If you work for a corporation and you get a call or email from Brian Krebs, be prepared for a really bad day. That’s because Krebs, a journalist/security researcher, has made a specialty out of uncovering data breaches before businesses even know they have been compromised. He spent a solid hour at the CES gathering in Las Vegas this month making it clear to security professionals from around the world that as online criminals become increasingly sophisticated in their methods and tools, more companies are going to get hacked and it will be even costlier.
“Most organizations want to spend and forget about security,” said Krebs, who is the editor of KrebsOnSecurity.
Krebs spoke at the CES CyberSecurity Forum, which in itself was a milestone because it marked the first time in the history of the huge CES trade show that an entire day-long session had been devoted to security. The session was put together by Amjed Saffarini, CEO of CyberVista, after he and his team traveled across the country last year to hear some of the top speakers on cybersecurity.
Krebs, one of the session’s headliners, has made his reputation by uncovering numerous hacking escapades involving credit card and personal data theft, including the notorious Target breach in 2013. More recently, he analyzed stolen data posted to various public sites and reported that fitness tracking giant Fitbit had become the latest victim of customer account takeovers.
Fitbit has been careful to point out that there is no evidence that shows direct hacking of their wearable devices. Rather, the latest breaches are coming from data stored on their customers’ computers, which have been hacked. In the scam, criminals obtain customer data on the Fitbit device, then call the company’s customer service line, claim the product has ceased to work, and order a free replacement.
While Krebs expects this kind of warranty fraud to grow as even more connected products come onto the market, a key trend that he said would be a dominant theme in 2016 is the escalation of ransomware: the practice among hackers of breaching a database and then locking access until the owner pays to regain control.
While this is a growing irritation for average computer users who find themselves locked out when malware attacks their home systems, Krebs believes that the real impact will be felt by businesses. He described a recent hack of one firm’s highly valuable proprietary code where the criminals, not fully realizing what they had stolen, demanded only $300 to unlock the information. The company quickly and gladly paid the paltry amount, but Krebs said that as hackers become more knowledgeable about the value of what they ransom, the cost to retrieve it will skyrocket.
“I don’t know what it’s going to take, but right now we are outgunned,” said Krebs.
This developing problem has even led some companies to hire middlemen who quietly purchase stolen data on a regular basis from criminals to avoid bad public relations or user inconvenience. Earlier this month, the San Francisco Chronicle reported that PayPal had begun to identify stolen data and buy it back for small (under $100) amounts.
Krebs has been vocal about the need for solutions and pointed to a couple of potential ways that key players in the online world could handle the growing problem. One is for the large Internet Service Providers (ISPs) such as AT&T or Comcast to develop better controls on attackers who successfully hide their identities using multiple hosting servers and phony accounts.
“The ISPs need to stop passing attack providers at their borders,” said Krebs.
The security researcher also called for a bounty process where companies take the step of offering money for catching criminal hackers. This worked a few years ago for Microsoft when they put up $250,000 to identify operators of the Rustock botnet and it resulted in a takedown of the spammers.
Krebs said he believed that there is enough evidence to show that this can work. He described the experience of one company that recently lost $2 million in a breach and then got it all back when it offered a five percent bounty for information leading to the criminal’s arrest.
Krebs has carved out a unique position for himself as a journalist/security expert who sees the flow of stolen data across underground websites on a daily basis. “It’s never a dull moment when you poke the bear as often as I do,” said Krebs. And now the bear has his hand out and a growing bank account too.