Thankfully, award-winning US computer security reporter Brian Krebs is safe.
Nobody was harmed. But they could have been.
Given a DOSed website, a fake and libelous FBI letter sent to his website host, and a dinner party delayed by a SWAT team training guns on him and ordering him to “Put your hands in the air!”, Krebs last week surely endured the most dramatic retribution ever meted out to a security blogger.
Krebs has a good idea of the specific criminal element behind the trio of attacks. Since the dramatic events of Thursday, he’s traced the denial-of-service attack to a common operator who apparently launched a similar attack on Ars Technica following its coverage of Krebs’s victimization.
As described by his fellow security scribe Dan Goodin at Ars Technica, Krebs is known for work that includes:
- “Exposés [that] completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network” and, more recently,
- “Investigative journalism that followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.”
In short, Krebs has enemies.
Last week, one or more of those enemies targeted him, likely in retaliation for his most recent investigation.
On Friday, Krebs detailed in a post how the ordeal started the day before, when his site was targeted with “a fairly massive denial of service attack.”
That same afternoon, a technician from Prolexic called. Prolexic is a company that Krebs hired to protect his site, KrebsOnSecurity.com, from DOS attacks.
Prolexic forwarded a letter they’d received earlier that day, purporting to come from the US Federal Bureau of Investigation.
The letter, which Krebs reprinted here, falsely claimed that Krebs’s site was “hosting illegal content, profiting from cybercriminal activity, and that it should be shut down,” Krebs writes.
Both Prolexic and Krebs dubbed it a hoax – an assumption Krebs confirmed with a quick call to the FBI.
As Prolexic tidied up his DOSed site, Krebs got to work tidying up his home in anticipation of dinner guests. His office phone rang while he was vacuuming, but he ignored it.
That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs’s number on caller ID.
As he was vacuuming, Krebs noticed plastic tape on the front-door threshold, left over from securing an extension cord. He opened the door to unpeel it.
He tells of what happened next:
"When I opened the door to peel the rest of the tape off, I heard someone yell, 'Don't move! Put your hands in the air.' Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.
"I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline."
Krebs had filed a police report last year on the suspicion that he would be SWATted.
SWATting is the practice of falsely reporting an emergency, as a prank or as revenge against a victim upon whom descends emergency services – or, in Krebs’s case, armed law enforcement.
Krebs’ persecutors had, in fact, spoofed an emergency call to make it appear that it had come from his phone.
As Sophos’s Chester Wisniewski noted last April when he wrote about fraudulent calls targeting US banks, caller ID spoofing can be particularly convincing in the US, given that the call display service used by most phone companies here does a reverse lookup for the name information based on the caller ID number provided by the call.
Once a criminal determines the phone number he wants to have fraudulently show up as his caller ID number – Krebs’s phone number, in this case – it’s trivial to display that number on the call recipient’s display.
Caller ID spoofing has been around for years through various technologies: ISDN PRI circuits used by collection agencies, law enforcement, and private investigators, all of whom have used it with varying degrees of legality; spoofing services such as Star38.com; and through Voice over IP (VoIP) technology.
Given how trivial it is to spoof caller ID, it’s surprising that people put any faith at all in the technology – most particularly that law enforcement do.
In fact, the police who took Krebs’s report warning that he might be targeted by SWATting hadn’t even heard of the practice.
All too readily, we tend to put faith in appearances. We believe caller ID identifies the true identity of a caller.
Or somebody flashes a piece of silver and we obediently hand over our licenses or wallets, or we open a door and allow strangers inside our home or our cars, without verifying whether what we’ve seen was an authentic emblem or a plastic toy badge.
We – the police included – trust in the technology we use. Criminals will always exploit that trust.
Krebs’s work, along with other security reporters and researchers, is to poke sticks into hornets’ nests, to borrow a friend’s analogy.
In this case, the sting from angry hornets could have had fatal consequences, as Krebs points out:
"I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.
"The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible."
Well said, Brian. We all hope so too, for your sake and for the sake of all security researchers, law enforcement personnel and victims of attacks like the one you experienced.