FYI, the only reason I'm still here is to make fun of the new CEO and his $44B dumpster fire. Anything serious I have to say will be said over on that other site (rhymes with John Mastodon). But please, keep the replies coming!
Confirmed: The DNS records that tell systems how to find or got withdrawn this morning from the global routing tables. Can you imagine working at FB right now, when your email no longer works & all your internal FB-based tools fail?
Let this sink in: @elonmusk hath decreed that all links to Mastodon should be flagged as malware. This is, of course, a baldfaced lie, and he knows it. So the CEO of Twitter is lying to everyone on Twitter, and to all its advertisers, even to all of his defenders.
Everything that @elonmusk has done publicly so far to Twitter seems like exactly what I'd do if I wanted to ensure the entire platform ran straight into the ground, and fast. His actions and words make it really hard to see how this isn't actually his plan.
LOL. The CEO of Twitter has gone full despot/dictator mode. You can now get banned for mentioning your Insta, FB, Mastodon, Post, or other. You know a country is in full freedom mode when it starts shutting its borders for people trying to leave!
We don't know why this change was made. It could well have been the result of an internal, system wide change or update that went awry. It's all speculation at this point why. FB alone is in control over its DNS records.
To be more precise (and Geek Factor 5) the BGP routes serving Facebook's authoritative DNS were withdrawn, rendering all Facebook domains inaccessible. That's per @DougMadory, who knows a few things about BGP/DNS.
From trusted source: Person on FB recovery effort said the outage was from a routine BGP update gone wrong. But the update blocked remote users from reverting changes, and people with physical access didn't have network/logical access. So blocked at both ends from reversing it.
Being in infosec for so long takes its toll. I've come to the conclusion that if you give a data point to a company, they will eventually sell it, leak it, lose it or get hacked and relieved of it. There really don't seem to be any exceptions, and it gets depressing.
8kun/8chan went down tonight. A phone call to their DDoS protection provider was all it took. That provider says they had no idea they were helping 8kun stay online. 8kun, some QAnon sites now getting DDoS protection from ddos-guard dot net in Russia
Just published a short (hopefully broadly accessible) writeup on the ongoing outages at Facebook, Instagram & WhatsApp. Includes perspective, graphic from @dougmadory and Kentik. Will update to add more info soon.
The CEO of twitter just got his account hijacked, apparently by a bunch of SIM swappers who've been targeting high profile people and celebrities of late. Maybe this will finally get some real attention to the epidemic of SIM swapping happening right now? Not holding my breath.
Predictably, the Zoom hearing for the 17-year-old alleged Twitter hacker in Fla. was bombed multiple times, with the final bombing of a pornhub clip ending the zoom portion of the proceedings.
1/ So you go shopping for a PIV card reader, because the US govt gave you one and you're curious to look at what's on it. You settle for this "DOD military USB common access smart card reader," because it's compatible with Mac OS. Cool! Only $15! What a bargain!
Sources say Microsoft on Tuesday will fix an extraordinarily scary flaw in all Windows versions, in a core cryptographic component that could be abused to spoof the source of digitally signed software. Apparently DoD & a few others got an advance patch
Hey @elonmusk, since you don't seem to have much of a media/comms team anymore, can you address the apparently legitimate claim that someone scraped & is now selling data on hundreds of millions of Twitter accounts? Maybe it didn't happen on your watch, but you owe Twitter a reply.
The admin of the cybercrime forum Breached said they just received a cease and desist letter claiming the forum thread where a Mexican bank's data was being sold was fake news and harming the bank's reputation. The admin responded by purchasing the data and leaking it. Whoops.
Sometimes LinkedIn can be creepily helpful. I was researching this money mule recruitment gang that's been hiring via LinkedIn and a day later LinkedIn sends me an email suggesting other companies similar to the one I looked up. Looks like I may have found more mule groups.
With Fedex and UPS and DHL stopping package delivery to RU, that's gonna kill several cybercriminal industries -- particularly the reshippers which use stolen card data/mules to buy electronics/household goods at discount & sell to people in RU. Retailers should see a reprieve.
Another awful thing about this death from swatting in Kansas is that there are now multiple reports that the man killed wasn't even part of the dispute that prompted the swatting.
Prediction: In a few months, the volume of spam, phishing and just about every form of cybercrime is going to increase noticeably. New privacy rules coming out of the EU are going to take away the single most useful tool available to security experts and researchers: WHOIS.
Exclusive, breaking: The US Secret Service is quietly alerting banks and ATM operators that for the first time ever ATM "Jackpotting" attacks -- designed to empty ATMs of cash via malware and hardware -- have hit ATMs in the United States
The security researcher who originally reported the @panerabread security vuln that exposed millions of customers' private info has just penned this response to the company's unbelievable response to my story. Worth a read:
Just discovered my mom-in-law has been going into her AOL spam folder and unsubscribing from emails there. Doing so involved clicking soooo many links in seriously dodgy emails. She was like, "why won't it let me unsubscribe?" Me screaming into my pillow.
Spent past 2 days reading 14 months worth of leaked chats from the Conti ransomware group (so you don't have to). Today's Part I focuses on the group's internal efforts to evade actions by law enforcement & intel agencies. This is a bottomless gold mine.
Experts say the LAPSUS$ data extortion group that hit Okta and Microsoft this week is run by a 17-year-old from the UK who recently bought the Doxbin doxing website, and then leaked its database. Naturally, Doxbin responded by doxing the LAPSUS$ leader.
Google said it has not had any of its 85,000+ employees phished on their work accounts since early 2017, when the company began requiring logins via Security Keys
Bought a product off Amazon, and it sucked so badly I had to write a negative but fair review. I then heard from the seller offering 2x what I paid for the item to remove or update my comment. I'm thinking of adding that as an update. But I wonder how many people take the money.
Looks like the domain used to control the malware infrastructure in the SolarWinds compromise is now controlled by Microsoft. They should soon have a good (if conservative) idea how many SW/Orion customers were hacked.
For real: Experian wants you to nominate it for cyber risk awards in 4 categories! What crazy fresh hell bs is this? Is there a way to vote *against* Experian winning anything ever in regards to "cyber"?
, the Web site for the bakery-cafe chain by the same name, leaked millions of customer records -- including names, DOBs, email/street addresses, last 4 of credit card -- until today: Worst part: They were first notified 8 months ago
Potentially huge scoop from Bloomberg alleging San Jose-based Super Micro, under direction or control of Chinese cyber spies, secretly embedded rice-sized computer chips on electronic components stitched into devices made by 30 companies #supplychain
I never do this, but this is important so please RT if you agree: It's not okay for my mobile provider to sell or give my mobile device location info to a 3rd party without at least a court order/subpoena. Background: and
Antivirus giant Norton 360 has installed a cryptocurrency mining program on users' PCs, but says the service that enables the miner is opt-in. Users report the miner is hard to remove. Customer reactions range from unease/disbelief to "dude, where's my crypto?"
Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning
Norton360 isn't the only antivirus product installing cryptominers. Avira, a "free" antivirus product w/ > 500M users, recently introduced users to Avira Crypto. Avira is now owned by NortonLifeLock, which also just bought Avast antivirus (500M users)
New stats indicate half of all phishing sites now begin with https:// < The old "look for the padlock" security advice has never been more useless and dangerous
From a security pro who fought LAPSUS$: It forces us to shift thinking about insider access. Nation states want longer, strategic access; ransomware groups want lateral movement. LAPSUS$ asks: What can this account get me in the next 6 hours? We haven’t optimized to defend that.
Missouri Gov. Mike Parson today vowed to prosecute the St. Louis Post-Dispatch for reporting a security flaw in an agency website that exposed 100k+ teacher SSNs. They held their story until it was fixed. Now Parson is shooting the messenger:
Sources who've briefed U.S. national security advisors say >30K U.S. organizations hacked by newly-found holes in Microsoft's Exchange email products, and that 100s of thousands of victim organizations worldwide now have web-based backdoors installed.
How the judge in charge of the proceeding didn't think to enable settings that would prevent people from taking over the screen is beyond me. My guess is he didn't know he could. This guy's reaction sums it up.
The IRS says by mid-2022, the only way to log in to will be through , an ID verification service where applicants have to submit copies of bills/ID documents, as well as live selfies via a webcam or mobile.
The hospitality industry continues to fail very publicly on security. E.g., I've stayed in more than 20 hotels so far this year alone; ALL of the US-based hotels I stayed at swiped my chip-based card instead of using a chip reader. "We take your security and privacy. Seriously."
SMS was already the weakest link securing just about anything online. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept texts intended for other mobile users. Can we stop pretending SMS is okay now?
True story: I do most of my media and story reading from a virtual machine. Sorry, but while I trust most of the publications I frequent to do their best to get the story right, I don't trust the 97 other sites from which they pull scripts and other random stuff.
Exclusive: Fraudsters changed the email and DNS records for a number of cryptocurrency trading platforms this week, after successfully social engineering employees at GoDaddy, the world's largest domain name registrar.
NY cloud payroll provider MyPayrollHR abruptly closes up shop, diverts $35 million in payroll, tax payments to its own account. Employees at thousands of companies that used the service dinged for 1-2 payroll payments. Meanwhile, the CEO has vanished
Exclusive: The U.S. Drug Enforcement Administration (DEA) says it is investigating a breach of an agency portal that taps into 16 different federal law enforcement databases. The intruder said they logged in to DEA w/ just a username and password, no 2FA.
Dangerous domain goes up for sale. It's dangerous because years of testing shows whoever wields it would have access to an unending stream of passwords, email/proprietary data from hundreds of 1,000s of systems at big companies
Many people are asking whether last night's 60 Minutes interview with the Facebook whistleblower is at all related to this outage. That's a good question.
In just a few days, consumer credit freezes will be free for all Americans and their dependents -- no more fees to place or lift a freeze. Here's a primer on the upcoming changes and why you should embrace the freeze if you haven't already
Account inactivity fees by banks are complete BS, and should be illegal. Not only do they get to hold my money with virtually no interest, this bank I opened an account at a couple of years ago for a story has started charging $10/mo. Had $200 in it. Now almost in negative.
Exclusive: Hackers used phishing emails to break into a Virginia bank twice in eight months, making off with more than $2.4 million in total. Now the bank is suing its cybersecurity insurance provider for refusing to fully cover the loss.
Facebook just deleted almost 120 cybercrime groups from its platform, totaling ~300k members who promoted everything from spam & credit card fraud to DDoS services, tax refund fraud, 419 scams & account takeovers. The avg age of these groups was 2 years.
I own some crypto (mostly HODL'd gifts) and yeah it's now worth a lot less than it was just a few days ago. But you know what's crazy? I keep secretly wishing the price will fall even further. Coin investors like to say "To the Moon!" I say, "To the ditch," where it all belongs.
Crooks are now hacking police, govt email accounts/websites to send fake "emergency data requests" to wireless providers, ISPs, social media firms. The requests claim it's a matter of life & death, can't wait for subpoena. The compliance rate is high.
3/ And then you think, hrm....maybe I should scan this thing at Virustotal, just because who TF is this company anyway? Holy smokes! 39 different antivirus tools detect this driver as Ramnit.a, a type of malware able to exfiltrate sensitive data.
Dear Twitter: If you care about your account, get a Google Voice # to replace your mobile # in Twitter settings. Uncheck SMS. Then use only either mobile app or even better a security key for 2-factor authentication. Do this for every other account you care about that you can.
Here's a question about the twitter compromise today that hasn't yet been answered: With the internal twitter tools access the attackers had, could they also have viewed the target account's direct messages?
#1 of who knows how many in re: Why I don't go to RSAcon anymore. I always say the best way to experience RSA is not to go to any of the talks, but instead hang out at the bars near the con to let people get liquored up and tell you things they shouldn't.
Finally got around to deleting my Facebook account. I don't trust FB, and I don't want to tacitly encourage other people to trust it. Anyone who wishes to reach out, please either or twitter (DMs open) or Wickr: krebswickr. Thanks.
On Monday, KrebsOnSecurity began following up on info provided by @holdsecurity that a ransomware group (Ryuk) is preparing to encrypt systems at possibly hundreds of medical centers/hospitals. FBI/CISA/HHS just had a call warning of "imminent, credible threat to US hospitals."
It's a little weird when you confidently tell an established security firm that they will in all likelihood seriously regret publishing something they're really proud of. Stay tuned.
In 2018, I unmasked the creators of Coinhive as the admins of a German image forum, whose members protested by donating 100s of 1,000s to orgs that fight cancer (Krebs = "cancer" in German). In their 3rd annual "Krebsaction" they've raised ~$160k so far
Coinbase and Overstock just fixed a bug I helped to report that let anyone buy items at ~15% of listed price by paying in bitcoin cash (BCH) instead of bitcoin (BTC). Worse, refunds for items purchased w/ BCH were refunded in BTC! Crypto-alchemy!
Also LOL: Twitter complained that I was trying to spread malware blah blah by changing my profile background like I just did. But it still let me. I can't decide which is funnier: Wrongfully accusing me of willfully spreading malware, or accusing me & letting me do it anyway.
Don't give away historic details about yourself. Today's post looks at how countless social media users are doing just that, responding to quizzes that ask you to give away answers to commonly asked "secret questions."
Scoop: InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber/physical threat info sharing partnerships w/ the private sector, this week saw its database of contact information on more than 80,000 members go up for sale.
The sheer volume of personal/sensitive data I've seen exposed on publicly accessible servers "in the cloud" over the past few weeks makes me wonder why cybercrooks bother "hacking" anything these days, other than perhaps because it's more challenging/fun to do so.
6/ According to Saicoo, this is all somehow my fault. "From the details you offered, issue may probably caused by your computer security defense system," "actually it's not carrying any virus you can trust us," "please just ignore it and continue installation." Cool cool.
At the risk of making my job harder (or possibly, easier?) it's clear I'm going to have to write an entire series of blog posts about how not to handle a data breach from a PR perspective. I'm sputtering over here. Gave @panerabread every courtesy and they treat me like an idiot
Exclusive: Multiple sources now say Indian IT outsourcing giant @Wipro is in the throes of dealing with a months-long breach in which intruders were seen using the company's networks to attack and probe customer systems
Someone's been creating a ton of fake CISO profiles on LinkedIn for major corporations. What's more, a lot of this info is getting ingested by various sources that then make it even harder to tell the truth in search results. Victor Sites CISO of Chevron? No. Real CISO on left.
Blown away that some of the largest media outlets including NYT and WaPo still have nothing about this mass Exchange server hack on hundreds of thousands of organizations. Esp. now that govies are saying it's a giant mess domestically and worldwide.
So... @ATT @TMobile @sprint @VZWNow When will each of you step forward & pledge not to share real-time customer location data w/ 3rd parties full stop -- without a court order? Who else has access to this data? How exactly did we "opt-in" to sharing it?
15-year-old security researcher finds dangerous flaw in cryptocurrency hardware wallets made by French tech firm Ledger. Company has released firmware update to address the weakness.
Oh look, the guy my source initially notified at @panerabread EIGHT MONTHS AGO -- their dir. of info security -- was senior dir. of security operations at Equifax until 2013. Shocker.
Unreal that BTC is soaring past $13,000. The spike is painting a huge target on anyone holding even meager BTC assets. Long past time to up your game, folks. At a minimum, make sure your security isn't reliant on the mobile carriers not getting social engineered
1/ Exclusive: Leaked private chats from the LAPSUS$ group show they hacked T-Mobile multiple times last month, stealing large volumes of source code. T-Mobile says no customer or government data was taken.