Brian Krebs answers questions

IDCardForBlogBrian Krebs did an AMA on Reddit today answering a bunch of questions people had for him. I suggest taking a browse through his answers.
A few quotes stood out for me.
Q: Why do you think organizations seem to prefer “learning these lessons the hard way”? It doesn’t seem to be an information gap, as most IT executives say security is important and most individual contributors share risks upward with specific steps that can be taken to remediate risks. Given the huge costs for some breaches, why do you think more organizations don’t take the easy, preventative approach?

Security in general is a hard sell. It does nothing to contribute to the bottom line, and it very often gets in the way of productivity, or stands in the way of business getting done in the way that the business has always done it. Aside from the up-front investments required, it’s even more difficult to justify sustained expenditures on security, because it’s hard to put a price on a thing not happening (that thing being a breach or incident). Full Answer

Q: We saw what happened to big-box retail last year. What’s the next big vertical to be hit?

[…] my sense is that insurance firms and healthcare providers of all sizes will be the big target, if they’re not already; they have financial and identity data, and they are ripe targets for extortion (the pay-us-or-we’ll-leak-all-your-patient-data type extortion). Full answer

Q: Android Pay, Apple Pay, and any other emerging NFC payment technologies – Do you see these as friend or foe to financial institutions?

I think mobile payments is almost a distraction from the real issue: which is how are financial institutions maturing their ability to onboard new customers beyond requiring them to regurgitate static identifiers (name, dob, ssn, address, previous address, etc) — information, by the way, which is all for sale in the underground. If you’re an FI and you’re not going beyond that stuff, all these emerging payment technologies aren’t going to help much with your fraud losses; if anything, they will compound them. Full Answer

Q: What do you think about risk vs. prevention? Has everyone “already been breached” as some analysts say?

Good cybersecurity is not about eliminating risks, but rather about managing them to an acceptable degree. There are trade-offs between security and usability, for example, or between security and privacy to a degree. I don’t believe that everyone has already been breached — not to the degree they’ve had material losses. But give it time, sure. Full Answer

Q: What about “hacktivists”?

I have a grudging respect for a lot of people involved in traditional cybercrime activities; they may have predictable and highly suspect justifications for their actions, but a lot of these guys truly are pros and have really dedicated themselves to their profession. But that’s never stopped me from outing someone who has sloppy operational security. Full Answer

Go check out the whole thing.

Trawling through the junk folder
Weird Lashback listings

Related Posts

December 2014: The month in email

2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.

Read More

AOL compromise

Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn’t provided any information as of yet as to what is going on.

Read More

Back from M3AAWG

Last week was the another M3AAWG meeting in San Francisco. The conference was packed full of really interesting sessions and things to learn. Jayne’s keynote on Tuesday was great, and brought up a lot of memories of just what it was like to be fighting spam and online abuse in the mid to late 90s. It’s somewhat amazing to me that many of the people I first met, or even just heard about are still actively working to fight abuse and make the Internet safer.
Wednesday was another great keynote from Facebook, discussing security. Facebook is committed to sharing threat information and has started the ThreatExchange website as a hub for sharing data among large companies.
One thing that was amusing was during one talk someone mentioned YubiKey for managing logins. They said many people were sharing long strings of random keys that sometimes happen because someone has accidentally triggered the one time passcode. YubiKey is awesome, if sometimes ccccccdkhjnbitklrrtnhjrdfgdlhektfnfeutgtdcib inscrutable.
As has become a bit of a M3AAWG tradition lately, Wednesday was also kilt day. There may be pictures. For those of you planning to go to Dublin, Wednesday will be kilt day as well.
The conference was great, but ended on a bit of a down note. We received word that Wednesday night a long time friend, Ellen R., passed away due to complications from a stroke. The conference held a moment of silence for her at the end. Ellen was a friend as well as a colleague. She was around on IRC when we started this crazy experiment called Word to the Wise and was always helpful and insightful. She volunteered with, and then worked for, Spamcop and then volunteered with Spamhaus. Ellen will be very missed.
I started off the conference remembering all the friends I made back in the late 90s and ended it remembering and missing those who are no longer around. Email has been one amazing journey, and doesn’t look like it’s going away anytime soon.

Read More