JUDY WOODRUFF: Major U.S. government agencies have been the target of cyber-attacks of late. The State Department is the latest. During the past week, officials had to temporarily shut down an unclassified e-mail system after a suspected hacking. In recent months, the White House, the Postal Service and the National Weather Service all have been targeted.
Meanwhile, as the holiday season approaches, retailers and the business world are on the lookout for breaches.
A new book breaks down the pervasiveness of what’s happening.
Jeffrey Brown has our conversation.
JEFFREY BROWN: Hardly a week goes by anymore without a report of some major cyber-breach, whether it’s targeting retailers, the government, or any and all of us. The attacks are generated in a new netherworld of crime, some of it individualized, even chaotic, other parts of it extremely well-organized.
Writer and journalist Brian Krebs has uncovered some major breaches, including the one on Target that compromised the credit card data of tens of millions of people. He writes about all of this on his blog Krebs on Security and now in his new book, “Spam Nation.”
And welcome to you.
BRIAN KREBS, Author, “Spam Nation”: Thank you.
JEFFREY BROWN: You are peering into a world of cyber-crime that few of us ever see. What does it look like?
BRIAN KREBS: It’s a pretty dark place.
JEFFREY BROWN: It is?
BRIAN KREBS: Yes, absolutely.
But it’s not as dark as you might imagine. If you’re somebody who doesn’t know their way around, there are plenty of people willing to show you the way. They might take a cut of the action to help you do that, but it’s not as dark…
JEFFREY BROWN: You’re smiling as you say that.
I mean, there’s a lot of give and take, interplay, let me help you out. This is how you develop your sources in your work?
BRIAN KREBS: Absolutely, absolutely, yes.
JEFFREY BROWN: Yes. So, who are — you’re dealing with the bad guys here. Who are they? Do you see them changing, whether in terms of who they are or in their level of sophistication?
BRIAN KREBS: Sure.
So, I think, at a very basic level, a lot of these guys don’t see themselves as bad guys. So some of the individuals that I profile in the book “Spam Nation” that we have got coming out, it — it — these guys generally see themselves as a provider of service or product that people want.
And the stuff that they are advertising, say, in spam for the most part, they view this as something — it might be — violates some laws, some Western laws about things, but, at the end of the day, somebody’s going to buy their product and they’re going to make some money off it.
JEFFREY BROWN: So they’re providing the service which would be the service that somebody nefarious wants to use it, right, the services providing — are my data for example, your data.
BRIAN KREBS: Well, it’s really interesting to look at the dichotomy of spam.
Depending on where you are in the world, your experience of spam is probably going to be radically different. So, for instance, one of the individuals that I profile in this book was responsible for running one of the most sophisticated crime machines ever built, the Cutwail spam botnet.
And we’re talking about hundreds of thousands of computers that are infected with malicious software to infect other machines with malicious software and to send advertising via spam. If you’re an American and you get spam from Cutwail, there’s a very good chance it’s going to contain malicious software to turn your system into a spambot.
If you’re Russian and you get e-mail from — spam e-mail from Cutwail, there’s almost no chance it’s going to contain malware. It’s going to contain a commercial solicitation for a business near you. And, by the way, there will be a link at the bottom that says, hey, if you like this solicitation, if you want to advertise your own business this way, visit this link or call this phone number, and we can set that up for you. So…
JEFFREY BROWN: One of the issues that you write about here is companies, they’re not up front enough when things happen, often for very good reasons, right? Because the publicity of what happens can be worse than the crime itself.
But what do you see from companies these days? Are they changing?
BRIAN KREBS: Yes.
JEFFREY BROWN: Are they reacting differently, better?
BRIAN KREBS: No, and for one reason. And that is, there are more ways to tell when organizations have had a breach now.
So, if you look at the Target breach, the Home Depot breach, Sally Beauty, Michaels, the others that I have been able to break over the last year, the reason is, is because when that information hits the black market, when they go to sell 40 million credit cards, you can’t really hide that under a bucket.
You want to tell the world about this, right, because those cards, the things you’re trying to sell, they don’t get better with age. So they’re putting this out there. Once they put it out for sale, the race is on. So law enforcement knows immediately. Anybody who is looking hard enough, the banks, sometimes reporters, can find out pretty quickly who got breached.
JEFFREY BROWN: How do you — how do you find out?
BRIAN KREBS: Well, in the case of — in the case of Target and Home Depot, it was a matter of some crooks are basically saying, hey, look, we have got a whole bunch of these cards that we’re going to push out there in the next couple of days. Get your budgets ready, get your — fill up your balances, get ready to shop.
And when they do that, you just pay attention. And then I start reaching out to banks that I have developed resources with — sources with and saying, hey, look, we — there are 10,000 of your customers’ cards that just hit this network overnight.
You got any clue if there’s a common — commonality in these transactions? And they will come back to me and they will say, yes, they were all used at this organization between this time frame and that time frame. And you get that from enough organizations, enough different banks, the same thing, you feel pretty good about calling that organization up — organization up and saying, looks like you had a bad day.
JEFFREY BROWN: You know, the main question, I guess, for most of us, the main question still very much out there, is data protectable? Is that a sort of — is it ownable?
You know, are credit cards securable? I mean, we’re entering — we’re hearing more about this age of exchanges without cash, right, all kinds of electronic exchanges.
BRIAN KREBS: I think if — I think if the consumer — if the consumers and the business world has heard anything loud and clear — or I hope they have heard anything loud and clear over the last year, both from the revelations with the Edward Snowden scandal and the attacks on personal and financial information vis-a-vis major companies that hold this information, I hope it’s that, if you’re not encrypting this information, it’s as good as stolen, because, increasingly, these companies have to — they have to change their mind-set, but they haven’t yet.
That mind-set shift has to shift from one of, well, we have put all this stuff in place to keep them out. Let’s make sure we keep them out to, well, there’s no way we can keep them out. So, let’s — let’s make our defenses so that we realize they’re going to get in. How do we protect the data that we’re responsible for protecting when they get in? Not if, but when.
JEFFREY BROWN: Well, so what’s the — I mean, from all the work you have done over the years looking into this world, what’s the advice? Or has it changed your own habits or what’s the advice you give your loved ones?
BRIAN KREBS: Oh, my loved ones. Well, that’s quite a bit different.
BRIAN KREBS: It’s pretty simple, but it hasn’t really changed much over the years.
So it’s — it starts with the basic hygiene, security hygiene. And the stuff is not super sexy. It’s — unfortunately, it’s a pain. You know, keeping your operating system up to date with the latest software updates. Actually, almost as important, if not more important, is keeping your browser up to date.
So, all those — increasingly, the way companies and individuals get hacked is through the browser. So, they browse to a site that is malicious or itself is hacked. And if they’re not browsing that site with the latest, say, Adobe Flash Player, Java, PDF reader, whatever it is — there are updates for these things like once a month — if they’re not up to date, they’re going to have a bad day, and their computer’s not going to belong to them anymore.
So, I always tell people, if you installed it, update it.
JEFFREY BROWN: All right.
BRIAN KREBS: And if you didn’t go looking for it, don’t install it. Those two things keep most people out of a lot of trouble.
JEFFREY BROWN: All right, you know what? We’re going to continue this discussion online.
BRIAN KREBS: Yes.
JEFFREY BROWN: I’m going to ask you about some bad days that you have had, because you have been — you have been the target yourself.
JEFFREY BROWN: For now, the book is “Spam Nation.”
Brian Krebs, thank you very much.
BRIAN KREBS: Thanks a lot.