briankrebs

@briankrebs@infosec.exchange

Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Twitter: https://infosec.exchange/@briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/


briankrebs, to random

The late great Doug Feaver was executive editor at Washingtonpost.com when I had my first A1 (front page) scoop. It took months of acting on a hunch and then scraping the websites of a bunch of big companies to see if and when new language was added about taxing online sales.

Mr. Feaver was a veteran editor and reporter and well respected. He also was very gruff and curmudgeon-y, and he didn't mince words.

The morning my A1 story ran, Mr. Feaver called me into his office and closed the door. He wanted to discuss why my scoop had been handed over to a more experienced reporter. I'll never forget what he said: "Brian, you're a great reporter. But you're a shitty writer." I didn't know how to respond at the time, so he said, "It's okay, hardly any reporters are good at both to start with. But keep at it. That is all."

https://www.washingtonpost.com/archive/politics/2003/02/07/big-stores-to-charge-sales-taxes-online/362f73d5-fbf8-4d74-941c-27770f3ed96d/

briankrebs,

@SpaceLifeForm He was right, though, at the time. And as a result of the conversation I worked very hard on the writing part.

briankrebs, to random

Interesting and informative writeup about a recent wallet drainer that started with fake journalists and targeted some Discord admins. IDK if it's the same scam, but this sounds very similar to a series of attacks I wrote about last summer:

https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/

https://twitter.com/dragonsnctuary/status/1756417572591833569?s=46&t=Rnkx4_006OoD2tfAl1hCnQ

briankrebs, to random

The 0day dumpster fire that is the security hardware industry rn continues unabated this week.

From Rapid7:

"Critical Fortinet FortiOS CVE-2024-21762 Exploited
Feb 12, 2024

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred."

https://www.rapid7.com/blog/post/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/

https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-exploited-vulnerability-catalog

briankrebs, to random

Something to consider in your threat modeling. IDK how common this is, but the gear to do effective wifi signal jamming is not hard to find and works. They're illegal as hell to use in the US, but that isn't going to stop thieves. Argues in favor of direct IP cams or POE-type cams. And cams that allow backup of a certain amount of recording to an SD card.

Edina residents warned burglars could be using 'WiFi jammers'

https://www.kare11.com/article/news/local/edina-burglars-could-be-using-wifi-jammers/89-838f08f6-8e13-4577-8a88-628d757207a2

briankrebs, to random

This comment from a NYT story on Trump's various legal woes made me LOL.

briankrebs, to random

I wonder what kind of discussions went on in the WH before they decided the Biden campaign needed to be on TikTok.

flexghost, to random
@flexghost@mastodon.social

$7 million for a Super Bowl as paid for by people like Tim Mellon—a huge Trump donor.

Of course the ad skips his racist and antivaxxer takes

RFK jr is a disgrace to the Kennedy name

Video in 60s style for RFK jr RFK was an inspiration. This is repulsive.

briankrebs,

@flexghost There were a lot of really strange ads this year, but this one was by far the most bizarre. Probably a pretty good insight into the mind of the candidate as well. Just really creepy.

briankrebs, to random

The best part of Super Bowl Sunday is here! Puppy Bowl on Animal Planet FTW!

briankrebs, to random

I think if I were a movie director or writer I would definitely make the story take place before cell phones. There's like 1000x more plausible plots available when everyone involved doesn't know everything all the time, in real time. It's almost like the demarcation between when the world used candlelight to see and the adoption of the electric lightbulb.

briankrebs,

@stitzl I'm talking about the feeling involved. The uncertainty. The not-knowing. That part is lost on today's audience.

briankrebs, to random

I think from here on out I'll just use the auto-response options.

briankrebs,

@lucas Dude, Concern #1 for a guy like me is account security. Show me an email network that provides more control over security and account takeover and I will happily switch.

mastodonmigration, to journalism
@mastodonmigration@mastodon.online

Want to find ACTIVE journalists on Mastodon? This spreadsheet is just amazing. A couple days ago Martin Holland @mho posted a project of his to promote journalists. It starts with known journalism accounts from the @tchambers list, but also tracks their activity, so you can see who is actually posting regularly.

This is an absolutely wonderful resource, and a great asset for the fediverse!

Check it out!

https://docs.google.com/spreadsheets/d/1uWj0j_AL6YQMK87U7_CFpvudK-Aygtx7Bea3fbjxgyo/edit#gid=1993864896

Martin's Feb. 7th post: https://social.heise.de/@mho/111891959279804843

briankrebs,

@mastodonmigration @mho @tchambers Very cool. Thanks for doing this. Any chance I could get a mention in this doc?

briankrebs, to random

Just had another breach notification/quote request go sideways in an icky way. I'm only mentioning it because this has happened to me more times than I care to remember, and it infuriates me every time.

Here's the scenario. I hear from a researcher who finds bad thing, data exposure, etc. If I can confirm the researcher's findings, I'll then seek comment from the organization in question. Mind you, this effort usually includes both written and oral communications clearly stating that I am a journalist, and that I am working on a story about the problem and its hopeful resolution.

The response in this scenario involves a reply from a senior executive -- often the CEO -- thanking me for the information, and in the same breath asking if I do any consulting work.

I can't pretend to know what's going on in the mind of the person who asks me this question in this situation, but as a journalist it always sounds and feels like a thinly veiled bribe offer.

To my mind, it's a bit like getting pulled over for plowing through a red light, and then handing the cop a $100 bill along with your license.

I always try to respond charitably, by politely declining and explaining that's not really something I do. If I'm not totally insulted at that point, I may even suggest some competent experts. Because god knows anyone who responds this way needs all the help they can get.

briankrebs,

@artemesia @dsalo Exactly this. If you agree to work for them, payment will be conditioned on your not disclosing anything.

briankrebs,

@high_cube Yes, but when the messenger is a journalist who says he intends to write a story about the matter, the context is a bit different, no?

briankrebs,

@karlauerbach Well, that assumes either a remarkable amount of naivete or chutzpah on the part of the executive. I try not to make assumptions about which, or be confrontational about my views on the matter, and just say no.

briankrebs, to random

Scoop: Juniper Networks Support Portal Exposed Customer Device Info

Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each product's warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.

https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/

briankrebs, to random

Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.

Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.

This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.

briankrebs,

@Jerry It's nobody I've ever heard of before, but it's probably more of a regional provider.

briankrebs,

@grepular I will write about it, but probably not for a bit yet. They asked if I did consulting, and I was momentarily flattered (that's not even something I do) until I realized the subtext and probable reason for the question. I'm still waiting for an official reply/explanation from them.

briankrebs,

@grepular I can say this for now. They are a mid-sized ISP and fiber provider for a specific region of the US, and they appear to have a separate business unit whose name and stated mission is to help companies do email securely and safely.

briankrebs,

@hyc @peterhoneyman @tstruthers @dangillmor None of the files, folders, emails or anything exposed on their website were encrypted at all. It was all plain text. List all customers. Click customer. Click current or temporary folder. Click A-Z name list. Click name. Click inbox. Behold plain text email files.

briankrebs,

@hyc @peterhoneyman @tstruthers @dangillmor I emailed the ceo because his messages were exposed too, and of course his email address.
