Target Calls it Quits in Canada.

Vacancy Rate For Chicago Retail Space Hits 15 Year High

(Inspired by an article by Kavita Kumar.)

Finding they could not gainsay

Savings at the Hudson Bay

Target now has stole away

From Canada this very day.


Their cor’prate chieftains did agree

It was just pure misery

To remain and disagree

With their northern polity.


No use giving in to cry;

They gave it the college try.

Instead of eating humble pie

They’ll raise prices HERE – banzai!

The Ballad of Two Shoplifters, or Crime Doesn’t Pay But the Hours are Good.


The wind chill, it was bitter; the snow had drifted down,

When the Bad Girls drove in to the prosp’rous little town.

They ate a meal at Denny’s, and paid the check with cash;

Then at Kohl’s Department Store they collected their first stash.


Oh, they were very clever; these daring racketeers;

They boosted dresses left and right, and swiped five chandeliers.

Their vehicle was parked away from prying spying eyes.

They had no trouble packing up their predatory prize.


Next they struck a Walmart, and stole fine jewelry;

The clerks were careless, on a break, or some tomfoolery.

Their luck held with Cabela’s; they looted it in style,

Secluding tons of spinner baits as they walked down the aisle.


At Target it was cell phones; at Lowe’s a sack of nails.

At Barnes & Noble they made off with books about Versailles.

Their crime spree wasn’t over; they couldn’t stop themselves –

They had to visit Walgreens and swipe Bag Balm off the shelves.


Their car was near to bursting, but one more heist they gaily planned;

They’d sneak into Schmitt’s Music to kidnap a baby grand.

Although it was fantastic, they did turn the trick by golly –

And even got a salesman to transport it with a dolly!


Their wiles were subjugating the whole retail industry;

Was there no way to prevent their sad skullduggery?

The big box stores laid traps amain, but it was all in vain;

These female kleptomaniacs had good fortune as their swain.


But at last the fates decreed these women bandits must

Be thrown down from their pedestal and eat a peck of dust.

(For ev’ry epic ballad must detail the rise AND fall

Of the bad and prideful, of the tyrant or gun moll.)


And so it came to pass that our two scofflaws one day went

Into a nearby dollar store to buy some Pepsodent.

But force of habit made them hide two tins of plain sardines

In the pockets of their stolen, stone-washed Levi jeans.


Alarums sounded ev’rywhere and cops showed up in haste.

They put the two offenders in a dim cell, cold and chaste.

They’re locked up until sunshine comes in many hues of green,

Until the big box stores decay . . . and Congress grows serene.

Russian Cyber Criminals Threaten to Steal a Third of America’s Credit Cards.



In the last year, Eastern European cybercriminals have stolen Brian Krebs’s identity a half dozen times, brought down his website, included his name and some unpleasant epithets in their malware code, sent fecal matter and heroin to his doorstep, and called a SWAT team to his home just as his mother was arriving for dinner.

“I can’t imagine what my neighbors think of me,” he said dryly.

Mr. Krebs, 41, tries to write pieces that cannot be found elsewhere. His widely read cybersecurity blog, Krebs on Security, covers a particularly dark corner of the Internet: profit-seeking cybercriminals, many based in Eastern Europe, who make billions off pharmaceutical sales, malware, spam, frauds and heists like the recent ones that Mr. Krebs was first to uncover at Adobe, Target and Neiman Marcus.

He covers this niche with much the same tenacity of his subjects, earning him their respect and occasional ire.

Mr. Krebs — a former reporter at The Washington Post who taught himself to read Russian while jogging on his treadmill and who blogs with a 12-gauge shotgun by his side — is so entrenched in the digital underground that he is on a first-name basis with some of Russia’s major cybercriminals. Many call him regularly, leak him documents about their rivals, and try to bribe and threaten him to keep their names and dealings off his blog.

His clean-cut looks and plain-speaking demeanor seem more appropriate for a real-estate broker than a man who spends most of his waking hours studying the Internet’s underbelly. But few have done more to shed light on the digital underground than Mr. Krebs.

His obsession with hackers kicked in when he was just another victim. In 2001, a computer worm — a malicious software program that can spread quickly — locked him out of his home computer. “It felt like someone had broken into my home,” Mr. Krebs recalled in an interview. He started looking into it. And he kept looking, learning about spam, computer worms and the underground industry behind it.

Eventually, his anger and curiosity turned into a full-time beat at The Post and then on his own blog.

“I realized that if security breaks down, the technology breaks down,” Mr. Krebs said.

Today, he maintains extensive files on criminal syndicates and their tools. Some security experts readily acknowledge that he knows more about Russia’s digital underground than they do.

“I would put him up against the best threat intelligence analyst,” said Rodney Joffe, senior vice president at Neustar, an Internet infrastructure firm. “Many of us in the industry go to him to help us understand what the Eastern European criminals are doing, how they work with each other and who is doing what to whom.”

That proved the case in December when Mr. Krebs uncovered what could be the biggest known Internet credit-card heist. That month, he had been poking around private, underground forums where criminals were bragging about a fresh haul of credit and debit cards.

Soon after, one of Mr. Krebs’s banking sources called to report a high number of fraudulent purchases and asked whether Mr. Krebs could pinpoint where they were coming from. The source said that he had bought a large batch of stolen cards from an underground site and that they all appeared to have been used at Target.

Mr. Krebs checked with a source at a second bank that had also been dealing with a spike in fraud. Together, they visited one forum and bought a batch of stolen cards. Again, the cards appeared to have one thing in common: They had been used at Target from late November to mid-December.

On the morning of Dec. 18, Mr. Krebs called Target. The company’s spokeswoman did not return his call until several hours later, but by then he had enough to run his article: Criminals had breached the registers in Target’s stores and had made off with tens of millions of payment card numbers.

 In the following weeks, Mr. Krebs discovered breaches at Neiman Marcus; Michaels, the arts and crafts retailer; and White Lodging, which manages franchises for major hotel chains like Hilton, Marriott and Starwood Hotels.

It is still unclear whether the attacks were related, but at least 10 other retailers may have been hit by the same hackers that hit Target and are reluctant to acknowledge it.

That is where Mr. Krebs comes in. Unlike physical crime — a bank robbery, for example, quickly becomes public — online thefts are hushed up by companies that worry the disclosure will inflict more damage than the theft, allowing hackers to raid multiple companies before consumers hear about it.

“There’s a lot going on in this industry that impedes the flow of information,” Mr. Krebs said. “And there’s a lot of money to be made in having intelligence and information about what’s going on in the underworld. It’s big business but most people don’t want to pay for it, which explains why they come to someone like me.”

Mr. Krebs is “doing the security industry an enormous favor by disseminating real-time threat information,” said Barmak Meftah, chief executive of AlienVault, a threat-detection service. “We are only as strong as our information. Unless we are very specific and effective about exchanging threat data when one of us gets breached, we will always be a step behind the attackers.”


The tally of victims from the breaches at Target, Neiman Marcus and others now exceeds one-third of the United States population — a grim factoid that may offer Mr. Krebs a strange sense of career vindication.

He first developed an interest in computers because his father, an Air Force engineer, was obsessed with the latest devices. But he did little about it until 1998, when he began writing about technology for The Post, after working his way up from the mailroom. Cybersecurity became a bit of a focus after his own computer was infected by that worm in 2001. “I learned there’s this whole underworld that seemed really fascinating,” he said.

In 2005, he started The Post’s Security Fix blog, occasionally frustrating editors with hacker jargon and unnerving some who worried he was becoming too close to sources.

“A lot of what Brian does would scare the hell out of traditional newsroom editors,” said Russ Walker, Mr. Krebs’s former editor at The Post. “I don’t think he crossed the lines journalistically, but he was living a different type of experience.”

By 2006, Mr. Krebs was a fixture in hacker forums, learning code, and — ever the dutiful reporter — borrowing Russian language tapes from his local library since most of what he tracks originates in the former Soviet Union and its satellite states. (He acknowledges having used his technical prowess at one point to peek inside The Post’s payroll system to see how much colleagues were making, something he now strongly advises against.)

In 2009, The Post asked Mr. Krebs to broaden his focus to general technology news and policy. When he declined, he was let go.

He used his severance to start his own blog, Krebs on Security, from his “command center,” a guest room at the Annandale, Va., home he shares with his wife. There, three 19-inch computer screens help him keep tabs on the underworld, while another monitors security footage of his house.

Mr. Krebs’s readership is growing. In December, 850,000 readers visited his blog, mostly to learn more about the breach at Target. Though he will not disclose figures, Mr. Krebs says the salary he now makes from advertising, occasional speaking engagements and consulting work is a “nice bump” from what he earned at The Post.

But there are risks implicit to being a one-man operation. “The work that he’s done exposing Eastern European hackers has been seminal,” said Tom Kellermann, vice president for cybersecurity at Trend Micro, a computer security company. “But Brian needs a bodyguard.”

  Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called “Spam Nation,” to be published by Sourcebooks this year.

In the meantime, hackers have been competing in a dangerous game of one-upmanship to see who can pull the worst prank on Mr. Krebs. They often steal his identity. One opened a $20,000 credit line in his name. Admirers have made more than $1,000 in bogus PayPal donations to his blog using hacked accounts. Others have paid his cable bill for three years with stolen credit cards.

The antics can be dangerous. In March, as Mr. Krebs was preparing to have his mother over for dinner, he opened his front door to find a police SWAT team pointing semiautomatic guns in his direction. Only after his wife returned home from the grocery store to find him handcuffed did the police realize Mr. Krebs had been the victim of “swatting.” Someone had called the police and falsely reported a murder at their home.

Four months after that, someone sent packets of heroin to Mr. Krebs’s home, then spoofed a call from his neighbor to the police. But Mr. Krebs had already been tipped off to the prank. He was tracking the fraud in a private forum — where a criminal had posted the shipment’s tracking number — and had alerted the local police and the F.B.I.

Mr. Joffe worries Mr. Krebs’s enemies could do far worse. “I don’t understand why he hasn’t moved to a new, undisclosed address,” he said.

Mr. Krebs said he did plan to move and keep his new address secret. But these days it is almost impossible.

Though he goes to great lengths to protect his personal information, last month his wife received an email from Target informing her that their mailing address and other personal information had been stolen in the breach.

“I got that letter,” he said, “and I just had to laugh.”



What to Do if Your Credit is Frozen by Identity Theft.

Target has frozen thousands of store accounts due to identity theft.
Target has frozen thousands of store accounts due to identity theft.

The pattern with credit- and debit-card breaches tends to go something like this: A company like Target or Neiman Marcus announces that thieves may have stolen your card numbers or other information, then the company offers a year of credit-monitoring. But the chastened keeper of your personal data rarely if ever offers to pay for the most potent protection of all: A security freeze on the files that the three big credit bureaus keep on you.

Credit-monitoring is often backward-looking, informing you of new accounts that thieves may have already opened in your name. But a freeze prohibits the bureaus from releasing your credit reports to any company or other entity that doesn’t already have a relationship with you.

This prohibition is crucial, since credit-card issuers, mobile phone providers, loan officers and others in similar roles almost never open a new account for people without seeing a credit report first. If they can’t get access to the credit file, they probably won’t open that new account. Given that this sort of new account fraud can be especially damaging, security freezes are one of the best tools consumers have to protect themselves from identity theft.

To sign up for one, you need to approach each of the three credit bureaus separately, pay a small fee of no more than $10 or so (it depends on your state, and it may be free for identity-theft victims and in other limited situations) and follow their instructions. You can start the process at the following web pages: Equifax: Experian: TransUnion:

A credit freeze lasts indefinitely, and the only downside is that you’ll need to thaw your files temporarily when you want to give a company or entity access to your credit report. Experian warns that this affects applications for new loans, insurance, government services or payments, rental housing, employment, investments, professional licenses, cellular telephone, utilities, digital signatures and instant-credit applications that come with one-day discounts at stores.

Only about 600,000 people have frozen their files at Experian; Equifax and TransUnion did not provide figures, but their numbers are probably similar, given that most people who do freeze their files do so at all three bureaus.

In practice most people, especially older ones who already have all the credit cards and mortgage loans they need, don’t have cause to give new creditors access to their files more than once or twice a year, if that. For people who seek credit more frequently, but still want the security of a freeze, the thawing process generally takes no more than 15 minutes each time at all three credit bureaus.

To lift the freeze, you’ll need to provide a PIN and other information and may also need to pay a small fee. The bureaus warn on their websites that it could take a few days for the freeze to take effect and for companies to access your credit reports, though if you lift your freeze by phone, the human representatives are generally able to lift it instantly.