briankrebs (@briankrebs@infosec.exchange)

Independent investigative journalist. Covers cybercrime, security, privacy. Author of 'Spam Nation,' a NYT bestseller. Former Washington Post reporter, '95-'09. Signal: briankrebs.07 Twitter: @briankrebs Linkedin: https://www.linkedin.com/in/bkrebs/


briankrebs (@briankrebs@infosec.exchange), to Random stuff

Reason #2,391 why revisiting security assumptions is always a good idea.

[Bimi] No cryptographic connection between VMC and DKIM key

https://mailarchive.ietf.org/arch/msg/bimi/Ba3jFfJ8K6ic7qg4DzPsIsGW5UY/

My favorite part:

"I guess some may consider what I just said as an unimportant or a merely theoretical issue, so I would like to illustrate it with an example. Let's take the domain entrust.com. It has a DKIM key configured at "dkim._domainkey.entrust.com". The TXT record is the following:

"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"

This is a 1024 bit RSA key, which is not up to modern standards. But breaking 1024 bit RSA is still only feasible for very powerful attackers. However, this key has another problem: it is vulnerable to the Debian OpenSSL bug (CVE-2008-0166). It is trivially possible to find the private key (you can use my tool badkeys - https://badkeys.info/ - to do that):

https://github.com/badkeys/debianopenssl/blob/main/rsa1024/ssl/le32/25731-rnd.key"
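A defender-side check that the quoted example invites: the added Python script below (not part of the post, the mailing-list message, or the badkeys project) parses a DKIM TXT record, decodes the SubjectPublicKeyInfo in its p= tag with a minimal stdlib DER reader, and flags an RSA modulus below an assumed 2048-bit policy threshold. It uses the entrust.com record quoted above as sample input; the Debian weak-key condition is a separate blocklist lookup (badkeys) that this size check cannot replace.

```python
import base64
import re

# DKIM TXT record for dkim._domainkey.entrust.com as quoted in the post above.
# A TXT record may be split into several quoted strings; they are concatenated here.
SAMPLE_RECORD = (
    "v=DKIM1; k=rsa; "
    "p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCyGF0xzO7Eig1H8QdIErjEKOGnIVvoLU5VjcMRBRWZK65NinL+gVnjuMD2mYdjC3f+7sQCWxGDSKIFn/bB+iXxO2x1/ktkwXHQfQ/9FcFuy+LE0Snsm0SwXN/2l1m5f9e1xdswC+dzHt6DIpDSDENsRal019YKQTqwVyB++7QORwIDAQAB"
)

MIN_RSA_BITS = 2048  # assumed policy threshold, not a value from the post


def parse_dkim_record(txt):
    """Split a DKIM TXT record (RFC 6376 tag-list) into tag -> value.
    Whitespace inside values is dropped, since the p= blob is often line-wrapped."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def _read_tlv(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def rsa_public_numbers(der):
    """Return (modulus, exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    tag, start, _ = _read_tlv(der, 0)                 # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, alg_end = _read_tlv(der, start)           # AlgorithmIdentifier SEQUENCE
    tag, bs_start, _ = _read_tlv(der, alg_end)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or der[bs_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    tag, seq_start, _ = _read_tlv(der, bs_start + 1)  # RSAPublicKey SEQUENCE
    tag, n_start, n_end = _read_tlv(der, seq_start)   # INTEGER modulus
    tag2, e_start, e_end = _read_tlv(der, n_end)      # INTEGER publicExponent
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("RSAPublicKey integers missing")
    return int.from_bytes(der[n_start:n_end], "big"), int.from_bytes(der[e_start:e_end], "big")


def assess_dkim_record(txt, min_bits=MIN_RSA_BITS):
    """Decode a DKIM record and report size/exponent findings for its RSA key."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return {"ok": False, "reason": "unexpected version tag"}
    if tags.get("k", "rsa") != "rsa":
        return {"ok": False, "reason": "not an RSA key"}
    if not tags.get("p"):
        return {"ok": False, "reason": "empty p= tag (key revoked)"}
    n, e = rsa_public_numbers(base64.b64decode(tags["p"]))
    bits = n.bit_length()
    findings = []
    if bits < min_bits:
        findings.append(f"RSA modulus is {bits} bits, below {min_bits}")
    if e < 65537:
        findings.append(f"small public exponent {e}")
    return {"ok": not findings, "bits": bits, "exponent": e, "findings": findings}


if __name__ == "__main__":
    print(assess_dkim_record(SAMPLE_RECORD))
```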

briankrebs (@briankrebs@infosec.exchange), to Random stuff

So, back in 2016 I wrote a story about Dell customers getting inundated with spam spoofing the company and referencing the recipient's real name and actual Dell service tag ID for the recipient's computer. Dell responded by asking customers who receive these messages to report them.

https://krebsonsecurity.com/2016/02/dell-to-customers-report-service-tag-scams/

Today, Dell disclosed a breach involving "a Dell portal" which contained customer names, physical addresses, and Dell hardware and order information, including service tag, item description, date of order and related warranty info.

I've asked Dell when they discovered this and how long they believe the intruders had access.

    briankrebs OP (@briankrebs@infosec.exchange)

    Actually, now that I'm re-reading my own story I see that scammers were mostly calling people directly and pretending to be Dell.

    briankrebs OP (@briankrebs@infosec.exchange)

    Dell said they recently identified the incident, and that the investigation is ongoing. They sent me a kind of boilerplate response:

    "Dell Technologies has a cybersecurity program designed to limit risk to our environments, including those used by our customers and partners. Our program includes prompt assessment and response to identified threats and risks. We recently identified an incident involving a Dell portal with access to a database containing limited types of customer information including name, physical address and certain Dell hardware and order information. It did not include financial or payment information, email address, telephone number or any highly sensitive customer data. Upon discovering this incident, we promptly implemented our incident response procedures, applied containment measures, began investigating, and notified law enforcement. We have also engaged a third-party forensics firm to investigate this incident. We continue to monitor the situation and take steps to protect our customers’ information. Although we don’t believe there is significant risk to our customers given the type of information involved, we are taking proactive steps to notify them as appropriate."

    james (@james@bne.social), to Random stuff

    @briankrebs - with regard to your latest blog post (para here in the graphic): it’s a very pedantic point, but the attacker would only be able to see domain names and not full “site addresses” in your example. So, an attacker wouldn’t see the full URL of example.com/krebs-is-nice or example.com/krebs-is-nasty - the domain name is never encrypted, but the rest of the address is.

    briankrebs (@briankrebs@infosec.exchange)

    @james okay. thanks.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    So has Amazon stopped sending SMS for 2FA via Google Voice? Can't find much else in the way of discussion about this.

    briankrebs OP (@briankrebs@infosec.exchange)

    @jrsofty I had it set up that way. But was working w/ one of their top security engineers, who suggested I try their enhanced 2FA via SMS, which I did in order to report a story. But I guess I never changed it back. Doh.

    briankrebs OP (@briankrebs@infosec.exchange)

    @astralcomputing Right, but to add a new authentication method, even if you're already logged in, it requires the 2FA to the same number.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

    The leader of Lockbit of course denies they got the right guy.

    https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/

    briankrebs OP (@briankrebs@infosec.exchange)

    @argv_minus_one Yes. Now that we know his real ID, it is easy to see he left a very wide and long trail. And his opsec was $#!+. Stay tuned.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Wow, the US govt finally made good on its doxing threat against the Lockbit ransomware group administrator LockbitSupp. This just released by OFAC:

    SPECIALLY DESIGNATED NATIONALS LIST UPDATE
    The following individual has been added to OFAC's SDN List:
    KHOROSHEV, Dmitry Yuryevich (a.k.a. KHOROSHEV, Dmitrii Yuryevich; a.k.a. KHOROSHEV, Dmitriy Yurevich; a.k.a. YURIEVICH, Dmitry; a.k.a. "LOCKBITSUPP"), Russia; DOB 17 Apr 1993; POB Russian Federation; nationality Russia; citizen Russia; Email Address khoroshev1@icloud.com; alt. Email Address sitedev5@yandex.ru; Gender Male; Digital Currency Address - XBT bc1qvhnfknw852ephxyc5hm4q520zmvf9maphetc9z; Secondary sanctions risk: Ukraine-/Russia-Related Sanctions Regulations, 31 CFR 589.201; Passport 2018278055 (Russia); alt. Passport 2006801524 (Russia); Tax ID No. 366110340670 (Russia) (individual) [CYBER2].

    briankrebs OP (@briankrebs@infosec.exchange)

    @Fringedcrow Well, LockbitSupp said he would pay $15M to anyone who doxed him successfully. I'm waiting for his reply about whether he plans to send the USG the $15M. :)

    briankrebs OP (@briankrebs@infosec.exchange)

    Just filed a fairly straightforward story on today's action: https://krebsonsecurity.com/2024/05/u-s-charges-russian-man-as-boss-of-lockbit-ransomware-group/

    tl;dr: LockbitSupp of course denies being the person thoroughly doxed by three different governments today.

    "I've been in intermittent contact with LockBitSupp for several months over the course of reporting on different LockBit victims. Reached at the same ToX instant messenger identity that the ransomware group leader has promoted on Russian cybercrime forums, LockBitSupp claimed the authorities named the wrong guy.

    “It’s not me,” LockBitSupp replied in Russian. “I don’t understand how the FBI was able to connect me with this poor guy. Where is the logical chain that it is me? Don’t you feel sorry for a random innocent person?”

    LockBitSupp, who now has a $10 million bounty on his head from the U.S. Department of State, has been known to be flexible with the truth. The Lockbit group routinely practiced “double extortion” against its victims — requiring one ransom payment for a key to unlock hijacked systems, and a separate payment in exchange for a promise to delete data stolen from its victims.

    But Justice Department officials say LockBit never deleted its victims data, regardless of whether those organizations paid a ransom to keep the information from being published on LockBit’s victim shaming website."

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Basically all of the speaking requests I've received over the last six months, all any of them want to talk about is AI, b/c everyone is trying to position themselves as being the perfect partner to usher companies through the madness. I'm probably not going to be asked to do speaking much longer, b/c I find I am fairly hawkish on all the AI hype.

    I guess I come from a pretty old-fashioned point of view on technology vs security, which is basically that the more you complexify something, the harder it is to secure. And most of the AI visions that companies are espousing would increase the complexity of security efforts by several orders of magnitude. The issue of data governance is just one small microcosm of that (one in which most fail at miserably already).

    I think it's also safe to predict that first movers here (beyond the now entrenched big ones) are going to get clobbered by regulation soon.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    LOL @ "alternative clouds." IDK why, but I just think of "alternative facts" when I hear this phrase. Oh wait, it means former crypto mining operations converting their GPU armies to feed the AI dreams of companies that can't compete with or afford other options? That makes a lot more sense.

    https://techcrunch.com/2024/05/05/coreweaves-1-1b-raise-shows-the-market-for-alternative-clouds-is-booming/

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Random PSA: If you own a motor vehicle that has a spare tire, it's a good idea to check every once in a while that the spare actually has enough air in it to support the car. Had to get the spare out from under my truck (a hugely complicated maneuver that would be really unfun to do for the first time in an emergency), and found it had about 10 percent of the necessary air.

    If you can't be bothered to check the pressure once a year or so, better keep an air pump in the trunk as well.

    briankrebs OP (@briankrebs@infosec.exchange)

    @donholloway This was the result of my having spent hours watching youtube videos on how to unlock the safety latch on the spare tire, and how to thread together the 3 part tool needed to reach the winch that lowers the spare, and how to unlatch the winch from the tire, etc. etc. Got up one morning and the tire I had patched was flat. Inflating it again saw it flat in minutes.

    briankrebs OP (@briankrebs@infosec.exchange)

    @breizh Yeah I got one of those deals you plug into the lighter and it makes this unholy racket for like 10 minutes while it inflates the tire. But hey it works.

    briankrebs OP (@briankrebs@infosec.exchange)

    @almad Yikes. America has a lot of problems, but that definitely isn't one of them!

    dnsprincess (@dnsprincess@infosec.exchange), to Random stuff

    About to pay off my absolutely crushing debt!!!

    I'll be free. No more paycheck to paycheck!!

    I did it y'all!!

    I'll only have a small student loan left, can pay it off in about a year.

    BITCHES I'M FREEEEEEEEEEEE

    briankrebs (@briankrebs@infosec.exchange)

    @dnsprincess Congrats! That's a huge milestone. Now for the hard part: Remaining debt-free!

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Researchers at Leviathan Security have released some interesting findings that illustrate why your VPN service may not be as secure as it claims.

    From the story:

    "VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP protocol so that other users on the local network are forced to connect to a rogue DHCP server.

    “Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”"

    More here: https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it-claims/

    briankrebs OP (@briankrebs@infosec.exchange)

    @Natanox @stealthisbook @mullvadnet I fully intended to share this research with them prior to publication, but I ran out of time.

    briankrebs OP (@briankrebs@infosec.exchange)

    Doh! I guess saying "DHCP protocol" is a bit like saying "ATM machine." Changed to "DHCP standard."

    briankrebs OP (@briankrebs@infosec.exchange)

    @nikatjef I don't believe any of the individual components of this research are particularly new, it's just that they've demonstrated using a number of techniques in concert to show that the way many VPNs are being marketed is misleading, and possibly risky for important people who may not understand the implications.

    briankrebs OP (@briankrebs@infosec.exchange)

    @anselmschueler Yes, but that would assume some basic knowledge on the part of the reader, which is always a dangerous assumption, unless you're only writing for a technical audience.

    briankrebs OP (@briankrebs@infosec.exchange)

    @anselmschueler BTW the reason that is risky (at the risk of stating the obvious) is that most readers will stop reading the moment you take them for granted.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Nothing like spending $1700 to fix an obnoxious noise in your car, only to hear the sound again when you're halfway home from the dealership.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    What a surprise.

    "The auditor for former president Donald Trump’s media company was charged with “massive fraud” Friday by the Securities and Exchange Commission, which accused the firm of being a “sham audit mill” whose failures put investors at risk."

    https://www.washingtonpost.com/technology/2024/05/03/trump-media-auditor-borgers-suspended-permanently/

    briankrebs OP (@briankrebs@infosec.exchange)

    @tellyworth Who's to say who's buying this stock? Why should we expect that the money is coming from normal investors here in the US?

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    It's always amazed me that ID.me, which you have to use in order to interact w/ the IRS online these days, has a top level domain from the country of Montenegro. uBlock Origin says they're injecting tracking links from Italy's TLD when you login at the irs.gov website.

    What's next? Cookies from Colombia? AI from Anguilla?

    briankrebs OP (@briankrebs@infosec.exchange)

    @alex @eb IDK anything about Montenegrin IT capabilities, so I'll take your word for it. But it's worth pointing out that poorly secured or maintained IT resources can be commandeered to do crazy stuff. So your statement fills me with more dread. Thank you.

    briankrebs OP (@briankrebs@infosec.exchange)

    To be clear, I have nothing against private companies or citizens using whatever TLD they want. But we need to stop doing this on important .gov stuff. And I would consider the IRS to easily qualify there.

    briankrebs OP (@briankrebs@infosec.exchange)

    How about this? Lawmakers pass a law (gasp!) that says if you're a private company providing services to the entire populace on behalf of .gov, your site will use com/net/org only when it is interacting with the government. Full stop.

    Probably even the extreme wingnuts in the GOP could get behind this, in a kind of "buy American" way.

    briankrebs OP (@briankrebs@infosec.exchange)

    @mcfly far as I can tell they're just using a trendy tracking service whose domain ends in .it ("postmark it").

    briankrebs OP (@briankrebs@infosec.exchange)

    @max No way in hell I would encourage the further use of .us until someone in charge at the GSA or whatever started giving a damn about how the tld is completely overrun with abuse, phishing and spam domains -- in near total contravention to the tld's charter, I might add.

    https://krebsonsecurity.com/2023/09/why-is-us-being-used-to-phish-so-many-of-us/

    briankrebs OP (@briankrebs@infosec.exchange)

    @grumpasaurus You mean Rep., not Senator?

    briankrebs OP (@briankrebs@infosec.exchange)

    @grumpasaurus I'm gonna need a minute, lol

    briankrebs OP (@briankrebs@infosec.exchange)

    @jtk Why would you assume that? I guess I'm less interested in the fairness arguments, or the globalist view here.

    briankrebs OP (@briankrebs@infosec.exchange)

    @marley @Jessicascott09 @bogdrakonov The issue isn't that the site is compromised. I have no information to suggest that it is.

    Here's the thing: If for some reason control over the .me TLD were to be subverted, hacked or undermined in some way, it might be hard to tell, and it could mean traffic is diverted or compromised. I have no idea how likely that would be, but it's an aspect of any transaction with the IRS that this is not strictly under the US government's direct control. Same with .IT.

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    This is the 2nd time in a week it's happened: Force-quitting Sonos on a Mac causes the OS to go to a lock screen, requiring biometric or password. WTH?

    briankrebs OP (@briankrebs@infosec.exchange)

    I'll add that force-quitting Sonos on my Mac seems to be a more common requirement, especially on my laptop when it wakes from being shut or offline.

    Edent (@Edent@mastodon.social), to Random stuff

    You receive a call on your phone.
    The caller says they're from your bank and they're calling about a suspected fraud.

    "Oh yeah," you think. Obvious scam, right?

    The caller says "I'll send you an in-app notification to prove I'm calling from your bank."

    Your phone buzzes. You tap the notification. This is what you see.

    Still think it is a scam?

    briankrebs (@briankrebs@infosec.exchange)

    @Edent This is a great scam, and probably effective a good percentage of the time.

    It reminds me of a story I wrote about a tech expert who got scammed b/c he refused to hang up when the scammers called. Instead, he put the scammers on hold and called his bank and asked them if they were in a support call with him already, and they checked and said yes. Feeling better, he went back to the original caller and proceeded to give them what they needed to take over the account.

    What he didn't count on was that the scammers were also on the phone with his bank at the same time --- pretending to be him! So the bank was answering truthfully, from their perspective.

    This wrinkle just seems to add some app magic into it, which is brilliant.

    https://krebsonsecurity.com/2020/04/when-in-doubt-hang-up-look-up-call-back/

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Dropbox has disclosed a cybersecurity incident, in filing with the SEC:

    https://www.board-cybersecurity.com/incidents/tracker/20240501-dropbox-inc-cybersecurity-incident/#8-k-filed-on-2024-05-01

    On April 24, 2024, Dropbox, Inc. (“Dropbox” or “we”) became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. We immediately activated our cybersecurity incident response process to investigate, contain, and remediate the incident. Upon further investigation, we discovered that the threat actor had accessed data related to all users of Dropbox Sign, such as emails and usernames, in addition to general account settings. For subsets of users, the threat actor also accessed phone numbers, hashed passwords, and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication. Based on what we know as of the date of this filing, there is no evidence that the threat actor accessed the contents of users’ accounts, such as their agreements or templates, or their payment information. Additionally, we believe this incident was limited to Dropbox Sign infrastructure and there is no evidence that the threat actor accessed the production environments of other Dropbox products. We are continuing our investigation.

    Brandi_Buchman (@Brandi_Buchman@mstdn.social), to Random stuff

    Judge Cannon reminds Trump to redact witness names in docs on heels of contempt ruling in NY

    https://lawandcrime.com/high-profile/cannon-reminds-trump-to-redact-witness-names-as-former-president-faces-gag-hearing-in-different-venue/

    briankrebs (@briankrebs@infosec.exchange)

    @Brandi_Buchman Who will take bets w/ me on whether 45's lawyers end up doxing witnesses anyway?

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    Scenario: The (non chaotic evil) sysadmins of the world band together to go on strike. What's on their list of demands?

    *Correct answers optional.

    briankrebs OP (@briankrebs@infosec.exchange)

    @prefec2 Really? C'mon, you've got management by the balls, and all you want is correct specifications and change requests? :)

    briankrebs (@briankrebs@infosec.exchange), to Random stuff

    I love that this is about an Instagram-based fraudster, and the presiding judge's name is Block.

    "INSTAGRAM INFLUENCER KNOWN AS “JAY MAZINI” SENTENCED TO 84 MONTHS IN PRISON FOR OVERLAPPING FRAUD SCHEMES
    Defendant Capitalized on His Social Media Persona to Commit Fraud, Including a Scheme That Bilked the Muslim Community Out of Over $8 Million

    "Earlier today, in federal court in Brooklyn, Jebara Igbara, also known as “Jay Mazini,” was sentenced by United States District Judge Frederic Block to 84 months in prison for wire fraud, wire fraud conspiracy and money laundering arising out of multiple schemes that resulted in millions of dollars in loss to trusting investors. Igbara pleaded guilty to the charges in November 2022. As set forth in the information, up until March 2021, Igbara maintained a popular Instagram account under the name “Jay Mazini,” where he would post videos depicting, among other things, occasions during which he would hand out large amounts of cash to various individuals as gifts. In reality, Igbara was perpetrating overlapping fraud schemes, scamming investors out of at least $8 million. As part of his sentence, Igbara was ordered to pay $10 million in forfeiture. The amount of restitution will be determined at a later date."

    briankrebs OP (@briankrebs@infosec.exchange)

    @bojanland The guilty party's name is Igbara. That is all.
