briankrebs

@briankrebs@infosec.exchange

Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Twitter: https://infosec.exchange/@briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/


briankrebs, to random

The late great Doug Feaver was executive editor at Washingtonpost.com when I had my first A1 (front page) scoop. It took months of acting on a hunch and then scraping the websites of a bunch of big companies to see if and when new language was added about taxing online sales.

Mr. Feaver was a veteran editor and reporter and well respected. He also was very gruff and curmudgeon-y, and he didn't mince words.

The morning my A1 story ran, Mr. Feaver called me into his office and closed the door. He wanted to discuss why my scoop had been handed over to a more experienced reporter. I'll never forget what he said: "Brian, you're a great reporter. But you're a shitty writer." I didn't know how to respond at the time, so he said, "It's okay, hardly any reporters are good at both to start with. But keep at it. That is all."

https://www.washingtonpost.com/archive/politics/2003/02/07/big-stores-to-charge-sales-taxes-online/362f73d5-fbf8-4d74-941c-27770f3ed96d/

briankrebs, to random

The 0day dumpster fire that is the security hardware industry rn continues unabated this week.

From Rapid7:

"Critical Fortinet FortiOS CVE-2024-21762 Exploited
Feb 12, 2024

On February 8, 2024 Fortinet disclosed multiple critical vulnerabilities affecting FortiOS, the operating system that runs on Fortigate SSL VPNs. The critical vulnerabilities include CVE-2024-21762, an out-of-bounds write vulnerability in SSLVPNd that could allow remote unauthenticated attackers to execute arbitrary code or commands on Fortinet SSL VPNs via specially crafted HTTP requests.

According to Fortinet’s advisory for CVE-2024-21762, the vulnerability is “potentially being exploited in the wild.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21762 to their Known Exploited Vulnerabilities (KEV) list as of February 9, 2024, confirming that exploitation has occurred."

https://www.rapid7.com/blog/post/2024/02/12/etr-critical-fortinet-fortios-cve-2024-21762-exploited/

https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-exploited-vulnerability-catalog

briankrebs, to random

Interesting and informative writeup about a recent wallet drainer that started with fake journalists and targeted some Discord admins. IDK if it's the same scam, but this sounds very similar to a series of attacks I wrote about last summer:

https://krebsonsecurity.com/2023/05/discord-admins-hacked-by-malicious-bookmarks/

https://twitter.com/dragonsnctuary/status/1756417572591833569?s=46&t=Rnkx4_006OoD2tfAl1hCnQ

briankrebs, to random

Something to consider in your threat modeling. IDK how common this is, but the gear to do effective wifi signal jamming is not hard to find and works. They're illegal as hell to use in the US, but that isn't going to stop thieves. Argues in favor of direct IP cams or POE-type cams. And cams that allow backup of a certain amount of recording to an SD card.

Edina residents warned burglars could be using 'WiFi jammers'

https://www.kare11.com/article/news/local/edina-burglars-could-be-using-wifi-jammers/89-838f08f6-8e13-4577-8a88-628d757207a2

briankrebs, to random

I wonder what kind of discussions went on in the WH before they decided the Biden campaign needed to be on TikTok.

briankrebs, to random

This comment from a NYT story on Trump's various legal woes made me LOL.

briankrebs, to random

The best part of Super Bowl Sunday is here! Puppy Bowl on Animal Planet FTW!

briankrebs, to random

I think if I were a movie director or writer I would definitely make the story take place before cell phones. There's like 1000x more plausible plots available when everyone involved doesn't know everything all the time, in real time. It's almost like the demarcation between when the world used candlelight to see and the adoption of the electric lightbulb.

briankrebs, to random

I think from here on out I'll just use the auto-response options.

briankrebs, to random

Just had another breach notification/quote request go sideways in an icky way. I'm only mentioning it because this has happened to me more times than I care to remember, and it infuriates me every time.

Here's the scenario. I hear from a researcher who finds bad thing, data exposure, etc. If I can confirm the researcher's findings, I'll then seek comment from the organization in question. Mind you, this effort usually includes both written and oral communications clearly stating that I am a journalist, and that I am working on a story about the problem and its hopeful resolution.

The response in this scenario involves a reply from a senior executive -- often the CEO -- thanking me for the information, and in the same breath asking if I do any consulting work.

I can't pretend to know what's going on in the mind of the person who asks me this question in this situation, but as a journalist it always sounds and feels like a thinly veiled bribe offer.

To my mind, it's a bit like getting pulled over for plowing through a red light, and then handing the cop a $100 bill along with your license.

I always try to respond charitably, by politely declining and explaining that's not really something I do. If I'm not totally insulted at that point, I may even suggest some competent experts. Because god knows anyone who responds this way needs all the help they can get.

briankrebs, to random

Just notified a company specializing in email security that their internal email -- and that of their customers -- was sitting out on the web.

Each inbox -- whether for company customers or employees of those companies -- was viewable just by visiting a link with a web browser and clicking links. Everything was exposed in basically one big file index.

This level of ineptitude is remarkable, and somehow they have a lot of customers (think state/local govs). To their credit, they took everything offline within a few minutes of my notifying them. But their entire business schtick is about how all your email is encrypted and protected and scanned and blah blah. Meanwhile, no it's not. At all.

briankrebs, to random

Scoop: Juniper Networks Support Portal Exposed Customer Device Info

Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each product's warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal.

https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/

briankrebs, (edited) to random

Google is too big to fail, and yet they seem to be failing at basic things they used to do well (like search) while removing useful features (like cache) and adding a bunch of crap nobody needs or wants.

Want to know if a given domain name shows up anywhere in search? Well screw you, we're not going to tell you that anymore, but here's 1,400 completely useless and irrelevant results that could possibly have some info (but don't). When the search engine could have done what it's done for years, and admit that it doesn't know WTF you're talking about and say "no results found." Now it just makes shit up if it doesn't know the answer.

Hey cool! My search result shows the term I was looking for is present on 7 websites. Shoot! None of them are online anymore. How about showing us your cached version of the site, you know the one that was used to create this search result? Oh wait, no, you can't see that anymore. Why? Here's Danny Sullivan's dismissive and mystifying explanation: “It was meant for helping people access pages when way back, you often couldn’t depend on a page loading,” Sullivan wrote on X. “These days, things have greatly improved. So, it was decided to retire it.”

Want software? Great, Google will serve a malicious ad on top that looks a lot like an organic search result but which is paid for by scammers and installs malware.

briankrebs, to random

Just hopped on the hellsite to see what's happening over at Xitter. Yeah, that sounds about right.

briankrebs, (edited) to random

Today's story offers insight into the connections between Russia's intelligence agencies and its domestic criminal hackers.

From Cybercrime Saul Goodman to the Russian GRU

In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows one of the forum's founders was an attorney who advised Russia's top hackers on the legal risks of their work, and what to do if they got caught. A review of this user's hacker identities shows that during his time on the forums he served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.

https://krebsonsecurity.com/2024/02/from-cybercrime-saul-goodman-to-the-russian-gru/

briankrebs, to random

I get so much spam and email that sometimes I get suspicious when suddenly there are stretches of several hours in which no email arrives. You'd think I would cherish those rare moments, like adult swim time or something. But most times I am just nagged by a feeling that something is broken, and there's a huge bag of S#!+ w/ my name on it spooling up somewhere.

briankrebs, to random

A Finnish court has decided to let alleged mass extortionist Julius "Zeekill" Kivimaki free pending the rest of his trial, without even an ankle bracelet. This is a guy who was hiding in France under an assumed name and passport when police arrested him and sent him back to Finland to face charges that he extorted thousands of patients of the Vastaamo psych practice in 2020.

https://www.hs.fi/kotimaa/art-2000010206299.html

"The processing of the data breach and blackmail case is scheduled to continue on Wednesday at 9 o'clock.

"The trial will continue, even if he doesn't show up," Vainio formulates Kivimäki's arrival for the upcoming hearings."

They've taken away his passport, but it's not hard to walk out of Finland. Hope they're following him around wherever he goes.

https://krebsonsecurity.com/2023/11/alleged-extortioner-of-psychotherapy-patients-faces-trial/

briankrebs, to random

Another unhappy customer of BriansClub who got phished complains to me, as if in my spare time I run the underground's biggest stolen credit card shop.

https://krebsonsecurity.com/?s=briansclub

briankrebs, to random

You almost have to try to screw up this badly. The "leak" puns here are legion.

briankrebs, to random

Finally sitting down to compose some thoughts on what we can and probably should do about the swatting problem in the US. I'm finding I have quite a bit to say, and a lot of it involves mythbusting around this issue (e.g. that most of these swatting calls come through 911).

Another example: recent legislation to make swatting specifically a federal offense w/ real jail time for those convicted (introduced by a GOP lawmaker who was swatted). That might feel like a solution, but I doubt it's much of a deterrence for the sim-swatters.

Make it explicitly a federal offense with federal consequences, okay sure. But the feds have prosecuted these cases just fine using existing laws. The problem is, until the feds are aware of a swatting incident, it remains effectively a local issue, which means the cops are less likely to investigate because these crimes are generally inter-state crimes. They are usually by definition federal crimes for that reason, but they are still mostly dealt with by local authorities and local laws. One way a federal anti-swatting law could help is to require state and local law enforcement to report these crimes as violent crimes to some entity responsible for tracking them as such. Right now, there is no specific designation for swatting, and reporting is only required for federal law enforcement agencies. Reporting also serves as an important accountability check on law enforcement responding to these incidents.

briankrebs, to random

There's a huge disconnect for me rn in the IT space. Companies love to talk about an increasing deficit of smart, talented and skillful people available to help defend the cybers. Welp, a lot of those people are somehow now seeking gainful employment bc they've been laid off. Which is just nuts to me given the sheer scale, resources and effort our adversaries are throwing at everything now.

p.s. AI isn't going to fix anyone's security problems. If anything, it's going to compound them by orders of magnitude (at least in terms of data governance).

briankrebs, to random

All the reviews I've read of the new Apple VR headset have a similar critique: That entering text -- via the on-screen keyboard -- is clunky and not very useful.

I haven't seen any reviews that focus on the speech-to-text capabilities of this device. Seems to me this thing could actually read your lips if it wanted to. W/ a half-dozen or so built-in mics, it certainly can hear you just fine. Seems like Apple should be focusing a lot more on improving speech recognition because Siri has been underwhelming (esp. since she started requiring an internet connection to work at all). Maybe someone knows of a review that is focused on this aspect?

I've played with apps on several existing VR systems that do virtual desktop and other things that claim to be productivity apps, but they all suck when it comes to entering and/or displaying text. Which seems like kind of a big fail, and really limits the utility of these apps.

briankrebs, to random

Had to get a loaner vehicle from a local dealership because a 10 y/o car that I love needed a lot of work. So they gave me the latest model of the same car -- brand new -- which was vastly less powerful than ours, and kept trying to steer me between the lines and cause the steering wheel to rumble when I hit a line and all kinds of crap that just annoyed me.

The dealership probably thought they would entice me to buy the newer model, but driving it just made me more convinced I made the right decision to put the money into the old car.

briankrebs, to random

Ever since a Chinese hacking group compromised Barracuda's email security appliance so badly they could no longer be safely patched and had to be removed and/or replaced, I've been worried that this might become a trend (which is bad news for a ridiculous number of organizations hoping to still wring yet more life out of aging security hardware).

https://krebsonsecurity.com/2023/06/barracuda-urges-replacing-not-patching-its-email-security-gateways/

Like, forget about patching in a race against the bad guys trying to reverse engineer the fix. Consider how tough it's going to be when ripping out hardware and replacing it becomes more of a thing.

It sort of seems like that's where things may be headed with Ivanti. The company disclosed 3 weeks ago that hackers were already exploiting zero-days in its security products, but it took weeks for them to issue patches and their mitigation in the meantime was weaksauce. And then this week, Ivanti disclosed two more zero-days. Federal agencies have until midnight tonight to disconnect the vulnerable devices.

https://arstechnica.com/security/2024/02/agencies-using-vulnerable-ivanti-products-have-until-saturday-to-disconnect-them/

"The directive went on to say that before agencies can bring their Ivanti products back online, they must follow a long series of steps that include factory-resetting their system, rebuilding them following Ivanti’s previously issued instructions, and installing the Ivanti patches."

Meanwhile, the FBI/DOJ this week say they disrupted a Chinese cyber-spying operation that targeted critical American infrastructure entities and could be used against the United States in a future geopolitical crisis. They did so by remotely uninstalling malware from a botnet of older IoT gear, including routers, modems and internet connected security cameras.

https://www.reuters.com/world/us/us-disabled-chinese-hacking-network-targeting-critical-infrastructure-sources-2024-01-29/
