TERRY GROSS, HOST:

This is FRESH AIR. I'm Terry Gross. Remember the data breach at Target late last year that resulted in hackers stealing information from about 40 million credit cards? That news was broken by my guest Brian Krebs who helped uncover the story. Just a few days later, he broke the story of a credit card breach at Neiman Marcus. Krebs writes about cybercrime and computer security for his blog "Krebs On Security," which he started in 2009.

Before that he spent 14 years working as a reporter at The Washington Post where he covered tech policy, privacy and computer security and wrote the blog "The Security Fix." His book, "Spam Nation," about organized cybercrime is scheduled for publication in November. In order to do his work, he's learned computer code, the Russian language and how to get onto black-market websites and cybercrime networks. Cyber criminals who don't appreciate his work have found creative and frightening ways to harass him.

Brian Krebs, welcome to FRESH AIR. Let's start with what's probably the most famous story that you broke which was the breach at Target. I had assumed - I guess I wasn't reading this carefully enough - I had assumed Target had reported the breach. That's not the way it worked. You discovered it. So let's start with - how did you find out?

BRIAN KREBS: Right. Well, so let's be clear. The Secret Service, well, according to Target - the Secret Service alerted Target I think on December 12. I didn't get wind of this until - and so for whatever reason - you know, Target was trying to figure out what was going on, figure out how bad it was, how they were going to talk about this at a very sensitive time. They didn't immediately disclose this. And it came to my attention that something wasn't right with Target, I think, on December 16 when I started hearing from different sources in the financial community who were saying, you know, Brian we are just seeing a tremendous number of our cards - probably an unprecedented number of our cards - that we've issued to customers showing up for sale on this one underground store.

And I think it's important to kind of point something out here. Most people when I talk to them about underground stores kind of get this blank stare, right? Like, what exactly are you talking about? There are literally dozens, if not hundreds, of these shops in the underground. And they're not hard to find. If you know the URL, you know the IP address, you can load these, you can create an account, if you want to fund it with bitcoins or whatever. You can go ahead and buy whatever they have for sale. But this shop in particular was moving millions of stolen cards onto the market all at once.

And I worked with three different financial institutions. One was a very large financial institution and they acquired a whole bunch of their cards back from this store and sure enough they had all been used between Thanksgiving and mid-December. If you go back and you look at each one of these cards and you see that they were all used at the same place within the same timeframe that's a pretty good indicator. It's called the common point-of-purchase. And it's a pretty good indicator that that's the source of the breach.

GROSS: So they get the cards. They check the numbers to see what were these cards used to purchase? And they found all of these cards that they bought had made purchases at Target, therefore, maybe it was connected to that?

KREBS: At some point, yeah - exactly. And at some point you get beyond maybe to near certainty. It's just a math problem, right? I mean, if every, you know, if these banks acquire 10 cards each and there's three different banks and they all were used at Target, you know, between the same three-week timeframe that's a pretty good indicator. And at that point I felt good enough to run a story. And I reached out to the company and said, it looks like, you know, you're having a bad day, a bad week, a bad month, a bad year - something like that. And they basically said, talk to the hand. So I ran my story that said they had a breach. They came out the next day and said, yeah, we had this little incident. It impacted like 40 million cards and, you know, 70 million people's personal information.

GROSS: Do companies often not want to acknowledge a credit card breach? And if so why don't they want to acknowledge it?

KREBS: Well, nobody wants to acknowledge a breach. Period. Whether it involves credit cards or more sensitive information. Companies are obviously concerned about their public image. That it might hurt their stock price if they're a public company. That customers might lose confidence in the company and stop shopping there. That their competitors, and this is actually a pretty good concern, pretty valid concern, that their competitors are going to use it against them.

But on a very basic level, when let's just take the retail industry for example - this is an industry that traditionally has been very focused on physical security as opposed to cyber security, right? I mean, most of their losses have to do with, you know, people coming into their stores and stealing stuff or their employees stealing stuff. And so these companies tend to be in the business of what - customer service, right? They're not in the security business. So when they have a security incident it tends to take them awhile to figure out what the actually happened, you know, and how bad it is and no company wants to, you know, come out and say, we had a breach and not be able to say anything, you know, sensible about what happened, how bad it is, you know.

GROSS: And whether it's fixed yet?

KREBS: And whether it's fixed yet, exactly.

GROSS: So can you describe how cyber criminals manage to steal tens of millions of credit cards? Well, they didn't steal physically the cards - but they stole the information from the cards.

KREBS: Yeah. Early on there were some questions about how the breach happened and I think the Wall Street Journal ran a story saying it was tied to some contractor breach. It was working with Target, it had a security problem. And I got some information indicating it was this heating and air conditioning company in Pennsylvania and reached out to them and they confirmed the Secret Service had visited them and was investigating. But they didn't want to say much more about that.

But it seemed pretty clear that this breach started - the bad guys somehow got their foot in the door because they hacked into this contractor. And that contractor had some modicum of access to Target's network - whether it was their internal network or what - it was apparently enough for them to get their foot in the door and leverage it to, you know, pry it open a bit more. And once they were in they do like most criminals do - they case the joint for a little bit, try to figure out where the crown jewels were and at some point they started deploying malicious software to each and every one of the cash registers within the organization.

And, you know, this is not a small undertaking. So you think about - I think Target said there were about 1,800 stores across the United States. You got to figure each one of these stores has between probably 20 and 40 checkout lanes. So that's a ridiculous number of machines that they have to compromise. Fortunately for the bad guys these tend to be pretty uniform systems, right? They don't differ from machine to machine. They're all the same. And so somehow they compromised the method by which Target updates these individual cash registers. And they pushed out a malicious update and basically infected each and every one of these cash registers with malicious software that sits there and waits for a card transaction to go through.

And then there is a blink of an eye where that transaction, the credit card number and information that's stored on the back of that credit card is not encrypted. And it's in that blink of an eye that that malicious software is designed to snatch that information and record a copy of it and then periodically upload it to a centralized server within Target's organization, at which point that information was sent outside of the organization's network.

GROSS: So do you know about a lot of breaches at other, you know, stores and companies that the public isn't really aware of? I mean, is this so common right now?

KREBS: Yeah it is. It's incredibly common. So I did a piece, not long ago, that profiled a - what I call - a dump's shop. It's another one of these sites that's selling stolen credit card information. This one was by far the most sophisticated and actually humorous one that I've ever seen. It was called McDumples.

(LAUGHTER)

KREBS: And they're like violating every single, you know, McDonalds trademark there is. But it's got like this gangstered up Ronald McDonald - he's pointing a gun at the, you know, at the screen and their motto is I'm swiping it, right?

(LAUGHTER)

KREBS: But they cater to wholesale buyers. So people who are really in the market for buying thousands if not tens of thousands of stolen credit cards at once. And so that story that I wrote about McDumples really tries to educate people about how, you know, just by looking at what they have for sale you can get a sense of how pervasive this problem is. And I found that over three or four months these guys had credit cards stolen for sale that were stolen from merchants in just about every U.S. state. And when I started looking deeper into this I came to the conclusion that - I get this question a lot from people - they go, wow you must see a lot of really bad stuff, you know, cybercrime wise.

I mean, do you bank online? Do you shop online? What's that about? And lately I've been telling people, you know, I actually feel safer shopping online than I do at a Main Street store or some sub shop or, you know, a liquor store or the car wash or whatever because they're getting compromised left and right. Again, these are organizations that are in the customer service business - once they have their system set up and it works they never touch it again. So you can imagine these things get out of date, they get lazy, they set it up so that one login can be used to administer all of the systems. You know, you can imagine what actually could go wrong there. So it's surprising at how common these vulnerabilities are and how so many organizations are similarly vulnerable.

GROSS: If you are just joining us my guest is Brian Krebs. He's a journalist who writes about cyber security and he's become a kind of cyber-detective in the process. He used to write for the Washington Post and there he created his first blog which was called "The Security Fix." Let's take a short break and then we'll talk some more. This is FRESH AIR.

(MUSIC)

GROSS: This is FRESH AIR and if you're just joining us my guest is Brian Krebs. He writes about cyber security and he's part detective because he's like infiltrated places that are responsible for cybercrime. He writes the blog "Krebs On Security." He used to write a security blog - a cyber-security blog - for the Washington Post that was called "Security Fix." He is a former Washington Post reporter. So another breach that you've written about, and you were the first to write about this breach, was a breach at Experian. And Experian is a credit bureau, which means that they monitor credit ratings, they provide credit reports. So a breach there is a big deal because they have a lot of information. It's not Experian, per se, that was breached. Experian acquired a company that was breached which led to Experian's exposure. So could you explain what this breach was?

KREBS: Sure. So there was identity theft service operating in the underground that sold access to people's most personal information - so their Social Security number, dates of birth, mother's maiden name - anything you'd need to assume somebody's identity. This service got the data, they bought it, from a company that was acquired by Experian. And this company, called Court Ventures, is a data broker - or data aggregator - and their job is just to basically Hoover up all the information they can about U.S. consumers and then sell that information to whoever wants to buy it. So in this case, you know, companies like Experian, Trans Union, Equifax these are sort of the gatekeepers of your personal information as it relates to who you are online and in the real world. So data aggregators will sell information.

It's basically packaged information. So they will sell this to marketers. They will sell it to advertisers and those advertisers will come to these data aggregators and say, look we want to reach this market. We want to reach soccer moms, you know, who are divorced that are making more than $100,000 year and maybe bought a car last year. And that level of detail is possible because data aggregators, like Experian, have so much information about what we do online and in the real world that they can slice and dice people into little buckets, little thimbles, if you will, very granularly. And so that in a sense is what these companies do. That's their business. But they also sell information to a different set of clients.

So law enforcement, private investigators and that data tends to be a lot more sensitive. So the information I mentioned before - driver's license information and then a, you know, criminal background records, civil court records, ownership records - things that would be useful in tracking people down. And a point in fact, the guy running this criminal identity theft service got access to all this information by posing as a private investigator based in the United States when of course he was actually this, you know, Vietnamese kid in his 20s operating out of Vietnam and paying for all of his information via wire transfers from Singapore.

GROSS: So you were tipped off about this breach. So what information was revealed? Who was compromised?

KREBS: Well, we're still sort of figuring that out. But what we know is that the Secret Service arrested the guy responsible for running that service and then basically pretended to be him for many months just to get, to understand to build dossiers on the people who were buying dossiers on Americans, essentially. And try to figure out what they were using it for. And what they found is that he had 1,300 paying customers that looked up, I think, a total of 4 million consumer records over a couple of years. And these guys were using it for identity theft, establishing new lines of credit in people's names and an increasingly common form of fraud where the fraudsters file your taxes for you. Which is a kind of identity theft that I wouldn't wish on my worst enemy, right? It's bad enough that you get your identity stolen but somebody files your, you know, taxes for you with the IRS and, you know, claims that you're due this huge refund and the IRS sends you this money then you figure out that not only is your identity stolen but now you have to deal with the IRS too. So a ridiculous number of these customers were actually using it for tax return fraud.

GROSS: That's a pretty big breach.

KREBS: It is a big breach.

GROSS: I guess what makes it scary is that since companies like Experian have so much information if they're breached that's really terrible.

KREBS: Right. And this is part of the reason, I mean, people have, you know, I've been criticized by Experian and by others saying, you know, it really isn't fair of you to call them out like this but particularly given the complex nature of the relationship that this criminal running this ID theft service exploited between these companies. But, you know, my point is that's neither here nor there. I want to know how many people did this impact? Why isn't there more discussion about this? And what it comes down to is these companies sort of have a de-facto mandate from our lawmakers here in the United States to act as the major credit bureaus. It's not clear to me though that they have a whole lot of accountability when things like this happen. And again, I'm not saying it's all experience faults or that it's even mostly their fault. The truth is they've denied any sort of responsibility here - just about every party involved has denied responsibility and my reporting shows that there have been thousands of consumers that have had their identity stolen either via tax fraud or new credit cards open in their new name or new bank accounts or whatever. And so far nobody's really been called to task for this.

GROSS: Were you onto the story before or after the Secret Service?

KREBS: Along after. But this is another really frustrating story for me because my question is, OK, so this identity theft service had access to 200 million consumer records. I'm not saying that these customers of this identity theft service actually looked up 200 million records but they certainly had access to those. They had to pay for every look up. And so did the ID theft service. So they didn't look up 200 million records. But, you know, in this case who's responsible for notifying consumers who were affected by this? And as near as I can tell none of these consumers have been notified by anybody.

So, you know, Congress has had a couple of hearings where they brought some Experian folks up to talk about this and maybe one or two hard questions have been asked of them that's pretty much it. They were more interested in, you know, the consumer dossiers that these companies were building on people and who they were selling those to. But I just want to make a point here that is the most galling thing for me having broken the story and the Target breach and this Experian thing - it is not long after the Target breach became public knowledge the company turned around and, you know, basically pulled out a page from what has become sort of the MO - the playbook of public response if companies have breach. They purchase huge numbers of licenses for identity theft detection or prevention services from companies like Experian.

And this, like I said, has become sort of the default response for companies that have a breach even in cases like at Target where identity theft protection service really doesn't do anybody any good because these services, well, first of all they're of dubious value to begin with but they don't do anything to help you monitor fraud on existing accounts, like credit cards. So anyway target buys the identity theft protection service for 40 million people, essentially, from Experian. Now essentially what they've done is said, OK guys, customers, we're really sorry about this breach and to make up for it we're going to go ahead and sign you up for this service at Experian, which by the way is one of the biggest data brokers on the planet and we would like you to go ahead and give them all the information they didn't already have so that they can package it up and sell it to marketers.

I mean, that is the default response when companies have a data breach today. And to me that has to change because it's insulting.

GROSS: Brian Krebs will be back in the second half of the show. He writes the blog "Krebs On Security" about cybercrime and computer safety and is the author of the forthcoming book "Spam Nation." I'm Terry Gross and this is FRESH AIR.

(MUSIC)

GROSS: This is FRESH AIR. I'm Terry Gross back with Brian Krebs, an investigative journalist who covers cybercrime and computer safety. He's the founder and author of the blog "Krebs On Security" and is a former reporter at the Washington Post where he wrote the blog "Security Fix." His book "Spam Nation" about organized cybercrime is scheduled for publication in November. Among the stories he's broken are last use credit card breaches at Target and Neiman Marcus. Because you have uncovered so much cybercrime, there are some cyber criminals who would really like to seek their revenge against you. And some of them have come up with some pretty unusual ways of doing it, including - (laughing) this is really an interesting one - the guy who sent heroin to you, notifying the police that he was sending heroin to you, expecting them to come and bust you when the heroin arrived.

(LAUGHTER)

GROSS: So who was behind this?

KREBS: Right. So at the time, I really didn't know much about who was behind this. But I did notice that there was an individual - this was probably spring of 2013 - an individual on twitter started sending me really nasty and malicious tweets and some of his Russian speaking buddies also started sending the same things. And then he changed his Twitter profile to be, you know, a picture of an action figure holding up my severed head. And then it was a picture of my face with Gestapo uniform and, you know, male genitalia next to it or whatever. And so I was like OK, what is going on? And this guy starts really harassing me. And I figured out that the guy who was harassing me actually was an administrator of a very exclusive cybercrime forum that caters to Russian and Ukrainian criminals, who essentially do all kinds of card fraud and identity theft. And I worked with a source of mine who was able to essentially get me access to his forum, which was no small feat. But it was none too soon because it became very clear that he was in the middle of hatching a plan to send heroin to my house. So his goal was to - he took up a collection of other crooks on the forum and I think they collected like two bitcoins, which at the time was, I don't know, you know, about $1000. And they went on the Silk Road, which is a, you know, it's a place where you can buy heroin on the Internet essentially, or guns or whatever you want. And they...

GROSS: It's like a black-market site.

KREBS: Yeah, it's a black-market - a black-market bazaar. So they - their plan was to send the drugs to my home and then, you know, call the police when it arrived and say oh, the drugs are well hidden. You know, make sure you search his house really well. And spoof a call from my neighbor's, basically saying, you know, Krebs' got people coming in and out of the house at all hours. He's - you know - he's been, like, lazing around the porch, we're really not sure, we think he's on drugs. And now he's, you know, buying drugs. Well, so thankfully I was able to sort of track this scheme as it was unfolding. They even put the tracking number for the shipment in the forum posting, which - so I could track the drugs as they were headed to my house.

I called the police and said look, I'm not a druggie (laughing), you know, and here's how you know. I think - I'll never forget the cop came out to take a report and I'm showing all these screenshots and say, you know, believe - just trust me, OK? I know it's in Russian, but this is what they're saying. And, you know, you could see the pictures of the heroin and the guy they're buying them from. The guys just shaking his head the whole time. And I - you know - he takes the report and he's like all right, give me a call when the drugs come and we'll pick them up, you know. I said OK. He goes - I'll never forget it - he goes - I said - I said all right well, thanks for coming, be safe. And I hear him mutter as he's walking out the door - yeah, I'm not the one getting Russians sending drugs to my house, you know.

(LAUGHTER)

KREBS: Anyway, they did show and I called the cops. They came and picked them up and that was that. And then I - yeah I got really curious, as you can imagine, about - all right, who was this jokester that sent drugs to my house? And - like, I wanted to know who he was in real life. And it really wasn't super difficult to figure that out. I figured out he was a Ukrainian fraudster who was actually living in Italy with his wife and young boy and he was running a card - a credit card fabrication factory in Naples. And I shared this information some friends who shared it with some other friends, I think. And a few weeks ago, got a heads up that basically this guy, who went by the name "The Fly," you know, that he'd been arrested. And so that was kind of a cathartic moment for me (laughing).

GROSS: It must have given you great relief too because after - after you reported him to the police, he sent a floral cross to your wife.

KREBS: Yeah, yeah, yeah.

GROSS: And that's a very threatening...

KREBS: It was.

GROSS: ...Thing to do.

KREBS: He was kind of - I think he was kind of embarrassed because I wrote about their scheme and my foiling their scheme and so he was kind of upset about that. So I was at Black Hat and Def Con, which are back-to-back security conferences. And I called my wife and said I'm here, I'm landed, I'm coming home. She's crying and I said well, you know, what happened? She told me that this, you know, life-sized cross with a note for her had arrived and said - you know - dear Jennifer, we're really sorry but you married wrong the guy. You know, rest in peace. But we'll always take care of you, don't worry. And at this point, I was really angry and I reached out to the guy on twitter again and I said listen, you jerk...

GROSS: You reached out to the perpetrator?

KREBS: Yeah, yeah, yeah. And by this time, I had figured out his real name and the wife - his wife's name and his kid's name and where he lived. And I said hey, how'd you like it if your wife Irena (ph) got an interesting package in the mail? How'd you like it if your son Max didn't come home from school one day? And how does that feel? And he laughed and just laughed it off and said oh, ha, ha, you know? I'll just wait for the FBI. But he never bothered me again after that.

GROSS: What were you - what message were you intending to say when you wrote how would it feel if your son didn't come home from - you weren't threatening to kidnap his son?

KREBS: No, no, no. I just wanted him - I wanted him to know that - so a lot of these guys perpetrating cybercrime, they do so because they think they're anonymous. They think they can't be found out. They think they can't be - nobody can touch them in the real world. And that's true to a certain extent for guys that are in Russia and Ukraine as long as they never leave those countries. But when you're talking about individuals that are in other parts of the world that are responsible for these types of crimes, that's not the case. And one of the things that I've spent a lot of my time as an independent reporter working on is identifying people who don't want to be found. And essentially giving them an opportunity to explain their actions but essentially, you know, putting that information out there saying look, you think you can - these things - there are no consequences for what you're doing but there are. And eventually, this stuff catches up to you. And that's a big part of, actually, the book that I've written, is all about.

GROSS: You have a book coming out in the fall.

KREBS: Yes, in - on November 18. It's by Sourcebooks. It's called "Spam Nation." And it is essentially about two of the biggest cybercrime kingpins there ever were doing battle with each other, trying to destroy each other and for better or for worse, trying to use me as a proxy for that (laughing). Essentially, these two guys that collectively employed probably the most infamous virus writers and spammers on the planet, paid hackers to break into each other's operations, steal years' worth of emails, chat records, you know, banking documents, everything that described - you know - how their entire criminal operations ran and leaked that to U.S. law enforcement and to yours truly. And so I've had a lot of time to really (laughing) dig through this information and, you know, figure out how this world works. But also, it's allowed me to - I think very accurate - figure out who these guys are. And it's a very - you'd be surprised how small this world is when you get right down to it. Most of these guys actually know each other.

GROSS: If you're just joining us, my guest is Brian Krebs and he founded and writes the blog "Krebs On Security," which is all about cybercrime. He broke the story about Target credit cards being breached. We're going to take a short break and then we're going to talk more about cybercrime. This is FRESH AIR.

(MUSIC)

GROSS: This is FRESH AIR. And if you are just joining us, we're talking about cybercrime. My guest is a journalist, who's really also a detective. His name is Brian Krebs and he writes the blog "Krebs On Security." He used to write the "Security Fix" blog for the Washington Post, where he was also a reporter. So what else have hackers done to you out of revenge for things you've revealed about them?

KREBS: I can't always say it's revenge. It's sort of like the heroin case - some of this just maybe it's become sort of a meme or just a trend for people to pick on Brian Krebs. But in March of last year, the heavily-armed police force showed up at my home, apropos of nothing. Somebody had called in - they called swatting. Somebody had called in a fake hostage situation at my home. Said I - you know, they said that Russians had broken into my home and shot my wife and that I was hiding in the closet - send, you know, guns and forces to get these guys out of my house. And that was a pretty troubling experience.

GROSS: So they actually showed up?

KREBS: They showed up. And, in fact, I had called six months in advance - the non-emergency number for the local police department - and said that this actually might happen. Some of the guys that I write about tend do this for fun to each other. And the guy that took the report - he had never even heard of swatting. He didn't even really know what it was. And I said, yeah, look, here's what happens. Here's my cell phone. Give me a call. If you get someone who says there's hostage situation going on at my house, just give me a call before you roll truck with the troops to my house. And to their credit, they actually did call. My phone was upstairs. I was downstairs vacuuming, 'cause I was getting ready to have company over. And I just happened to open the door and there's this heavily-armed police force pointing shotguns and AR-15s and pistols at my face. It was - if that never happens again, it'll be too soon. (Laughing).

GROSS: So even though you called, they still sent out the SWAT team?

KREBS: Yeah, yeah, they did. And they put - you know, they had me walk - put my hands up, walk - and this was when it was about 30 degrees. I'm in my gym shorts and a T-shirt and socks. And they have me walk down my front stoop, backwards. And then they handcuffed me and put me in the squad car. And, you know, this is all happening at about 5 p.m. - 5:45 in the evening on a weekday. So all the people trying to come home from work are - you know, the police have barricaded the entrance to our neighborhood and people are staring out their windows. (Laughing) And, you know, so it was quite a scene.

GROSS: Awkward.

(LAUGHTER)

GROSS: Yeah, oh, they're taking him away.

KREBS: Yeah. I guess the other things that happen constantly are taxes.

GROSS: Well, did you contact this guy, who's responsible for the swatting incident?

KREBS: I did. I spoke with him at length. He is a young man.

GROSS: Spoke with him via the Internet?

KREBS: Yeah, via instant message. And he's a young man with a very colorful past and basically, a really talented hacker who's broken into some very, very sensitive places and caused a lot of problems for people. And he's currently dealing with a whole bunch of different criminal charges. But he's a minor. You know, he's under 18. So the federal system really doesn't know what to do with minors, at least when it comes to cybercrime charges. And I think a lot of these guys know it, so they consider it pretty harmless. And at the end of the day, they consider that if they get in trouble, they'll be out of trouble within a year or two, so.

GROSS: Do you think some of this is the equivalent of a cybercriminal's idea of a prank call - a phony phone call?

KREBS: This is a tricky question to answer, I think, because my sense is that a lot of the cybercrime that's being perpetrated today is being done by young kids who, frankly, have nothing better to do. They've got no adult supervision in their life. And they do it because it makes them some spending money and gives them a sense of superiority over their friends or you know, their peers or maybe society at large, right? On the other hand, I can say for sure that on the other side of the coin are some very bad people. And I think it's never a good idea to dismiss your personal security and safety and that of your family, particularly when you're dealing with what I would consider sociopaths. It's my belief that a huge percentage of people involved in cybercrime are probably at best narcissists of the Nth degree. But more typically, they are sociopath and they find elaborate, if not very imaginative, ways to justify spreading widespread societal harm for their own personal pleasure and gain. And I think it would be a mistake to discount the willingness of these people to cause harm to those they might view as threatening their business or self-interest. So, you know, in short, I do a lot of different things to protect myself, my family, my assets from harm. Not many of which I want to go into detail here. But it's definitely a concern of mine and my wife, thank God, has a pretty good sense of humor.

GROSS: So, you know, there's so many scams to watch out for in terms of cybercrime. Give us some basic tips of things that we should do, whether we're shopping at a store or online or just opening up our email.

KREBS: Yeah, so for one thing I have a three rules sort of mantra which is - and the first one is if you didn't go looking for it, don't install it - OK? So this is, you know, you go to a site and it says, hey, you know, in order to use - to view this content, you need to install this. Well, probably not the best idea 'cause you don't really know what to install. So if you think you need to install something, go to the vendor of that software. Get it from them, you know, and do it that way. If you installed something, update it, right? A lot of this - a lot of people's computers no longer belongs to them because it gets taken over by malicious software that basically installs itself because people don't update the stuff that's plugged into their browser, right?

So it might be Flash or Java or Adobe Reader or whatever, you know, and they go to a site that is hacked and all of a sudden, their computer doesn't belong to them anymore. And all passwords and everything on it is, you know, stolen. So if you installed it, update it. And then the third one is if you don't need it anymore, get rid of it. It's one less program to worry about, one less program to update, etc. So that covers a lot of the cybercrime that might hit you as a consumer using a computer. The other thing is be really careful with email. I mean, a majority of this stuff comes through spam. The malicious links in emails or attachments - be extremely wary of anything sent to you in email.

GROSS: Is there a way to know if your computer's been compromised and is being used as part of a botnet?

KREBS: You know, it's really, really important that you keep up-to-date with this stuff, the software updates, and be wary about what people are sending you in email because it's a lot easier to keep your system from getting infected than it is to figure it out once it's infected and figure out how to fix it after the damage is done. And increasingly - and I say this - this is a really important point because it used to be, you know, you had to go to some help forum and, you know, get some volunteer to help you figure out how to remove the software. These days if your system gets compromised, there's an excellent chance that all of your data - so all of your pictures, your important files, anything that you value on your system is going to be held for ransom.

GROSS: Held for ransom - what do you mean?

KREBS: They call it ransomware. And so the first thing this malware does is it encrypts all of your data with very very difficult-to-crack encryption - encryption that would be hard for, say, the NSA to even break. And they say, hey, look. Then you get a pop-up. Once it's done with this process, it lets you know your system is infected. It says, hey, you know, your friendly neighborhood cybercriminal here. Sorry to bother you, but we've encrypted all your files. You have 72 hours to pay up or we'll delete your files forever. And it's really sad when you talk to people who've been hit by this because, unfortunately, there's not a lot you can tell them. I mean, they can pay the ransom or they can kiss their files goodbye because, increasingly, you don't get a second chance. You know, when your computer gets compromised, as I said, it's not your computer anymore. And it isn't your data anymore. Somebody else owns it.

GROSS: Is this why you wrote in your blog that 2014 may be the year extortion went mainstream?

KREBS: (Laughing) Yeah, partly. These ridiculous number of these cyber-attacks now involve some kind of ransomware component. And the other part of it is that recently we started seeing regular Main Street businesses getting things - notices the snail mail saying, hey, unless you want a massive number of complaints to say the health inspector or, you know, people to trash your reputation on Yelp or, you know, unless you want the cops showing up, you know, responding to bomb threats at your business - you know, all of these disruptive things, you will pay us one or two big coins, or I don't know what it is - the equivalent of like $1,000. So these are sort of like shakedowns that have been going on forever, right? You know, the mob has sort of done this forever - like protection money. But now it's kind of, you know, these cybercriminals are finding new ways to extort people that kind of blur the lines in cybercrime and, you know, real-world fraud.

GROSS: Well, Brian Krebs, thank you so much for talking with us and stay safe and secure.

KREBS: Thanks. Pleasure's all mine.

GROSS: Brian Krebs writes the blog "Krebs On Security." His book "Spam Nation," about organized cybercrime, is scheduled for publication in November. Coming up, John Powers reviews the French film "Violette," based on the story of trailblazing French novelist, Violette Leduc, who is friends with Simone de Beauvoir. This is FRESH AIR.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR’s programming is the audio.

Comments

 

Please keep your community civil. All comments must follow the NPR.org Community rules and terms of use, and will be moderated prior to posting. NPR reserves the right to use the comments we receive, in whole or in part, and to use the commenter's name and location, in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.