Sophos Cloud Optix
Thankfully, award-winning US computer security reporter Brian Krebs is safe.
Nobody was harmed. But they could have been.
Given a DOSed website, a fake and libelous FBI letter sent to his website host, and a dinner party delayed by a SWAT team training guns on him and ordering him to “Put your hands in the air!”, Krebs last week surely endured the most dramatic retribution ever meted out to a security blogger.
Krebs has a good idea of the specific criminal element behind the trio of attacks. Since the dramatic events of Thursday, he’s traced the denial-of-service attack to a common operator who apparently launched a similar attack on Ars Technica following its coverage of Krebs’s victimization.
As described by his fellow security scribe Dan Goodin at Ars Technica, Krebs is known for work that includes:
- “Exposés [that] completely shut down a California hosting service that coddled spammers and child pornographers and severely disrupted an organized crime syndicate known as Russian Business Network” and, more recently,
- “Investigative journalism that followed the money to the people who sell malware exploit kits, illicitly procured credit reports, and denial-of-service services in underground forums.”
In short, Krebs has enemies.
Last week, one or more of those enemies targeted him, likely in retaliation for his most recent investigation.
On Friday, Krebs detailed in a post how the ordeal started the day before, when his site was targeted with “a fairly massive denial of service attack.”
That same afternoon, a technician from Prolexic called. Prolexic is a company that Krebs hired to protect his site, KrebsOnSecurity.com, from DOS attacks.
Prolexic forwarded a letter they’d received earlier that day, purporting to come from the US Federal Bureau of Investigation.
The letter, which Krebs reprinted here, falsely claimed that Krebs’s site was “hosting illegal content, profiting from cybercriminal activity, and that it should be shut down,” Krebs writes.
Both Prolexic and Krebs dubbed it a hoax – an assumption Krebs confirmed with a quick call to the FBI.
As Prolexic tidied up his DOSed site, Krebs got to work tidying up his home in anticipation of dinner guests. His office phone rang while he was vacuuming, but he ignored it.
That, it turns out, was an unfortunate choice, given that the call came from law enforcement who were trying to verify what would turn out to be a spoofed emergency call showing Krebs’s number on caller ID.
As he was vacuuming, Krebs noticed plastic tape on the front-door threshold, left over from securing an extension cord. He opened the door to unpeel it.
He tells of what happened next:
"When I opened the door to peel the rest of the tape off, I heard someone yell, 'Don't move! Put your hands in the air.' Glancing up from my squat, I saw a Fairfax County Police officer leaning over the trunk of a squad car, both arms extended and pointing a handgun at me. As I very slowly turned my head to the left, I observed about a half-dozen other squad cars, lights flashing, and more officers pointing firearms in my direction, including a shotgun and a semi-automatic rifle. I was instructed to face the house, back down my front steps and walk backwards into the adjoining parking area, after which point I was handcuffed and walked up to the top of the street.
"I informed the responding officers that this was a hoax, and that I’d even warned them in advance of this possibility. In August 2012, I filed a report with Fairfax County Police after receiving non-specific threats. The threats came directly after I wrote about a service called absoboot.com, which is a service that can be hired to knock Web sites offline."
Krebs had filed a police report last year on the suspicion that he would be SWATted.
SWATting is the practice of falsely reporting an emergency, as a prank or as revenge against a victim upon whom descends emergency services – or, in Krebs’s case, armed law enforcement.
Krebs’ persecutors had, in fact, spoofed an emergency call to make it appear that it had come from his phone.
As Sophos’s Chester Wisniewski noted last April when he wrote about fraudulent calls targeting US banks, caller ID spoofing can be particularly convincing in the US, given that the call display service used by most phone companies here does a reverse lookup for the name information based on the caller ID number provided by the call.
Once a criminal determines the phone number he wants to have fraudulently show up as his caller ID number – Krebs’s phone number, in this case – it’s trivial to display that number on the call recipient’s display.
Caller ID spoofing has been around for years through various technologies: ISDN PRI circuits used by collection agencies, law enforcement, and private investigators, all of whom have used it with varying degrees of legality; spoofing services such as Star38.com; and through Voice over IP (VoIP) technology.
Given how trivial it is to spoof caller ID, it’s surprising that people put any faith at all in the technology – most particularly that law enforcement do.
In fact, the police who took Krebs’s report warning that he might be targeted by SWATting hadn’t even heard of the practice.
All too readily, we tend to put faith in appearances. We believe caller ID identifies the true identity of a caller.
Or somebody flashes a piece of silver and we obediently hand over our licenses or wallets, or we open a door and allow strangers inside our home or our cars, without verifying whether what we’ve seen was an authentic emblem or a plastic toy badge.
We – the police included – trust in the technology we use. Criminals will always exploit that trust.
Krebs’s work, along with other security reporters and researchers, is to poke sticks into hornets’ nests, to borrow a friend’s analogy.
In this case, the sting from angry hornets could have had fatal consequences, as Krebs points out:
"I have seen many young hackers discussing SWATing attacks as equivalent to calling in a bomb threat to get out of taking exams in high school or college. Unfortunately, calling in a bomb threat is nowhere near as dangerous as sending a SWAT team or some equivalent force to raid someone’s residence. This type of individual prank puts peoples’ lives at risk, wastes huge amounts of taxpayer dollars, and draws otherwise scarce resources away from real emergencies. What’s more, there are a lot of folks who will confront armed force with armed force, all with the intention of self-defense.
"The local police departments of the United States are ill-equipped to do much to stop these sorts of attacks. I would like to see federal recognition of a task force or some kind of concerted response to these potentially deadly pranks. Hopefully, authorities can drive the message home that perpetrating these hoaxes on another will bring severe penalties. Who knows: Perhaps some of the data uncovered in this blog post and in future posts here will result in the legal SWATing of those responsible."
Well said, Brian. We all hope so too, for your sake and for the sake of all security researchers, law enforcement personnel and victims of attacks like the one you experienced.
Coming soon to a town near you.
I do believe that caller ID identifies the true identity of a caller..but not since now that I read this article,it was such a cruel that they(criminals) risk someone life..SWAT,FBI?
Spoofing of caller ID has been around for decades, sadly. Debt collectors used to use it quite a bit, to mask who was calling. I always thought it was a criminal offense – the telecomms companies own the phone numbers after all – but apparently not.
I know you can DoX, DDoS, S.W.A.T etc. by the IP address of your victim which you can recieve by encrypted websites such as bvogPost and other. You can easily track the victims Internet Protocol Address and lookup their Internet Protocol for their personal and public information which is officially used to be pasted onto Paste Bin or somewhere on the Internet.
It doesn't have to do with anything you said but I said that because I just wanted to tell/warn you about how it's done, my point is – do not click random links! EVER.
SWATting is one of the most vile acts of petty revenge to emerge in recent years. It's a potentially deadly perversion of an officer's oath "to protect and serve". If somebody ever does get killed by this tactic and the perpetrator of the call gets arrested I hope the prosecuting D.A. charges the perp with 1st degree murder and can get it to stick.
Emergency services caller ID is different from home caller ID.
This police agency was simply poorly trained.
Your talking about a local police force VS. an organized hacker organization. Do you really think there is any amount of training you can give to protect against that? Also, how do you plan on going about that? You want emergency services to be trained to argue when they get a call about a violent murder?
I can just see it now: "Someone just broke into my house waving a gun, he has already shot my friend"…… "Umm, Sir, You realize it is a serious offense to prank call emergency services right……"
Yeah, just what you want to hear when you really need help….. Basically we have a very serious case of "the boy who cried wolf". Problem is that a LOT of people are crying wolf and now we have to come up with a way to tell who is lying and when.
On the bright side, this pretty much further legitimizes Brian's hard investigative work over the years. Clearly he's pissed off or scared someone(s).
Lisa Vaas wrote: "Caller ID spoofing has been around for years through various technologies: ISDN PRI circuits used by collection agencies, law enforcement, and private investigators, all of whom have used it with varying degrees of legality;"
It is not at all difficult to spoof Caller ID data with an ISDN PRI. However, there is an associated flag with the data which indicates that the number was applied by the caller, not by the network. Consumer caller ID equipment ignores this flag but I would expect that professional-grade gear used at a PSAP would highlight it.
It's agreed that his is a terrible act, but try and get the legislature to do anything about it! They are busy not doing anything! They seem to waste time on useless items while ignoring what the public wants. I know here in Arizona, they are discussing how to make license plates more legible to police! You would thin they would just approve/disapprove plates as they came around instead of axing the whole lot! Seems it would be easier and less time consuming.
These type of crimes will kill someone, it's known as a ticking time bomb and to make things worse, where did the warning go that he filed? That should have been somewhere that it was on their mind at all times.
Not to fault the Police too much, as a retired LEO (Law Enforcement Officer) they have a strict line of what to do next. Unfortunately it doesn't include things like this. It will take a death before it gets fixed!
Thanks for the heads up…
Hope it isn't me next!
So it's more dangerous to SWAT an individual than call a bomb threat to a school? Don't bomb threats result in SWAT teams responding to the scene? Think about it. Either situation could result in catastrophe. Tell me, how many frightened children are equal to one journalist.
And before anyone tries to change that consideration into accusing me of endorsing the incident as described, just shut it down now. I don't endorse it, period. I wouldn't want it to happen to me, or anyone.
IF he hadn't interrupted them by opening the door, things would have been different.
Surely you've seen movies or tv shows when SWAT battering rams open the front door, while the rest of the team bursts in with flash-bangs, while pointing guns at anyone and everyone to "GET DOWN, GET DOWN" , and throwing all ocupants to the floor, and handcuffing – searching everyone?
Imagine having to prove to them that you arn't a gunman. That you're not holding your wife and kids hostage.
Also, and this may be minor, but do you think they will clean up after themselves? The carpets ruined by flash-bang explosions? Doors, windows, furnature destroyed by paramilitaryt cops bursting in?
Think your home owners insurance will pay? Think your premiums will go up?
Movies are not real life….
No, SWAT teams do not respond to bomb threats. Most bomb threats receive a police response of either law enforcement individuals or dogs that sweep the building; i.e., they look around for suspicious items in the building. This is not done with guns drawn or expecting a potential exchange of gunfire.
Having experienced several bomb threats in both middle/high school and college, I can tell you they were pretty mundane events that most participants never gave any real credibility to, and saw them as either a minor irritant or a small blessing, depending on your level of preparation for the class or assignment that got disrupted. My own kid experienced them as well and was never concerned.
SWAT teams responding to reported shootings are on a whole different, serious level.
Funny. I thought that exact same thing!
Thomas, the expected response for a bomb threat is local police and bomb squad personnel. Unfortunately, this country has so many local yocals that have nothing better to do than call out all personnel associated with their department, just to get the adrenaline rush and be "on scene" just in case. It's not only over kill, but a waste of man power and taxpayer money. If this country's leadership were really worried about situations like this, they would stop up arming the DHS with millions of rounds of ammo and armored vehicles for the supposed "domestic riots" by the American public, and develop training and practices that would properly identify and catch those people who are trying to seek revenge for their own felonious practices.
Wait… who said one is more dangerous than the other? Did I miss something, here?
If we would stop using POTS and rely on a Voice over SSL technology using mutual authentication and reverse DNS lookup, there wouldn't be this problem with faking Called ID. Caller ID provides no means of integrity,
SWAT turning up to a school are there for protection and presume the children innocent. SWAT turning up to a supposed murder-scene presume a suspect is present, and will freely use lethal force if he's confused and makes the wrong move.
Yes, there is a hell of a difference, this is a hundredfold more dangerous!
There are well known safeguards for this local police and municipalities and Mayors can use, some do but most just never consider it until they get hit a few times…sorta like not putting up a stop sign or light until three deaths have occurred at an off the (bankster/corporation )roads and intersections that millions use..