How an Independent Reporter Broke the Target Security Breach Story, and at What Risk
ASCII portrait of Brian Krebs of KrebsonSecurity.org.
June 16, 2014


Brian Krebs, 41, of KrebsOnSecurity.com, sits at his Northern Virginia home office, showing me his daily routine. A shotgun in a case leans against the corner of the room. On his desk sit four busy computer monitors and two laptops. One of the monitors has video feeds from security cameras around his house; the others show a range of underground forums and websites that sell stolen personal information and credit cards.

It’s the home of a man who understands that a malicious intruder could come from anywhere.

Krebs reports on cybercrime. He broke the story about the Target breach in which 40 million people had their credit and debit cards stolen by hackers. Target’s profits dropped 46 percent in the fourth quarter of 2013 and CEO and chairman Gregg Steinhafel left the company in May amid news of the breach.

[Below, Krebs speaks with a CNN reporter about the common characteristics of today’s hackers.]

In the past year, Krebs also reported on a $900,000 “cyberheist” in which cyber-criminals overloaded the servers of a bank with fake traffic to distract employees while they stole nearly $1 million from an online bank account. He reported on a breach in retail stores Michaels and Aaron Brothers that resulted in 3 million credit cards being stolen. Since the beginning of 2014, he has covered at least 7 different data breaches. 

Krebs has covered cybersecurity for more than a decade, first writing about it for The Washington Post before starting his own site.

It’s only recently, though, close readers of his say, that his work has penetrated national conversations.

Krebs, who earned a bachelor’s degree in international studies from George Mason University in 1994, has over 60,000 followers on Twitter. His name is well known among security professionals and his stories are common household topics now. And, though he hasn’t revealed how much revenue his site generates, Krebs has said he is making more now based on advertising, speaking engagements and other consulting gigs than he did reporting at The Post.

The cybersecurity beat, after years of obscurity, is finally paving its way into the mainstream.

Back in his office, Krebs spins around in his chair to face me.

“What kind of music do you like?” he asks me, out of the blue. Krebs plays music all day as he does his reporting. I name-drop the band Beach House, which he looks up online and blasts through his sound system. He pulls up his own playlist.

“I kind of like the funky background music,” says Krebs, bobbing his head as drums, guitar and a groovy bass line burst through his speakers.

“Sometimes you just need a little bass,” he says.

[Below, the Brian Krebs playlist created by reporter Cory Blair, on Spotify]


The Dangers of Lurking Amid Cyber-Criminals

No other security reporter goes deep underground and mingles with criminals quite like Krebs, according to one of his former editors.

“Working with Brian was like a daily dose of paranoia,” says Bob Greiner, Krebs’s editor at The Washington Post from 2004 to 2006. (Greiner now works for the IRS.) “He would always do the scariest stuff…. There was always that kind of feeling that you were walking close to the edge of a cliff.”

Krebs is no stranger to the darker sides of the web. He says he trolls underground forums looking for criminal activity to write about. He wants to find out what the “bad guys” are doing, what they are talking about, and what new tricks they are coming up with.

“More than anything else, I look for raw data information that is indicative of trends, of breaches, of new lines of criminal business, whatever it is,” says Krebs.

No one on the forums wants people like Krebs snooping around, but they can’t lock him out because they have to strike a balance between being open and closed, Krebs explains. Sites can’t completely block the public or potential customers would be locked out as well, he says. So, for now, Krebs is free to snoop.

The ramifications are personal and often dangerous. His reports shine a light on illegal underground Internet activities and cyber-criminals don’t take such exposure kindly.

Security camera footage of law enforcement officials at the doorstep of Brian Krebs’s home in the “SWATting” incident.

On March 14, 2013, an unknown person or persons, in a move known as “SWATting,” contacted police with a fake tip, which resulted in a SWAT team showing up at Krebs’s house. According to an account on his website, “the caller claimed to be me, reporting that Russians had broken into my home and shot my wife.” Krebs was handcuffed before it was determined that it was all a hoax.

On July 29, 2013, someone sent heroin to his front door, then notified police. Krebs says his website, KrebsOnSecurity.com, gets cyber-attacked and taken down about once a week.

The Fairfax County Police Department declined to comment on any of these incidents.

Krebs shows me a webpage constructed in his honor. The website hosts, shall we say, unflattering Photoshopped pictures of Krebs. In one, a Mortal Kombat character holds up a depiction of his severed head.

The site also has information that would make anybody paranoid.

“Here’s my credit report,” says Krebs, scrolling through the site. “My neighbors, my house, my Social, credit card number, balance, wife’s name, her Social, birthdate, the front of my house,” Krebs lists, chuckling. It’s nothing new to him.

“The genie’s out of the bottle, and there’s no stuffing him back in,” says Krebs. “At the end of the day, life goes on, you got to get work done, and you try not to worry about it too much.”

Still, that shotgun in his house? Krebs says he keeps it for home security.

Krebs and I sit at his desk, the music still blasting.

He continues down the playlist.

“I’m pretty proud of this mix,” says Krebs. He goes to the next song. “This is a pretty good song. It’s almost like, acid punk.” We bond over a fondness for musical groups Four Tet and Com Truise. He checks his email.

“Hey, my Klout score went up!” shouts Krebs over the music. “Who cares? I don’t even know why I signed up for this thing!”

How Krebs Broke the Target Breach Story

Krebs worked at The Washington Post from 1995 to 2009, starting in the circulation department. He started covering technology in 1998. His interest in cybersecurity started in 2001 after he was twice locked out of his computer by a virus. Krebs realized he knew very little about cybersecurity and decided to beef up his knowledge. He then started his own website, KrebsOnSecurity.com, after his job was eliminated at The Post in 2009.

A lot has changed since he first started on the beat. Now, each of Krebs’s four computer monitors has its own function. Some have tough and very technical security systems to prevent hackers from breaking in; he uses these computers for diving into underground forums — online communities where cyber-criminals communicate with one another.

Brian Krebs, in his home.

This snooping can have enormous consequences. Take his Target story, for example. According to Krebs, it all started when several smaller banks came to him and reported that fraud rates were going off the charts.

Krebs went directly to a known site that sells stolen credit cards and had just received an enormous shipment. He matched the BIN numbers (the Bank Identification Number is the first few digits of a credit card number) on the cards with the banks that issued them and confirmed that the banks all had stolen cards on the market. Krebs gave the banks some pointers on how to buy some cards back using Bitcoins, a type of digital currency.

He asked the banks to tell him if they all had a common point of purchase, and the fraud teams at the banks verified that they were all used at Target between Thanksgiving and Dec. 15, 2013. Krebs knew this had to be more than just coincidence.

After giving me a tour of his workplace, Krebs shows me a website where the Target cards were sold. There’s a seemingly endless list of credit card numbers, names, passwords and other personal information, organized in neat, vertical columns. Next to each are price and “purchase” buttons.

“If you want to buy Target cards, you still can,” says Krebs, highlighting a few of the cards. “They’re a lot cheaper than they used to be. Only 16 bucks a piece.”

Target did not respond to requests for comment; the company says on its website that anyone who shopped at its stores between Nov. 27 and Dec. 15, 2013 should watch for “suspicious or unusual” activity on any credit or debit cards used at the store in that time period.

Krebs pauses the music as he walks over to his acoustic guitar. “Do you like The Rolling Stones?” he asks as he sits and begins to strum one of their songs. After a little while he stops and points to another guitar case in his room.

“In there is a classical I got for my birthday a couple of years ago,” says Krebs. “It’s a beautiful guitar. It’s frickin’ awesome. I love it.”

Though Krebs said he doesn’t get as much time as he wants to play guitar, he’s still happy with his career.

“I really do love what I do,” says Krebs. “Most of the time the day goes by and I’m like, ‘Where’d the day go?’”

Michael Figueroa, an MIT graduate and member of the cybersecurity community from the Boston area, says Krebs is important because people notice him and his work.

“If Brian hadn’t exposed the depth of the [Target] breach, mainstream media might not have paid attention to it,” says Figueroa. “There’s also the fact that he’s the deepest investigative reporter you could ask for.”

Greiner compared Krebs to an undercover cop and called him an “enterprising, adventurous, fearless individual.”

“I don’t think there’s anybody who does what Brian does,” he said.

Comments
  • http://www.elteto.net/ Adam Elteto

    For fairness, it must be stated this kind of work could be done with fewer personal risks, but if someone wants to make it a living and wants credit, he or she has to attach a name and identity to it. Not all security researchers put their name and face alongside their findings on the Internet.

  • http://www.wiredtree.com/ Rachel Gillevet

    Great post, Cory. Really fascinating stuff. I just wanted to reach out and let you know that I included this in my roundup of June’s best security content. http://www.wiredtree.com/blog/the-monthly-round-up-junes-best-web-designdevelopment-cms-and-security-content/ Thanks for the insightful look at Brian Krebs’s day-to-day, our readers will appreciate it. Cheers!

    Rachel