Window Snyder’s new startup Thistle Technologies raises $2.5M seed to secure IoT devices

The Internet of Things has a security problem. The past decade has seen wave after wave of new internet-connected devices, from sensors through to webcams and smart home tech, often manufactured in bulk but with little — if any — consideration to security. Worse, many device manufacturers make no effort to fix security flaws, while others simply leave out the software update mechanisms needed to deliver patches altogether.

That leaves an entire swath of insecure and unpatchable devices destined to fail, and to be thrown out when they break down or are inevitably hacked.

Security veteran Window Snyder thinks there is a better way. Her new startup, Thistle Technologies, is backed with $2.5 million in seed funding from True Ventures with the goal of helping IoT manufacturers reliably and securely deliver software updates to their devices.

Snyder founded Thistle last year, and named it after the flowering plant whose sharp prickles deter animals from eating it. “It’s a defense mechanism,” Snyder told TechCrunch, a name that’s fitting for a defensive technology company. The startup aims to help device manufacturers that lack the personnel or resources to integrate update mechanisms into their devices’ software, so that those devices can receive security updates and better defend against security threats.

“We’re building the means so that they don’t have to do it themselves. They want to spend the time building customer-facing features anyway,” said Snyder. Prior to founding Thistle, Snyder worked in senior cybersecurity positions at Apple, Intel, and Microsoft, and also served as chief security officer at Mozilla, Square, and Fastly.

Thistle lands on the security scene at a time when IoT needs it most. Botnet operators are known to scan the internet for devices with weak default passwords and hijack their internet connections to pummel victims with floods of internet traffic, knocking entire websites and networks offline. In 2016, a record-breaking distributed denial-of-service attack launched by the Mirai botnet on internet infrastructure giant Dyn knocked some of the biggest websites — Shopify, SoundCloud, Spotify, Twitter — offline for hours. Mirai had ensnared thousands of IoT devices into its network at the time of the attack.

Other malicious hackers target IoT devices as a way to get a foot into a victim’s network, allowing them to launch attacks or plant malware from the inside.

Since device manufacturers have done little to solve their security problems among themselves, lawmakers are looking at legislating to curb some of the more egregious security mistakes made by device manufacturers, like using default — and often unchangeable — passwords and selling devices with no way to deliver security updates.

California paved the way after passing an IoT security law in 2018, with the U.K. following shortly after in 2019. The U.S. has no federal law governing basic IoT security standards.

Snyder said the push to introduce IoT cybersecurity laws could be “an easy way for folks to get into compliance” without having to hire fleets of security engineers. Having an update mechanism in place also helps to keep IoT devices around for longer — potentially for years longer — simply by being able to push fixes and new features.

“To build the infrastructure that’s going to allow you to continue to make those devices resilient and deliver new functionality through software, that’s an incredible opportunity for these device manufacturers. And so I’m building a security infrastructure company to support those security needs,” she said.

With the seed round in the bank, Snyder said the company is focused on hiring device and back-end engineers, product managers, and building new partnerships with device manufacturers.

Phil Black, co-founder of True Ventures — Thistle’s seed round investor — described the company as “an astute and natural next step in security technologies.” He added: “Window has so many of the qualities we look for in founders. She has deep domain expertise, is highly respected within the security community, and she’s driven by a deep passion to evolve her industry.”


UK’s IoT ‘security by design’ law will cover smartphones too

Smartphones will be included in the scope of a planned “security by design” U.K. law aimed at beefing up the security of consumer devices, the government said today.

It made the announcement in its response to a consultation on legislative plans aimed at tackling some of the most lax security practices long-associated with the Internet of Things (IoT).

The government introduced a security code of practice for IoT device manufacturers back in 2018 — but the forthcoming legislation is intended to build on that with a set of legally binding requirements.

A draft law was aired by ministers in 2019 — with the government focused on IoT devices, such as webcams and baby monitors, which have often been associated with the most egregious device security practices.

Its plan now is for virtually all smart devices to be covered by legally binding security requirements, with the government pointing to research from consumer group “Which?” that found that a third of people kept their last phone for four years, while some brands only offer security updates for just over two years.

The forthcoming legislation will require smartphone and device makers like Apple and Samsung to inform customers of the duration of time for which a device will receive software updates at the point of sale.

It will also ban manufacturers from using universal default passwords (such as “password” or “admin”), which are often preset in a device’s factory settings and easily guessable — making them meaningless in security terms.

California already passed legislation banning such passwords in 2018 with the law coming into force last year.

Under the incoming U.K. law, manufacturers will additionally be required to provide a public point of contact to make it simpler for anyone to report a vulnerability.

The government said it will introduce legislation as soon as parliamentary time allows.

Commenting in a statement, digital infrastructure minister Matt Warman added: “Our phones and smart devices can be a gold mine for hackers looking to steal data, yet a great number still run older software with holes in their security systems.

“We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”

A DCMS spokesman confirmed that laptops, PCs and tablets with no cellular connection will not be covered by the law, nor will secondhand products. He added, though, that the intention is for the scope to be adaptive, to ensure the law can keep pace with new threats that may emerge around devices.


UK gov’t triggers national security scrutiny of Nvidia-Arm deal

The UK government has intervened to trigger public interest scrutiny of chipmaker Nvidia’s plan to buy Arm Holdings.

The secretary of state for digital issues, Oliver Dowden, said today that the government wants to ensure that any national security implications of the semiconductor deal are explored.

Nvidia’s $40BN acquisition of UK-based Arm was announced last September but remains to be cleared by regulators.

The UK’s Competition and Markets Authority (CMA) began to solicit views on the proposed deal in January.

Domestic opposition to Nvidia’s plan has been swift, with one of the original Arm co-founders kicking off a campaign to ‘save Arm’ last year. Hermann Hauser warned that Arm’s acquisition by a U.S. entity would end its position as a company independent of U.S. interests — risking the U.K.’s economic sovereignty by surrendering its most powerful trade weapon.

The intervention by the Department of Digital, Media, Culture and Sport (DCMS) — using statutory powers set out in the Enterprise Act 2002 — means the competition regulator has been instructed to begin a phase 1 investigation.

The CMA has a deadline of July 30 to submit its report to the secretary of state.

Commenting in a statement, Dowden said: “Following careful consideration of the proposed takeover of ARM, I have today issued an intervention notice on national security grounds. As a next step and to help me gather the relevant information, the UK’s independent competition authority will now prepare a report on the implications of the transaction, which will help inform any further decisions.”

“We want to support our thriving UK tech industry and welcome foreign investment but it is appropriate that we properly consider the national security implications of a transaction like this,” he added.

At the completion of the CMA’s phase 1 investigation, Dowden will have the option to clear the deal (that is, if no national security or competition concerns have been identified) or to clear it with remedies to address any identified concerns.

He could also refer the transaction for further scrutiny by instructing the CMA to carry out an in-depth phase 2 investigation.

After the phase 1 report has been submitted there is no set period when the secretary of state must make a decision on next steps — but DCMS notes that a decision should be made as soon as “reasonably practicable” to reduce uncertainty.

While Dowden’s intervention has been made on national security grounds, additional concerns have been raised about the impact of an Nvidia takeover of Arm — specifically on U.K. jobs and on Arm’s open licensing model.

Nvidia sought to address those concerns last year, claiming it’s committed to Arm’s licensing model and pledging to expand the Cambridge, UK offices of Arm — saying it would create “a new global center of excellence in AI research” at the UK campus.

However, it’s hard to see what commercial concessions could be offered to assuage concern over the ramifications of an Nvidia-owned Arm for the UK’s economic sovereignty. That’s because it’s a political risk, which would require a political solution to allay, such as at a treaty level — something which isn’t in Nvidia’s gift (alone) to give.

National security concerns are a rising operational risk for tech companies involved in the supply of cutting edge infrastructure, such as semiconductor design and next-gen networks — where a relative paucity of competitors not only limits market choice but amps up the political calculations.

Proposed mergers are one key flash point as market consolidation takes on an acute politico-economic dimension.

However tech companies’ operations are being more widely squeezed in the name of national security — such as, in recent years, the U.S. government’s attacks on China-based 5G infrastructure suppliers like Huawei, with former president Trump seeking to have the company barred from supplying next-gen networks not only within the U.S. but to national networks of Western allies.

Nor has (geo)political pressure been applied purely to key infrastructure companies in recent years: Trump claimed a national security justification to try to shake down the Chinese-owned social networking company TikTok, another example of how tech tools are being co-opted into wider geopolitical power plays, fuelled by countries’ economic and political self-interest.


Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes, and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the mid-pandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to get into Active Directory and create their own credentials. In such an environment, all user accounts should be considered potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.


Medtronic partners with cybersecurity startup Sternum to protect its pacemakers from hackers

If you think cyberattacks are scary, what if those attacks were directed at your cardiac pacemaker? Medtronic, a medical device company, has been in hot water over the last couple of years because its pacemakers were getting hacked through their internet-based software updating systems. But in a new partnership with Sternum, an IoT cybersecurity startup based in Israel, Medtronic has focused on resolving the issue.

The problem was not with the medical devices themselves, but with the remote systems used to update the devices. Medtronic’s previous solution was to disconnect the devices from the internet, which in and of itself can cause other issues to arise.

“Medtronic was looking for a long-term solution that can help them with future developments,” said Natali Tshuva, Sternum’s founder and CEO. The company has already secured about 100,000 Medtronic devices.

Sternum’s solution allows medical devices to protect themselves in real time.

“There’s this endless race against vulnerability, so when a company discovers a vulnerability, they need to issue an update, but updating can be very difficult in the medical space, and until the update happens, the devices are vulnerable,” Tshuva told TechCrunch. “Therefore, we created an autonomous security that operates from within the device that can protect it without the need to update and patch vulnerabilities.”

However, it is easier to protect new devices than to go back and protect legacy devices. Over the years hackers have gotten more and more sophisticated, so medical device companies have had to figure out how to protect the devices that are already out there.

“The market already has millions — perhaps billions — of medical devices connected, and that could be a security and management nightmare,” Tshuva added.

In addition to potentially doing harm to an individual, hackers have been taking advantage of device vulnerability as the gateway of choice into a hospital’s network, possibly causing a breach that can affect many more people. Tshuva explained that hospital networks are secured from the inside out, but devices that connect to the networks but are not protected can create a way in.

In fact, health systems have been known to experience the most data breaches out of any sector, accounting for 79% of all reported breaches in 2020. And in the first 10 months of last year, we saw a 45% increase in cyberattacks on health systems, according to data by Health IT Security.

In addition to Sternum’s partnership with Medtronic, the company also launched this week an IoT platform that allows, “devices to protect themselves, even when they are not connected to the internet,” Tshuva said.

Sternum, which raised about $10 million to date, also offers cybersecurity for IoT devices outside of healthcare, and according to Tshuva, the company focuses on areas that are “mission-critical.” Examples include railroad infrastructure sensors and management systems, and power grids.

Tshuva, who grew up in Israel, holds a master’s in computer science and worked for the Israeli Defense Force’s 8200 unit — similar to the U.S.’s National Security Alliance — said she always wanted to make an impact in the medical field. “I looked to combine the medical space with my life, and I realized I could have an impact on remote care devices,” she said.


Grocery startup Mercato spilled years of data, but didn’t tell its customers

A security lapse at online grocery delivery startup Mercato exposed tens of thousands of customer orders, TechCrunch has learned.

A person with knowledge of the incident told TechCrunch that the incident happened in January after one of the company’s cloud storage buckets, hosted on Amazon’s cloud, was left open and unprotected.

The company fixed the data spill, but has not yet alerted its customers.

Mercato was founded in 2015 and helps over a thousand smaller grocers and specialty food stores get online for pickup or delivery, without having to sign up for delivery services like Instacart or Amazon Fresh. Mercato operates in Boston, Chicago, Los Angeles, and New York, where the company is headquartered.

TechCrunch obtained a copy of the exposed data and verified a portion of the records by matching names and addresses against known existing accounts and public records. The data set contained more than 70,000 orders dating between September 2015 and November 2019, and included customer names and email addresses, home addresses, and order details. Each record also included the IP address of the device the user used to place the order.

The data set also included the personal data and order details of company executives.

It’s not clear how the security lapse happened since storage buckets on Amazon’s cloud are private by default, or when the company learned of the exposure.

Companies are required to disclose data breaches or security lapses to state attorneys-general, but no notices have been published where they are required by law, such as California. The data set had more than 1,800 residents in California, more than three times the number needed to trigger mandatory disclosure under the state’s data breach notification laws.

It’s also not known if Mercato disclosed the incident to investors ahead of its $26 million Series A raise earlier this month. Velvet Sea Ventures, which led the round, did not respond to emails requesting comment.

In a statement, Mercato chief executive Bobby Brannigan confirmed the incident but declined to answer our questions, citing an ongoing investigation.

“We are conducting a complete audit using a third party and will be contacting the individuals who have been affected. We are confident that no credit card data was accessed because we do not store those details on our servers. We will continually inform all authoritative bodies and stakeholders, including investors, regarding the findings of our audit and any steps needed to remedy this situation,” said Brannigan.

Know something, say something. Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.

Gay dating site Manhunt hacked, thousands of accounts stolen

Manhunt, a gay dating app that claims to have 6 million male members, has confirmed it was hit by a data breach in February after a hacker gained access to the company’s accounts database.

In a notice filed with the Washington attorney general’s office, Manhunt said the hacker “gained access to a database that stored account credentials for Manhunt users,” and “downloaded the usernames, email addresses and passwords for a subset of our users in early February 2021.”

The notice did not say how the passwords were scrambled, if at all, to prevent them from being read by humans. Passwords scrambled using weak algorithms can sometimes be decoded into plain text, allowing malicious hackers to break into their accounts.

Following the breach, Manhunt force-reset account passwords and began alerting users in mid-March. Manhunt did not say what percentage of its users had their data stolen or how the data breach happened, but said that more than 7,700 Washington state residents were affected.

The company’s attorneys did not reply to an email requesting comment.

But questions remain about how Manhunt handled the breach. In March, the company tweeted that, “At this time, all Manhunt users are required to update their password to ensure it meets the updated password requirements.” The tweet did not say that user accounts had been stolen.

Manhunt was launched in 2001 by Online-Buddies Inc., which also offered gay dating app Jack’d before it was sold to Perry Street in 2019 for an undisclosed sum. Just months before the sale, Jack’d had a security lapse that exposed users’ private photos and location data.

Dating sites store some of the most sensitive information on their users, and are frequently a target of malicious hackers. In 2015, Ashley Madison, a dating site that encouraged users to have an affair, was hacked, exposing names, and postal and email addresses. Several people died by suicide after the stolen data was posted online. A year later, dating site AdultFriendFinder was hacked, exposing more than 400 million user accounts.

In 2018, same-sex dating app Grindr made headlines for sharing users’ HIV status with data analytics firms.

In other cases, poor security — in some cases none at all — led to data spills involving some of the most sensitive data. In 2019, Rela, a popular dating app for gay and queer women in China, left a server unsecured with no password, allowing anyone to access sensitive data — including sexual orientation and geolocation — on more than 5 million app users. Months later, Jewish dating app JCrush exposed around 200,000 user records.


PlexTrac raises $10M Series A round for its collaboration-centric security platform

PlexTrac, a Boise, ID-based security service that aims to provide a unified workflow automation platform for red and blue teams, today announced that it has raised a $10 million Series A funding round led by Noro-Moseley Partners and Madrona Venture Group. StageDot0 ventures also participated in this round, which the company plans to use to build out its team and grow its platform.

With this new round, the company, which was founded in 2018, has now raised a total of $11 million, with StageDot0 leading its 2019 seed round.

PlexTrac CEO and President Dan DeCloss

“I have been on both sides of the fence, the specialist who comes in and does the assessment, produces that 300-page report and then comes back a year later to find that some of the critical issues had not been addressed at all. And not because the organization didn’t want to but because it was lost in that report,” PlexTrac CEO and President Dan DeCloss said. “These are some of the most critical findings for an entity from a risk perspective. By making it collaborative, both red and blue teams are united on the same goal we all share, to protect the network and assets.”

With an extensive career in security that included time as a penetration tester for Veracode and the Mayo Clinic, as well as senior information security advisor for Anthem, among other roles, DeCloss has quite a bit of first-hand experience that led him to found PlexTrac. Specifically, he believes that it’s important to break down the wall between offense-focused red teams and defense-centric blue teams.

Image Credits: PlexTrac

“Historically there has been more of the cloak and dagger relationship but those walls are breaking down — and rightfully so, there isn’t that much of that mentality today — people recognize they are on the same mission whether they are internal security team or an external team,” he said. “With the PlexTrac platform the red and blue teams have a better view into the other teams’ tactics and techniques — and it makes the whole process into an educational exercise for everyone.”

At its core, PlexTrac makes it easier for security teams to produce their reports — and hence frees them up to actually focus on ‘real’ security work. To do so, the service integrates with most of the popular scanners, like Qualys and Veracode, but also with tools like ServiceNow and Jira in order to help teams coordinate their workflows. All the data flows into real-time reports that then help teams monitor their security posture. The service also features a dedicated tool, WriteupsDB, for managing reusable write-ups to help teams deliver consistent reports for a variety of audiences.

“Current tools for planning, executing, and reporting on security testing workflows are either nonexistent (manual reporting, spreadsheets, documents, etc…) or exist as largely incomplete features of legacy platforms,” Madrona’s S. Somasegar and Chris Picardo write in today’s announcement. “The pain point for security teams is real and PlexTrac is able to streamline their workflows, save time, and greatly improve output quality. These teams are on the leading edge of attempting to find and exploit vulnerabilities (red teams) and defend and/or eliminate threats (blue teams).”


Risk startup LogicGate confirms data breach

Risk and compliance startup LogicGate has confirmed a data breach. But unless you’re a customer, you probably didn’t hear about it.

An email sent by LogicGate to customers earlier this month said that on February 23 an unauthorized third party obtained credentials to its Amazon Web Services-hosted cloud storage servers, which store customer backup files for its flagship platform Risk Cloud. Risk Cloud helps companies identify and manage their risk and compliance with data protection and security standards; LogicGate says it can also help find security vulnerabilities before they are exploited by malicious hackers.

The credentials “appear to have been used by an unauthorized third party to decrypt particular files stored in AWS S3 buckets in the LogicGate Risk Cloud backup environment,” the email read.

“Only data uploaded to your Risk Cloud environment on or prior to February 23, 2021, would have been included in that backup file. Further, to the extent you have stored attachments in the Risk Cloud, we did not identify decrypt events associated with such attachments,” it added.

LogicGate did not say how the AWS credentials were compromised. An email update sent by LogicGate last Friday said the company anticipates finding the root cause of the incident by this week.

But LogicGate has not made any public statement about the breach. It’s also not clear if the company contacted all of its customers or only those whose data was accessed. LogicGate counts Capco, SoFi, and Blue Cross Blue Shield of Kansas City as customers.

We sent a list of questions, including how many customers were affected and if the company has alerted U.S. state authorities as required by state data breach notification laws. When reached, LogicGate chief executive Matt Kunkel confirmed the breach but declined to comment citing an ongoing investigation. “We believe it’s best to communicate developments directly to our customers,” he said.

Kunkel would not say, when asked, if the attacker also exfiltrated the decrypted customer data from its servers.

Data breach notification laws vary by state, but companies that fail to report security incidents can face heavy fines. Under Europe’s GDPR rules, companies can face fines of up to 4% of their annual turnover for violations.

In December, LogicGate secured $8.75 million in fresh funding, totaling more than $40 million since it launched in 2015.

Are you a LogicGate customer? Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.

Biden Names Chris Inglis to Be First National Cyber Director

Chris Inglis will be nominated to the new post as the president fills out his cybersecurity team and the U.S. considers responses to recent attacks.


Biden’s cybersecurity dream team takes shape

President Biden has named two former National Security Agency veterans to senior government cybersecurity positions, including the first national cyber director.

The appointments, announced Monday, land after the discovery of two cyberattacks linked to foreign governments earlier this year — the Russian espionage campaign that planted backdoors in U.S. technology giant SolarWinds’ software to hack into at least nine federal agencies, and the mass exploitation of Microsoft Exchange servers linked to hackers backed by China.

Jen Easterly, a former NSA official under the Obama administration who helped to launch U.S. Cyber Command, has been nominated as the new head of CISA, the cybersecurity advisory unit housed under Homeland Security. CISA has been without a head for six months after then-President Trump fired former director Chris Krebs, whom Trump appointed to lead the agency in 2018, for disputing Trump’s false claims of election hacking.

Biden has also named former NSA deputy director John “Chris” Inglis as national cyber director, a new position created by Congress late last year to be housed in the White House, charged with overseeing the defense and cybersecurity budgets of civilian agencies.

Inglis is expected to work closely with Anne Neuberger, who in January was appointed as the deputy national security adviser for cyber on the National Security Council. Neuberger, a former NSA executive and its first director of cybersecurity, was tasked with leading the government’s response to the SolarWinds attack and Exchange hacks.

Biden has also nominated Rob Silvers, a former Obama-era assistant secretary for cybersecurity policy, to serve as undersecretary for strategy, policy, and plans at Homeland Security. Silvers was recently floated for the top job at CISA.

Both Easterly and Silvers’ positions are subject to Senate confirmation. The appointments were first reported by The Washington Post.

Former CISA director Krebs praised the appointments as “brilliant picks.” Dmitri Alperovitch, a former CrowdStrike executive and chair of Silverado Policy Accelerator, called the appointments the “cyber equivalent of the dream team.” In a tweet, Alperovitch said: “The administration could not have picked three more capable and experienced people to run cyber operations, policy and strategy alongside Anne Neuberger.”

Neuberger is replaced by Rob Joyce, a former White House cybersecurity czar, who returned from a stint at the U.S. Embassy in London earlier this year to serve as NSA’s new cybersecurity director.

Last week, the White House asked Congress for $110 million in new funding for next year to help Homeland Security to improve its defenses and hire more cybersecurity talent. CISA hemorrhaged senior staff last year after several executives were fired by the Trump administration or left for the private sector.

#anne-neuberger, #biden, #chris-krebs, #cisa, #computer-security, #crowdstrike, #cybercrime, #government, #national-security-agency, #security, #solarwinds, #system-administration, #u-s-cyber-command


Cybersecurity training startup Hack The Box raises $10.6M Series A led by Paladin Capital

Cybersecurity training startup Hack The Box, which emerged originally from Greece, has raised a Series A investment round of $10.6 million, led by Paladin Capital Group and joined by Osage University Partners, Brighteye Ventures, and existing investors Marathon Venture Capital. It will use the funding to expand. Most recently it launched Hack The Box Academy.

Started in 2017, Hack The Box specializes in using ‘ethical hacking’ to train cybersecurity techniques. Users are given challenges to “attack” virtual vulnerable labs in a simulated, gamified, and test environment. This approach has garnered over 500,000 platform members, from beginners to experts, and brought in around 800 organizations (such as governments, Fortune 500 companies, and academic institutions) to improve their cyber-adversarial knowledge.

Haris Pylarinos, Hack The Box Co-Founder and CEO said: “Everything we do is geared around creating a safer Internet by empowering corporate teams and individuals to create unbreakable systems.”

Gibb Witham, Senior Vice President, Paladin Capital Group commented: “We’re excited to be backing Hack The Box at this inflection point in their growth as organizations recognize the increasing importance of an adversarial security practice to combat constantly evolving cyber attacks.”

Hack The Box competes with Offensive Security, Immersive Labs, INE, and eLearnSecurity (acquired by INE).

Hack The Box is using a SaaS business model. In the B2C market it provides monthly and annual subscriptions that provide unrestricted access to the training content and in the B2B market, it provides bi-annual and annual licenses which provide access to dedicated adversarial training environments with value-added admin capabilities.

#brighteye-ventures, #computer-security, #cyberwarfare, #data-security, #europe, #greece, #hack, #immersive-labs, #marathon-venture-capital, #paladin-capital-group, #tc, #vice-president


Why Students Are Logging In to Class From 7,000 Miles Away

Students are joining remote classes from outside the country. In one New Jersey school district, computers were traced to 24 countries on a day last month.

#computer-security, #coronavirus-2019-ncov, #e-learning, #education-k-12, #families-and-family-life, #immigration-and-emigration, #new-jersey, #new-york-city, #parenting, #quarantine-life-and-culture, #teachers-and-school-employees


Former Amazon exec gives Chinese firms a tool to fight cyber threats

China is pushing forward an internet society where economic and public activities increasingly take place online. In the process, troves of citizen and government data get transferred to cloud servers, raising concerns over information security. One startup called ThreatBook sees an opportunity in this revolution and pledges to protect corporations and bureaucracies against malicious cyberattacks.

Antivirus and security software has been around in China for several decades, but until recently, enterprises were procuring them simply to meet compliance requests, Xue Feng, founder and CEO of six-year-old ThreatBook, told TechCrunch in an interview.

Starting around 2014, internet accessibility began to expand rapidly in China, ushering in an explosion of data. Information previously stored in physical servers was moving to the cloud. Companies realized that a cyber attack could result in a substantial financial loss and started to pay serious attention to security solutions.

In the meantime, cyberspace is emerging as a battlefield where competition between states plays out. Malicious actors may target a country’s critical digital infrastructure or steal key research from a university database.

“The amount of cyberattacks between countries is reflective of their geopolitical relationships,” observed Xue, who oversaw information security at Amazon China before founding ThreatBook. Previously, he was the director of internet security at Microsoft in China.

“If two countries are allies, they are less likely to attack one another. China has a very special position in geopolitics. Besides its tensions with the other superpowers, cyberattacks from smaller, nearby countries are also common.”

Like other emerging SaaS companies, ThreatBook sells software and charges a subscription fee for annual services. More than 80% of its current customers are big corporations in finance, energy, the internet industry, and manufacturing. Government contracts make up a smaller slice. With its Series E funding round that closed 500 million yuan ($76 million) in March, ThreatBook boosted its total capital raised to over 1 billion yuan from investors including Hillhouse Capital.

Xue declined to disclose the company’s revenues or valuation but said 95% of the firm’s customers have chosen to renew their annual subscriptions. He added that the company has met the “preliminary requirements” of the Shanghai Exchange’s STAR board, China’s equivalent to NASDAQ, and will go public when the conditions are ripe.

“It takes our peers 7-10 years to go public,” said Xue.

ThreatBook compares itself to CrowdStrike from Silicon Valley, which filed to go public in 2019 and detects threats by monitoring a company’s “endpoints”, such as an employee’s laptop and mobile devices that connect to the internal network from outside the corporate firewall.

ThreatBook similarly has a suite of software that goes onto the devices of a company’s employees, automatically detects threats and comes up with a list of solutions.

“It’s like installing a lot of security cameras inside a company,” said Xue. “But the thing that matters is what we tell customers after we capture issues.”

SaaS providers in China are still in the phase of educating the market and lobbying enterprises to pay. Of the 3,000 companies that ThreatBook serves, only 300 are paying so there is plentiful room for monetization. Willingness to spend also differs across sectors, with financial institutions happy to shell out several million yuan ($1 = 6.54 yuan) a year while a tech startup may only want to pay a fraction of that.

Xue’s vision is to take ThreatBook global. The company had plans to expand overseas last year but was held back by the COVID-19 pandemic.

“We’ve had a handful of inquiries from companies in Southeast Asia and the Middle East. There may even be room for us in markets with mature [cybersecurity companies] like Europe and North America,” said Xue. “As long as we are able to offer differentiation, a customer may still consider us even if it has an existing security solution.”

#asia, #china, #cloud-computing, #cloud-infrastructure, #computer-security, #crowdstrike, #cyberattack, #cybercrime, #firewall, #internet-security, #internet-society, #microsoft-china, #saas, #security, #security-software, #software-as-a-service, #tc, #tech-startup


Answers being sought from Facebook over latest data breach

Facebook’s lead data protection regulator in the European Union is seeking answers from the tech giant over a major data breach reported on over the weekend.

The breach was reported on by Business Insider on Saturday, which said personal data (including email addresses and mobile phone numbers) of more than 500M Facebook accounts had been posted to a low-level hacking forum — making the personal information on hundreds of millions of Facebook users’ accounts freely available.

“The exposed data includes the personal information of over 533M Facebook users from 106 countries, including over 32M records on users in the US, 11M on users in the UK, and 6M on users in India,” Business Insider said, noting that the dump includes phone numbers, Facebook IDs, full names, locations, birthdates, bios, and some email addresses.

Facebook responded to the report of the data dump by saying it related to a vulnerability in its platform it had “found and fixed” in August 2019 — dubbing the info “old data” which it also claimed had been reported on in 2019. However, as security experts were quick to point out, most people don’t change their mobile phone number often — so Facebook’s reflexive move to downplay the breach looks like an ill-thought-through attempt to deflect blame.

It’s also not clear whether all the data is ‘old’, as Facebook’s initial response suggests.

There are plenty of reasons for Facebook to try to downplay yet another data scandal. Not least because, under European Union data protection rules, there are stiff penalties for companies that fail to promptly report significant breaches to relevant authorities. And indeed for breaches themselves — as the bloc’s General Data Protection Regulation (GDPR) bakes in an expectation of security by design and default.

By pushing the claim that the leaked data is “old” Facebook may be hoping to peddle the idea that it predates the GDPR coming into application (in May 2018).

However the Irish Data Protection Commission (DPC), Facebook’s lead data supervisor in the EU, told TechCrunch that it’s not abundantly clear whether that’s the case at this point.

“The newly published dataset seems to comprise the original 2018 (pre-GDPR) dataset and combined with additional records, which may be from a later period,” the DPC’s deputy commissioner, Graham Doyle said in a statement.

“A significant number of the users are EU users. Much of the data appears to have been data scraped some time ago from Facebook public profiles,” he also said.

“Previous datasets were published in 2019 and 2018 relating to a large-scale scraping of the Facebook website which at the time Facebook advised occurred between June 2017 and April 2018 when Facebook closed off a vulnerability in its phone lookup functionality. Because the scraping took place prior to GDPR, Facebook chose not to notify this as a personal data breach under GDPR.”

Doyle said the regulator sought to establish “the full facts” about the breach from Facebook over the weekend and is “continuing to do so” — making it clear that there’s an ongoing lack of clarity on the issue, despite the breach itself being claimed as “old” by Facebook.

The DPC also made it clear that it did not receive any proactive communication from Facebook on the issue — despite the GDPR putting the onus on companies to proactively inform regulators about significant data protection issues. Rather the regulator had to approach Facebook — using a number of channels to try to obtain answers from the tech giant.

Through this approach the DPC said it learnt Facebook believes the information was scraped prior to the changes it made to its platform in 2018 and 2019 in light of vulnerabilities identified in the wake of the Cambridge Analytica data misuse scandal.

A huge database of Facebook phone numbers was found unprotected online back in September 2019.

Facebook had also earlier admitted to a vulnerability with a search tool it offered — revealing in April 2018 that somewhere between 1BN and 2BN users had had their public Facebook information scraped via a feature which allowed people to look up users by inputting a phone number or email — which is one potential source for the cache of personal data.

Last year Facebook also filed a lawsuit against two companies it accused of engaging in an international data scraping operation.

But the fallout from its poor security design choices continues to dog Facebook years after its ‘fix’.

More importantly, the fallout from the massive personal data spill continues to affect Facebook users whose information is now being openly offered for download on the Internet — opening them up to the risk of spam and phishing attacks and other forms of social engineering (such as for attempted identity theft).

There are still more questions than answers about how this “old” cache of Facebook data came to be published online for free on a hacker forum.

The DPC said it was told by Facebook that “the data at issue appears to have been collated by third parties and potentially stems from multiple sources”.

The company also claimed the matter “requires extensive investigation to establish its provenance with a level of confidence sufficient to provide your Office and our users with additional information” — which is a long way of suggesting that Facebook has no idea either.

“Facebook assures the DPC it is giving highest priority to providing firm answers to the DPC,” Doyle also said. “A percentage of the records released on the hacker website contain phone numbers and email address of users.

“Risks arise for users who may be spammed for marketing purposes but equally users need to be vigilant in relation to any services they use that require authentication using a person’s phone number or email address in case third parties are attempting to gain access.”

“The DPC will communicate further facts as it receives information from Facebook,” he added.

At the time of writing Facebook had not responded to a request for comment about the breach.

Facebook users who are concerned whether their information is in the dump can run a search for their phone number or email address via the data breach advice site, haveibeenpwned.

According to haveibeenpwned’s Troy Hunt, this latest Facebook data dump contains far more mobile phone numbers than email addresses.

He writes that he was sent the data a few weeks ago — initially getting 370M records and later “the larger corpus which is now in very broad circulation”.

“A lot of it is the same, but a lot of it is also different,” Hunt also notes, adding: “There is not one clear source of this data.”


#computer-security, #data-breach, #data-security, #european-union, #facebook, #gdpr, #general-data-protection-regulation, #social-media, #tc, #troy-hunt, #united-kingdom


Hack takes: A CISO and a hacker detail how they’d respond to the Exchange breach

The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

Don’t wait for your incident response team to take the brunt of a cyberattack on your organization.

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as possible. Disable its external connectivity to the internet to ensure the attackers cannot exfiltrate any data or communicate with other systems in the network, which is how attackers move laterally.

3. Consider deploying default/deny.

#backup, #column, #computer-security, #data-protection, #data-security, #ec-column, #ec-cybersecurity, #ec-how-to, #security, #tc


Duo goes passwordless

Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple’s Face ID or Microsoft’s Windows Hello. The infrastructure-agnostic service will go into public preview in the summer.

“Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack,” said Gee Rittenhouse, SVP and GM of Cisco’s Security Business Group. “It’s not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure.”

If you’re using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene — and to the despair of any IT department, they also keep forgetting them.

In the standard two-factor authentication scheme, the second factor is basically an extra moat around your password. Passwordless is essentially another form of two-factor authentication, but instead of passwords, it relies on cryptographic key pairs, be that with the help of a hardware security key or biometric authentication.

Duo’s passwordless service relies on the Web Authentication (WebAuthn) standard, which also ensures that the user’s authentication data is stored locally on the device and not on a centralized server.

According to Duo’s own data, we have now reached a point where the hardware is ready for passwordless, with 80 percent of mobile devices now offering support for biometrics.

“Passwordless is a journey requiring incremental changes in users and IT environments alike, not something enterprises can enable overnight,” said Wolfgang Goerlich, Advisory Chief Information Security Officer, Duo Security at Cisco. “Duo can help enterprises transition their environments and workforces securely and minimize user friction while simultaneously increasing trust in every authentication.”

#access-control, #authentication, #cisco, #computer-security, #cryptography, #microsoft-windows, #multi-factor-authentication, #password, #security-token, #svp, #tc, #work-applications


How startups can go passwordless, thanks to zero trust

“There is no doubt that over time, people are going to rely less and less on passwords… they just don’t meet the challenge for anything you really want to secure,” said Bill Gates.

That was seventeen years ago. Although passwords have lost some of their charm, they have so far survived many attempts to kill them for good.

The perception of high cost and tricky implementations has stalled some smaller businesses from ditching passwords. But alternatives to passwords are affordable, easy to implement, and safer, show industry insights gathered by Extra Crunch. The move to zero trust systems is acting as a catalyst.

First, a primer. Zero trust focuses on who you are, not where you are. Zero trust models require companies to never trust any attempt to access their network, and to verify every single time — even for logins from inside the network. Passwordless tech is a key part of zero trust models.

There are several alternatives for passwords, including:

  • Biometric authentication: widely used as fingerprint readers in smartphones and physical verification points at buildings;
  • Social media authentication: where you use your Google or Facebook IDs to authenticate you with a third-party service;
  • Multi-factor authentication: where more layers of authentication are added using devices or services, such as token authentication using a trusted device;
  • Grid authentication cards: which provide access when used in combination with a PIN;
  • Push notifications: which are usually sent to the user’s smartphone or encrypted device;
  • Digital certificates: cryptographic files stored locally on the machine or device.

Wolt, a Finnish food-delivery site, is just one example of going passwordless.

“The user registers by entering their email address or a phone number. Login to the app takes place by clicking the temporary link in the user’s inbox. The app on the user’s mobile phone places an authentication cookie, which enables the user to continue from that device without having to go through any further authentication,” said Erka Koivunen, CISO at F-Secure.

In this case, the service provider is in full control of the authentication, allowing it to set expiration time, revoke service, and detect fraud. The service provider does not need to count on the user’s commitment to keep track of their passwords.
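A minimal server-side implementation of the magic-link flow Koivunen describes, added here as an example and not Wolt’s or F-Secure’s code: tokens are single-use and time-limited, the device cookie has its own lifetime, and the provider can revoke every session for an account; the lifetimes, class and function names are assumptions.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60              # assumed: emailed link is valid for 15 minutes
SESSION_TTL_SECONDS = 30 * 24 * 3600    # assumed: device cookie lasts 30 days


@dataclass
class PendingLink:
    identifier: str        # email address or phone number the link was sent to
    expires_at: float
    used: bool = False


@dataclass
class Session:
    identifier: str
    expires_at: float
    revoked: bool = False


@dataclass
class MagicLinkService:
    """Server side of an email/SMS magic-link login (hypothetical implementation)."""
    clock: Callable[[], float] = time.time
    _links: Dict[str, PendingLink] = field(default_factory=dict)    # sha256(token) -> link
    _sessions: Dict[str, Session] = field(default_factory=dict)     # sha256(cookie) -> session

    @staticmethod
    def _digest(secret: str) -> str:
        # Only a hash of each secret is stored, so a leaked table yields no live links/cookies.
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue_link(self, identifier: str) -> str:
        """Create the unguessable token to embed in the temporary link sent to the inbox."""
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = PendingLink(
            identifier=identifier, expires_at=self.clock() + LINK_TTL_SECONDS)
        return token

    def redeem_link(self, token: str) -> Optional[str]:
        """Exchange a clicked link for a device cookie; None if unknown, expired or replayed."""
        link = self._links.get(self._digest(token))
        now = self.clock()
        if link is None or link.used or now > link.expires_at:
            return None
        link.used = True  # one click only; the same link presented again is rejected
        cookie = secrets.token_urlsafe(32)
        self._sessions[self._digest(cookie)] = Session(
            identifier=link.identifier, expires_at=now + SESSION_TTL_SECONDS)
        return cookie

    def authenticate(self, cookie: str) -> Optional[str]:
        """Return the identifier bound to a device cookie, or None if it no longer grants access."""
        session = self._sessions.get(self._digest(cookie))
        if session is None or session.revoked or self.clock() > session.expires_at:
            return None
        return session.identifier

    def revoke_all(self, identifier: str) -> int:
        """Log an account out of every device (e.g. after a fraud report); returns sessions revoked."""
        count = 0
        for session in self._sessions.values():
            if session.identifier == identifier and not session.revoked:
                session.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    svc = MagicLinkService()
    token = svc.issue_link("alice@example.com")      # constructed sample identifier
    cookie = svc.redeem_link(token)
    print("logged in as", svc.authenticate(cookie))  # prints: logged in as alice@example.com
    print("replay accepted:", svc.redeem_link(token) is not None)  # prints: replay accepted: False
```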

Passwordless tech is not inherently costly but may take some adjustment, explained Ryan Weeks, CISO at managed service provider Datto.

“It is not necessarily costly in terms of monetary investment, because there are a lot of easily accessible open-source alternatives for multi-factor authentication that don’t require any sort of investment,” said Weeks. But some companies believe passwordless tech may cause friction to their employees’ productivity.

Koivunen also dismissed that zero trust models are unaffordable for startups.

“Zero trust recognises the futility of forcing users to authenticate themselves by presenting something they should keep as secret. Instead, it prefers to establish the user’s identity using some context-aware method,” he said.

Zero trust goes further than authenticating the user alone; it also takes the device into account.

“From a zero trust perspective, there is an idea that there is a continuous authentication or revalidation of trust occurring. Therefore, passwordless in a zero trust model is potentially easier for the user and more secure as the combination of the ‘something you have’ and ‘something you are’ factors are more difficult to attack,” said Datto’s Weeks.

Larger companies, like Microsoft and Google, already offer zero trust technologies. But investors are also eyeing smaller companies that offer zero trust for growing companies.

Axis Security, a zero trust provider that allows remote employees to access their company’s network, raised $32 million last year. Beyond Identity raised $75 million in funding in December. And Israeli identity validation startup Identiq raised $47 million in Series A funding in March.

#access-control, #authentication, #bill-gates, #computer-security, #cryptography, #f-secure, #facebook, #google, #identiq, #israel, #microsoft, #multi-factor-authentication, #password, #security, #smartphones, #startups


Tools to Protect Your Digital Privacy

A few simple tools go a long way.

#computer-security, #content-type-service, #data-mining-and-database-marketing, #online-advertising, #privacy


FatFace tells customers to keep its data breach ‘strictly private’

Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.

The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with customers’ names, email and postal addresses, and the last four digits of their credit cards. “Full payment card information was not compromised,” the notice reiterated.

But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.

Under U.K. data protection law, a company must disclose a data breach within 72 hours of becoming aware of an incident, but there are no legal requirements on the customer to keep the information confidential. It didn’t take long for the company to face flak from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”

In a statement sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.” (FatFace declined to attribute the statement to a named spokesperson.)

TechCrunch obtained a near-identical email sent to its staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers — the U.K. equivalent of Social Security — compromised.

FatFace confirmed “a select number of employees, former employees and customers and providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.

#computer-security, #computing, #crisis-communications, #cybercrime, #data-breach, #data-security, #email, #information-technology, #security, #spokesperson, #united-kingdom


Facebook caught Chinese hackers using fake personas to target Uyghurs abroad

Facebook on Wednesday announced new actions to disrupt a network of China-based hackers leveraging the platform to compromise targets in the Uyghur community.

The group, known to security researchers as “Earth Empusa,” “Evil Eye” or “Poison Carp,” targeted around 500 people on Facebook, including individuals living abroad in the United States, Turkey, Syria, Australia and Canada. Through fake accounts on Facebook, the hackers posed as activists, journalists and other sympathetic figures in order to send their targets to compromised websites beyond Facebook.

Facebook’s security and cyber espionage teams began seeing the activity in 2020 and opted to disclose the threat publicly to maximize the impact on the hacking group, which has proven sensitive to public disclosures in the past.

Though Facebook says social engineering efforts on the platform are “a piece of the puzzle,” most of the hacking group’s efforts take place elsewhere online. They focus on attempts to gain access to targets’ devices with watering hole attacks and lookalike domains, including a fake Android app store offering prayer apps and Uyghur-themed keyboard downloads.

When downloaded, those fake apps infected devices using two strains of Android trojan malware, ActionSpy and PluginPhantom. On iOS devices, the hackers leveraged malware known as Insomnia.

While the hackers targeted a small number of users relative to what the company sees in disinformation operations, Facebook stressed that a small, well-chosen group of targets can result in huge impacts. “You can imagine surveillance, you can imagine a range of secondary consequences,” Facebook Head of Security Policy Nathaniel Gleicher said.

The Uyghurs are a predominantly Muslim ethnic minority in China that continues to face brutal repression from the Chinese government, including being forced into labor camps in the country’s Xinjiang province.

Facebook declined to link what it observed to the Chinese government, saying that it defers to the broader security community to make those determinations when it lacks the technical indicators to do so itself. Researchers believe that adjacent hacking campaigns are Beijing’s efforts to extend its surveillance of communities it already subjugates within China’s bounds.

#beijing, #china, #computer-security, #cybercrime, #facebook, #malware, #security, #social-engineering, #spyware, #tc, #trojan-horse


Five Tech Commandments to a Safer Digital Life

We can survive a world of ever-changing tech if we remember these principles.

#computer-security, #computers-and-the-internet, #content-type-service, #cyberattacks-and-hackers, #mobile-applications, #smartphones


Roll still doesn’t know how its hot wallet was hacked

Move fast, break things, get hacked.

That’s what happened at Roll, the social currency platform that allows creators to mint and distribute their own Ethereum-based cryptocurrency known as social tokens. Last week, Roll disclosed a hacker had stolen $5.7 million from its hot wallet, a little over a year after the company launched.

Roll set up a $500,000 fund to help creators recoup their losses, and the company promised to hire a third-party to audit its security infrastructure.

But the company has so far been unable to contract with security investigators to probe the breach, leaving the startup to look for clues itself. A week has passed since the breach, and the social currency startup says it still doesn’t know how the hacker broke in or stole its private keys.

In a call with TechCrunch this week, Roll executives confirmed its infrastructure never underwent a security audit, a process designed to help find and fix vulnerabilities, prior to its launch.

“We weren’t ready from a security standpoint,” said Roll CEO Bradley Miles.

“This incident was a big setback for us, we will revamp a lot of infrastructure around this that we have in place to prevent something like this from happening again,” said Roll’s chief technology officer Sid Kalla, who oversees cybersecurity because the company does not have dedicated staff.

The executives said while its smart contracts — the technology that underpins the blockchain — were audited by a third-party firm, the rest of the company’s infrastructure was never stress-tested.

“That was a shortcoming on our end, and we should have done this earlier,” said Kalla.

The emptying of Roll’s hot wallet comes as social currency climbs to new levels of popularity. Roll has netted high-profile creators like actor Terry Crews, along with hundreds of other social currencies on the platform, many of which plummeted in value after the hot wallet was hacked.

Some of the larger social currencies, like $WHALE, bounced back fairly quickly after the breach of Roll’s hot wallet. A month earlier, $WHALE “serendipitously withdrew” a large amount of its supply to its cold wallets, which aren’t connected to the internet, in anticipation of community distributions. The social currencies that had such measures in place showed some resilience against the hack.

After the company realized its hot wallet was emptied, it spent the first two days following the money trail. Miles said the company engaged the blockchain forensics firm Chainalysis for help. The company said it was looking at its logs but has not seen any anomalous logins. Roll uses Amazon’s cloud for its infrastructure; only a handful of employees have access to the private keys, and their accounts are secured with app-based authentication codes, said Kalla.

“We’re a young company, we’re growing extraordinarily quickly,” said Miles, who admitted that the company’s response “could have been better.”

“There’s no scenario in which you can lose that kind of money and not bring in incident response,” said Jake Williams, founder of cybersecurity firm Rendition Infosec. “The idea that you would try to do a DIY incident response, especially if it’s not your core capability, is just ridiculous.”

“To rebuild trust, the company has to come clean on where the failures were at,” said Williams, a former NSA hacker turned incident responder.

Roll is rebuilding its infrastructure, but did not give a timeline for when the work would be completed. The company said it won’t allow users to make withdrawals until it’s confident that its infrastructure is secure. The company says it will engage a security company to audit the changes to its infrastructure. Roll also said it will reduce how many tokens it holds in its hot wallet.

Miles said the company’s relief fund for creators was raised to $750,000, which he said will go directly to affected communities. The company also plans to hire a dedicated chief information security officer when its next financing round closes.


Carmakers Strive to Stay Ahead of Hackers

The effects of a breach of a car, or fleet, could be devastating. Auto manufacturers and suppliers have aggressive plans, and a lot of firewalls.


Vulcan Cyber raises $21M Series B for its vulnerability remediation platform

Tel Aviv-based Vulcan Cyber, a cybersecurity startup that helps businesses prioritize and fix security vulnerabilities, today announced that it has raised a $21 million Series B funding round led by Dawn Capital. Wipro Ventures and existing investors YL Ventures and Ten Eleven Ventures also participated in this round. The company says it will use the new funding to roll out new remediation solutions and launch a free risk-based vulnerability management platform under the Vulcan Free moniker.

With this new round, Vulcan Cyber’s total funding to date is now $35 million. The company says it saw 500% growth in annual recurring revenue and new customer account metrics in 2020, with each customer account typically having between 10 and 100 users on the platform.


The company’s emphasis has always been on not just warning its customers about potential vulnerabilities but also helping them prioritize those vulnerabilities based on the severity of the risk and the threat to a company’s business assets. Security teams, after all, are often overwhelmed by alerts, and not every vulnerability a scanner reports is a high-priority risk for a business. The promise of Vulcan Cyber’s platform is that it helps these teams figure out where to best focus their resources.

While the funding is the headline news today, Vulcan’s new free offering is also worth a closer look.

“Cybersecurity pros have used open-source vulnerability scanners like Nessus for almost two decades. More recently, vulnerability management programs have used risk-based vulnerability management tools to prioritize scan results to determine specific risk to the business and focus the remediation effort. The scan and prioritize functions are fundamental, necessary elements of any mature remediation program,” Yaniv Bar-Dayan, Vulcan Cyber’s CEO and co-founder, said about the new free offering. “But now the industry has a free vulnerability prioritization engine to complement the scanners. This round of funding allows us to provide the Vulcan Free service to the cybersecurity industry to help businesses achieve cyber hygiene. This move shifts the economics of our market and will push CISOs and CIOs to dedicate more budget and resources not just on simple scan and prioritize paper pushing, but on driving actual remediation outcomes. We hope this will help the industry get fix done more effectively.”

With this new free offering, Vulcan’s freemium portfolio now includes Vulcan Free, which provides some of the company’s core prioritization and vulnerability management features, and its existing free vulnerability intelligence database.


2 Win Abel Prize for Work That Bridged Math and Computer Science

Avi Wigderson and László Lovász will share the annual prize that aims to be something like the Nobel for mathematics.


Netflix Tests a Clampdown on Password Sharing

The company said a feature was being tested with a limited number of users, a move that might signal a broader crackdown on the common practice of password sharing among family and friends.


Hackers are exploiting vulnerable Exchange servers to drop ransomware, Microsoft says

Hackers are exploiting recently discovered vulnerabilities in Exchange email servers to drop ransomware, Microsoft has warned, a move that puts tens of thousands of email servers at risk of destructive attacks.

In a tweet late Thursday, the tech giant said it had detected a new kind of file-encrypting malware called DoejoCrypt — or DearCry — which uses the same four vulnerabilities that Microsoft linked to a new China-backed hacking group called Hafnium.

When chained together, the vulnerabilities allow a hacker to take full control of a vulnerable system.

Microsoft said Hafnium was the “primary” group exploiting these flaws, likely for espionage and intelligence gathering. But other security firms say they’ve seen other hacking groups exploit the same flaws. ESET said at least 10 groups are actively compromising Exchange servers.

Michael Gillespie, a ransomware expert who develops ransomware decryption tools, said many vulnerable Exchange servers in the U.S., Canada, and Australia had been infected with DearCry.

The new ransomware comes less than a day after a security researcher published proof-of-concept exploit code for the vulnerabilities to Microsoft-owned GitHub. The code was swiftly removed a short time later for violating the company’s policies.

Marcus Hutchins, a security researcher at Kryptos Logic, said in a tweet that the code worked, albeit with some fixes.

Threat intelligence company RiskIQ says it has detected over 82,000 vulnerable servers as of Thursday, but that the number is declining. The company said hundreds of servers belonging to banks and healthcare companies are still affected, as well as more than 150 servers in the U.S. federal government.

That’s a rapid drop compared to close to 400,000 vulnerable servers when Microsoft first disclosed the vulnerabilities on March 2, the company said.

Microsoft published security fixes last week, but the patches do not expel the hackers from already-breached servers. Both the FBI and CISA, the federal government’s cybersecurity advisory unit, have warned that the vulnerabilities present a major risk to businesses across the United States.

John Hultquist, vice president of analysis at FireEye’s Mandiant threat intelligence unit, said he anticipates more ransomware groups trying to cash in.

“Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” said Hultquist.


America’s small businesses face the brunt of China’s Exchange server hacks

As the U.S. reportedly readies for retaliation against Russia for hacking into some of the government’s most sensitive federal networks, the U.S. is facing another old adversary in cyberspace: China.

Microsoft last week revealed a new hacking group it calls Hafnium, which operates in, and is backed by, China. Hafnium used four previously unreported vulnerabilities — or zero-days — to break into at least tens of thousands of organizations running vulnerable Microsoft Exchange email servers and steal email mailboxes and address books.

It’s not clear what Hafnium’s motives are. Some liken the activity to espionage — a nation-state gathering intelligence or industrial secrets from larger corporations and governments.

But what makes this particular hacking campaign so damaging is not only the ease with which the flaws can be exploited, but also how many — and how widespread — the victims are.

Security experts say the hackers automated their attacks by scanning the internet for vulnerable servers, hitting a broad range of targets and industries — law firms and policy think tanks, but also defense contractors and infectious disease researchers. Schools, religious institutions, and local governments are among the victims running vulnerable Exchange email servers and caught up by the Hafnium attacks.

While Microsoft has published patches, the U.S. federal cybersecurity advisory agency CISA said the patches only fix the vulnerabilities — and won’t close any backdoors left behind by the hackers.

There is little doubt that larger, well-resourced organizations have a better shot at investigating if their systems were compromised, allowing those victims to prevent further infections, like destructive malware or ransomware.

But that leaves the smaller, rural victims largely on their own to investigate if their networks were breached.

“The types of victims we have seen are quite diverse, many of whom outsource technical support to local IT providers whose expertise is in deploying and managing IT systems, not responding to cyber threats,” said Matthew Meltzer, a security analyst at Volexity, a cybersecurity firm that helped to identify Hafnium.

Without the budget for cybersecurity, victims can always assume they are compromised – but that doesn’t equate to knowing what to do next. Patching the flaws is just one part of the recovery effort. Cleaning up after the hackers will be the most challenging part for smaller businesses that may lack the cybersecurity expertise.

It’s also a race against the clock to prevent other malicious hackers from discovering or using the same vulnerabilities to spread ransomware or launch destructive attacks. Both Red Canary and Huntress said they believe hacking groups beyond Hafnium are exploiting the same vulnerabilities. ESET said at least ten groups were also exploiting the same server flaws.

Katie Nickels, director of intelligence at threat detection firm Red Canary, said there is “clearly widespread activity” exploiting these Exchange server vulnerabilities, but that fewer of the exploited servers have seen follow-on activity beyond the initial compromise.

“Cleaning up the initial web shells will be much easier for the average IT administrator than it would be to investigate follow-on activity,” said Nickels.

Microsoft has published guidance on what administrators can do, and CISA has both advice and a tool that helps to search server logs for evidence of a compromise. And in a rare statement, the White House’s National Security Council warned that patching alone “is not remediation,” and urged businesses to “take immediate measures.”

How that advice trickles down to smaller businesses will be watched carefully.

Cybersecurity expert Runa Sandvik said many victims, including the mom-and-pop shops, may not even know they are affected, and even if they realize they are, they’ll need step-by-step guidance on what to do next.

“Defending against a threat like this is one thing, but investigating a potential breach and evicting the actor is a larger challenge,” said Sandvik. “Companies have people who can install patches — that’s the first step — but figuring out if you’ve been breached requires time, tools, and logs.”

Security experts say Hafnium primarily targets U.S. businesses, but that the attacks are global. Europe’s banking authority is one of the largest organizations to confirm its Exchange email servers were compromised by the attack.

Norway’s national security authority said that it has “already seen exploitation of these vulnerabilities” in the country and that it would scan for vulnerable servers across Norway’s internet space to notify their owners. Slovenia’s cybersecurity response unit, known as SI-CERT, said in a tweet that it too had notified potential victims in its internet space.

Sandvik said the U.S. government and private sector could do more to better coordinate the response, given the broad reach into U.S. businesses. CISA proposed new powers in 2019 to allow the agency to subpoena internet providers to identify the owners of vulnerable and unpatched systems. The agency just received those new powers in the government’s annual defense bill in December.

“Someone needs to own it,” said Sandvik.



Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China

The hackers started their attack in January but escalated their efforts in recent weeks, security experts say. Business and government agencies affected.


Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, allowing the attackers to steal data from a victim’s organization — such as email accounts and address books — and to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable servers running on-premises Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.

Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”


A Spreadsheet of China’s Censorship Shows the Human Toll

An online spreadsheet with an anonymous minder tabulates Xi Jinping’s crackdown on speech.


After Russian Cyberattack, Looking for Answers and Debating Retaliation

Key senators and corporate executives warned at a hearing on Tuesday that the “scope and scale” of the hacking of government agencies and companies, the most sophisticated in history, were still unclear.


SolarWinds hackers targeted NASA, Federal Aviation Administration networks

Hackers are said to have broken into the networks of U.S. space agency NASA and the Federal Aviation Administration as part of a wider espionage campaign targeting U.S. government agencies and private companies.

The two agencies were named by the Washington Post on Tuesday, hours ahead of a Senate Intelligence Committee hearing tasked with investigating the widespread cyberattack, which the previous Trump administration said was “likely Russian in origin.”

Spokespeople for the agencies did not immediately respond to a request for comment, but did not deny the breach in remarks to the Post.

It’s believed NASA and the FAA are the two remaining unnamed agencies of the nine government agencies confirmed to have been breached by the attack. The other seven include the Departments of Commerce, Energy, Homeland Security, Justice, and State, the Treasury, and the National Institutes of Health, though it’s not believed the attackers breached their classified networks.

FireEye, Microsoft, and Malwarebytes were among a number of cybersecurity companies also breached as part of the attacks.

The Biden administration is reportedly preparing sanctions against Russia, in large part because of the hacking campaign, the Post also reported.

The attacks were discovered last year after FireEye raised the alarm about the hacking campaign after its own network was breached. Each victim was a customer of the U.S. software firm SolarWinds, whose network management tools are used across the federal government and Fortune 500 companies. The hackers broke into SolarWinds’ network, planted a backdoor in its software, and pushed the backdoor to customer networks with a tainted software update.

It wasn’t the only way in. The hackers are also said to have targeted other companies by breaking into other devices and appliances on their victims’ networks, as well as targeting Microsoft vendors to breach other customers’ networks.

Last week, Anne Neuberger, the former NSA cybersecurity director who last month was elevated to the White House’s National Security Council to serve as the deputy national security adviser for cyber and emerging technology, said that the attack took “months to plan and execute,” and will “take us some time to uncover this layer by layer.”
