How to Bury a Major Breach Notification

Amid the hustle and bustle of the RSA Security Conference in San Francisco last week, researchers at RSA released a startling report that received very little press coverage relative to its overall importance. The report detailed a malware campaign that piggybacked on a popular piece of software used by system administrators at some of the nation’s largest … Читать далее

Brazilian ‘Boleto’ Bandits Bilk Billions

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate … Читать далее

KrebsOnSecurity.com Wins Awards

In February, this blog and its author were recognized for three separate awards. At the RSA Security conference in San Francisco, KrebsOnSecurity.com was voted the “Most Educational Security Blog” at the Security Bloggers Meetup (for the second year in a row). The judges at the meetup also gave KrebsOnSecurity.com the honor of the “Best Blog … Читать далее

Double the Love from Friends and Enemies

KrebsOnSecurity.com earned two honors this week at the RSA Security Conference. For the second year running, it was voted the blog that best represents the security industry by judges at the 2012 Social Security Blogger Awards. I was also recognized for a “Security Bloggers Hall of Fame award,” alongside noted security expert Bruce Schneier. Many … Читать далее

Zeus Trojan Author Ran With Spam Kingpins

The cybercrime underground is expanding each day, yet the longer I study it the more convinced I am that much of it is run by a fairly small and loose-knit group of hackers. That suspicion was reinforced this week when I discovered that the author of the infamous ZeuS Trojan was a core member of … Читать далее

Chasing APT: Persistence Pays Off

The IT director for an international hedge fund received the bad news in a phone call from a stranger: Chinese hackers were running amok on the fund’s network. Not seeing evidence of the claimed intrusion, and unsure about the credibility of the caller, the IT director fired off an email to a reporter. “So do … Читать далее

Court: Passwords + Secret Questions = ‘Reasonable’ eBanking Security

A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge … Читать далее

RSA Among Dozens of Firms Breached by Zero-Day Attacks

This is the second installment of a multi-part series examining the tools and tactics used by attackers in the RSA breach and other recent network intrusions characterized as “ultra-sophisticated” and “advanced persistent threats.”  If you missed the first piece, please check out Advanced Persistent Tweets: Zero-Day in 140 Characters. The recent data breach at security … Читать далее

Advanced Persistent Tweets: Zero-Day in 140 Characters

The unceasing barrage of targeted email attacks that leverage zero-day software flaws to steal sensitive information from businesses and the U.S. government often are described as being ultra-sophisticated, almost ninja-like in stealth and anonymity. But according to expert analysis of several recent zero-day attacks – including the much publicized break-in at security giant RSA — … Читать далее

Domains Used in RSA Attack Taunted U.S.

Details about the recent cyber attacks against security firm RSA suggest the assailants may have been taunting the industry giant and the United States while they were stealing secrets from a company whose technology is used to secure many banks and government agencies. Earlier this month, RSA disclosed that “an extremely sophisticated cyber attack” targeting … Читать далее