embedded appliances? All we've done in that case is take the buggy software and stuffed it into something that is even more difficult (if not impossible) to update.
What should we be doing to make all these devices less desirable as targets? Quit connecting them to the internet! Seriously. It would be nice if more companies that shipped devices made them disconnected from the Internet by default, or at least minimally so. But in most cases the opposite is true; the thing tries to get an IP address and you have to remember to disable a raft of features in said thing.
A lot of security is determined by the default settings, because the vast majority of users/customers never alter the defaults. With stuff that falls under the "internet of things" category, we'd all be much better off if they were more like "things with internet optional."
White vs Grey Hat
by Midnight_Falcon
Hey Brian, I'm wondering what side of the fence you think you are on. Your readership and affiliations seem to be the mainstream "white-hat" security community; but many of your tactics can be described as grey-hat at best -- e.g. doxxing hackers/malware authors/spammers, using social engineering to obtain information, etc. It seems as though this is justified because it is used against targets you perceive as being immoral, unethical, and/or worthy of such intrusion. My question is: do you feel you are a white-hat hacker, or do you think your use of black-hat tactics against black hats makes you something different?
Krebs: Not sure specifically what "grey hat" and "black hat" techniques you're referring to in particular. Also, I take issue with your assertion that I somehow practice social engineering to gain information. I'll admit to once or twice useing Spooftel to get someone who is dodging my calls to answer the phone, but I've never misrepresented myself or what I'm doing. In all of my reporting and investigation -- even with black hats -- I am up front about who I am and what I'm after.
Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking. My first book, "Spam Nation," would not have been possible if two of the biggest cybercrime kingpins had not employed their top spammers and cybercrooks to break into each other’s networks and steal several years’ worth of banking and customer data, and then leak that data to Yours Truly and to the authorities. In my experience, the only thing cybercrooks like better than breaking into databases and stealing/selling data for financial gain is hacking each other for profit/amusement/insert reason here.
If I approach people on cybercrime forums, it is always just to learn more about the services and products they have to offer and are quite willing to talk about. Will I register on cybercrime forums under my own name? Of course not! Then again, nobody on those forums does that!
Actually, I *did* try to do that several years back, in two different cases. In one instance, when I told the admin in charge that I wanted the nickname "briankrebs," he laughed and said basically, "good one!" The other time I tried to claim that nickname, it was already taken.
I'll confess, though, that I've been guilty of a certain schadenfreude when it comes to writing about the arrest, conviction and or other demise of people who have -- apparently apropos of nothing -- targeted me and/or my family publicly and at the same time hidden behind an assumed veil of anonymity. These kinds of cowards consistently ruin the Internet for everyone, and I won't apologize for calling them out.
On a more philosophical note, I find it fascinating that so many involved in black hat activities online are so horrible at operational security. That probably has more to do with the general lack of consequences for most actors involved in this type of activity -- particularly those in certain Eastern European countries.
defining "computer security" for your clients
by globaljustin
Mr. Krebs, thank you for the time. My question is about defining "computer security" in relation to public perceptions vs technical facts. It was reported in 2006 that the NSA was keeping massive databases of American's phone calls and metadata. Obviously, Snowden's revelations were much more heavily reported, and contained more info, but the public was shocked at information that was already public. When it comes to cyber security customers, how do you explain and contextualize what service you are providing given the vast differences in perception of "security"?
Krebs: I try, as much as I am able, to focus on reporting stories that you won't find anywhere else. As an independent reporter, I have the luxury of not spending a great deal of time chasing other reporters' stories. Also, I try not to practice "churnalism," which is just regurgitating stories that other reporters have written. As for a "service" I might be offering, all I can say is that my goal is to communicate in as simple and straightforward way as I can news that is not getting enough attention or is not being well served by other outlets.
To your question about the differences in perception about security, I couldn't agree more. But to paraphrase Tip O'Neil, all security is local: Security as a news subject means little unless you can communicate the complex stuff in a way that mere mortals can comprehend, appreciate and do something about. If I am able to do that well and consistently, I hope that's a service of a kind.
Where is Jodl? (Score:2)
I must speak to Keitel, Jodl, Krebs, and Borgdorf.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
I was disappointed by the full-length version of the movie. It wasn't funny at all.
rotfl "Can't recall" vs "never happened" (Score:5, Funny)
Great answers but, when I got to this: "Now, it is true that some of my reporting has been based on hacked cybercrime forums and hacked cybercriminals, but I can't recall an instance wherein I was the one responsible for the hacking."
I couldn't help but laugh at the lack of a true denial. I have trouble imagining not being able to recall something like this. Hell, I can recall times I was tempted to put on a dark hat and attack someone's box (I was pretty sure he was the guilty party I was helping track down as a favor for someone....pro-tip: if you are going to engage in cybercrime, don't use the same screen name known to your victims to post youtube videos showing your IP address ... best part is, I didn't even know the screen name until I told them who I thought it was, and they said I just named one of their suspects)
Re: (Score:1)
Re: (Score:2)
In general nothing. However, in this particular case the implications are amusing.
Note he very specifically said:
Now..... I would believe a hacker who was breaking into forums and stealing data might forget who he hacked and when. Similarly, if Magic Johnson told me "I don't recall sleeping with that woman", I might be
Kaspersky (Score:5, Interesting)
That's interesting about Kaspersky. I wonder if that's an indication that they may be working with criminals, or if it's just some sort of sense of patriotic pride (we have the best criminals, AND the best researchers!), or even if the researchers feel like there would be repercussions if they said anything. I have no doubt that cybercriminals in Russia are probably receiving some sort of direction, support, or protection from their government.
Re: (Score:2)
Re: Kaspersky (Score:5, Insightful)
Re:Kaspersky (Score:5, Insightful)
I would have to imagine some of it has to do with not tempting fate. Physical security companies don't generally like it publicly known when one of their higher profile clients gets broken into. The armored car services don't like to talk about their drivers being held up etc. Prior to FDIC banks frequently names themselves after heavy stones like granite to give the impression they were secure.
So much of security is people and process. The people part basically boils down to trust and often simple faith. Would you be more or less likely to purchase security software from a firm that had just been hacked themselves. I suspect Kaspersky might not have wanted to out a bunch of criminals because it paints a target on them. They know like most of the folks here know sooner or later given enough time the bad guys will probably accomplish something significant enough to get you in the news for the wrong reasons, should they be motivated to do so.
Re: (Score:2)
I'd imagine it's also because the Kaspersky guys spend much less time than Krebs trying to dox various malware authors and so on. The real life identities of those people are just much less relevant. So if a journalist comes and starts asking questions about various people who "anyone in the business should know" etc, and if your job is just analyzing malware all day but you don't much care about the real names of the people who make it, then you might come across as evasive when really they're just thinkin
Re: (Score:2)
Given what's pretty well known about the overlap between FSB/KGB and Russian organized crime, the generally corrupt nature of Russian government and the cronyism in Russian business, it's hard not to see Kaspersky being reticent about talking with a foreign reporter about Russian cybercriminals.
That being said, it may have more subtle influences. Maybe they're in social scenes that overlap? Maybe there's a certain nationalism or national pride going on where they want to talk about something OTHER than th
Re: (Score:2)
That's interesting about Kaspersky. I wonder if that's an indication that they may be working with criminals, or if it's just some sort of sense of patriotic pride (we have the best criminals, AND the best researchers!), or even if the researchers feel like there would be repercussions if they said anything. I have no doubt that cybercriminals in Russia are probably receiving some sort of direction, support, or protection from their government.
Or because they live in the same place? (don't throw stones when you live in a glasshouse?).
Ask the people who live/work near gangsters what they think of their infamous neighbors - be sure to tell them their comments will be made public. Few are likely to lack the sense of self-preservation that stops them from putting dog shit in their mouth to test whether it really tastes as bad as they've been led to believe. That's not a phenomena that only occurs in Russia. Same in Melbourne [theage.com.au] as it is in Chicago - the
Swatting? (Score:1)
I read the whole thing and didn't see a thing about what it is like to be a victim of swatting...
Re: (Score:2)
... what it is like to be a victim of swatting...
I don't want to know.
Full disclosure (Score:2)
in cases where the vulnerability is actively being exploited, disclosing immediately, publicly and completely is always in the public interest.
Usually an admin can solve the problem with a firewall, or by temporarily disabling a feature, or something similar. Don't leave people open to attack.
Re: (Score:2)
Usually an admin can solve the problem with a firewall, or by temporarily disabling a feature
A lot of problems would be fixed if we disabled Internet Exploder permanently, and Java, and Shockwave/Flash/Silverlight.
Most exploits these days are not the type that can be solved by closing a port: unless by that you mean closing outgoing ports such as port 80, and port 443.
It would also be great if we could permanently disable e-mail clients that allow you to double click an attachment.
Microsoft's "Mark
Bad for Business (Score:2)
On Kaspersky:
I have no idea if this was because of a corporate policy about it or what, but I found it singularly amazing that these experts would have so little interest in the [bad] actors who were so clearly operating under their noses.
Put the bad actors out of business, and the threat disappears. No threat, no need for their software. Perhaps they were not openly collusive, but it isn't so difficult to imagine that they look the other way at the hand that indirectly feeds them.
TwIO (Score:2)
things with internet optional.
Yes, that would be a brilliant coup of common sense, but alas, marketing dipshits world wide will be rewarded yet again by mandating idiotic default settings of no security on IoT devices, inviting an avalanche of security issues as more of these devices are connected to the internet.
Re: Kaspersky... it's semi-obvious, isn't it? (Score:2)
Kaspersky isn't "in bed" with the Kremlin, but they DO have to exist and operate in the same country as those agencies, AND the cyber criminals.
Whether or not the Kremlin is directly in bed with the cyber criminals is someone else's thesis, but Kaspersky approaches those subjects cautiously.
If at all.
Because if the cyber actors are doing something for local interests, fucking with that would be asking for retaliation and infiltration by said local interests.
Kaspersky is wise IMO to do their thing without di
White vs Grey hat cont'd (Score:2)
Private networks (Score:2)
Thank you for the answer on private WANs or government extranet firewalls. If used properly, even a private IP MPLS shared between a few businesses would add a layer of security. However, if not used correctly, it provides little to no protection. Just one machine with IP forwarding turned on can negate the protection.
It might just be that the core of security against hacks will continue being the core/edge network fabric, because it is a lot harder to secure individual devices than it is to lock down ne
Why Kaspersky Labs' folks wouldn't talk (Score:2)
Brian,
You might consider they wouldn't talk about cyber gangs with big money who live in the same metro area might be a matter of literal self-preservation.
mark "that's a nice life you got dere, be a shame if sometin' were to happen' to it"