Brian Krebs answers questions

IDCardForBlogBrian Krebs did an AMA on Reddit today answering a bunch of questions people had for him. I suggest taking a browse through his answers.
A few quotes stood out for me.
Q: Why do you think organizations seem to prefer “learning these lessons the hard way”? It doesn’t seem to be an information gap, as most IT executives say security is important and most individual contributors share risks upward with specific steps that can be taken to remediate risks. Given the huge costs for some breaches, why do you think more organizations don’t take the easy, preventative approach?

Security in general is a hard sell. It does nothing to contribute to the bottom line, and it very often gets in the way of productivity, or stands in the way of business getting done in the way that the business has always done it. Aside from the up-front investments required, it’s even more difficult to justify sustained expenditures on security, because it’s hard to put a price on a thing not happening (that thing being a breach or incident). Full Answer

Q: We saw what happened to big-box retail last year. What’s the next big vertical to be hit?

[…] my sense is that insurance firms and healthcare providers of all sizes will be the big target, if they’re not already; they have financial and identity data, and they are ripe targets for extortion (the pay-us-or-we’ll-leak-all-your-patient-data type extortion). Full answer

Q: Android Pay, Apple Pay, and any other emerging NFC payment technologies – Do you see these as friend or foe to financial institutions?

I think mobile payments is almost a distraction from the real issue: which is how are financial institutions maturing their ability to onboard new customers beyond requiring them to regurgitate static identifiers (name, dob, ssn, address, previous address, etc) — information, by the way, which is all for sale in the underground. If you’re an FI and you’re not going beyond that stuff, all these emerging payment technologies aren’t going to help much with your fraud losses; if anything, they will compound them. Full Answer

Q: What do you think about risk vs. prevention? Has everyone “already been breached” as some analysts say?

Good cybersecurity is not about eliminating risks, but rather about managing them to an acceptable degree. There are trade-offs between security and usability, for example, or between security and privacy to a degree. I don’t believe that everyone has already been breached — not to the degree they’ve had material losses. But give it time, sure. Full Answer

Q: What about “hacktivists”?

I have a grudging respect for a lot of people involved in traditional cybercrime activities; they may have predictable and highly suspect justifications for their actions, but a lot of these guys truly are pros and have really dedicated themselves to their profession. But that’s never stopped me from outing someone who has sloppy operational security. Full Answer

Go check out the whole thing.

Related Posts

December 2014: The month in email

2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.

Read More

AOL compromise

Lots of reports today of a security problem at AOL where accounts are sending spam, or are being spoofed in spam runs or something. Details are hazy, but there seems to be quite a bit of noise surrounding this incident. AOL hasn’t provided any information as of yet as to what is going on.

Read More

Compromises and phishing and email

Earlier this month, Sendgrid reported that a customer account was compromised and used for phishing. At the time Sendgrid thought that it was only a single compromise. However, they did undertake a full investigation to make sure that their systems were secure.
Today they released more information about the compromise. It wasn’t simply a customer account, a Sendgrid employee’s credentials were hacked. These credentials allowed the criminals to access customer data, and mailing lists. Sendgrid has a blog post listing things customers should do and describing the changes they’re making to their systems.
Last month it was Mandrill. Today it’s Sendgrid. It could be anyone tomorrow.
Security is hard, there’s no question about it. Users have to have access. Data has to be transferred. Every user, every API, every open port is a way for a bad actor to attempt access.
While it wasn’t said directly in the Sendgrid post, it’s highly likely that the employee compromise was through email. Most compromises go back to a phish or virus email that lets the attacker access the recipient’s computer. Users must be ever vigilant.
We, the email industry, haven’t made it easy for users to be vigilant. Just this weekend my best friend contacted me asking if the email she received from her bank was a phishing email. She’s smart and she’s vigilant, and she still called the number in the email and started the process without verifying that it was really from the bank. She hung up in the transaction and then contacted me to verify the email.
She sent me headers, and there was a valid DMARC record. But, before I could tell her it wasn’t a phishing email, I had to go check the whois record for the domain in question to make sure it was the bank. It could have been a DMARC authenticated email, but not from the bank. The whois records did check out, and the mail got the all clear.
There’s no way normal people can do all this checking on every email. I can’t do it, I rely on my tagged addresses to verify the mail is legitimate. If the mail comes into an address I didn’t give the sender, then it’s not legitimate – no matter what DMARC or any other type of authentication tells me. But most people don’t have access to tagged or disposable addresses.
I don’t know what the answers are. We really can’t expect people to always be vigilant and not fall for phishing. We’re just not all present and vigilant every minute of every day.
For all of you who are going to tell me that every domain should just publish a p=reject statement I’ll point out DMARC doesn’t solve the phishing problem. As many of us predicted, phishers just move to cousin and look alike domains. DMARC may protect citi.com, but citimarketingemail.com or citi.phisher.com isn’t.
We’ve got to do better, though. We’ve got to protect our own data and our customer’s data better. Email is the gateway and that means that ESPs, with their good reputations and authentication, are prime targets for criminals.

Read More