Ransom gangs increasingly outsource their work (krebsonsecurity.com)
94 points by todsacerdoti on Oct 8, 2020 | 31 comments



While there are a lot of “outsourced” malware-as-a-service and hacking-as-a-service outfits out there, the majority have law enforcement somehow embedded in some part of the supply chain or are a complete honeypot run by governments to entrap criminals. Beware outsourcers bearing gifts.

The “encrypted” Swiss phone of choice by narco traffickers (and others) in the 1980s run by the CIA:

https://en.wikipedia.org/wiki/Crypto_AG


There’s a much more recent example from 2020: https://www.france24.com/en/20200703-france-united-kingdom-n...

Police ran that service for quite a while before cracking down simultaneously across multiple countries.


Sounds like the servers running the service were compromised, not that the authorities were actively running the service.

They just sat back and let it continue until they decided to move on the information gathered.


No, they were forced to act because it became known that the servers were compromised.

"EncroChat sent what it called an "emergency" text to its users on June 13 saying it had been compromised"


>No, they were forced to act

Well, they really weren't considering they could have just not raided. The circumstances changed and they decided to act on what they had.


After that text the clock was ticking, and rapidly so.

It's a pretty interesting bust when you get into the details, highly recommended.


Given how well the narco traffic is doing, I would actually buy that phone.


They know that if they actually capture them all they would be left without work. Instead their goal is to say "look they are even bigger than before we need even more funds!!"


On the other hand, if they caught them all, in the long run society would remove the funding, actually leaving us without an "immune system". There is a balance to be achieved.


The right immune system here would be to legalize the drugs and regulate them, just as we do with ethanol. Then you can remove the funding from the war on drugs and related entities. Financing an army of bureaucrats and militants who feast on the country's resources and undermine democracy is not a terminal goal of a society.


Was the phone or the traffickers run by CIA?


I’d imagine owning the former made owning the latter easier.


If it's Russia we're talking about, law enforcement are just taking care of the competition.


Yes, he doxxes a ransomware mogul here. Yes, this is a good thing and should be applauded.


He’s also doxxed people who left bad book reviews, and people who argued with him on Twitter. Krebs is frequently a major shithead.

He’s not the judge and jury and he shouldn’t be doxxing anyone. It’s a big problem with him, and one of the reasons I wish people would stop linking to his website.


Those are some serious accusations (doxxing for bad book reviews, Twitter arguments).

If you can provide the references, I am open to reviewing them and acting accordingly in the future.


https://www.itwire.com/security/infosec-researchers-slam-ex-...

He doxxed notdan and gexcolo most recently on Twitter.


Also messing with a random site's admins. https://www.t-online.de/digital/internet/id_83466874/tid_amp...


pr0gramm is not a "random site", it's the German equivalent of somewhere between r/t_d and 8chan.


Influential public figures have no right to secret identity.


I'm not proud to say this but no way I'd want to do that. I'd hate to be on the radar of criminals like that ransomware mogul. Being in a country like Russia he is basically immune to law enforcement and he specialises in harming people remotely.


Krebs seems to be making a calculated career decision by doing so. He's trading some amount of risk for fame.

He's not been shy about telling you about when people have tried to retaliate.


People are already trying to do that to Krebs regularly. Numerous SWATing attempts, drugs sent to his house, etc


I'm glad someone is standing up to these people but I'm glad it's not me having to deal with that level of harassment.


> ... today’s attackers have exactly zero trouble gaining that initial intrusion ...

Any ideas why that is? I thought s/w companies have gotten smarter about securing their infra, e.g., strict https-only access, linux server (not windows), and so on.

If you're a startup with limited resources, what essentials do you need to be aware of to secure your systems?


https may hurt more than it helps in this case. One well-crafted email asking for help to debug a script on GitHub is all it takes to get sudo on up to 10% of the laptops in a company. Developers are just too darn helpful. :-) Unless you enforce full-tunnel VPNs on all laptops and force all outbound connections through MITM proxies, there is really no way to stop this. Anti-malware and anti-virus software will rarely detect a malicious Python, Ruby, Perl or Bash script that simply connects outbound and downloads / executes a payload. Even DNS can be used to fetch the payload.

If you are a startup with limited resources, keep things as simple as you can. Back up your code, artifacts and customer data somewhere that automation and malware cannot tamper with it. Encrypt your customer backups. Challenge your staff to automate patching of your endpoints, your servers, your virtual machine images, etc. Challenge them to create build systems that produce lean, fully patched images with software that only comes from trusted sources. Images for laptops, images you run in dev, images you run in production. Have a manifest of every piece of software, every library, every snippet of code your teams utilize. This will be helpful down the road when you have grown and your legal team wants to do a software license review. If using AWS, set up automation to audit and report on public S3 buckets.
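As an added example of the S3 audit suggested above (not code from the thread or from any AWS tool), the checks below take the ACL dict and policy JSON string that boto3's get_bucket_acl() and get_bucket_policy() return and report why a bucket is public; the sample bucket is constructed so it runs offline.

```python
# Added example (not from the thread or any AWS tool): flag S3 buckets whose ACL or
# bucket policy grants public access. Inputs use the shapes boto3 returns from
# get_bucket_acl() (dict) and get_bucket_policy()["Policy"] (JSON string).
import json
PUBLIC_GROUPS = {  # predefined S3 groups meaning "anyone" / "any AWS account"
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """Return (group, permission) pairs that expose the bucket through its ACL."""
    out = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GROUPS:
            out.append((g["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return out

def _wildcard_principal(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*", ...]}."""
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def policy_public_statements(policy_json):
    """Sids of Allow statements open to any principal and not narrowed by a Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no-sid>") for s in stmts
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]  # e.g. aws:SourceVpc scopes the grant

def audit_bucket(name, acl, policy_json=None):
    """One finding per public grant or statement; an empty list means not public."""
    findings = [f"ACL grants {p} to {g}" for g, p in acl_public_grants(acl)]
    if policy_json:
        findings += [f"policy '{sid}' allows Principal *" for sid in policy_public_statements(policy_json)]
    return [f"{name}: {f}" for f in findings]

# Constructed sample: public-read ACL plus one open and one VPC-scoped policy statement.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*", "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0000"}}},
]})
```

Running `audit_bucket("example", SAMPLE_ACL, SAMPLE_POLICY)` reports the AllUsers READ grant and the PublicRead statement but not VpcOnly, whose Condition scopes it to one VPC; the account-level "Block Public Access" setting, which this does not check, is the simpler guardrail where it can be turned on.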


Initial intrusion includes gaining a foothold on individual workstations/personal computers. The idea being that a) endpoint security is always a shit show and b) social engineering is the bomb.

I think after doing the obvious stuff with your core infrastructure and making sure you have good data backup and recovery procedures in place, the next best use of resources is in trying to make sure your employees don't get phished.


Netwalker and Ryuk use similar tools and tactics. Most all of them are doing the same. https://thedfirreport.com/2020/10/08/ryuks-return/


tl;dr: PEBKAC

The less glib answer is that while best practices have gotten better, companies aren't necessarily better at following them (your company or your vendors). Additionally, on average people have not gotten all that smarter (while scammers have become more sophisticated).

It's all about defense in depth. Plan for compromise, trade off the costs (nothing is free).

At a technical level there are basic things like: separating dev from production, requiring 2FA across the board, strong passwords, certs, separation of privileges, up to date software, secret management, etc that form strong defenses.

Another way to approach this is to pose scenarios and understand defenses:

* What information could an employee give away that would then lead to a compromise? How do you stop it? Password to a phisher? Check in credentials to github? Wire money to a fake vendor/wrong account?

* If X was compromised, what is the impact? What would it take to recover? Where X is: dev box, production box, customer facing service, etc.

Two insidious scenarios that happen way too often:

* Latest malware distributed via legitimate sites (ad networks, SharePoint, Dropbox, etc.) -- Hard to prevent beyond up-to-date systems and content filtering. If paranoid, all browsing through VMs or other forms of isolated environments. It won't stop compromise, but it will restrict scope.

* BEC -- Attacker studies your company. They impersonate an employee or partner (down to LinkedIn profiles) and convince someone to wire money. Or worse -- account compromise of a trusted partner. The attacker then uses this partner's account to hijack an email thread or send a 'normal' request like: "Our account has changed, future payments go to account YYYY."

Which brings us to vendors. Can a vendor's weak security break your company? Is it a good idea that your Microsoft Office 365 account allows unlimited password attempts (at least MS used to by default)?


These scammers should be hunted down globally and put to death if they are convicted after a fair trial. Their scams kill people as they target hospitals.


Please don't do this here.
