Decrypted: Apple and Facebook’s privacy feud, Twitter hires Mudge, mysterious zero-days

Trump’s election denialism saw him retaliate in a way that isn’t just putting the remainder of his presidency in jeopardy, it’s already putting the next administration in harm’s way.

In a stunning display of retaliation, Trump fired CISA director Chris Krebs last week after Krebs declared that there was “no evidence that any voting system deleted or lost votes, changed votes or was in any way compromised,” a direct contradiction of the conspiracy-fueled fever dreams of the president, who has repeatedly claimed, without evidence, that the election was hijacked by the Democrats. CISA is left in disarray, with multiple senior leaders leaving their posts — some walked, some were pushed — and the likely next chief stumbling before he even starts because of concerns over his security clearance.

Until yesterday, Biden’s presidential transition team was stuck in cybersecurity purgatory because the incumbent administration refused to trigger the law that grants the incoming team access to government resources, including cybersecurity protections. That’s left the incoming president exposed to ongoing cyber threats, all while being shut out from classified briefings that describe those threats in detail.

As Biden builds his team, Silicon Valley is also gearing up for a change in government — and temperament. But don’t expect too much of the backlash to change. Antitrust allegations, privacy violations and net neutrality remain hot-button issues, and the tech titans resorting to cheap “charm offensives” are likely to face the music under the Biden administration — whether they like it or not.

Here’s more from the week.


THE BIG PICTURE

Apple and Facebook spar over privacy — again

Apple and Facebook are back in the ring, fighting over which company is a bigger existential threat to privacy. In a letter to a privacy rights group, Apple said its new anti-tracking feature will launch next year, which will give users the choice of blocking in-app tracking, a move that’s largely expected to cause havoc to the online advertising industry and data brokers.

Given an explicit choice between being tracked and not, which is what the feature offers, most users are expected to decline.

Apple’s letter specifically called out Facebook for showing a “disregard for user privacy.” Facebook, which made more than 98% of its global revenue last year from advertising, took its own potshot back at Apple, claiming the iPhone maker was “using their dominant market position to self-preference their own data collection, while making it nearly impossible for their competitors to use the same data.”


Build.security raises $6M for its authorization policy management platform

Build.security, a Tel Aviv and Sunnyvale-based startup that aims to make it easier for developers to bake authorization policy management right into their applications, today announced a $6 million seed funding round led by cybersecurity-centric firm YL Ventures.

CrowdStrike CEO and co-founder George Kurtz also participated in this round, in addition to former Zscaler CISO Michael Sutton, former Bank of America Chief Security Scientist Sounil Yu, Fireglass co-founder Dan Amiga, Cynet CEO and co-founder Eyal Gruner and Hexadite co-founder Eran Barak. That’s an impressive group of angels who clearly believe that build.security is solving an important problem in the industry.

Founded by Amit Kanfer (CEO) and Dekel Braunstein (CTO), who have previous experience at Intel, Fireglass, Symantec, Cymmetria and other companies, the company wants to build the “first true platform for authorization” for developers — it’s basically policy-as-code, somewhat similar to how the likes of Pulumi and others are delivering on the promise of “infrastructure-as-code.” In addition to using code to declare policies, though, build.security also offers a drag-and-drop user experience.

At the core of build.security is an open-source project: Open Policy Agent, first developed by Styra.

Image Credits: build.security

At first glance, “authorization policy management” may not sound like the most exciting problem to solve. Authorization — unlike authentication — remains a problem that is mostly unsolved, though, and there are few enterprise-ready services available. That means developers — who are increasingly tasked with managing the security of their applications — are using a mix of policy engines and other tools which inevitably leads to errors and potential vulnerabilities.

“Authorization remains a big challenge for engineering teams,” Kanfer told me. “It’s a big challenge, because, taking into account attributes on identities, resources and context — and then combining all of them together into a concise policy that’s easily managed and scaled — that’s a pretty mind-blowing task. Just to model the hierarchies and the roles and permissions and relationships between them. It’s not an easy task.”

And as Kanfer also noted, as enterprises move to a microservices model for their application development, the complexity here only increases. Today’s solutions, however, aren’t flexible enough to solve this problem. “The list of permissions can change according to multiple factors,” he explained. “It could be identity, the time of the day, working from home or from the office. Is it a trusted device? Is it a workday or weekend? What is the relationship between you and the resource?”
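The factors Kanfer lists (identity, time of day, device trust, workday or weekend, the subject’s relationship to the resource) are exactly what a deny-by-default, attribute-based policy has to combine into one decision. The following is an added example written for this page, not build.security’s product or Open Policy Agent code: a small Python evaluator with three hypothetical rules over a constructed request, returning the reasons alongside the verdict so every decision is auditable.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:
    """Attributes of one access request (fields are constructed for this example)."""
    user: str
    roles: frozenset
    action: str          # "read", "write" or "delete"
    resource_owner: str  # the relationship between subject and resource
    device_trusted: bool
    on_corp_network: bool
    when: datetime


def is_business_hours(when: datetime) -> bool:
    # Monday..Friday, 08:00-18:00: a hypothetical policy window.
    return when.weekday() < 5 and 8 <= when.hour < 18


def decide(req: Request):
    """Deny by default; returns (allowed, reasons) so the outcome can be logged."""
    reasons = []
    # Rule 1: anyone may read a resource they own, from any device at any time.
    if req.action == "read" and req.resource_owner == req.user:
        return True, ["owner may read own resource"]
    # Rule 2: admins may act on any resource, but only under extra conditions.
    if "admin" in req.roles:
        if not req.device_trusted:
            reasons.append("admin actions require a trusted device")
        if req.action == "delete" and not (req.on_corp_network and is_business_hours(req.when)):
            reasons.append("delete allowed only from the corporate network during business hours")
        if not reasons:
            return True, ["admin action permitted"]
        return False, reasons
    # Rule 3: nothing else is granted.
    return False, ["no rule grants this action"]


def sample_decisions():
    """Evaluate a few constructed requests; 21 Nov 2020 is a Saturday, 18 Nov a Wednesday."""
    saturday = datetime(2020, 11, 21, 10, 0)
    wednesday = datetime(2020, 11, 18, 10, 0)
    cases = {
        "owner_read_weekend": Request("alice", frozenset(), "read", "alice", False, False, saturday),
        "stranger_write": Request("alice", frozenset(), "write", "bob", True, True, wednesday),
        "admin_delete_weekend": Request("root", frozenset({"admin"}), "delete", "bob", True, True, saturday),
        "admin_delete_weekday": Request("root", frozenset({"admin"}), "delete", "bob", True, True, wednesday),
        "admin_untrusted_device": Request("root", frozenset({"admin"}), "write", "bob", False, True, wednesday),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in sample_decisions().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({'; '.join(reasons)})")
```

The point of returning reasons rather than a bare boolean is that a denied request can be explained to the developer and to an auditor without re-running the policy; the same structure is what a policy engine exposes when policies are written as code rather than scattered across application checks.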

Image Credits: build.security

The company offers its service both as a cloud service and as an on-premises solution. Its current focus is on containers: a Kubernetes sidecar container fetches configurations and policies from the build.security control plane. The company offers SDKs and plugins for many popular programming languages and frameworks (think Python, Node.js and .NET), and the service integrates with all of your standard identity providers and other API-based services.

“Build.security’s innovation is an incredible win for the developer community — they’ve made authorization easy,” said John Brennan, partner at YL Ventures and build.security board member. “We’re excited by Amit and Dekel’s unique plug-and-play approach to API and function-level authorization, as well as the breadth of visibility their control plane offers. Their approach will enable developers and enterprises to build secure software at scale.”


Trump fires US cybersecurity official Chris Krebs for debunking false election claims

Chris Krebs, one of the most senior cybersecurity officials in the U.S. government, has been fired.

Krebs served as the director of the Cybersecurity and Infrastructure Security Agency (CISA) since its founding in November 2018 until he was removed from his position on Tuesday. It’s not immediately clear who is currently heading the agency. A spokesperson for CISA did not immediately comment.

President Trump fired Krebs in a tweet late on Tuesday, citing a statement published by CISA last week, which found there was “no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.” Trump, who has repeatedly made claims of voter fraud without providing evidence, alleged that CISA’s statement was “highly inaccurate.”

Shortly after, Twitter labeled Trump’s tweet for making a “disputed” claim about election fraud.

Reuters first reported the news of Krebs’ potential firing last week.

Krebs was appointed by President Trump to head the newly created cybersecurity agency in November 2018, just days after the conclusion of the midterm elections. He previously served as an under secretary for CISA’s predecessor, the National Protection and Programs Directorate, and also held cybersecurity policy roles at Microsoft.

During his time in government, Krebs became one of the most vocal voices on election security, taking the lead during the 2018 and 2020 elections, which largely escaped the disruptive cyberattacks and misinformation that plagued the 2016 presidential election, thanks to efforts to prepare for them.

He was “one of the few people in this administration respected by everyone on both sides of the aisle,” said Sen. Mark Warner, a member of the Senate Intelligence Committee, in a tweet.

Krebs is the latest official to leave CISA in the past year. Brian Harrell, who oversaw infrastructure protection at the agency, resigned in August after less than a year on the job, and Jeanette Manfra left for a role at Google at the end of last year. Cyberscoop reported Thursday that Bryan Ware, CISA’s assistant director for cybersecurity, resigned for a position in the private sector.


Election Security Experts Contradict Trump’s Voting Claims

In a public letter, 59 top specialists called the president’s fraud assertions “unsubstantiated” and “technically incoherent.”


Animal Jam was hacked, and data stolen. Here’s what parents need to know

WildWorks, the gaming company that makes the popular kids game Animal Jam, has confirmed a data breach.

Animal Jam is one of the most popular games for kids, ranking in the top five games in the 9-11 age category in Apple’s App Store in the U.S., according to data provided by App Annie. But while no data breach is ever good news, WildWorks has been more forthcoming about the incident than most companies would be, making it easier for parents to protect both their information and their kids’ data.

Here’s what we know.

WildWorks said in a detailed statement that a hacker stole 46 million Animal Jam records in early October but that it only learned of the breach in November.

The company said someone broke into one of the systems the company uses for internal employee communication, and accessed a secret key that allowed the hacker to break into the company’s user database. The bad news is that the stolen data is known to be circulating on at least one cybercrime forum, WildWorks said, meaning that malicious hackers may use (or be using) the stolen information.

The stolen data spans the past 10 years, the company said, so former users may still be affected.

Much of the stolen data wasn’t highly sensitive, but the company warned that 32 million of those stolen records had the player’s username, 23.9 million records had the player’s gender, 14.8 million records contained the player’s birth year, and 5.7 million records had the player’s full date of birth.

But the company did say that the hacker also took 7 million parent email addresses used to manage their kids’ accounts. It also said that 12,653 parent accounts had a parent’s full name and billing address, and 16,131 parent accounts had a parent’s name but no billing address.

Besides the billing address, the company said no other billing data — such as financial information — was stolen.

WildWorks also said that the hacker stole players’ passwords, prompting the company to reset every player’s password. (If you can’t log in, that’s probably why. Check your email for a link to reset your password.) WildWorks didn’t say how it scrambled the passwords, which leaves open the possibility that they could be unscrambled and used to break into other accounts that share the same password as the Animal Jam account. That’s why it’s so important to use a unique password for each site or service, and to use a password manager to store your passwords safely.
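Whether stolen password data can be “unscrambled” depends almost entirely on how it was stored. The following is an added example, not WildWorks’ code and not a description of what Animal Jam actually used: it contrasts a fast, unsalted SHA-1 digest (reversible by a precomputed lookup, here a constructed three-entry table standing in for the real ones) with a per-user salt and a slow key derivation function (PBKDF2-HMAC-SHA256), where identical passwords no longer produce identical records and each guess costs the attacker real work.

```python
import hashlib
import hmac
import os


def fast_unsalted(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the password."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed lookup table of a few common passwords and their SHA-1 digests.
# Real precomputed tables for fast unsalted hashes cover billions of entries.
LOOKUP_TABLE = {fast_unsalted(p): p for p in ("password", "123456", "animaljam")}


def recover_from_lookup(digest: str):
    """Unsalted digests are a pure function of the password, so a table lookup reverses them."""
    return LOOKUP_TABLE.get(digest)


def hash_password(password: str, iterations: int = 200_000) -> str:
    """The sound scheme: random 16-byte per-user salt plus a slow KDF.
    Stored as 'algorithm$iterations$salt$derived_key' so parameters can be raised later."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    weak = fast_unsalted("password")
    print("unsalted SHA-1 recovered by lookup:", recover_from_lookup(weak))
    a, b = hash_password("password"), hash_password("password")
    print("same password, two salted records differ:", a != b)
    print("verify correct / wrong:", verify_password("password", a), verify_password("passw0rd", a))
```

Two properties matter for breach response: with the salted scheme, two users who chose the same password cannot be spotted from the dump alone, and the per-guess cost set by the iteration count is what buys time for a forced reset like the one WildWorks performed.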

The company said it was sharing information about the breach with the FBI and other law enforcement agencies.

So what can parents do?

  • Thankfully the data associated with kids’ accounts is limited. But parents, if you have used your Animal Jam password on any other website, change those passwords to strong and unique ones so that nobody can break into those other accounts.
  • Keep an eye out for scams related to the breach. Malicious hackers like to jump on recent news and events to try to trick victims into turning over more information or money in response to a breach.


Decrypted: Grayshift raises $47M, Apple bugs under attack, video game maker hacked

The election is over, but not without a hitch or two. Some voters in Georgia and Ohio had to use paper ballots after hand sanitizer leaked into voting machines — an unexpected casualty of the pandemic. And a slew of robocalls across a number of swing states urged voters to “stay safe and stay home,” in an effort to disenfranchise voters from going to the polls. With record voter turnout, there’s little evidence to show it worked.

But we saw nothing like the hack-and-leak operations of four years ago, which delivered an “October surprise” that derailed the election for Hillary Clinton despite her winning the popular vote by three million votes.

Government officials and cybersecurity firms said there were no significant or damaging cyberattacks during Election Day. One Homeland Security official called it “another Tuesday on the internet,” but conceded there was still cause for concern in the election aftermath.

With the bulk of the votes counted, government officials pointed to the threat of “foreign influence” campaigns — or misinformation — that would try to cast doubt on the election results. In reality, many of the false and misleading claims ended up coming from inside the White House as the Trump administration tried to cling to power. After being caught out four years ago, the social media giants put into place measures and policies that limited the spread of false news — including Trump’s repeated attempts to claim victory.

Fears that the 2020 election could turn into a national, or even an international security matter did not come to fruition. The U.S. is in a better place than it was four years ago by simply learning the lessons from Russia’s efforts to interfere with the election. Imagine where we could be in another four?

Since you, like us, were glued to the television screens last week, here’s more from the week you might have missed.


THE BIG PICTURE

Grayshift, the maker of phone unlocking tech, raises a Series A round

Grayshift, the secretive startup behind the U.S. government’s favorite phone unlocking technology, has raised $47 million in fresh funding. The Series A round was led by PeakEquity Partners, and — as first reported by Forbes — is a huge round for a little-known phone forensics firm.

One of only a few photos of the mysterious GrayKey phone unlocking devices. Image Credits: Malwarebytes

Grayshift exploded onto the mobile forensics scene in 2018, months after the company began quietly selling its proprietary GrayKey technology to federal agencies for about $15,000 each. The FBI and other agencies use their purchased GrayKey devices to break into encrypted phones without needing the passcode.


Google reveals a new Windows zero-day bug it says is under active attack

Google has dropped details of a previously undisclosed vulnerability in Windows, which it says hackers are actively exploiting. As a result, Google gave Microsoft just a week to fix the vulnerability. That deadline came and went, and Google published details of the vulnerability this afternoon.

The vulnerability has no name but is labeled CVE-2020-17087, and affects at least Windows 7 and Windows 10.

Google’s Project Zero, the elite group of security bug hunters which made the discovery, said the bug allows an attacker to escalate their level of user access in Windows. Attackers are using the Windows vulnerability in conjunction with a separate bug in Chrome, which Google disclosed and fixed last week. This new bug allows an attacker to escape Chrome’s sandbox, which normally isolates the browser from other apps, and run malware on the operating system.

Microsoft did not immediately comment when contacted by TechCrunch, but Project Zero’s technical lead Ben Hawkes said in a tweet that Microsoft plans to issue a patch on November 10.

But it’s unclear who the attackers are or their motives. Google’s director of threat intelligence Shane Huntley said that the attacks were “targeted” and not related to the U.S. election.

It’s the latest in a list of major flaws affecting Windows this year. Microsoft said in January that the National Security Agency helped find a cryptographic bug in Windows 10, though there was no evidence of exploitation. But in June and September, Homeland Security issued alerts over two “critical” Windows bugs — one which had the ability to spread across the internet, and the other could have gained complete access to an entire Windows network.


Enso Security raises $6M for its application security management platform

Enso Security, a Tel Aviv-based startup that is building a new application security platform, today announced that it has raised a $6 million seed funding round led by YL Ventures, with participation from Jump Capital. Angel investors in this round include HackerOne co-founder and CTO Alex Rice; Sounil Yu, the former chief security scientist at Bank of America; Omkhar Arasaratnam, the former head of Data Protection Technology at JPMorgan Chase; and toDay Ventures.

The company was founded by Roy Erlich (CEO), Chen Gour Arie (CPO) and Barak Tawily (CTO). As is so often the case with Israeli security startups, the founding team includes former members of the Israeli Intelligence Corps, but also a lot of hands-on commercial experience. Erlich, for example, was previously the head of application security at Wix, while Gour Arie worked as an application security consultant for numerous companies across Europe and Tawily has a background in pentesting and led a security team at Wix, too.

Image Credits: Enso Security / Getty Images

“It’s no secret that, today, the diversity of R&D allows [companies] to rapidly introduce new applications and push changes to existing ones,” Erlich explained. “But this great complexity for application security teams results in significant AppSec management challenges. These challenges include the difficulty of tracking applications across environments, measuring risks, prioritizing tasks and enforcing uniform Application Security strategies across all applications.”

But as companies push out code faster than ever, the application security teams aren’t able to keep up — and may not even know about every application being developed internally. The team argues that application security today is often a manual effort to identify owners and measure risk, for example — and the resources for application security teams are often limited, especially when compared to the size of the overall development team in most companies. Indeed, the Enso team argues that most AppSec teams today spend most of their time creating relationships with developers and performing operational and product-related tasks — and not on application security.

Image Credits: Enso Security / Getty Images

“It’s a losing fight from the application security side because you have no chance to cover everything,” Erlich noted. “Having said that, […] it’s all about managing the risk. You need to make sure that you take data-driven decisions and that you have all the data that you need in one place.”

Enso Security then wants to give these teams a platform that gives them a single pane of glass to discover applications, identify owners, detect changes and capture their security posture. From there, teams can then prioritize and track their tasks and get real-time feedback on what is happening across their tools. The company’s tools currently pull in data from a wide variety of tools, including the likes of JIRA, Jenkins, GitLab, GitHub, Splunk, ServiceNow and the Envoy edge and service proxy. But as the team argues, even getting data from just a few sources already provides benefits for Enso’s users.

Looking ahead, the team plans to continue improving its product and staff up from its small group of seven employees to about 20 in the next year.

“Roy, Chen and Barak have come up with a very elegant solution to a notoriously complex problem space,” said Ofer Schreiber, partner at YL Ventures. “Because they cut straight to visibility — the true heart of this issue — cybersecurity professionals can finally see and manage all of the applications in their environments. This will have an extraordinary impact on the rate of application rollout and enterprise productivity.”


Microsoft says Iranian hackers targeted ‘high profile’ conference attendees

Microsoft says hackers backed by the Iranian government targeted over 100 high-profile potential attendees of two international security and policy conferences.

The group, known as Phosphorus (or APT35), sent spoofed emails masquerading as organizers of the Munich Security Conference, one of the main global security and policy conferences attended by heads of state, and the Think 20 Summit in Saudi Arabia, scheduled for later this month. Microsoft said the spoofed emails were sent to former government officials, academics and policy makers to steal passwords and other sensitive data, like email inboxes.

Microsoft did not say, when asked, what the goal of the operation was, but the company’s customer security and trust chief Tom Burt said that the attacks were carried out for “intelligence collection purposes.”

“The attacks were successful in compromising several victims, including former ambassadors and other senior policy experts who help shape global agendas and foreign policies in their respective countries,” said Burt. “We’ve already worked with conference organizers who have and will continue to warn their attendees, and we’re disclosing what we’ve seen so that everyone can remain vigilant to this approach being used in connection with other conferences or events.”

Microsoft said the attackers would send emails written in “perfect English” to their targets requesting an invitation to the conference. After the target accepted the invitation, the attackers would try to trick the victim into entering their email password on a fake login page. The attackers would then log in to the mailbox to steal the victim’s emails and contacts.

The group’s previous hacking campaigns have also tried to steal passwords from high-profile victims.

Iran’s consulate in New York could not be reached for comment as its website was down.

Phosphorus is known to target high-profile individuals, like politicians and presidential hopefuls. But Microsoft said that this latest attack was not related to the upcoming U.S. presidential election.

Last year, Microsoft said it had stopped over 10,000 victims of state-sponsored hacking, including Phosphorus and another Iran-backed group, Holmium, also known as APT33. In March, the tech giant secured a court order to take control of domains used by Phosphorus, which were used to steal credentials using fake Google and Yahoo login pages.


Trump Campaign Website Is Defaced by Hackers

The defacement lasted less than 30 minutes, and the hackers appeared to be looking to generate cryptocurrency.


Decrypted: How Twitter was hacked, GitHub DMCA backfires

One week to the U.S. presidential election and things are getting spicy.

It’s not just the rhetoric — hackers are actively working to disrupt the election, officials have said, and last week they came with a concrete example and an unusually quick pointing of blame.

On Wednesday night, Director of National Intelligence John Ratcliffe blamed Iran for an email operation designed to intimidate voters in Florida into voting for President Trump “or else.” Ratcliffe, who didn’t take any questions from reporters and has been accused of politicizing the typically impartial office, said Iran had used voter registration data — which is largely public in the U.S. — to send emails that looked like they came from the far-right group the Proud Boys. Google security researchers also linked the campaign to Iran, which denied claims of its involvement. It’s estimated about 2,500 emails went through in the end, with the rest getting caught in spam filters.

The announcement was lackluster in detail. But experts like John Hultquist, who heads intelligence analysis at FireEye-owned security firm Mandiant, said the incident is “clearly aimed at undermining voter confidence,” just as the Russians attempted during the 2016 election.


THE BIG PICTURE

Twitter was hacked using a fake VPN portal, New York investigation finds

The hackers who broke into Twitter’s network used a fake VPN page to steal the credentials — and two-factor authentication code — of an employee, an investigation by New York’s Department of Financial Affairs found. The state tax division got involved after the hackers then hijacked user accounts using an internal “admin tool” to spread a cryptocurrency scam.

In a report published last week, the department said the hackers called several Twitter employees and used social engineering to trick one employee into entering their username and password on a site that looked like the company’s VPN portal, which most employees use to access the network from home during the pandemic.

“As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the information into the real Twitter website. This false log-in generated a [two-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did,” wrote the report. Once on the network using the employee’s VPN credentials, the hackers used that access to investigate how to access the company’s internal tools.

Twitter said in September that its employees would receive hardware security keys, which would make it far more difficult for a repeat phishing attack to be successful.

Open-source YouTube download tool hit by DMCA takedown, but backfires


Russians Who Pose Election Threat Have Hacked Nuclear Plants and Power Grid

The hacking group, Energetic Bear, is among Russia’s stealthiest. It appears to be casting a wide net to find useful targets ahead of the election, experts said.


Russia Poses Greater Election Threat Than Iran, Many U.S. Officials Say

Russia’s hackers appeared to be preparing to sow chaos amid any uncertainty around election results, officials said.


The Police Can Probably Break Into Your Phone

At least 2,000 law enforcement agencies have tools to get into encrypted smartphones, according to new research, and they are using them far more than previously known.


How Ransomware Puts Your Hospital at Risk

In the midst of the Covid-19 pandemic, the potential consequences of cyberattacks are terrifying.


Decrypted: The major ransomware attack you probably didn’t hear about

Watching the news this past week was like drinking from a firehose. Speaking of which, you probably missed a busy week in cybersecurity, so here are the big stories from the past week.


THE BIG PICTURE

Blackbaud hack gets worse, as bank account data stolen

Blackbaud, a cloud technology company used by colleges, universities, nonprofits (and far-right organizations), was hit by a data-stealing ransomware attack earlier this year. The attack was one of the biggest of the year in terms of the number of organizations affected, hitting dozens of universities, hospitals and other high-profile organizations like NPR. Blackbaud said in July that it paid the ransom — but also claimed and received “confirmation” that the stolen personal data “had been destroyed,” fooling absolutely nobody.

This week Blackbaud confirmed in a regulatory filing that the stolen data also included bank account data and Social Security numbers — far more personally identifiable information than the company first thought. “In most cases, fields intended for sensitive information were encrypted and not accessible,” the company claimed.

Despite Blackbaud’s claim that the data was deleted, these are malicious hackers driven by financial reward. Hope for the best, but assume the worst — Blackbaud’s data is still out there.

Facebook shuts down malware that hijacked accounts to run ads

Hackers spent about $4 million to run scammy ads on Facebook by hijacking the accounts of unsuspecting users, reports Wired. The hackers used malware, dubbed SilentFade, to compromise Facebook accounts with stolen passwords, then used whatever credit card details were saved on those accounts to buy ads for diet pills and fake designer handbags.


Imperva to acquire database security startup jSonar

Cybersecurity giant Imperva will acquire jSonar, a database security startup that recently landed $50 million from Goldman Sachs.

Financial terms of the deal weren’t disclosed.

The acquisition of jSonar, which provides security and compliance for databases on-premises or in the cloud, will help bolster Imperva’s data security business. As part of the deal, jSonar founder Ron Bennatan will join Imperva to lead its new data security division.

Imperva provides enterprise security, including protection against distributed denial-of-service attacks, to more than 6,200 companies. Earlier this year the company acquired Distil Networks, adding bot protection to its security roster.

“Enterprises have shifted focus from compliance to data security while demanding lower costs and more measurable benefits,” said Imperva chief executive Pam Murphy. “This combination of two uniquely qualified trailblazers will signal a new approach to data security that puts an emphasis on usability and value with sustained and complete coverage for three initiatives organizations need to implement – security, compliance and privacy.”

Last year, private equity firm Thoma Bravo bought Imperva in a $2.1 billion deal to take the company private.

The Imperva-jSonar acquisition is expected to close by mid-October.

#computer-security, #computing, #imperva, #internet-security, #jsonar, #private, #security, #thoma-bravo

Ring to offer opt-in end-to-end encryption for videos beginning later this year

Ring will be stepping up its efforts to make its security products secure for users by enabling end-to-end video encryption later this year. The company will provide this toggle on a new page in its app’s Control Center, which will offer more information about Ring’s current encryption practices and the measures it takes to keep user video secure until the end-to-end encryption feature goes live. Ring is also taking the covers off a range of new devices today, including its first drone, but Ring CEO and founder Jamie Siminoff says that this new security measure could actually make the biggest difference to its customers.

“[End-to-end encryption] could be our most important product that we’re sort of putting out there, because security and privacy, and user control are foundational to Ring, and continuing to push those further than even the industry, and really even pushing the rest of the industry, is something I think that we have a responsibility to do.”

Siminoff also points to Ring’s introduction of mandatory two-factor authentication earlier this year as something that’s above and beyond the standard across the industry. I asked him then why not make end-to-end encryption for video on by default, with an opt-out option instead if users feel strongly that they don’t want to take part.

“Privacy, as you know, is really individualized – we see people have different needs,” he said. “Just one example for end-to-end, is that when you enable it, you cannot use your Alexa to say ‘Show me who’s at the front door,’ because of the physics of locking down to an end-to-end key. As soon as you do something like that, it would actually break what you’re trying to achieve. So it really is something that is optional, because it doesn’t fit every user in terms of the way in which they want to use the product. But there are some users that really do want this type of security – so I think what you’re going to see from us in the future, and I hope the industry as well, is just really allowing people to dial in the security that they want, and having transparency, which is also with the Video Control Center that we’ve launched today to provide you with the knowledge of what’s happening with your data, in this case with Ring videos.”

Overall, Siminoff said that the company hopes, through all of its products, to let its users build the system that they want to use, in the way that they want to use it. The Always Home Cam drone, he points out, is another expression of that, since it provides the potential to monitor every room in your home – but also the ability to be selective about when and where.

“I think it’s just about building the options to allow people to use technology – but use it comfortably, understand it, and control it,” he said.

#alexa, #amazon-hardware-event-2020, #computer-security, #control-center, #cryptography, #data-security, #digital-rights, #encryption, #end-to-end-encryption, #gadgets, #hardware, #jamie-siminoff, #ring, #security, #tc

Senate’s encryption backdoor bill is ‘dangerous for Americans,’ says Rep. Lofgren

A Senate bill that would compel tech companies to build backdoors to allow law enforcement access to encrypted devices and data would be “very dangerous” for Americans, said a leading House Democrat.

Law enforcement frequently spars with tech companies over their use of strong encryption, which protects user data from hackers and theft, but the government says makes it harder to catch criminals accused of serious crime. Tech companies like Apple and Google have in recent years doubled down on their security efforts by securing data with encryption that even they cannot unlock.

Senate Republicans in June introduced their latest “lawful access” bill, renewing previous efforts to force tech companies to allow law enforcement access to a user’s data when presented with a court order.

“It’s dangerous for Americans, because it will be hacked, it will be utilized, and there’s no way to make it secure,” Rep. Zoe Lofgren, whose congressional seat covers much of Silicon Valley, told TechCrunch at Disrupt 2020. “If we eliminate encryption, we’re just opening ourselves up to massive hacking and disruption,” she said.

Lofgren’s comments echo those of critics and security experts, who have long criticized efforts to undermine encryption, arguing that there is no way to build a backdoor for law enforcement that could not also be exploited by hackers.

Several previous efforts by lawmakers to weaken and undermine encryption have failed. Currently, law enforcement has to use existing tools and techniques to find weaknesses in phones and computers. The FBI claimed for years that it had thousands of devices that it couldn’t get into, but admitted in 2018 that it repeatedly overstated the number of encrypted devices it had and the number of investigations that were negatively impacted as a result.

Lofgren has served in Congress since 1995 during the first so-called “Crypto Wars,” during which the security community fought the federal government to limit access to strong encryption. In 2016, Lofgren was part of an encryption working group on the House Judiciary Committee. The group’s final report, bipartisan but not binding, found that any measures to undermine encryption “works against the national interest.”

Still, it’s a talking point that the government continues to push, even as recently as this year when U.S. Attorney General William Barr said that Americans should accept the security risks that encryption backdoors pose.

“You cannot eliminate encryption safely,” Lofgren told TechCrunch. “And if you do, you will create chaos in the country and for Americans, not to mention others around the world,” she said. “It’s just an unsafe thing to do, and we can’t permit it.”

#apple, #attorney-general, #computer-security, #congress, #crypto-wars, #cryptography, #disrupt-2020, #encryption, #government, #law-enforcement, #security, #senate, #united-states, #william-barr, #zoe-lofgren

‘There’s No There There’: What the TikTok Deal Achieved

The agreement for the social media app falls short of President Trump’s promises.

#beijing-bytedance-technology-co-ltd, #china, #computer-security, #computers-and-the-internet, #executive-orders-and-memorandums, #mobile-applications, #oracle-corporation, #social-media, #suits-and-litigation-civil, #tiktok-bytedance, #trump-donald-j, #united-states-politics-and-government, #walmart-stores-inc

How to Secure and Protect Your Smart Home

A few simple steps will go a long way.

#computer-security, #computers-and-the-internet, #privacy

How the NSA is disrupting foreign hackers targeting COVID-19 vaccine research

The headlines aren’t always kind to the National Security Agency, a spy agency that operates almost entirely in the shadows. But a year ago, the NSA launched its new Cybersecurity Directorate, which in the past year has emerged as one of the more visible divisions of the spy agency.

At its core, the directorate focuses on defending and securing critical national security systems that the government uses for its sensitive and classified communications. But the directorate has become best known for sharing some of the more emerging, large-scale cyber threats from foreign hackers. In the past year the directorate has warned against attacks targeting secure boot features in most modern computers, and doxxed a malware operation linked to Russian intelligence. By going public, NSA aims to make it harder for foreign hackers to reuse their tools and techniques, while helping to defend critical systems at home.

But six months after the directorate started its work, COVID-19 was declared a pandemic and large swathes of the world — and the U.S. — went into lockdown, prompting hackers to shift gears and change tactics.

“The threat landscape has changed,” Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch at Disrupt 2020. “We’ve moved to telework, we move to new infrastructure, and we’ve watched cyber adversaries move to take advantage of that as well,” she said.

Publicly, the NSA advised on which videoconferencing and collaboration software was secure, and warned about the risks associated with virtual private networks, whose usage boomed after lockdowns began.

But behind the scenes, the NSA is working with federal partners to help protect the efforts to produce and distribute a vaccine for COVID-19, a feat that the U.S. government called Operation Warp Speed. News of NSA’s involvement in the operation was first reported by Cyberscoop. As the world races to develop a working COVID-19 vaccine, which experts say is the only long-term way to end the pandemic, NSA and its U.K. and Canadian partners went public with another Russian intelligence operation aimed at targeting COVID-19 research.

“We’re part of a partnership across the U.S. government, we each have different roles,” said Neuberger. “The role we play as part of ‘Team America for Cyber’ is working to understand foreign actors, who are they, who are seeking to steal COVID-19 vaccine information — or more importantly, disrupt vaccine information or shake confidence in a given vaccine.”

Neuberger said that protecting the pharma companies developing a vaccine is just one part of the massive supply chain operation that goes into getting a vaccine out to millions of Americans. Ensuring the cybersecurity of the government agencies tasked with approving a vaccine is also a top priority.

Here are more takeaways from the talk:

Why TikTok is a national security threat

TikTok is just days away from an app store ban, after the Trump administration earlier this year accused the Chinese-owned company of posing a threat to national security. But the government has been less than forthcoming about what specific risks the video sharing app poses, only alleging that the app could be compelled to spy for China. Beijing has long been accused of cyberattacks against the U.S., including the massive breach of classified government employee files from the Office of Personnel Management in 2014.

Neuberger said that the “scope and scale” of the TikTok app’s data collection makes it easier for Chinese spies to answer “all kinds of different intelligence questions” on U.S. nationals. Neuberger conceded that U.S. tech companies like Facebook and Google also collect large amounts of user data. But there are “greater concerns on how [China] in particular could use all that information collected against populations other than its own,” she said.

NSA is privately disclosing security bugs to companies

The NSA is trying to be more open about the vulnerabilities it finds and discloses, Neuberger said. She told TechCrunch that the agency has shared a “number” of vulnerabilities with private companies this year, but “those companies did not want to give attribution.”

One exception was earlier this year when Microsoft confirmed NSA had found and privately reported a major cryptographic flaw in Windows 10, which could have allowed hackers to run malware masquerading as a legitimate file. The bug was serious enough that NSA reported it to Microsoft, which patched it.

Only two years earlier, the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.

As a spy agency, NSA exploits flaws and vulnerabilities in software to gather intelligence on the enemy. It has to run through a process called the Vulnerabilities Equities Process, which allows the government to retain bugs that it can use for spying.

#anne-neuberger, #computer-security, #cyberattack, #cyberwarfare, #disrupt-2020, #government, #mass-surveillance, #microsoft, #microsoft-windows, #national-security-agency, #privacy, #security, #u-s-government

Explaining Trump Ban on TikTok, WeChat

The Commerce Department announced that it was prohibiting downloads of WeChat and TikTok in U.S. app stores. Here’s what you need to know.

#commerce-department, #computer-security, #computers-and-the-internet, #content-type-service, #instant-messaging, #mobile-applications, #mobile-commerce-and-payments, #social-media, #software, #tiktok-bytedance, #trump-donald-j, #united-states, #wechat-mobile-app

Trump Admin to Ban TikTok, WeChat From U.S. App Stores

The Trump administration issued new rules Friday morning that will cripple the operation of two popular Chinese-owned apps in the United States.

#computer-security, #computers-and-the-internet, #executive-orders-and-memorandums, #mobile-applications, #ross-wilbur-l-jr, #social-media, #tiktok-bytedance, #trump-donald-j, #united-states-politics-and-government, #wechat-mobile-app

Iranian Hackers Can Beat Encrypted Apps like Telegram, Researchers Say

Reports reveal that hackers have been secretly gathering intelligence on opponents of the Iranian regime, breaking into cellphones and computers and outsmarting apps like Telegram.

#computer-security, #cyberattacks-and-hackers, #iran, #telegram-llc, #whatsapp-inc

TikTok Accepts Deal Revisions as Trump Prepares to Review Proposal

The video app is also looking for a new chief executive and has talked to candidates including a founder of Instagram.

#beijing-bytedance-technology-co-ltd, #china, #computer-security, #computers-and-the-internet, #executive-orders-and-memorandums, #mobile-applications, #presidential-election-of-2020, #social-media, #systrom-kevin, #tiktok-bytedance, #trump-donald-j, #united-states-politics-and-government

JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting topic, but it’s an often overlooked area of cyber-defense. Knowing exactly what assets your company has makes it easier to see where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, N.C.-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare, and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multibillion dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be an $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.

#bain-capital-ventures, #computer-security, #computing, #enrique-salem, #free-software, #internet-security, #north-carolina, #security, #series-a, #software, #version-control, #web-services

China-Backed Hackers Broke Into 100 Firms and Agencies, U.S. Says

In indictments against five Chinese nationals, the Justice Department described sophisticated attacks to hijack networks and extort universities, businesses and nonprofits.

#china, #computer-security, #computers-and-the-internet, #cyberattacks-and-hackers, #cyberwarfare-and-defense, #industrial-espionage, #justice-department, #malaysia, #united-states-politics-and-government

Justice Dept. charges five Chinese members of APT41 over cyberattacks on U.S. companies

The Justice Department has announced charges against five Chinese nationals accused of hacking over 100 companies in the United States, including tech companies, game makers, universities, and think tanks.

Zhang Haoran and Tan Dailin were charged in August 2019 with more than two dozen counts of conspiracy, wire fraud, identity theft and charges related to computer hacking. Prosecutors also added nine additional charges against Jiang Lizhi, Qian Chuan, and Fu Qiang last month.

Prosecutors also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.

“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the Department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said assistant attorney general John C. Demers.

“This is the only way to neutralize malicious nation state cyber activity,” he said.

The hackers are accused of working as members of the China-backed APT41 hacking group, also known as “Barium,” to steal source code, customer data, and other valuable business information from businesses in the U.S., Australia, Brazil, Hong Kong, South Korea and other countries.

The indictments said that the hackers worked for a front company, Chengdu 404, which purports to be a network security company but prosecutors say was a cover for the hackers. The alleged hackers used a number of known security vulnerabilities to break into companies and launch attacks against a company’s supply chains, allowing the hackers to break into other companies. The indictments confirm earlier research from security firm FireEye that said APT41 hackers used vulnerabilities against networking gear to break into their victims’ networks.

The hackers also allegedly stole code-signing certificates, which can be used to trick computers into thinking malware is from a legitimate source and safe to run. Last year, APT41 was blamed for a supply chain attack at computer maker Asus, which saw the attackers push a backdoor to at least hundreds of thousands of computers using the company’s own servers.

Prosecutors said the hackers tried to make money by launching ransomware attacks and cryptojacking schemes, which hijack computers with malware to mine cryptocurrency.

After the indictments were filed, prosecutors said they obtained warrants to seize websites, domains, and servers associated with the group’s operations, effectively shutting them down and hindering their operations.

The alleged hackers are still believed to be in China, but the allegations serve as a “name and shame” effort employed by the Justice Department in recent years against state-backed cyber attackers.

#computer-security, #cyberattack, #department-of-justice, #federal-bureau-of-investigation, #government, #hacker, #internet-security, #justice-department, #ransomware, #security, #security-breaches, #united-states

Two Are Accused of Hacking U.S. Websites With Pro-Iran Messages

The cyberattacks were in retaliation for the death of Maj. Gen. Qassim Suleimani of Iran in a U.S. military airstrike in January, according to a federal indictment unsealed Tuesday.

#abusrour-marwan, #computer-security, #computers-and-the-internet, #cyberwarfare-and-defense, #iran, #mohammadzadeh-behzad, #suleimani-qassim, #targeted-killings

‘Impossible Objects’ That Reveal a Hidden Power

The artist Trevor Paglen peers into the history of photography and its relationship to state surveillance.

#art, #carnegie-museum-of-art, #computer-security, #computer-vision, #opposing-geometries-exhibit, #paglen-trevor, #photography, #pittsburgh-pa, #privacy, #surveillance-of-citizens-by-government

HacWare wants you to hate email security a little less

Let’s face it, email security is something a lot of people would rather think less about. When you’re not deluged with a daily onslaught of phishing attacks trying to steal your passwords, you’re also expected to dodge the simulated phishing emails sent by your own company all for the sake of checking a compliance box.

One security startup wants that to change. Tiffany Ricks founded HacWare in Dallas, Texas, in 2017 to help bring better cybersecurity awareness to small businesses without getting in the way of the day job.

“We’re trying to show them what they don’t know about cybersecurity and educate them on that so they can get back to work,” Ricks told TechCrunch, ahead of the company’s participation in TechCrunch’s Startup Battlefield.

Ricks, a former Pentagon contractor, has her roots as an ethical hacker. As a penetration tester, or “red teamer,” she would test the limits of a company’s cybersecurity defenses using a number of techniques, including social engineering attacks, which often involve tricking someone into handing over a password or access to a system.

“It was just very easy to get into organizations by social engineering employees,” said Ricks. But the existing offerings on the market, she said, weren’t up to the task of educating users at scale.

“And so we built the product in-house,” she said.

HacWare sits on a company’s email server and uses machine learning to categorize and analyze each message for risk — the same things you would look for in a phishing email, like suspicious links and attachments.

HacWare tries to identify the most at-risk users, like those working in finance and human resources, who are more exposed to business email compromise attacks that try to steal sensitive employee information. The system also runs automated phishing simulations that draw on what is already in a user’s inbox to send personalized phishing emails that test the user.
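The article only says that HacWare looks for "the same things you would look for in a phishing email." As an added illustration, and not HacWare's code (whose internals the article does not describe), here is a small heuristic scorer that checks the two indicators the article names, suspicious links and attachments, plus two header-level tells a mail filter would also look at: a Reply-To that differs from the sender, and a sender domain that imitates a trusted one. The sample messages, the `TRUSTED_DOMAINS` set and the indicator weights are all constructed for this example.

```python
"""Heuristic phishing-indicator scorer (illustrative; not HacWare's code)."""
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed set of domains the organisation treats as its own (hypothetical).
TRUSTED_DOMAINS = {"example.com", "hr.example.com"}
# Extensions that commonly carry macro or script payloads.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".xlsm", ".docm"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
# Weight per indicator category (constructed values); the total is capped at 100.
WEIGHTS = {"reply_to": 25, "lookalike": 25, "link": 35, "attachment": 30, "urgency": 10}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed sample messages (not real mail) used to exercise the scorer.
SAMPLE_PHISH = """\
From: HR Payroll <payroll@examp1e.com>
Reply-To: payroll-update@mail-secure-login.example
To: alice@example.com
Subject: URGENT: verify your account within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Your payroll access is suspended. Log in here:
<a href="http://mail-secure-login.example/verify">https://hr.example.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="Payroll_Update.xlsm"
Content-Disposition: attachment; filename="Payroll_Update.xlsm"

ZmFrZQ==
--b1--
"""

SAMPLE_BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain

Noon at the usual place? Notes are at https://wiki.example.com/team/lunch
"""


def _domain(addr):
    """Return the lower-cased domain of an address like 'Name <user@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _normalize(domain):
    """Collapse common digit/letter substitutions so lookalike domains match."""
    return domain.replace("1", "l").replace("0", "o").replace("rn", "m")


def _body_text(msg):
    """Concatenate the text parts (html or plain) that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Return {'score': 0..100, 'indicators': [...]} for one raw RFC 822 message."""
    msg = message_from_string(raw)
    indicators, score = [], 0

    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"reply_to: replies go to {reply_dom}, not {from_dom}")
        score += WEIGHTS["reply_to"]
    if from_dom not in TRUSTED_DOMAINS and _normalize(from_dom) in TRUSTED_DOMAINS:
        indicators.append(f"lookalike: sender domain {from_dom} imitates a trusted domain")
        score += WEIGHTS["lookalike"]

    body = _body_text(msg)
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)  # anchor text that itself looks like a URL
        if shown and (urlparse(shown.group(0)).hostname or "") != (urlparse(href).hostname or ""):
            indicators.append(f"link: text shows {shown.group(0)} but points to {href}")
            score += WEIGHTS["link"]

    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            indicators.append(f"attachment: risky file type {name}")
            score += WEIGHTS["attachment"]

    haystack = ((msg.get("Subject") or "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        indicators.append("urgency: " + ", ".join(hits))
        score += WEIGHTS["urgency"]

    return {"score": min(score, 100), "indicators": indicators}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        result = score_message(raw)
        print(label, result["score"], *result["indicators"], sep="\n  ")
```

The link check is the one that matters most in practice: the anchor text is what the user reads, the `href` is where the browser goes, and a mismatch between the two hosts is hard to explain innocently. The lookalike check deliberately only fires when the raw domain is not trusted but its normalized form is, so a legitimate sender is never penalised for containing "rn" or "0".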

Email remains the most popular way for attackers to use phishing and other social engineering attacks to try to steal sensitive information, according to Verizon’s annual data breach report. These attackers want your passwords or to try to trick you into sending sensitive documents, like employee tax and financial information.

But as the adage goes, humans are the weakest link in the security chain.

Stronger security features, like two-factor authentication, make it far more difficult for hackers to break into accounts, but they are not a panacea. It was only in July that Twitter was hit by a devastating breach that saw hackers use social engineering techniques to trick employees into giving up access to an internal “admin” tool, which the hackers abused to hijack high-profile accounts and spread a cryptocurrency scam.

HacWare’s approach to email security appears to be working. “We’ve seen a 60% reduction in reducing phishing responses,” she said. The automated phishing simulations also help to reduce IT workload, she said.

Ricks moved the bootstrapped HacWare to New York City after securing a place in Techstars’ accelerator program. HacWare is seeking to raise a $1 million seed round, said Ricks. For now, the company is “laser focused” on email security, but the company has growth in its sights.

“I see us expanding into just trying to understand human behavior and trying to figure out how we can mitigate that risk,” she said.

“We believe that cyber security is an integrated approach,” said Ricks. “But first we definitely need to start with the root cause, and the root cause is we need to really get our people the tools they need to empower them to make sound cybersecurity decisions,” she said.

#battlefield, #computer-security, #cybercrime, #disrupt-2020, #identity-theft, #multi-factor-authentication, #phishing, #security, #social-engineering, #startups

TikTok’s Proposed Deal Seeks to Mollify U.S. and China

The Chinese-owned app designed a compromise to satisfy U.S. security concerns. The terms are now under review by the Trump administration.

#china, #computer-security, #computers-and-the-internet, #executive-orders-and-memorandums, #international-trade-and-world-market, #mergers-acquisitions-and-divestitures, #oracle-corporation, #social-media, #stocks-and-bonds, #tiktok-bytedance, #treasury-department, #united-states-international-relations, #united-states-politics-and-government

TikTok’s Sale Is More About Power Than Protecting Your Privacy

Forcing a sale of the app is a show of power, but it doesn’t really protect your privacy.

#china, #computer-security, #computers-and-the-internet, #mobile-applications, #politics-and-government, #privacy, #social-media, #tiktok-bytedance, #trump-donald-j, #united-states

Microsoft Says Its Bid for TikTok Was Rejected in U.S.-China Standoff

The move leaves Oracle as the sole known remaining bidder, as the clock ticks down on President Trump’s executive order to block the app.

#computer-security, #computers-and-the-internet, #executive-orders-and-memorandums, #mergers-acquisitions-and-divestitures, #microsoft-corp, #oracle-corporation, #social-media, #tiktok-bytedance, #united-states-international-relations

‘It’s 8 P.M. on Election Day.’ Experts Share Their Nightmare Scenarios.

We asked security experts to tell us what keeps them up at night — and what to do about it.

#absentee-voting, #biden-joseph-r-jr, #computer-security, #cyberwarfare-and-defense, #polls-and-public-opinion, #presidential-election-of-2020, #rumors-and-misinformation, #russia, #social-media, #trump-donald-j, #united-states, #united-states-politics-and-government, #voter-registration-and-requirements, #voting-and-voters, #voting-machines

Use ‘productive paranoia’ to build cybersecurity culture at your startup

As any startup grows, getting new products out the door and securing that next round of funding are always top priorities.

But security, all too often, falls by the wayside. After all, why would you invest money in something that you hope never happens when you could be funneling cash back into the business?

Fostering a corporate culture that embraces cybersecurity best practices keeps customer data safe and your company’s reputation intact. But security isn’t something you can easily tack on later. It must be ingrained in your company’s culture, and it’s so much easier to start in the early days of your company than scrambling in the aftermath of a data breach.

But how do you get there?

At TechCrunch Early Stage, we asked Casey Ellis, founder, chairman and chief technology officer at Bugcrowd, to share his ideas for how startups can improve their security posture.

Bugcrowd helps companies dip into a huge pool of cybersecurity talent — including hackers and security researchers — to find vulnerabilities. By helping companies identify flaws, they can shore up their defenses before malicious hackers break in. Few know better than Ellis — who’s run Bugcrowd for close to a decade — which policies, procedures and protections companies have put in place to get there.

#computer-security, #cryptography, #security, #software, #startups, #tc, #techcrunch-early-stage

Yubico unveils its latest YubiKey 5C NFC security key, priced at $55

Yubico, a maker of hardware security keys, has unveiled its newest YubiKey 5C NFC, which the company says offers the strongest defenses against some of the most common cyberattacks.

Security keys provide a physical security barrier for your online accounts. Hackers can steal usernames and passwords, and two-factor authentication codes sent to your phone can be spoofed or bypassed. But plugging a physical security key into your computer or phone tells the online service that it’s really you logging in to your account.

In the age of working from home, security keys make it practically impossible for hackers on the other side of the world to break into your accounts.

Yubico’s YubiKey 5C NFC is the latest iteration of the company’s lineup of security keys. It has a dedicated USB-C connector that works across a range of computers and phones, and for devices without USB-C it also has a built-in NFC chip that lets users log in by tapping the key against their device.

YubiKeys pack in a ton of open security and authentication standards, making them work on the “majority” of computers and phones — including Macs, iPhones, Linux machines, and Windows and Android devices, said Guido Appenzeller, Yubico’s chief product officer.

Its keys also work with many enterprise apps, as well as consumer services like Facebook, Google, Microsoft, and Twitter.

Yubico priced its newest YubiKey at $55.

#android, #authentication, #computer-security, #hardware, #multi-factor-authentication, #security, #security-token, #startups, #yubico, #yubikey

Seven Election Day Nightmares

We asked security experts to tell us what keeps them up at night — and what to do about it.

#absentee-voting, #computer-security, #computers-and-the-internet, #elections, #elections-house-of-representatives, #local-government, #polls-and-public-opinion, #presidential-election-of-2020, #russian-interference-in-2016-us-elections-and-ties-to-trump-associates, #social-media, #united-states, #united-states-politics-and-government, #voting-and-voters, #voting-machines

WhatsApp reveals six previously undisclosed vulnerabilities on new security site

Facebook-owned WhatsApp has revealed six previously undisclosed vulnerabilities, which the company has now fixed. The vulnerabilities are being reported on a dedicated security advisory website that will serve as the new resource providing a comprehensive list of WhatsApp security updates and associated Common Vulnerabilities and Exposures (CVE).

WhatsApp said five of the six vulnerabilities were fixed in the same day, while the remaining bug took a couple of days to remediate. Although some of the bugs could have been remotely triggered, the company said it found no evidence of hackers actively exploiting the vulnerabilities.

Around one-third of the new vulnerabilities were reported through the company’s Bug Bounty Program, while the others were discovered in routine code reviews and by using automated systems, as would be expected.

WhatsApp is one of the world’s most popular apps with more than two billion users around the world. But it’s also a persistent target for hackers, who try to find and exploit vulnerabilities in the platform.

The new website was launched as part of the company’s efforts to be more transparent about vulnerabilities affecting the messaging app, and in response to user feedback. The company says the WhatsApp community has been asking for a centralized location for tracking security vulnerabilities, as WhatsApp isn’t always able to detail its security advisories in an app’s release notes due to app store policies.

The new dashboard will update monthly, or sooner if it has to warn users of an active attack. It will also offer an archive of past CVEs dating back to 2018. While the website’s main focus will be on CVEs in WhatsApp’s own code, if the company files a CVE with MITRE’s public database for a vulnerability it found in third-party code, it will note that on the WhatsApp Security Advisory page as well.

Last year, WhatsApp went public after fixing a vulnerability allegedly used by Israeli spyware maker NSO Group. WhatsApp sued the spyware maker, alleging the company used the vulnerability to covertly deliver its Pegasus spyware to some 1,400 devices — including more than 100 human rights defenders and journalists.

NSO denied the allegations.

John Scott-Railton, a senior researcher at Citizen Lab, whose work has included investigating NSO Group, welcomed the news.

“This is good, and we know that bad actors make use of extensive resources to acquire and weaponize vulnerabilities,” he told TechCrunch. “WhatsApp sending the signal that it’s going to move regularly to identify and patch in this way seems like yet another way to raise the cost for bad actors.”

In a blog post, WhatsApp said: “We are very committed to transparency and this resource is intended to help the broader technology community benefit from the latest advances in our security efforts. We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available.”

Facebook also said Thursday that it has codified its vulnerability disclosure policy, allowing the company to warn developers of security vulnerabilities in third-party code that Facebook and WhatsApp rely on.

US cell carrier Assist Wireless exposed thousands of customer IDs

U.S. cell carrier Assist Wireless left tens of thousands of personal customer documents on its website by mistake.

Assist provides free government-subsidized cell phones to low-income households across Oklahoma through the Lifeline program, set up by the Federal Communications Commission in 1985. Lifeline helps households on federal assistance programs, like food stamps or public housing, get access to cheap cell phone plans.

But part of the carrier’s website was leaking customer documents — including driver’s licenses, passports and Social Security cards — which customers submit to verify their eligibility to sign up for a free phone and a plan.

The documents are dated between 2019 and 2020.

Security researcher John Wethington found the exposed documents through a simple Google search result, and asked TechCrunch to alert the carrier to the leak. Assist removed the exposed documents from its website a short time later.

Assist told TechCrunch that it traced the issue to a third-party plugin, Imagify, which the carrier uses to optimize images on its website. Assist said that the plugin by default puts a backup of uploaded images in a separate folder, but that the backup location in Assist’s case was not secure.

“We have resolved the issue by turning the backup off and removed the folder from public view,” said Assist.

The carrier told TechCrunch it also submitted an “urgent request” to Google to remove the documents from its cached image search results. (TechCrunch held this story until the images were scrubbed.)

Assist said it is investigating if anyone else found the exposed data before the issue was fixed.

“Assist Wireless takes security and consumer data very seriously. We are hiring a third-party security firm to provide us with a thorough security audit and subsequent consultation on ensuring customer data is as safe as possible moving forward,” the carrier said.

The carrier also said it would notify customers if their data was exposed in the security lapse.

A SonicWall cloud bug exposed corporate networks to hackers

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.
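A defender-side check for the pattern described above, written as an added example that is not code from SonicWall, Pen Test Partners or the original article: it scans constructed management-console audit log lines and flags any account that creates users in a tenant other than its own, plus any account that walks through a run of consecutive tenant IDs. The log format, field names and all IDs are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed audit-log lines for illustration only (not real GMS output);
# the line format and the seven-digit tenant IDs are assumptions.
SAMPLE_LOG = """\
2020-07-01T10:00:01Z user=alice@acme tenant=1000123 action=create_user target_tenant=1000123
2020-07-01T10:00:05Z user=mallory@evil tenant=1000200 action=create_user target_tenant=1000201
2020-07-01T10:00:06Z user=mallory@evil tenant=1000200 action=create_user target_tenant=1000202
2020-07-01T10:00:07Z user=mallory@evil tenant=1000200 action=create_user target_tenant=1000203
2020-07-01T10:00:09Z user=bob@widgets tenant=1000555 action=login target_tenant=1000555
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tenant=(?P<tenant>\d{7}) "
    r"action=(?P<action>\S+) target_tenant=(?P<target>\d{7})$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_cross_tenant_events(log_text):
    """Events where the acting user's home tenant differs from the tenant acted on.
    With correct authorisation checks in place this list should always be empty."""
    return [e for e in parse(log_text) if e["tenant"] != e["target"]]

def find_sequential_enumeration(log_text, min_run=3):
    """Map user -> longest run of consecutive foreign tenant IDs touched,
    keeping only users whose run is at least min_run (a sign of ID walking)."""
    touched = defaultdict(set)
    for e in find_cross_tenant_events(log_text):
        touched[e["user"]].add(int(e["target"]))
    flagged = {}
    for user, ids in touched.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[user] = best
    return flagged

if __name__ == "__main__":
    for e in find_cross_tenant_events(SAMPLE_LOG):
        print("cross-tenant action:", e["user"], "->", e["target"])
    print("sequential enumeration:", find_sequential_enumeration(SAMPLE_LOG))
```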

Twitter Hack May Have Had Another Mastermind: A 16-Year-Old

On Tuesday, federal agents served a Massachusetts teenager with a search warrant. He appears to have played a significant role in the July 15 Twitter attack, investigators and fellow hackers said.

Decrypted: Tesla’s ransomware near miss, Palantir’s S-1 risk factors

Another busy week in cybersecurity.

In case you missed it: A widely used messaging app used by over a million protesters has several major security flaws; a little-known loophole has let the DMV sell driver’s licenses and Social Security records to private investigators; and the U.S. government is suing to reclaim over $2.5 million in cryptocurrency stolen by North Korean hackers from two major exchanges.

But this week we are focusing on how a Tesla employee foiled a ransomware attack and, ahead of Palantir’s debut on the stock market, on how much of a risk factor the company’s public image really is.


THE BIG PICTURE

Russian charged with attempted Tesla ransomware attack

$1 million. That’s how much a Tesla employee would have netted if they accepted a bribe from a Russian operative to install malware on Tesla’s Gigafactory network in Nevada. Instead, the employee told the FBI and the Russian was arrested.

The Justice Department charged the 27-year-old Russian, Egor Igorevich, weeks later as he tried to flee the United States. According to the indictment, his plan was to ask the employee to deliberately deploy ransomware on the Gigafactory’s network, grinding the network to a halt for a ransom of several million dollars. The would-be insider threat is likely the first of its kind, one ransomware expert told Wired, as financially driven hackers continue to up their game.

Tesla founder Elon Musk tweeted earlier this week confirming that Tesla was the target of the failed attack.

The attack, if carried out, could have been devastating. The indictment said that the malware was designed to extract data from the network before locking its files. Data-stealing ransomware of this kind is an increasing trend: these hacker groups not only encrypt a victim’s files but also exfiltrate the data to their own servers, and typically threaten to publish the victim’s files if the ransom isn’t paid.
