Brian Krebs answers questions

IDCardForBlogBrian Krebs did an AMA on Reddit today answering a bunch of questions people had for him. I suggest taking a browse through his answers.
A few quotes stood out for me.
Q: Why do you think organizations seem to prefer “learning these lessons the hard way”? It doesn’t seem to be an information gap, as most IT executives say security is important and most individual contributors share risks upward with specific steps that can be taken to remediate risks. Given the huge costs for some breaches, why do you think more organizations don’t take the easy, preventative approach?

Security in general is a hard sell. It does nothing to contribute to the bottom line, and it very often gets in the way of productivity, or stands in the way of business getting done in the way that the business has always done it. Aside from the up-front investments required, it’s even more difficult to justify sustained expenditures on security, because it’s hard to put a price on a thing not happening (that thing being a breach or incident). Full Answer

Q: We saw what happened to big-box retail last year. What’s the next big vertical to be hit?

[…] my sense is that insurance firms and healthcare providers of all sizes will be the big target, if they’re not already; they have financial and identity data, and they are ripe targets for extortion (the pay-us-or-we’ll-leak-all-your-patient-data type extortion). Full answer

Q: Android Pay, Apple Pay, and any other emerging NFC payment technologies – Do you see these as friend or foe to financial institutions?

I think mobile payments is almost a distraction from the real issue: which is how are financial institutions maturing their ability to onboard new customers beyond requiring them to regurgitate static identifiers (name, dob, ssn, address, previous address, etc) — information, by the way, which is all for sale in the underground. If you’re an FI and you’re not going beyond that stuff, all these emerging payment technologies aren’t going to help much with your fraud losses; if anything, they will compound them. Full Answer

Q: What do you think about risk vs. prevention? Has everyone “already been breached” as some analysts say?

Good cybersecurity is not about eliminating risks, but rather about managing them to an acceptable degree. There are trade-offs between security and usability, for example, or between security and privacy to a degree. I don’t believe that everyone has already been breached — not to the degree they’ve had material losses. But give it time, sure. Full Answer

Q: What about “hacktivists”?

I have a grudging respect for a lot of people involved in traditional cybercrime activities; they may have predictable and highly suspect justifications for their actions, but a lot of these guys truly are pros and have really dedicated themselves to their profession. But that’s never stopped me from outing someone who has sloppy operational security. Full Answer

Go check out the whole thing.

Trawling through the junk folder
Weird Lashback listings

Related Posts

AOL admits to security breach

According to Reuters AOL has admitted there was a breach of their network security that compromised 2% of their accounts. Users are being told to reset their passwords, and security questions.
AOL started investigating the attack after users started reporting an uptick in spam from aol.com addresses. This spam was using @aol.com addresses to send mail to addresses in that user’s address book.
According to the AOL mail team, they are still investigating the attack, but they do not believe financial information was compromised.  Their statement reads in part:

Read More

September 2014: The Month in Email

September was another busy month for us, but Steve stepped up and wrote a number of really interesting posts on email history, cryptography, and current technical issues in the email landscape.
We started the month with a look at the various RFCs that served as the technical specifications for developing message transfer protocols in the 1970s. It’s really fascinating to look at the evolution of these tools we use every day 40 years later. We followed up with a second post on the origins of network email, which is a great primer (or refresher) on the early days of email.
Steve’s four-part series on cryptography and email started with an in-depth look at how the industry is evolving with respect to encryption and privacy issues. He then introduced us to Alice and Bob (or reintroduced those of us who have been following the adventures of the first couple of cryptography), and described symmetric-key and public-key encryption. His next post described message signing, and how DKIM is used to manage this. He finished up the series with a post on PGP keys.
In industry news: Spamcop is shutting down its email service. There shouldn’t be any major impact on senders, but the post has some specific notes on DMARC implications. We also noted an interesting mail routing suggestion on Twitter, and wrote a post on using Mail.app for this.
In other DMARC news, we wrote about DMARC and report size limits, which might be useful information, depending on your configuration. We also launched a new DMARC tool to help senders understand who is publishing DMARC. Let us know what you think and if you’re finding it useful.
We couldn’t let a month go by without mentioning filters. We looked at a sector we don’t usually discuss, corporate filtering, and went in-depth on a much-misunderstood topic, content filtering.
Finally, Laura offered a webinar on a favorite topic, deliverability, in conjunction with the AMA and Message Systems. If you missed it, you can watch the recorded version here, or just take a peek at some of the reaction via Twitter.

Read More

December 2014: The month in email

2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.

Read More