InformationWeek: The Business Value of Technology


Informationweek Influencer

briankrebs (@briankrebs)

Twitter Bio: computer, internet security journalist, writes about cyber crime. wrote for The Washington Post '95-'09
Location: The Underweb
Website: http://krebsonsecurity.com

briankrebs's Network
Graham Cluley Nicolas Brulez Caleb Sima novainfosec Rob Lewis Eugene Kaspersky David Sancho Micah Sifry Chris Wysopal Bev Robb Theresa Payton MC Petermann Sooraj K S Gal Shpantzer Gunter Ollmann Brian Pennington Anita Campbell SocialMediaSecurity Ben Tomhave alexander knorr Alan W. Silberberg Robin Stephen Foskett Dave Marcus Chris Ensey Per Thorsheim Avram Marius (d3v1l) Joel Libava Panda Security David Chartier Ben Jackson Nick Judd Raf Jason M Oliver Dave Whitelegg daveaitel CiscoLive Ars Technica The Verge Andrew Waite Patrik Runald Kyle Maxwell DEFCON jcran dragosr Let's Talk Security David Joey Tyson Cisco Security Iftach Ian Amit EvilFingers CRN Buzz Chris Boyd Dave Lewis Henk van Roest SophosLabs Matt Simmons cedricpernet Andrew Storms Mariano M. del Río Jeff Pettorino news.yc Popular arbornetworks Kevin Mitnick David Harley adam shostack DHH Nick Selby Paul Wood Wim Remes Mike Fratto PHYSECTECH Small Business Trend grecs Jeremiah Grossman Matt Johansen RSnake SCMagazine helpnetsecurity F-Secure BreakingPoint Kimberly Steve Werby inuk-x James Lyne 0x410x410 SilverSky Andrew Jaquith Security4all Rik Ferguson Sarah Schacht Robert Westervelt Mark Headd Phil Wolff Web Security News regsecurity George V. Hulme UBM Tech Electronics Dave Piscitello Lookout SecurityWeek Sam Bowne Paul Asadoorian ChrisJohnRiley ♻ Jack Daniel Yuri Diogenes Christophe Veltsos GarWarner Javvad Malik briankrebs Webroot Kaspersky Lab Tenable Security McAfee Cisco Collaboration Dancho Danchev

briankrebs's Selections From the Web

Disclosing a flaw in a widely used system without making someone at least a little angry requires a delicate touch. But Andrew Auernheimer, a.k.a. “Weev,” a 26-year-old finder of security vulnerabilities, is anything but delicate. Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer

WASHINGTON—Asserting that cyberattacks against the U.S. don't come only from China, the U.S. and Chinese defense ministers said they agreed Monday to work together on cyber issues to avoid miscalculations that could lead to future crises.

Defense Secretary Leon Panetta said that since China and the United States have advanced cyber capabilities, it is important to develop better cooperation.

"It's true, as the general pointed out, that obviously there are other countries, actors, others involved in some of the attacks that both of our countries receive," Mr. Panetta told reporters after an afternoon meeting in the Pentagon

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned. On Sunday, Oracle rushed out a fix for a critical bug in Java that had been folded into exploit kits, crimeware made to automate the exploitation of computers via Web browser vulnerabilities. On Monday, an administrator of an exclusive cybercrime forum posted a message saying he was selling a new Java 0day to a lucky two buyers. The cost: starting

Like a lot of hackers, I have always found Neal Stephenson‘s works (especially Snow Crash, Diamond Age, Cryptonomicon, and REAMDE) particularly resonant. So when Black Hat announced that Stephenson would attend as a keynote speaker / interviewee, that provided half the reason I originally wanted to attend the conference. In my excitement, I didn’t even realize that they’d asked Brian Krebs to lead the conversation with him, so for me

Millions of Internet users in Brazil have fallen victim to a sustained attack that exploited vulnerabilities in DSL modems, forcing people visiting sites such as Google or Facebook to reach imposter sites that installed malicious software and stole online banking credentials, a security researcher said. The attack, described late last week during a presentation at the Virus Bulletin conference in Dallas, infected more than 4.5 million DSL modems, said Kaspersky Lab Expert Fabio Assolini, citing statistics provided by Brazil's Computer Emergency Response Team. The CSRF (cross-site request forgery) vulnerability allowed attackers to use a simple

[Image caption: After clicking on "Visit Google Drive on the web", users are automatically logged into their Google account without having to enter a password]

The Windows and Mac OS X desktop clients for Google's Drive file storage and synchronisation service open a backdoor to users' Google accounts which could allow the curious to access a Drive user's email, contacts and calendar entries. The sync tool includes a "Visit Google Drive on the web" link which opens Drive's web interface in the default browser and automatically logs the user in. Somewhat problematic is the fact that this session can then be used to switch to

After the theft of LinkedIn user database, there was a lot of buzz about how unthoughtful it was to store passwords as unsalted SHA-1 hashes.

Brian Krebs was recently shocked when his hosting provider sent him his password in plain text. He wrote a post about it and made

Last week, security firm RSA detailed a new cybercriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets. RSA wasn’t specific about where it got its intelligence, but the report’s

May 21, 2012, CSO — Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. But he has stayed largely under the radar, even in the cybersecurity community.

Brian Krebs, a well-connected former Washington Post reporter and author of the respected blog KrebsonSecurity, said he did not know Daniel or what his politics are.

Krebs

The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits
