Web host Epik was warned of a critical website bug weeks before it was hacked

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms.

In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials, and employee mailboxes. The cache of stolen data also contains files from the company’s internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February.

Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.”

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had as doing so would be illegal.
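The bug class Leo describes, a value typed into the WHOIS form reaching a command line on the server, as an added example that is not Epik's code: the page does not name the PDF library, so the report tool below is a hypothetical placeholder and no real tool or CVE is implied. The vulnerable shape interpolates the domain into a shell string; the hardened shape rejects anything that is not a domain name and hands the value to the tool as one argv element so no shell ever parses it.

```python
import re
import shlex

# Hypothetical report command, used only for illustration.
REPORT_TOOL = "whois-report-to-pdf"

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """Strict allowlist: the only thing a WHOIS lookup form should accept."""
    if not 1 < len(name) <= 253:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def build_report_cmd_unsafe(domain):
    """Vulnerable shape: user input interpolated into a shell command string.
    Any shell separator in the input (; | && ...) starts a second command that
    runs with the web server's privileges, unauthenticated."""
    return f"{REPORT_TOOL} --domain {domain} --out /tmp/report.pdf"


def shell_commands_in(cmdline):
    """Approximate how /bin/sh would split a command line into separate
    commands at ; | || && (enough to show the injection, not a full parser)."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for token in lex:
        if token in (";", "|", "||", "&&"):
            commands.append(" ".join(current))
            current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


def build_report_argv_safe(domain):
    """Hardened shape: validate first, then build an argv list for
    subprocess.run(argv) (shell=False). The domain is a single argument,
    never shell-parsed, and anything outside the allowlist is refused."""
    if not is_valid_domain(domain):
        raise ValueError(f"rejected WHOIS input: {domain!r}")
    return [REPORT_TOOL, "--domain", domain, "--out", "/tmp/report.pdf"]


def is_rejected(domain):
    """True when the hardened builder refuses the input."""
    try:
        build_report_argv_safe(domain)
    except ValueError:
        return True
    return False
```

The allowlist is the check worth keeping even when the PDF library itself is patched: a registrar's WHOIS endpoint only ever needs a syntactically valid domain name, so anything else can be dropped before it reaches any library at all.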

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability and the server had access to other servers, databases or systems on the network, that foothold could have led to the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, which confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

#8chan, #computer-security, #computing, #cyberspace, #cyberwarfare, #epik, #gab, #parler, #rob-monster, #security, #texas, #world-wide-web

Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Artificial intelligence and machine learning now make it possible to share data, information and knowledge securely while preserving privacy. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.

#column, #computer-security, #crime, #cybercrime, #machine-learning, #malware, #open-source-software, #ransomware, #security, #security-breaches, #tc

Don’t get Bezosed

A spyware flaw, Elizabeth Holmes and my latest Facebook alert.

#bush-cori, #carreyrou-john, #computer-security, #cyberattacks-and-hackers, #internal-sub-only, #surveillance-of-citizens-by-government, #wearable-computing

Apple Security Update Closes Spyware Flaw in iPhones, Macs and Apple Watches

Researchers at Citizen Lab found that NSO Group, an Israeli spyware company, had infected Apple products without so much as a click.

#ahmed-azam, #amnesty-international, #apple-inc, #citizen-lab, #computer-security, #computers-and-the-internet, #cyberattacks-and-hackers, #cyberwarfare-and-defense, #defective-products, #hubbard-ben, #human-rights-and-human-rights-violations, #iphone, #israel, #mohammed-bin-salman-1985, #nso-group, #privacy, #signal-open-whisper-systems, #software, #text-messaging, #university-of-toronto

BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk

BitSight, a startup that assesses the likelihood that an organization will be breached, has received a $250 million investment from credit rating giant Moody’s, and acquired Israeli cyber risk assessment startup VisibleRisk for an undisclosed sum.

Boston-based BitSight says the investment from Moody’s, which has long warned that cyber risk can impact credit ratings, will enable it to create a cybersecurity risk platform, while the credit ratings giant said it plans to make use of BitSight’s cyber risk data and research across its integrated risk assessment product offerings.

The investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s president and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

Meanwhile, BitSight’s purchase of VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, brings in-depth cyber risk assessment capabilities to BitSight’s platform, enabling the startup to better analyze and calculate an organization’s financial exposure to cyber risk. VisibleRisk, which has raised $25 million to date, says its so-called “cyber ratings” are based on cyber risk quantification, which allows companies to benchmark their cyber risk against those of their peers, and to better understand and manage the impact of cyber threats to their businesses.

Following the acquisition, BitSight will also create a risk solutions division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, C-suite executives, and boards of directors. This division will be led by VisibleRisk co-founder and CEO Derek Vadala, who previously headed up Moody’s cyber risk group.

Steve Harvey, president and CEO of BitSight, said the company’s partnership with Moody’s and its acquisition of VisibleRisk will expand its reach to “help customers manage cyber risk in an increasingly digital world.”

BitSight was founded in 2011 and has raised a total of $155 million in outside funding, most recently closing a $60 million Series D round led by Warburg Pincus. The startup has just shy of 500 employees and more than 2,300 global customers, including government agencies, insurers and asset managers. 

#articles, #boston, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #leader, #risk, #risk-analysis, #risk-management, #safety, #security, #team8, #warburg-pincus

Rezilion raises $30M to help security operations teams with tools to automate their busywork

Security operations teams face a daunting task these days, fending off malicious hackers and their increasingly sophisticated approaches to cracking into networks. That also represents a gap in the market: building tools to help those security teams do their jobs. Today, an Israeli startup called Rezilion that is doing just that — building automation tools for DevSecOps, the area of IT that addresses the needs of security teams and the technical work that they need to do in their jobs — is announcing $30 million in funding.

Guggenheim Investments is leading the round with JVP and Kindred Capital also contributing. Rezilion said that unnamed executives from Google, Microsoft, CrowdStrike, IBM, Cisco, PayPal, JP Morgan Chase, Nasdaq, eBay, Symantec, RedHat, RSA and Tenable are also in the round. Previously, the company had raised $8 million.

Rezilion’s funding is coming on the back of strong initial growth for the startup in its first two years of operations.

Its customer base is made up of some of the world’s biggest companies, including two of the “Fortune 10” (the top 10 of the Fortune 500). CEO Liran Tancman, who co-founded Rezilion with CTO Shlomi Boutnaru, said that one of those two is one of the world’s biggest software companies, and the other is a major connected device vendor, but he declined to say which. (For the record, the top 10 includes Amazon, Apple, Alphabet/Google, Walmart and CVS.)

Tancman and Boutnaru had previously co-founded another security startup, CyActive, which was acquired by PayPal in 2015; the pair worked there together until leaving to start Rezilion.

There are a lot of tools out in the market now to help automate different aspects of developer and security operations. Rezilion focuses on a specific part of DevSecOps: large businesses have over the years put in place a lot of processes that they need to follow to try to triage and make the most thorough efforts possible to detect security threats. Today, that might involve inspecting every single suspicious piece of activity to determine what the implications might be.

The problem is that with the volume of information coming in, taking the time to inspect and understand each piece of suspicious activity can put enormous strain on an organization: it’s time-consuming, and as it turns out, not the best use of that time because of the signal to noise ratio involved. Typically, each vulnerability can take 6-9 hours to properly investigate, Tancman said. “But usually about 70-80% of them are not exploitable,” meaning they may be bad for some, but not for this particular organization and the code it’s using today. That represents a very inefficient use of the security team’s time and energy.

“Eight out of ten patches tend to be a waste of time,” Tancman said of the approach that is typically made today. He believes that as its AI continues to grow and its knowledge and solution becomes more sophisticated, “it might soon be 9 out of 10.”

Rezilion has built a taxonomy and an AI-based system that essentially does that inspection work as a human would do: it spots any new, or suspicious, code, figures out what it is trying to do, and runs it against a company’s existing code and systems to see how and if it might actually be a threat to it or create further problems down the line. If it’s all good, it essentially whitelists the code. If not, it flags it to the team.

The stickiness of the product has come out of how Tancman and Boutnaru understand large enterprises, especially those heavy with technology stacks, operate these days in what has become a very challenging environment for cybersecurity teams.

“They are using us to accelerate their delivery processes while staying safe,” Tancman said. “They have strict compliance departments and have to adhere to certain standards,” in terms of the protocols they take around security work, he added. “They want to leverage DevOps to release that.”

He said Rezilion has generally won over customers in large part for simply understanding that culture and process and helping them work better within that: “Companies become users of our product because we showed them that, at a fraction of the effort, they can be more secure.” This has special resonance in the world of tech, although financial services, and other verticals that essentially leverage technology as a significant foundation for how they operate, are also among the startup’s user base.

Down the line, Rezilion plans to add remediation and mitigation into the mix to further extend what it can do with its automation tools, which is part of where the funding will be going, too, Boutnaru said. But he doesn’t believe it will ever replace the human in the equation altogether.

“It will just focus them on the places where you need more human thinking,” he said. “We’re just removing the need for tedious work.”

In that grand tradition of enterprise automation, then, it will be interesting to watch which other automation-centric platforms might make a move into security alongside the other automation they are building. For now, Rezilion is carving out an interesting enough area for itself to get investors interested.

“Rezilion’s product suite is a game changer for security teams,” said Rusty Parks, senior MD of Guggenheim Investments, in a statement. “It creates a win-win, allowing companies to speed innovative products and features to market while enhancing their security posture. We believe Rezilion has created a truly compelling value proposition for security teams, one that greatly increases return on time while thoroughly protecting one’s core infrastructure.”

#agile-software-development, #alphabet, #amazon, #apple, #articles, #artificial-intelligence, #automation, #ceo, #cisco, #computer-security, #crowdstrike, #cto, #cyactive, #devops, #ebay, #energy, #entrepreneurship, #europe, #financial-services, #funding, #google, #ibm, #jp-morgan-chase, #kindred-capital, #maryland, #microsoft, #paypal, #security, #software, #software-development, #startup-company, #symantec, #technology

What China’s new data privacy law means for US tech firms

China enacted a sweeping new data privacy law on August 20 that will dramatically impact how tech companies can operate in the country. Officially called the Personal Information Protection Law of the People’s Republic of China (PIPL), the law is the first national data privacy statute passed in China.

Modeled after the European Union’s General Data Protection Regulation, the PIPL imposes protections and restrictions on data collection and transfer that companies both inside and outside of China will need to address. It is particularly focused on apps using personal information to target consumers or offer them different prices on products and services, and preventing the transfer of personal information to other countries with fewer protections for security.

The PIPL, slated to take effect on November 1, 2021, does not give companies a lot of time to prepare. Those that already follow GDPR practices, particularly if they’ve implemented it globally, will have an easier time complying with China’s new requirements. But firms that have not implemented GDPR practices will need to consider adopting a similar approach. In addition, U.S. companies will need to consider the new restrictions on the transfer of personal information from China to the U.S.

Implementation and compliance with the PIPL is a much more significant task for companies that have not implemented GDPR principles.

Here’s a deep dive into the PIPL and what it means for tech firms:

New data handling requirements

The PIPL introduces perhaps the most stringent set of requirements and protections for data privacy in the world (this includes special requirements relating to processing personal information by governmental agencies that will not be addressed here). The law broadly relates to all kinds of information, recorded by electronic or other means, related to identified or identifiable natural persons, but excludes anonymized information.

The following are some of the key new requirements for handling people’s personal information in China that will affect tech businesses:

Extra-territorial application of the China law

Historically, Chinese regulations have only been applied to activities inside the country. The PIPL is similar in applying the law to personal information handling activities within Chinese borders. However, similar to GDPR, it also expands its application to the handling of personal information outside China if the following conditions are met:

  • Where the purpose is to provide products or services to people inside China.
  • Where analyzing or assessing activities of people inside China.
  • Other circumstances provided in laws or administrative regulations.

For example, if you are a U.S.-based company selling products to consumers in China, you may be subject to the China data privacy law even if you do not have a facility or operations there.

Data handling principles

The PIPL introduces principles of transparency, purpose and data minimization: Companies can only collect personal information for a clear, reasonable and disclosed purpose, and to the smallest scope for realizing the purpose, and retain the data only for the period necessary to fulfill that purpose. Any information handler is also required to ensure the accuracy and completeness of the data it handles to avoid any negative impact on personal rights and interests.

#asia, #china, #column, #computer-security, #data-protection, #data-security, #ec-china, #ec-column, #ec-east-asia, #encryption, #european-union, #general-data-protection-regulation, #government, #internet, #iphone, #privacy, #tc

Titanfall 2 video game allegedly hacked via “simple exploit”

Knifin' around. Cutcutcutcutcutcutcutcut.

Popular first-person shooter video game Titanfall 2 has been rumored to have a severe security vulnerability that has been exploited.

The reports of the game having been hacked started circulating on Twitter after Titanfall 2 community members, including Leon Benkovic, were seen urging players to uninstall the game.

Gamers allege that the vulnerability lets attackers gain local code execution abilities from Respawn’s servers, affecting Titanfall 2 players on all platforms—Windows, PlayStation, and Xbox.


#computer-security, #electronic-arts, #exploit, #gaming-culture, #hacked, #respawn-entertainment, #tech, #titanfall-2, #video-game, #vulnerability

Meet the Freedom Phone, a Smartphone for Conservatives

A 22-year-old Bitcoin millionaire wants Republicans to ditch their iPhones for a low-end handset that he hopes to turn into a political tool.

#apple-inc, #bitcoin-currency, #censorship, #computer-security, #computers-and-the-internet, #conservatism-us-politics, #finman-erik, #freedom-of-speech-and-expression, #gab-ai-inc, #google-inc, #parler-llc, #politics-and-government

SEC fines brokerage firms over email hacks that exposed client data

The U.S. Securities and Exchange Commission has fined several brokerage firms a total of $750,000 for exposing the sensitive personally identifiable information of thousands of customers and clients after hackers took over employee email accounts.

A total of eight entities belonging to three companies have been sanctioned by the SEC, including Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors), and KMS Financial Services.

In a press release, the SEC announced that it had sanctioned the firms for failures in their cybersecurity policies and procedures that allowed hackers to gain unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients at each firm.

In the case of Cetera, the SEC said that cloud-based email accounts of more than 60 employees were infiltrated by unauthorized third parties for more than three years, exposing at least 4,388 clients’ personal information.

The order states that none of the accounts featured the protections required by Cetera’s policies, and the SEC also charged two of the Cetera entities with sending breach notifications to clients containing “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”

The SEC’s order against Cambridge concludes that the personal information exposure of at least 2,177 Cambridge customers and clients was the result of lax cybersecurity practices at the firm. 

“Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information,” the SEC said. 

The order against KMS is similar; the SEC’s order states that the data of almost 5,000 customers and clients were exposed as a result of the company’s failure to adopt written policies and procedures requiring additional firm-wide security measures until May 2020. 

“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

All of the parties agreed to resolve the charges and to not commit future violations of the charged provisions, without admitting or denying the SEC’s findings. As part of the settlements, Cetera will pay a penalty of $300,000, while Cambridge and KMS will pay fines of $250,000 and $200,000 respectively.  

Cambridge told TechCrunch that it does not comment on regulatory matters, but said it has and does maintain a comprehensive information security group and procedures to ensure clients’ accounts are fully protected. Cetera and KMS have yet to respond.

This latest action by the SEC comes just weeks after the Commission ordered London-based publishing and education giant Pearson to pay a $1 million fine for misleading investors about a 2018 data breach at the company.

#chief, #computer-security, #data-breach, #data-security, #security

How G.O.P. Election Reviews Created a New Security Threat

As Republicans continue to challenge the 2020 results, voting equipment is being compromised when partisan insiders and unvetted operatives gain access.

#computer-security, #computers-and-the-internet, #conspiracy-theories, #dominion-voting-systems-corp, #infrastructure-public-works, #presidential-election-of-2020, #republican-party, #rumors-and-misinformation, #state-legislatures, #trump-donald-j, #united-states-politics-and-government, #voting-and-voters, #voting-machines

A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give to companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not say which specific claims were false or whether Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking whether the request is legitimate. The researchers said that anyone who knows a homeowner’s email address can ask the server for the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm,” because the frames are sent in the clear and nothing in them distinguishes a fresh button press from a recorded one.
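Why a recorded “disarm” frame keeps working, and what a fob design that resists replay looks like, as an added example that is not Fortress firmware or Rapid7’s tooling. The static system models a fob that transmits identical bytes on every press; the rolling-code system is a hypothetical hardened design in which fob and panel share a secret key and a counter, each frame carries the counter plus an HMAC over (action, counter), and the panel accepts only counters it has not yet seen. The replay scenario and the 16-byte key are constructed.

```python
import hashlib
import hmac
import secrets

ACTIONS = {"arm": 1, "disarm": 2}


class StaticFobSystem:
    """Fob sends the same bytes for every press: no key, no counter.
    Anyone who records one frame with an SDR can resend it forever."""

    def __init__(self):
        self.armed = False

    def fob_press(self, action):
        return bytes([ACTIONS[action]])

    def receiver(self, frame):
        if len(frame) != 1 or frame[0] not in ACTIONS.values():
            return False
        self.armed = frame[0] == ACTIONS["arm"]
        return True


class RollingCodeSystem:
    """Frame layout: 1-byte action | 4-byte counter | 8-byte HMAC tag.
    The panel remembers the highest counter it accepted and rejects anything
    at or below it, so a replayed frame is dead the moment it has been used."""

    WINDOW = 16  # missed presses the panel tolerates before fob and panel desync

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(16)  # constructed shared secret
        self.fob_counter = 0
        self.panel_counter = 0
        self.armed = False

    def _tag(self, action_code, counter):
        msg = bytes([action_code]) + counter.to_bytes(4, "big")
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]

    def fob_press(self, action):
        self.fob_counter += 1
        code = self.fob_counter
        return bytes([ACTIONS[action]]) + code.to_bytes(4, "big") + self._tag(ACTIONS[action], code)

    def receiver(self, frame):
        if len(frame) != 13:
            return False
        action_code = frame[0]
        counter = int.from_bytes(frame[1:5], "big")
        tag = frame[5:]
        # Authenticity first: a forged or bit-flipped frame never reaches the counter check.
        if not hmac.compare_digest(tag, self._tag(action_code, counter)):
            return False
        # Freshness: strictly newer than the last accepted counter, within the window.
        if not self.panel_counter < counter <= self.panel_counter + self.WINDOW:
            return False
        self.panel_counter = counter
        self.armed = action_code == ACTIONS["arm"]
        return True


def replay_attack(system):
    """Attacker records the owner's 'disarm' frame, the owner re-arms the house,
    the attacker replays the recording. Returns True if the replay disarmed it."""
    recorded = system.fob_press("disarm")
    system.receiver(recorded)
    system.receiver(system.fob_press("arm"))
    accepted = system.receiver(recorded)
    return accepted and not system.armed
```

The counter is what closes the replay hole, the HMAC is what stops an attacker from simply incrementing it; encryption alone, without either, would still leave a recorded ciphertext replayable. The window constant is the usual trade-off: presses made out of range of the panel are lost, and a real product needs a resync procedure for a fob that has drifted past it.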

Rapid7 researcher Arvind Vishwakarma said homeowners could register the system under a plus-tagged email address containing a long, unique string of letters and numbers, which works as a stand-in for a password because the API keys on the email address alone. But there was little homeowners could do about the radio signal bug until Fortress addresses it.

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.

#api, #computer-security, #cryptography, #cyberwarfare, #hacking, #law, #massachusetts, #password, #rapid7, #security, #software-testing, #vulnerability

Big Tech pledges billions to bolster U.S. cybersecurity defenses

Tech giants Apple, Google and Microsoft have pledged billions to bolster U.S. cybersecurity following a meeting with President Joe Biden at the White House on Wednesday.

The meeting, which also included attendees from the financial and education sectors, was held following months of high-profile cyberattacks against critical infrastructure and several U.S. government agencies, along with a glaring cybersecurity skills gap; according to data from CyberSeek, there are currently almost 500,000 cybersecurity jobs across the U.S. that remain unfilled.

“Most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said at the start of the meeting. “I’ve invited you all here today because you have the power, the capacity and the responsibility, I believe, to raise the bar on cybersecurity.”

In order to help the U.S. in its fight against a growing number of cyberattacks, Big Tech pledged to invest billions of dollars to strengthen cybersecurity defenses and to train skilled cybersecurity workers.

Apple has vowed to work with its 9,000-plus suppliers in the U.S. to drive “mass adoption” of multi-factor authentication and security training, according to the White House, as well as to establish a new program to drive continuous security improvements throughout the technology supply chain.

Google said it will invest more than $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and to enhance open source security. The search and ads giant has also pledged to train 100,000 Americans in fields like IT support and data analytics, learning in-demand skills including data privacy and security.

“Robust cybersecurity ultimately depends on having the people to implement it,” said Kent Walker, Google’s global affairs chief. “That includes people with digital skills capable of designing and executing cybersecurity solutions, as well as promoting awareness of cybersecurity risks and protocols among the broader population.”

And, Microsoft said it’s committing $20 billion to integrate cybersecurity by design and deliver “advanced security solutions.” It also announced that it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.

Other attendees included Amazon Web Services (AWS), Amazon’s cloud computing arm, and IBM. The former has said it will make its security awareness training available to the public and equip all AWS customers with hardware multi-factor authentication devices, while IBM said it will help to train more than 150,000 people in cybersecurity skills over the next five years.

Many have welcomed Big Tech’s commitments; David Carroll, managing director at Nominet Cyber, told TechCrunch that these latest initiatives set a “powerful precedent” and show “the gloves are well and truly off.” But some within the cybersecurity industry remain skeptical.

Following the announcement, some infosec veterans noted that many of the vacant cybersecurity jobs the U.S. is looking to fill offer uncompetitive salaries and few, if any, benefits.

“So 500,000 open cybersecurity jobs and almost that same amount or more looking for jobs,” said Khalilah Scott, founder of TechSecChix, a foundation for supporting women in technology, in a tweet. “Make it make sense.”

#amazon, #apple, #computer-security, #cyberattack, #google, #government, #malware, #microsoft, #president, #security, #u-s-government, #united-states

Monad emerges from stealth with $17M to solve the cybersecurity big data problem

Cloud security startup Monad, which offers a platform for extracting and connecting data from various security tools, has launched from stealth with $17 million in Series A funding led by Index Ventures. 

Monad was founded on the belief that enterprise cybersecurity is a growing data management challenge, as organizations try to understand and interpret the masses of information that’s siloed within disconnected logs and databases. Once an organization has extracted data from their security tools, Monad’s Security Data Platform enables them to centralize that data within a data warehouse of choice, and normalize and enrich the data so that security teams have the insights they need to secure their systems and data effectively.

“Security is fundamentally a big data problem,” said Christian Almenar, CEO and co-founder of Monad. “Customers are often unable to access their security data in the streamlined manner that DevOps and cloud engineering teams need to build their apps quickly while also addressing their most pressing security and compliance challenges. We founded Monad to solve this security data challenge and liberate customers’ security data from siloed tools to make it accessible via any data warehouse of choice.”

The startup’s Series A funding round, which was also backed by Sequoia Capital, brings its total amount of investment raised to $19 million and comes 12 months after its Sequoia-led seed round. The funds will enable Monad to scale its development efforts for its security data cloud platform, the startup said.

Monad was founded in May 2020 by security veterans Christian Almenar and Jacolon Walker. Almenar previously co-founded serverless security startup Intrinsic which was acquired by VMware in 2019, while Walker served as CISO and security engineer at OpenDoor, Collective Health, and Palantir.

#big-data, #cloud-computing, #cloud-infrastructure, #computer-security, #computing, #data-management, #data-warehouse, #devops, #funding, #information-technology, #intrinsic, #opendoor, #palantir, #security, #security-tools, #sequoia-capital, #serverless-computing, #technology, #vmware

Spies for Hire: China’s New Breed of Hackers Blends Espionage and Entrepreneurship

The state security ministry is recruiting from a vast pool of private-sector hackers who often have their own agendas and sometimes use their access for commercial cybercrime, experts say.

#chengdu-china, #china, #commerce-department, #computer-security, #computers-and-the-internet, #cyberwarfare-and-defense, #defense-and-military-forces, #espionage-and-intelligence-services, #federal-bureau-of-investigation, #hainan-island-china, #industrial-espionage, #justice-department, #ministry-of-state-security-of-the-peoples-republic-of-china, #peoples-liberation-army-china, #politics-and-government, #xi-jinping

Cybersecurity VC funding surges to a record $11.5B in 2021

The pandemic completely upended the threat landscape as we know it. Ransomware accounted for an estimated 2.9 million attacks so far in 2021, and supply-chain attacks that targeted Kaseya and SolarWinds have increased fourfold over 2020, according to the European Union’s cybersecurity agency, ENISA, which recently warned that the more traditional cybersecurity protections are no longer effective in defending against these types of attacks.

This has created an unprecedented need for emerging technologies, attracting both organizations and investors to look closer at newer cybersecurity technologies.

“We are seeing a perfect storm of factors coming together to create the most aggressive threat landscape in history for commercial and government organizations around the world,” said Dave DeWalt, founder and managing director of NightDragon, which recently invested in multi-cloud security startup vArmour. “As an investor and advisor, I feel we have a responsibility to help these organizations better prepare themselves to mitigate this growing risk.”

According to Momentum Cyber’s latest cybersecurity market review out Wednesday, investors poured $11.5 billion in total venture capital financing into cybersecurity startups in the first half of 2021, up from $4.7 billion during the same period a year earlier.

More than 36 of the 430 total transactions surpassed the $100 million mark, according to Momentum, which includes the $543 million Series A raised by passwordless authentication company Transmit Security and the $525 million round closed by cloud-based security company Lacework.

“As an investor in the cyber market for over fifteen years, I can say that this market climate is unlike anything we’ve seen to date,” said Bob Ackerman, founder and managing director of AllegisCyber Capital, which recently led a $26.5 million investment in cybersecurity startup Panaseer. “It is encouraging to finally see CEOs, boards of directors, investors and more paying serious attention to this space and putting the resources and capital in place to fund the innovations that address the cybersecurity challenges of today and tomorrow.”

Unsurprisingly, M&A volume also saw a massive increase during the first six months of the year, with significant deals for companies in cloud security, security consulting, and risk and compliance. Total M&A volume reached a record-breaking $39.5 billion across 163 transactions, according to Momentum, more than four-times the $9.8 billion spent in the first half of 2020 across 93 transactions.

Nine M&A deals in 2021 so far have been valued at greater than $1 billion, including Proofpoint’s $12.3 billion acquisition by Thoma Bravo, Auth0’s $6.4 billion acquisition by Okta, and McAfee’s $4 billion acquisition by TG.

“Through the first half of 2021, we have witnessed unprecedented strategic activity with both M&A and financing volumes at all-time highs,” said Eric McAlpine and Michael Tedesco, managing partners at Momentum Cyber. “We fully expect this trend to continue through the rest of the year and into 2022.”

#computer-security, #computing, #cyberwarfare, #fundings-exits, #network-management, #security, #thoma-bravo, #venture-capital

Phone Upgrade Guide: Should You Buy Now or Wait?

Apple, Samsung and others want us to replace our phones constantly, but many of our problems with current devices can be fixed.

#android-operating-system, #apple-inc, #batteries, #cameras, #computer-security, #computers-and-the-internet, #content-type-service, #data-storage, #google-inc, #iphone, #mobile-applications, #samsung-group, #smartphones, #software

BreachQuest emerges from stealth with $4.4M to modernize incident response

BreachQuest, an early-stage startup with a founding team of cybersecurity experts building a modern incident response platform, has emerged from stealth with $4.4 million in seed funding.

The investment was raised from Slow Ventures, Lookout founder Kevin Mahaffey, and Tinder co-founders Sean Rad and Justin Mateen, who described BreachQuest as having a “disruptive vision and a world-class team.”

The latter is certainly true. BreachQuest is made up of former U.S. Cyber Command, National Security Agency, and Department of Defense employees, which it sees as its biggest competitive advantage. The second is its Priori platform, which the Texas-based company believes will re-engineer the incident response process and move incident preparedness into the future.

Currently, it takes most organizations about 280 days to detect a breach, the startup says, and the slow, largely manual recovery process that typically follows means a breach costs the average U.S. business just shy of $4 million. The startup’s Priori platform aims to improve on what the team sees as “unacceptable industry standards,” enabling organizations to detect intrusions and compromises far faster. That allows companies to near-instantly respond and contain the compromise, the startup says.

BreachQuest’s co-founder and CTO is Jake Williams, a former NSA hacker and founder of Rendition Infosec, an Augusta, Ga.-based cybersecurity company that was acquired by BreachQuest. Williams told TechCrunch that while most other incident response firms are focused on preventing incidents, BreachQuest is focusing on preparing for the inevitable.

“It’s a reality that determined adversaries will get into your network regardless of what tools you put in place to keep them out,” he says. “That’s not [fear, uncertainty and doubt], it’s just a reality that if you’re targeted you’re going to be compromised. That’s what our mission is all about: preparation to facilitate response.”

BreachQuest, which will also assess the cybersecurity risks posed to an organization by potential mergers and acquisitions, believes it has little competition in the market right now because incident preparation is a tough market.

“We continuously see statistics about how IT managers think their security controls will prevent them from being breached, so selling incident response preparation tools and services to those organizations is a hard sell,” Williams said. “But given the landscape of ransomware and other cybersecurity threats being regular front-page news, we think the market is ready.”

BreachQuest will use its $4.4 million seed investment to accelerate the rollout and development of its Priori platform, with future plans to speed up its forensic evidence collection processes and improve response coordination across its disparate team members.

“Incident response is chaotic and it’s hard for people who infrequently work in these situations to address all the issues identified throughout the investigation,” Williams said. “Fundamentally, the problem is a combination of the difficulties getting the right evidence in a timely manner and understanding the status of the response.”

#articles, #computer-security, #cybercrime, #funding, #lookout, #malware, #security, #texas, #tinder

The Illusion of Privacy Is Getting Harder to Sell

The illusion of privacy is getting harder and harder to maintain.

#apple-inc, #computer-security, #computers-and-the-internet, #data-mining-and-database-marketing, #google-inc, #iphone, #mobile-applications, #nso-group, #privacy

T-Mobile Says Hack Exposed Personal Data of 40 Million People

The company said that stolen files included the personal information of 7.8 million current customers and 40 million people who had applied for credit.

#computer-security, #cyberattacks-and-hackers, #t-mobile-us-inc, #wireless-communications

Are Apple’s Tools Against Child Abuse Bad for Your Privacy?

The backlash to Apple’s efforts to fight child sexual abuse shows that in the debate between privacy and security, there are few easy answers.

#apple-inc, #child-abuse-and-neglect, #child-pornography, #computer-security, #computers-and-the-internet, #holder-eric-h-jr, #icloud, #iphone, #kutcher-ashton, #national-center-for-missing-and-exploited-children, #privacy, #sex-crimes, #smartphones, #snowden-edward-j, #surveillance-of-citizens-by-government, #whatsapp-inc

Insider hacks to streamline your SOC 3 certification application

If you’re a tech company offering anyone a service, somewhere in your future is a security assessment giving you the seal of approval to manage clients’ data and operate on your devices. No one takes security lightly anymore. The business costs of cyberattacks have now hit an all-time high. Government bodies, companies and consumers need the assurance that the next software they download isn’t going to be an open door for hackers.

For good reason, security certifications like the SOC 3 really put you through the wringer. My company, Waydev, has just attained the SOC 3 certification, becoming one of the first development analytics tools to receive that accreditation. We learned so much from the process, we felt it was right to share our experience with others that might be daunted by the prospect.

As a non-tech founder, it was hard not only to navigate the process, but to appreciate its value. But by putting our business caps on, our team was able to optimize our approach and minimize the time and effort needed to achieve our goal. In doing so, we were granted SOC 3 compliance in two weeks, as opposed to the two months it takes some companies.

We also turned the assessment into an opportunity to better our product, align our internal teams, boost our brand and even launch partnerships.

So here’s our advice on how teams can smoothly reach SOC 3 compliance while simultaneously balancing workloads and minimizing disruption to users.

First, bring your teams on board

Because we can’t expect employees to stack those hours on top of their regular workdays, as a leader you have to accept — and communicate — that the speed of your output will inevitably decrease.

As a founder, you’ll be acting as captain steering a ship into that SOC 3 port, and you’ll need all members of your crew to join forces. This isn’t a job for a specially designated security team alone and will require deep involvement from your development and other teams, too. That might lead to internal resistance, as they still have a full-time job tending to your product and customers.

That’s why it’s so important to start by being crystal clear with your employees about what this process will mean to their work lives. At the same time, they have to embrace the true benefits that will arise. SOC 3 will immediately raise your brand’s appeal and likely see new customers come in as a result.

Each employee will also come out the other end with well-honed cybersecurity skills — they’ll have a deep understanding of potential cyber threats to the company, and all security initiatives will carry a far lighter burden. There’s also the sense of pride and fulfillment that comes with having an indisputable edge over your competitors.

#column, #computer-security, #cryptography, #cyberwarfare, #data-security, #ec-column, #ec-cybersecurity, #ec-how-to, #security, #security-tools, #startups

A bug in a medical startup’s website put thousands of COVID-19 test results at risk

A California-based medical startup that provides COVID-19 testing across Los Angeles has pulled down a website it used to allow customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.

Total Testing Solutions has ten COVID-19 testing sites across Los Angeles, and processes “thousands” of COVID-19 tests at workplaces, sports venues, and schools each week. When test results are ready, customers get an email with a link to a website to get their results.

But one customer said they found a website vulnerability that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit. That allowed the customer to see other customers’ names and the date of their test. The website also only requires a person’s date of birth to access their COVID-19 test results, which the customer who discovered the vulnerability said “wouldn’t take long” to brute-force, or simply guess. (That’s just 11,000 birthday guesses for anyone under age 30.)

Although the test results website is protected by a login page that prompts the customer for their email address and password, the vulnerable part of the website that allowed the customer to change the web address and access other customers’ information could be accessed directly from the web, bypassing the sign-in prompt altogether.
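As an added example (not code from TTS or from the article), the lookup pattern described above, beside a hardened form that binds a result to the authenticated session and replaces the sequential id with an unguessable link token, plus a simple access-log check of the kind Trenkle says the company ran. All records, names, IPs and the hardened design are constructed assumptions, not TTS's actual system or fix.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (placeholders, not real patient data).
@dataclass
class TestResult:
    record_id: int
    owner_email: str
    dob: str           # "YYYY-MM-DD"
    name: str
    result: str

RESULTS: Dict[int, TestResult] = {
    1001: TestResult(1001, "alice@example.com", "1990-04-12", "A. Example", "negative"),
    1002: TestResult(1002, "bob@example.com", "1985-11-30", "B. Example", "positive"),
}

class NotAuthorized(Exception):
    """Single error type for every failed lookup, so a caller cannot tell
    'no such record' from 'not your record' from 'wrong date of birth'."""

def lookup_vulnerable(record_id: int, dob: str) -> TestResult:
    """The pattern the article describes: the record id comes straight from
    the URL, no login session is checked, and the only secret is a date of
    birth, so a record is one id change plus a small DOB guess space away."""
    rec = RESULTS.get(record_id)
    if rec is None or rec.dob != dob:
        raise NotAuthorized()
    return rec

def dob_guess_space(max_age_years: int = 30) -> int:
    """Size of the date-of-birth space for someone under max_age_years,
    ignoring leap days: the roughly 11,000 guesses quoted in the article."""
    return 365 * max_age_years

# Hardened variant (assumed design): the lookup requires an authenticated
# session, ownership is enforced server-side, and the emailed link carries an
# opaque random token rather than a sequential record id.
SESSIONS: Dict[str, str] = {}   # session id -> authenticated email
TOKENS: Dict[str, int] = {}     # opaque link token -> record id

def login(email: str) -> str:
    """Stand-in for the real login flow; returns a random session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = email
    return sid

def issue_result_link(record_id: int) -> str:
    """Token embedded in the results email; 256 random bits, not enumerable."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = record_id
    return token

def lookup_hardened(session_id: str, token: str) -> TestResult:
    email = SESSIONS.get(session_id)
    if email is None:
        raise NotAuthorized()            # no path around the sign-in page
    record_id = TOKENS.get(token)
    rec = RESULTS.get(record_id) if record_id is not None else None
    if rec is None or rec.owner_email != email:
        raise NotAuthorized()            # ownership check, identical error
    return rec

# Detection over access logs. Constructed line format (an assumption):
# "<client ip> <method> <path> <status>".
LOG_LINE = re.compile(r"^(\S+) \S+ /results\?id=(\d+)\S* (\d{3})$")

def flag_id_walkers(lines: List[str], min_distinct_ids: int = 5) -> List[str]:
    """Return client IPs that requested many distinct record ids. Walking the
    id space stands out whether or not the DOB guess succeeded, so status
    codes are parsed but not required to be failures."""
    ids_by_ip: Dict[str, set] = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, rid, _status = m.groups()
        ids_by_ip.setdefault(ip, set()).add(int(rid))
    return sorted(ip for ip, ids in ids_by_ip.items() if len(ids) >= min_distinct_ids)

# Constructed log sample: one legitimate lookup and one client stepping ids.
SAMPLE_LOG = [
    "198.51.100.7 GET /results?id=1002&dob=1985-11-30 200",
] + [f"203.0.113.5 GET /results?id={i}&dob=1970-01-01 403" for i in range(1001, 1011)]
```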

The customer passed on details of the vulnerability to TechCrunch to get the vulnerability fixed before someone else finds it or exploits it, if not already.

TechCrunch verified the customer’s findings. While we did not enumerate each result code, limited testing found that the vulnerability likely put around 60,000 tests at risk. TechCrunch reported the vulnerability to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of discovered tests, but said the vulnerability was limited to an on-premise server used to provide legacy test results that has since been shut down and replaced by a new cloud-based system.

“We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes,” said Trenkle in a statement. “The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures.”

Trenkle declined to say when the cloud server became active, and why the allegedly legacy server had test results as recently as last month.

“Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward,” said Trenkle.

Trenkle said the company will comply with its legal obligations under state law, but stopped short of explicitly saying if the company plans to notify customers of the vulnerability. Although companies aren’t obliged to report vulnerabilities to their state’s attorney general or to their customers, many do out of an abundance of caution since it’s not always possible to determine if there was improper access.

TTS chief executive Lauren Trenkle, who was copied on an email chain, did not comment.

#attorney-general, #california, #computer-security, #covid-19, #cyberwarfare, #hacking, #health, #jamaica, #los-angeles, #privacy, #security, #software-testing, #tts, #vulnerability

Pearson to pay $1M fine for misleading investors about 2018 data breach

Pearson, a London-based publishing and education giant that provides software to schools and universities has agreed to pay $1 million to settle charges that it misled investors about a 2018 data breach resulting in the theft of millions of student records.

The U.S. Securities and Exchange Commission announced the settlement on Monday after the agency found that Pearson made “misleading statements and omissions” about its 2018 data breach, which saw millions of student usernames and scrambled passwords stolen, along with the administrator login credentials of 13,000 school, district and university customer accounts.

The agency said that in Pearson’s semi-annual review filed in July 2019, the company referred to the incident as a “hypothetical risk,” even after the data breach had happened. Similarly, in a statement that same month, Pearson said the breach may include dates of birth and email addresses, when it knew that such records were stolen, according to the SEC.

Pearson also said that it had “strict protections” in place when it actually took the company six months to patch the vulnerability after it was notified.

“As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company’s data protections,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “As public companies face the growing threat of cyber intrusions, they must provide accurate information to investors about material cyber incidents.”

While Pearson did not admit wrongdoing as part of the settlement, Pearson agreed to pay a $1 million penalty — a small fraction of the $489 million in pre-tax profits that the company raked in last year.

A Pearson spokesperson told TechCrunch: “We’re pleased to resolve this matter with the SEC. We also appreciate the work of the FBI and the Justice Department to identify and charge those responsible for a global cyberattack that affected Pearson and many other companies and industries, including at least one government agency.”

Pearson said the breach related to its AIMSweb1.0 web-based software for entering and tracking students’ academic performance, which it retired in July 2019. “Pearson continues to enhance its cybersecurity efforts to minimize the risk of cyberattacks in an ever-changing threat landscape,” the spokesperson added.

#articles, #computer-security, #cyberattack, #cybercrime, #data-breach, #data-security, #federal-bureau-of-investigation, #pearson, #security, #u-s-securities-and-exchange-commission

Early-stage benchmarks for young cybersecurity companies

We’re quick to celebrate the extraordinary victories of Israel’s multiplying cybersecurity unicorns, but every success story must start somewhere. The early days of any young startup decide how successful it can be, which is why we’ve developed a focused, value-add program to support cybersecurity founders during this most critical stage and maximize their potential in building market-leading companies.

However, the early stages of cybersecurity company-building are often shrouded in mystery, only coming into the light for fundraising and feature announcements. This leaves many entrepreneurs we speak with asking what exactly cybersecurity companies are achieving behind the curtain to earn these huge victories.

Though every company’s journey is unique, we can tease out trends and patterns to establish performance benchmarks for the cybersecurity ecosystem as a whole. To most entrepreneurs, however, the sensitive data required to understand the early success of a company is often unavailable or obscured. Moreover, the industry has yet to formally define proxies for growth and momentum beyond fundraising — leaving cybersecurity founders aiming for landmarks without guideposts.

When it comes to contracts, timing can provide important insight into the quality and performance of the sales pipeline. On average, successful companies will have closed their first paying customers in the U.S. within 12 months of their seed round.

Entrepreneurs require guideposts to aspire to when building large companies, and critical customer and revenue expectations can be best established by looking at what already successful cybersecurity companies have accomplished. Such metrics have been previously established for wider areas of technology, such as SaaS.

Leveraging our experience and resources, we collect this knowledge to keep our founders informed with the most up-to-date cybersecurity-specific metrics for long-term and large-scale growth. We hope that sharing these unique insights into early-stage cybersecurity companies — based on our own portfolio companies’ average performance — will help entrepreneurs in the wider Israeli ecosystem more confidently build their budgets and roadmaps with industry evidence.

Benchmarks for early-stage cybersecurity companies

Image Credits: YL Ventures

What should revenue look like over the first few years?

Though today’s investors are growing more aggressive, $500,000 in annual recurring revenue (ARR) is a traditional baseline requirement for a successful Series A from strong investors, and hitting that mark quickly should remain every entrepreneur’s goal. Hitting this target indicates product-market fit and customer willingness to commit to your solution.

Discounting variances in pricing, the best companies we’ve seen are able to reach the $500,000 benchmark in less than 18 months. From there, top-performing companies can expect to gain momentum and reach $1 million in ARR in 18 to 24 months. Such momentum is contingent on a number of factors for Israeli cybersecurity entrepreneurs, but growth is mainly reliant on how well founders connect with relevant customers outside the Israeli market.

#banking, #column, #computer-security, #customer-success, #cybersecurity, #ec-column, #ec-cybersecurity, #entrepreneur, #entrepreneurship, #executive, #healthcare, #israel, #private-equity, #security, #startup-company, #startups, #united-states, #venture-capital, #yl-ventures

Baffle lands $20M Series B to simplify data-centric encryption

California-based Baffle, a startup that aims to prevent data breaches by keeping data encrypted from production through processing, has raised $20 million in Series B funding.

Baffle was founded in 2015 to help thwart the increasing threats to enterprise assets in public and private clouds. Unlike many solutions that only encrypt data in-transit and at-rest, Baffle’s solution keeps data encrypted while it’s being processed by databases and applications through a “security mesh” that de-identifies sensitive data, which it claims has no performance impact for customers.

The startup says its goal is to make data breaches “irrelevant” by efficiently encrypting data wherever it may be, so that even if there is a security breach, the data will be unavailable and unusable by hackers.

“Most encryption is misapplied, and quite frankly, doesn’t do anything to protect your data,” the startup claims. “The protection measures that are most commonly used do nothing to protect you against modern hacks and breaches.”

Baffle supports all major cloud platforms, including AWS, Google Cloud and Microsoft Azure, and it’s currently used to protect more than 100 billion records in financial services, healthcare, retail, industrial IoT, and government, according to the startup. The company claims it stores records belonging to the top 5 global financial services companies and five of the top 25 global companies.

“Securing IT infrastructure—networks, devices, databases, lakes and warehouses—is never complete. Constant change makes it impossible to adopt a zero trust security posture without protecting the data itself,” said Ameesh Divatia, co-founder and CEO of Baffle.

The startup’s Series B funding round, which comes more than three years after it closed $6M in Series A financing, was led by new investor Celesta Capital with contributions from National Grid Partners, Lytical Ventures and Nepenthe Capital, and brings the startup’s total funding to date to $36.5 million.

Baffle, which says it has seen threefold revenue growth over the past year, tells TechCrunch that the funds will be used to help it grow to meet market demand and to invest further in product development. It also plans to double its headcount from 25 to 50 employees over the next 12 months.

“With this investment, we can meet market demand for data-centric cloud data protection that enables responsible digital information sharing and breaks the cycle of continuous data and privacy breaches,” Divatia added.

#cloud, #computer-security, #cryptography, #data-protection, #data-security, #encryption, #security

Cybersecurity giants NortonLifeLock and Avast merge in $8.1B deal

US cybersecurity firm NortonLifeLock has confirmed it is acquiring British rival Avast in order to create a global consumer security powerhouse.

The agreement, which comes just weeks after both companies confirmed they were in advanced discussions regarding a possible combination of the two brands, will see Avast stockholders receive cash and shares that value the deal at $8.1 billion to $8.6 billion. That makes this merger the third-largest cybersecurity acquisition of all time, following Thoma Bravo‘s $12.3 billion takeover of Proofpoint and Broadcom’s $10.7 billion acquisition of Symantec’s enterprise business. 

NortonLifeLock, formed in 2019 as a spin-off from Symantec after the latter sold its enterprise business to Broadcom, says the deal will create an industry-leading consumer cyber safety business, unlock approximately $280 million of annual gross cost synergies, and dramatically expand its user numbers thanks to Avast’s 435 million-strong customer base.

“With this combination, we can strengthen our cyber safety platform and make it available to more than 500 million users,” NortonLifeLock CEO Vincent Pilette said in a statement. “This transaction is a huge step forward for consumer cyber safety and will ultimately enable us to achieve our vision to protect and empower people to live their digital lives safely.”

Avast, founded in 1988, focuses on cybersecurity software for consumers and small and medium-sized businesses and describes itself as one of the largest security companies. However, the company has not been without controversy during its near-25-year history; Avast was forced to shut down its marketing technology subsidiary Jumpshot last year after it was found to be peddling web browsing data that could be linked to individual users.

Once NortonLifeLock’s acquisition of the company is complete, Pilette will remain CEO of the new business, while Avast CEO Ondrej Vlcek will become president and join the board, the companies said.

“Our talented teams will have better opportunities to innovate and develop enhanced solutions and services, with improved capabilities from access to superior data insights,” Vlcek said. “Through our well-established brands, greater geographic diversification and access to a larger global user base, the combined businesses will be poised to access the significant growth opportunity that exists worldwide.”

The final name of the merged company has yet to be determined, but NortonLifeLock has confirmed it will be dual headquartered in the Czech Republic and Tempe, Arizona, and will seek to cut its number of employees from 5,000 workers to around 4,000 over the next two years. The combined company will be listed on the Nasdaq, rather than Avast’s current London Stock Exchange home.

The deal, which has been confirmed just weeks after NortonLifeLock bought free antivirus provider Avira for £360 million, is expected to close in mid-2022. 

#arizona, #avast, #avira, #broadcom, #ceo, #computer-security, #czech-republic, #freeware, #jumpshot, #ma, #nortonlifelock, #president, #proofpoint, #security, #software, #symantec, #thoma-bravo, #united-states

Siga secures $8.1M Series B to prevent cyberattacks on critical infrastructure

Siga OT Solutions, an Israeli cybersecurity startup that helps organizations secure their operations by monitoring the raw electric signals of critical industrial assets, has raised $8.1 million in Series B funding.

Siga says its SigaGuard technology, used by Israel’s critical water facilities and the New York Power Authority, is unique in that, rather than monitoring the operational network, it uses machine learning and predictive analysis to “listen” to Level 0 signals. These are typically made up of components and sensors that receive electrical signals, rather than protocols or data packets that can be manipulated by hackers.

By monitoring Level 0, which Siga describes as the “richest and most reliable level of process data within any operational environment,” the company can detect cyberattacks on the most critical and vulnerable physical assets of national infrastructures. This, it claims, ensures operational resiliency even when hackers are successful in manipulating the logic of industrial control system (ICS) controllers.

Amir Samoiloff, co-founder and CEO of Siga, says: “Level 0 is becoming the major axis in the resilience and integrity of critical national infrastructures worldwide and securing this level will become a major element in control systems in the coming years.”

The company’s latest round of funding — led by PureTerra Ventures, with investment from Israeli venture fund SIBF, Moore Capital, and Phoenix Contact — comes amid an escalation in attacks against operational infrastructure. Israel’s water infrastructure was hit by three known cyberattacks in 2020 and these were followed by an attack on the water system of a city in Florida that saw hackers briefly increase the amount of sodium hydroxide in Oldsmar’s water treatment system. 

The $8.1 million investment lands three years after the startup secured $3.5 million in Series A funding. The company said it will use the funding to accelerate its sales and strategic collaborations internationally, with a focus on North America, Europe, Asia, and the United Arab Emirates. 


#articles, #asia, #computer-security, #cryptography, #cyberattack, #cybercrime, #cybersecurity-startup, #cyberwarfare, #data-security, #energy, #europe, #florida, #israel, #machine-learning, #north-america, #nozomi-networks, #phoenix, #ransomware, #security, #united-arab-emirates

Checkmarx acquires open source supply chain security startup Dustico

Checkmarx, an Israeli provider of static application security testing (AST), has acquired open-source supply chain security startup Dustico for an undisclosed sum. 

Founded in 2020, Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious attacks and backdoors in software supply chains. 

The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks. 

The deal comes amid a sharp rise in supply chain attacks, in which threat actors slip malicious code into a trusted piece of software or hardware. Last December, it was revealed that Russian hackers had breached software firm SolarWinds to plant malicious code in its IT management tool Orion. This allowed the hackers — later identified as Russia’s Foreign Intelligence Service (SVR) — to access as many as 18,000 networks that used the Orion software.

Dustico’s technology, which is similar to that offered by Sonatype, analyses open source packages using a three-pronged approach. First, it factors in trust, providing visibility into the credibility of package providers and individual contributors in the open-source community, and then it examines the health of packages to determine their level of maintenance. Finally, Dustico’s advanced behavioral analysis engine inspects the package and looks for malicious attacks hiding within, including backdoors, ransomware, multi-stage attacks, and trojans. 

This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insights for managing the risks associated with open-source and the supply chains dependent on them, according to the two companies.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO of Checkmarx. “Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”

The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment. 

#backdoor, #ceo, #checkmarx, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #developer, #hellman-friedman, #insight-partners, #ma, #machine-learning, #security, #software, #solarwinds, #supply-chain, #supply-chain-attack, #supply-chain-management, #united-states

Beware Free Wi-Fi: Government Urges Workers to Avoid Public Networks

The National Security Agency warned government employees that hackers could take advantage of the public Wi-Fi in coffee shops, airports and hotel rooms.

#computer-security, #computers-and-the-internet, #cyberattacks-and-hackers, #cyberwarfare-and-defense, #government-employees, #national-security-agency, #united-states-politics-and-government, #wireless-communications

Passwordstate customers complain of silence and secrecy after cyberattack

It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to “commence resetting all passwords.” The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.

But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software.

One IT executive whose company was compromised by the attack said they felt “abandoned” by the software maker in the wake of the attack.

Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or “break glass” accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch. The sensitive data held by these customers might be why Passwordstate was the target of this supply-chain attack.

Click Studios sent an email to customers on April 22 warning of a possible Passwordstate compromise, but it wasn’t until Danish security research firm CSIS published a blog post the next day that the existence and extent of the breach were revealed.

CSIS said that cyber-criminals had compromised the Passwordstate software update feature to deliver a malicious update to any customer who had updated their server during a 28-hour window between April 20–22. The malicious update was designed to steal the secrets from customers’ Passwordstate servers and transmit them back to the cyber-criminals.


This is how some customers found out about the hack, they told TechCrunch. Many customers turned to social media since Click Studios shut down its blog and forums as a “precaution,” prompting customers to look for other sources of information.

Some believed that the hack was “another SolarWinds,” referring to an incident months earlier at tech company SolarWinds after the network management software it sells to customers to monitor their networks and fleets of devices was compromised. Russian spies had infiltrated SolarWinds’ network and planted a backdoor in Orion’s software update feature, which was automatically pushed to customer systems. That gave the spies unfettered access to sneak around and gather information from potentially thousands of networks, including nine agencies of the U.S. federal government.

But Passwordstate was fortunate in ways that SolarWinds was not. Since new Passwordstate software updates need to be manually installed, many companies evaded compromise simply by luck. Determining whether a server had been compromised was also relatively easy by checking to see if the size of a particular file on the server was larger than it should be; the fix was fairly simple, as well.
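The detection check mentioned above, a file on the server being larger than it should be, is one instance of a more general control: comparing an install directory against a known-good manifest of sizes and hashes. The following is an added example written for this page, not Click Studios’ code or any real Passwordstate file layout; the file names are placeholders, since the page does not name the file that grew on compromised servers. It generalises the single-file size check to every file under the install root and also catches files that were added or removed.

```python
"""
Added example (not Click Studios code): baseline integrity check of a
software install directory, generalised from "is one file bigger than it
should be" to "does every file still match a known-good manifest".
All file names below are placeholders, not real Passwordstate files.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record size and hash of every file under a known-good install directory."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def check_against_manifest(root: Path, manifest: dict) -> list:
    """Return (relative_path, reason) findings; an empty list means clean.

    Size is compared first because it is cheap and is exactly the signal the
    Passwordstate advisories relied on; the hash catches same-size edits.
    """
    findings = []
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings.append((rel, "unexpected file not in baseline"))
            continue
        size = p.stat().st_size
        if size != expected["size"]:
            findings.append((rel, f"size {size} != expected {expected['size']}"))
        elif sha256_of(p) != expected["sha256"]:
            findings.append((rel, "hash mismatch with same size"))
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "baseline file missing"))
    return findings


def demo() -> list:
    """Build a constructed clean install and a tampered copy, then diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        current = Path(tmp) / "current"
        for d in (clean, current):
            (d / "bin").mkdir(parents=True)
            # Constructed sample files; placeholder names, not real components.
            (d / "bin" / "PLACEHOLDER_component.dll").write_bytes(b"A" * 1024)
            (d / "web.config").write_bytes(b"<configuration/>")
        # Simulate a trojanised component: same file, padded with extra bytes.
        with (current / "bin" / "PLACEHOLDER_component.dll").open("ab") as f:
            f.write(b"B" * 512)
        baseline = build_manifest(clean)
        return check_against_manifest(current, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

In practice the manifest would be built from a freshly downloaded, signature-verified installer rather than from the running server, and stored somewhere the server itself cannot write to, so that a malicious update cannot also rewrite the baseline it is compared against.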

Click Studios went public with the breach on April 24 — late on Friday night in the United States — by publishing an advisory on its website. The advisory largely repeated what it emailed to customers the day before, urging them to reset their passwords starting with all internet-facing networking gear, which, if compromised by a stolen password, would allow the cyber-criminals into a victim’s network.

Several customers who spoke to TechCrunch about the hack, including customers with compromised servers, said Click Studios was largely unresponsive after that.

The IT executive whose Passwordstate server was compromised by the attack said they updated their server during the 28-hour-long attack, but heard nothing from Click Studios besides the mass email warning of the hack. “Everything was just, ‘change your passwords,’” the executive said.

The executive’s company invoked its incident response plan and found logs showing that passwords had been exfiltrated, but found no evidence that the stolen passwords were used. Because the company uses multi-factor authentication, the stolen passwords alone aren’t enough to break into its network. “None of the multi-factor authentication prompts came up that would have if somebody had tried to log in with any of these accounts,” the executive said.

The executive offered to provide its logs to Click Studios in the hope it would help the investigation. In a reply, Click Studios apologized but did not request the logs.

Another compromised customer — a managed service provider — said that the attackers tried to steal the company’s passwords but a glitch stopped the exfiltration in its tracks. The company’s logs showed that the malicious update tried to communicate with the cyber-criminals’ servers using a deprecated encryption protocol, which the server refused to accept. The customer said they offered to provide the logs to Click Studios, which the company agreed to and received, but that the customer heard nothing more from Click Studios after that.

Click Studios published two more advisories that weekend, but customers who asked for more information were only referred back to the advisories. Some vented their frustrations along with their other embattled customers on public forums.

By the following week, Click Studios began asking customers to refrain from posting its correspondence to social media after reports of phishing emails that were similarly worded to the emails sent by Click Studios, but some customers suspected the company was trying to control the fallout.

Months on, some customers said they feel discouraged by Click Studios’ lack of response and are using what leverage they have to get answers.

Some customers had licenses up for renewal and wanted firm reassurances about the security and resiliency of the software. Before the incident, customers would expect an update every week or two, but Passwordstate updates were on pause indefinitely until the company’s software development line could be secured. Click Studios had a plan to prevent a similar attack in the future, but insisted on customers signing strict non-disclosure agreements before it would say anything about what changes it was making. The non-disclosure agreements also included provisions that barred anyone from revealing the very existence of the agreement.

Click Studios chief executive Mark Sandford has not responded to multiple requests for comment since the incident. Instead, TechCrunch received the same canned auto-response from the company’s support email saying that its staff are “focused only on assisting customers technically.”

In its most recent advisory, Click Studios said as of May 17 the company has returned to “normal business operations,” but has not responded to our more recent emails. Click Studios released a long-awaited update to Passwordstate on August 2 to remove the software update feature that it blamed for the supply chain attack.

Some organizations said they are staying on as customers despite the attack. One said while the incident was scary and that it warranted an investigation, they said the initial reporting was “vastly overblown.” Others expressed some sympathy for Click Studios for what was seen as a rare event that was unlikely to happen again.

“I haven’t lost faith. But this was unpleasant,” said one customer.


You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop.

#computer-security, #computing, #cybercrime, #government, #passwordstate, #phishing, #security, #solarwinds, #supply-chain-attack

Security flaws found in popular EV chargers

U.K. cybersecurity company Pen Test Partners has identified several vulnerabilities in the APIs of six home electric vehicle charging brands and a large public EV charging network. While the charger manufacturers resolved most of the issues, the findings are the latest example of the poorly regulated world of Internet of Things devices, which are poised to become all but ubiquitous in our homes and vehicles.

Vulnerabilities were identified in the API of six different EV charging brands — Project EV, Wallbox, EVBox, EO Charging’s EO Hub and EO mini pro 2, Rolec, and Hypervolt — and public charging network Chargepoint. Security researcher Vangelis Stykas identified several security flaws among the various brands that could have allowed a malicious hacker to hijack user accounts, impede charging, and even turn one of the chargers into a “backdoor” into the owner’s home network.

The consequences of a hack to a public charging station network could include theft of electricity at the expense of driver accounts and turning chargers on or off.

A Raspberry Pi in a Wallbox charger. (Image: Pen Test Partners)

Some EV chargers used a Raspberry Pi compute module, a low-cost computer that’s often used by hobbyists and programmers.

“The Pi is a great hobbyist and educational computing platform, but in our opinion it’s not suitable for commercial applications as it doesn’t have what’s known as a ‘secure bootloader’,” Pen Test Partners founder Ken Munro told TechCrunch. “This means anyone with physical access to the outside of your home (hence to your charger) could open it up and steal your Wi-Fi credentials. Yes, the risk is low, but I don’t think charger vendors should be exposing us to additional risk.”

The hacks are “really fairly simple,” Munro said. “I can teach you to do this in five minutes,” he added.

The company’s report, published this past weekend, touched on vulnerabilities associated with emerging protocols like the Open Charge Point Interface, maintained and managed by the EVRoaming Foundation. The protocol was designed to make charging seamless between different charging networks and operators.

Munro likened it to roaming on a cell phone, allowing drivers to use networks outside of their usual charging network. OCPI isn’t widely used at the moment, so these vulnerabilities could be designed out of the protocol. But if left unaddressed, it could mean “that a vulnerability in one platform potentially creates a vulnerability in another,” Stykas explained.

Hacks to charging stations have become a particularly nefarious threat as a greater share of transportation becomes electrified and more power flows through the electric grid. Electric grids are not designed for large swings in power consumption — but that’s exactly what could happen, should there be a large hack that turned on or off a sufficient number of DC fast chargers.

“It doesn’t take that much to trip the power grid to overload,” Munro said. “We’ve inadvertently made a cyberweapon that others could use against us.”

The “Wild West” of cybersecurity

While the effects on the electric grid are unique to EV chargers, cybersecurity issues aren’t. The routine hacks reveal more endemic issues in IoT devices, where being first to market often takes precedence over sound security — and where regulators are barely able to catch up to the pace of innovation.

“There’s really not a lot of enforcement,” Justin Brookman, the director of consumer privacy and technology policy for Consumer Reports, told TechCrunch in a recent interview. Data security enforcement in the United States falls within the purview of the Federal Trade Commission. But while there is a general-purpose consumer protection statute on the books, “it may well be illegal to build a system that has poor security, it’s just whether you’re going to get enforced against or not,” said Brookman.

A separate federal bill, the Internet of Things Cybersecurity Improvement Act, passed last September but only broadly applies to the federal government.

There’s only slightly more movement on the state level. In 2018, California passed a bill banning default passwords in new consumer electronics starting in 2020 — useful progress to be sure, but which largely puts the burden of data security in the hands of consumers. California, as well as states like Colorado and Virginia, also have passed laws requiring reasonable security measures for IoT devices.

Such laws are a good start. But (for better or worse) the FTC isn’t like the U.S. Food and Drug Administration, which audits consumer products before they hit the market. As of now, there’s no security check on technology devices prior to them reaching consumers. Over in the United Kingdom, “it’s the Wild West over here as well, right now,” Munro said.

Some startups have emerged that are trying to tackle this issue. One is Thistle Technologies, which is trying to help IoT device manufacturers integrate mechanisms into their software to receive security updates. But it’s unlikely this problem will be fully solved on the back of private industry alone.

Because EV chargers could pose a unique threat to the electric grid, there’s a possibility that EV chargers could fall under the scope of a critical infrastructure bill. Last week, President Joe Biden released a memorandum calling for greater cybersecurity for systems related to critical infrastructure. “The degradation, destruction, or malfunction of systems that control this infrastructure could cause significant harm to the national and economic security of the United States,” Biden said. Whether this will trickle down to consumer products is another question.

#api, #automotive, #california, #cloud, #computer-security, #consumer-electronics, #developer, #electric-vehicle-charging, #hack, #hardware, #pen-test-partners, #privacy, #security, #technology, #technology-policy, #transportation

Finite State lands $30M Series B to help uncover security flaws in device firmware

Columbus, Ohio-based Finite State, a startup that provides supply chain security for connected devices and critical infrastructure, has raised $30M in Series B funding. 

The funding lands amid increased focus on the less-secure elements in an organization’s supply chain, such as Internet of Things devices and embedded systems. The problem, Finite State says, is largely fueled by device firmware, the foundational software that often includes components sourced from third-party vendors or open-source software. This means that if a security flaw is baked into the finished product, it is often without the device manufacturer’s knowledge. 

“Cyber attackers see firmware as a weak link to gain unauthorized access to critical systems and infrastructure,” Matt Wyckhouse, CEO of Finite State, tells TechCrunch. “The number of known cyberattacks targeting firmware has quintupled in just the last four years.”

The Finite State platform brings visibility to the supply chains that create connected devices and embedded systems. After unpacking and analyzing every file and configuration in a firmware build, the platform generates a complete bill of materials for software components, identifies known and possible zero-day vulnerabilities, shows a contextual risk score, and provides actionable insights that product teams can use to secure their software.

“By looking at every piece of their supply chain and every detail of their firmware — something no other product on the market offers — we enable manufacturers to ship more secure products, so that users can trust their connected devices more,” Wyckhouse says.

The company’s latest funding round was led by Energize Ventures, with participation from Schneider Electric Ventures and Merlin Ventures, and comes a year after Finite State raised a $12.5 million Series A round. It brings the total amount of funds raised by the firm to just shy of $50 million. 

The startup says it plans to use the funds to scale to meet the demands of the market. It plans to increase its headcount too; Finite State currently has 50 employees, a figure that’s expected to grow to more than 80 by the end of 2021.  

“We also want to use this fundraising round to help us get out the message: firmware isn’t safe unless it’s safe by design,” Wyckhouse added. “It’s not enough to analyze the code your engineers built when other parts of your supply chain could expose you to major security issues.”

Finite State was founded in 2017 by Matt Wyckhouse, founder and former CTO of Battelle’s Cyber Business Unit. The company showcased its capabilities in June 2019, when its widely-cited Huawei Supply Chain Assessment revealed numerous backdoors and major security vulnerabilities in the Chinese technology company’s networking devices that could be used in 5G networks. 


#articles, #battelle, #ceo, #columbus, #computer-security, #computing, #cto, #cyberwarfare, #energize-ventures, #firmware, #funding, #hardware, #huawei, #internet-of-things, #open-source-software, #security, #supply-chain, #supply-chain-management, #technology

Industrial cybersecurity startup Nozomi Networks secures $100M in pre-IPO funding

Nozomi Networks, an industrial cybersecurity startup that aims to shield critical infrastructure from cyberattacks, has raised $100 million in pre-IPO funding. 

The Series D funding round was led by Triangle Peak Partners, and also includes investment from a number of equipment, security, service provider and go-to-market companies including Honeywell Ventures, Keysight Technologies and Porsche Digital. 

This funding comes at a critical time for the company. Cyberattacks on industrial control systems (ICS) — the devices necessary for the continued running of power plants, water supplies, and other critical infrastructure — increased both in frequency and severity during the pandemic. Look no further than May and June, which saw ransomware attacks target the IT networks of Colonial Pipeline and meat manufacturing giant JBS, forcing the companies to shut down their industrial operations.

Nozomi Networks, which competes with Dragos and Claroty, claims its industrial cybersecurity solution, which works to secure ICS devices by detecting threats before they hit, aims to prevent such attacks from happening. It provides real-time visibility to help organizations manage cyber risk and improve resilience for industrial operations.

The technology currently supports more than a quarter of a million devices in sectors such as critical infrastructure, energy, manufacturing, mining, transportation, and utilities, with Nozomi Networks doubling its customer base in 2020 and seeing a 5,000% increase in the number of devices its solutions monitor. 

The company will use its latest investment, which comes less than two years after it secured $30 million in Series C funding, to scale product development efforts as well as its go-to-market approach globally. 

Specifically, Nozomi Networks said it plans to grow its sales, marketing, and partner enablement efforts, and upgrade its products to address new challenges in both the OT and IoT visibility and security markets. 

#articles, #australia, #canada, #colonial-pipeline, #computer-security, #computing, #cyberattack, #cybercrime, #cyberwarfare, #energy, #funding, #internet-of-things, #malware, #manufacturing, #mining, #nozomi-networks, #porsche, #security, #technology, #united-states

True ‘shift left and extend right’ security requires empowered developers

DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.

The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.

Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner

In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.

If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.

Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.

The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.

Consider a developer that is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process — it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.

#agile-software-development, #api, #column, #computer-security, #computing, #cybersecurity, #developer, #devops, #ec-column, #ec-cybersecurity, #security, #security-testing, #software-development, #software-testing, #sql, #startups, #u-s-securities-and-exchange-commission, #vulnerability

Calgary’s parking authority exposed drivers’ personal data and tickets

If you parked your car in one of the thousands of parking spots across Calgary, there’s a good chance you paid the Calgary Parking Authority for the privilege. But soon you might be hearing from the authority after a recent security lapse exposed the personal information of vehicle owners.

The parking authority oversees about 14% of the paid parking spots in the Calgary region, and lets drivers pay to park their cars by a parking kiosk, online, or through the phone app by entering their vehicle’s license plate and their payment details.

But a logging server used to monitor the authority’s parking system for bugs and errors was left on the internet without a password. The server contained computer-readable technical logs, but also real-world events like payments and parking tickets that contained a driver’s personal information.

A review of the logs by TechCrunch found contact information, like drivers’ full names, dates of birth, phone numbers, email addresses and postal addresses, as well as details of parking tickets and parking offenses — which included license plates and vehicle descriptions — and in some cases the location data of where the alleged parking offense took place. The logs also contained some partial card payment numbers and expiry dates.

None of the data was encrypted.

Because the server’s data was entangled with logs and other computer-readable data, it’s not known exactly how many people had their information exposed by the security lapse. (In 2019, the Calgary Parking Authority issued more than 450,000 parking tickets, up by 69% in five years.)

Security researcher Anurag Sen found the exposed server and asked TechCrunch for help in reporting it to its owner. The server was secured on Tuesday, a day after TechCrunch contacted the authority.

A spokesperson for the authority confirmed that the server had been exposed since May 13, though data seen by TechCrunch shows records dating back to at least the start of the year. The authority also told TechCrunch that the exposure was due to human error and that it was investigating its logs to determine if anyone else had access to the server.

“We at the CPA take this very seriously,” Moe Houssaini, the acting general manager for the Calgary Parking Authority, told TechCrunch in a statement. “Any public access has been disabled and we are actively investigating to determine what exact data was impacted and what unauthorized access may have occurred. We apologize to our customers and will be reaching out to all individuals who may have been impacted. Protecting the security of our systems and privacy of our customers is a top priority of the CPA. It was an isolated error, and the database has now been secured. We are reviewing our procedures to ensure that this does not happen again.”

The Calgary Parking Authority recently made headlines after it canceled more than a thousand parking tickets for drivers who were attending a COVID-19 vaccination center in the city.

Earlier this year, New York-based cashless parking startup ParkMobile reported a data breach that saw personal account information and license plates on some 21 million customers taken by hackers. The company blamed the breach on a vulnerability in an unspecified piece of third-party software.


#automotive, #calgary, #computer-security, #data-breach, #driver, #geico, #new-york, #parking, #parkmobile, #privacy, #securedrop, #security, #spokesperson, #transport