US blames China for Exchange server hacks and ransomware attacks

The Biden administration has formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom from hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign in which prosecutors accused the hackers of also operating for personal gain.

Although the U.S. has publicly engaged the Kremlin to try to get it to stop giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, which U.S. prosecutors said were engaged in efforts to steal intellectual property and infectious disease research into Ebola, HIV and AIDS, and MERS from victims based in the U.S., Norway, Switzerland and the United Kingdom, using a front company to hide their operations.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

GSA blocks senator from reviewing documents used to approve Zoom for government use

The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.

The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.

Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”

Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization. FedRAMP is a program operated by the GSA that ensures cloud services comply with a standardized set of security requirements designed to harden the service against some of the most common threats. Federal agencies cannot use cloud products or technologies that have not received this authorization.

Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene since users were still affected by the vulnerabilities even after uninstalling Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company long claimed.

Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.

The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.

But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.

“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”

In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.

“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”

The people we spoke with who have first-hand knowledge of the FedRAMP process, either as government employees or at companies that went through the certification, described FedRAMP as a comprehensive but by no means exhaustive list of checks that companies have to pass in order to meet the security requirements of the federal government.

Others said that the process had its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process was not a complete audit of a product’s source code but more akin to a checklist of best practices and compliance requirements. Much of it relies on trusting the vendor, said the person, describing it as “an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by executive action taken by President Biden this week aimed at modernizing and improving the FedRAMP process.

Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.

The people said that companies going through the certification process have to provide highly technical details about the security of their product, which if exposed would almost certainly be damaging to the company. Knowing where security weaknesses might be could tip off cyber-criminals, one of the people said. Companies often spend millions on improving their security ahead of a FedRAMP audit but companies wouldn’t risk going through the certification if they thought their trade secrets would get leaked, they added.

When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.

GSA puts strict controls on who can access a FedRAMP security package: you need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached, a GSA spokesperson would not explain how a member of Congress could obtain a company’s FedRAMP security package.

“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:

“GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.”

GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.

Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”

Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.

Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.

CISA launches platform to let hackers report security bugs to US federal agencies

The Cybersecurity and Infrastructure Security Agency has launched a vulnerability disclosure program allowing ethical hackers to report security flaws to federal agencies.

The platform, launched with the help of cybersecurity companies Bugcrowd and Endyna, will allow civilian federal agencies to receive, triage and fix security vulnerabilities from the wider security community.

The move to launch the platform comes less than a year after the federal cybersecurity agency, better known as CISA, directed the civilian federal agencies that it oversees to develop and publish their own vulnerability disclosure policies. These policies are designed to set the rules of engagement for security researchers by outlining what (and how) online systems can be tested, and which can’t be.

It’s not uncommon for private companies to run VDP programs to allow hackers to report bugs, often in conjunction with a bug bounty to pay hackers for their work. While the U.S. Department of Defense has for years warmed to hackers, the civilian federal government has been slow to follow.

Bugcrowd, which last year raised $30 million at Series D, said the platform will “give agencies access to the same commercial technologies, world-class expertise, and global community of helpful ethical hackers currently used to identify security gaps for enterprise businesses.”

The platform will also help CISA share information about security flaws between other agencies.

The platform launches after a bruising few months for government cybersecurity, including a Russian-led espionage campaign against at least nine U.S. federal government agencies by hacking software house SolarWinds, and a China-linked cyberattack that backdoored thousands of Microsoft Exchange servers, including in the federal government.

Apple’s new encrypted browsing feature won’t be available in China, Saudi Arabia and more: report

Apple announced a handful of privacy-focused updates at its annual software developer conference on Monday. One called Private Relay particularly piques the interest of Chinese users living under the country’s censorship system, for it encrypts all browsing history so nobody can track or intercept the data.

As my colleague Roman Dillet explains:

When Private Relay is turned on, nobody can track your browsing history — not your internet service provider, nor anyone standing in the middle of your request between your device and the server you’re requesting information from. We’ll have to wait a bit to learn more about how it works exactly.

The excitement didn’t last long. Apple told Reuters that Private Relay won’t be available in China alongside Belarus, Colombia, Egypt, Kazakhstan, Saudi Arabia, South Africa, Turkmenistan, Uganda and the Philippines.

Apple couldn’t be immediately reached by TechCrunch for comment.

Virtual private networks or VPNs are popular tools for users in China to bypass the “great firewall” censorship apparatus, accessing web services that are otherwise blocked or slowed down. But VPNs don’t necessarily protect users’ privacy because they simply funnel all the traffic through VPN providers’ servers instead of users’ internet providers, so users are essentially entrusting VPN firms with protecting their identities. Private Relay, on the other hand, doesn’t even allow Apple to see one’s browsing activity.

In an interview with Fast Company, Craig Federighi, Apple’s senior vice president of software engineering, explained why the new feature may be superior to VPNs:

“We hope users believe in Apple as a trustworthy intermediary, but we didn’t even want you to have to trust us [because] we don’t have this ability to simultaneously source your IP and the destination where you’re going to — and that’s unlike VPNs. And so we wanted to provide many of the benefits that people are seeking when in the past they’ve decided to use a VPN, but not force that difficult and conceivably perilous privacy trade-off in terms of trusting a single intermediary.”

It’s unclear whether Private Relay will simply be excluded from system upgrades for users in China and the other countries where it’s restricted, or it will be blocked by internet providers in those regions. It also remains to be seen whether the feature will be available to Apple users in Hong Kong, which has seen an increase in online censorship in the past year.

Like all Western tech firms operating in China, Apple is trapped between antagonizing Beijing and flouting the values it espouses at home. Apple has a history of caving in to Beijing’s censorship pressure, from migrating all user data in China to a state-run cloud center, cracking down on independent VPN apps in China, limiting free speech in Chinese podcasts, to removing RSS feed readers from the China App Store.

Former Amazon exec gives Chinese firms a tool to fight cyber threats

China is pushing forward an internet society where economic and public activities increasingly take place online. In the process, troves of citizen and government data get transferred to cloud servers, raising concerns over information security. One startup called ThreatBook sees an opportunity in this revolution and pledges to protect corporations and bureaucracies against malicious cyberattacks.

Antivirus and security software has been around in China for several decades, but until recently, enterprises were procuring them simply to meet compliance requests, Xue Feng, founder and CEO of six-year-old ThreatBook, told TechCrunch in an interview.

Starting around 2014, internet accessibility began to expand rapidly in China, ushering in an explosion of data. Information previously stored in physical servers was moving to the cloud. Companies realized that a cyber attack could result in a substantial financial loss and started to pay serious attention to security solutions.

In the meantime, cyberspace is emerging as a battlefield where competition between states plays out. Malicious actors may target a country’s critical digital infrastructure or steal key research from a university database.

“The amount of cyberattacks between countries is reflective of their geopolitical relationships,” observed Xue, who oversaw information security at Amazon China before founding ThreatBook. Previously, he was the director of internet security at Microsoft in China.

“If two countries are allies, they are less likely to attack one another. China has a very special position in geopolitics. Besides its tensions with the other superpowers, cyberattacks from smaller, nearby countries are also common.”

Like other emerging SaaS companies, ThreatBook sells software and charges a subscription fee for annual services. More than 80% of its current customers are big corporations in finance, energy, the internet industry, and manufacturing. Government contracts make up a smaller slice. With its Series E funding round that closed 500 million yuan ($76 million) in March, ThreatBook boosted its total capital raised to over 1 billion yuan from investors including Hillhouse Capital.

Xue declined to disclose the company’s revenues or valuation but said 95% of the firm’s customers have chosen to renew their annual subscriptions. He added that the company has met the “preliminary requirements” of the Shanghai Exchange’s STAR board, China’s equivalent to NASDAQ, and will go public when the conditions are ripe.

“It takes our peers 7-10 years to go public,” said Xue.

ThreatBook compares itself to CrowdStrike from Silicon Valley, which filed to go public in 2019 and detects threats by monitoring a company’s “endpoints”, such as employees’ laptops and mobile devices that connect to the internal network from outside the corporate firewall.

ThreatBook similarly has a suite of software that goes onto the devices of a company’s employees, automatically detects threats and comes up with a list of solutions.

“It’s like installing a lot of security cameras inside a company,” said Xue. “But the thing that matters is what we tell customers after we capture issues.”

SaaS providers in China are still in the phase of educating the market and lobbying enterprises to pay. Of the 3,000 companies that ThreatBook serves, only 300 are paying so there is plentiful room for monetization. Willingness to spend also differs across sectors, with financial institutions happy to shell out several million yuan ($1 = 6.54 yuan) a year while a tech startup may only want to pay a fraction of that.

Xue’s vision is to take ThreatBook global. The company had plans to expand overseas last year but was held back by the COVID-19 pandemic.

“We’ve had a handful of inquiries from companies in Southeast Asia and the Middle East. There may even be room for us in markets with mature [cybersecurity companies] like Europe and North America,” said Xue. “As long as we are able to offer differentiation, a customer may still consider us even if it has an existing security solution.”

Microsoft says China-backed hackers are exploiting Exchange zero-days

Microsoft is warning customers that a new China state-sponsored threat actor is exploiting four previously undisclosed security flaws in Exchange Server, an enterprise email product built by the software giant.

The technology company said Tuesday that it believes the hacking group, which it calls Hafnium, tries to steal information from a broad range of U.S.-based organizations, including law firms and defense contractors, but also infectious disease researchers and policy think tanks.

Microsoft said Hafnium used the four newly discovered security vulnerabilities to break into Exchange email servers running on company networks, allowing the attackers to steal data from a victim’s organization — such as email accounts and address books — and to plant malware. When used together, the four vulnerabilities create an attack chain that can compromise vulnerable servers running on-premises Exchange 2013 and later.

Hafnium operates out of China, but uses servers located in the U.S. to launch its attacks, the company said. Microsoft said that Hafnium was the only threat group it has detected using these four new vulnerabilities.

Microsoft declined to say how many successful attacks it had seen, but described the number as “limited.”

Patches to fix those four security vulnerabilities are now out, a week earlier than the company’s typical patching schedule, usually reserved for the second Tuesday in each month.

“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems,” said Tom Burt, Microsoft’s vice president for customer security.

The company said it has also briefed U.S. government agencies on its findings, but that the Hafnium attacks are not related to the SolarWinds-related espionage campaign against U.S. federal agencies. In the last days of the Trump administration, the National Security Agency and the FBI said that the SolarWinds campaign was “likely Russian in origin.”

Cloudflare introduces free digital waiting rooms for any organizations distributing COVID-19 vaccines

Web infrastructure company Cloudflare is releasing a new tool today that aims to provide a way for health agencies and organizations globally tasked with rolling out COVID-19 vaccines to maintain a fair, equitable and transparent digital queue – completely free of charge. The company’s ‘Project Fair Shot’ initiative will make its new Cloudflare Waiting Room offering free to any organization that qualifies, essentially providing a way for future vaccine recipients to register and gain access to a clear and constantly updated view of where they are in line to receive the preventative treatment.

“The wife of one of Cloudflare’s executives in our Austin [office] was trying to register her parents for the COVID-19 vaccine program there,” explained Cloudflare CEO Matthew Prince via email. “The registration site kept crashing. She said to her husband: why doesn’t Cloudflare build a queuing feature to help vaccine sites? As it happened, we had exactly such a feature under development and scheduled to be launched in early February.”

After realizing the urgency of the need for something like this tool to help alleviate the many infrastructure challenges that come up when you’re trying to vaccinate a global population against a viral threat as quickly as possible, Cloudflare changed their release timetable and devoted additional resources to the project.

“We talked to the team about moving up the scheduled launch of our Waiting Room feature,” Prince added. “They worked around the clock because they recognized how important helping with vaccine delivery was. These are the sorts of projects that really drive our team: when we can use our technical expertise and infrastructure to solve problems with broad, positive impact.”

On the technical side, Cloudflare Waiting Room is simple to implement, according to the company, and can be added to any registration website built on the company’s existing content delivery network without any engineering or coding knowledge required. Visitors to the site can register and will receive a confirmation that they’re in line, and then will receive a follow-up directing them to a sign-up page for the organization administering their vaccine when it’s their turn. Further configuration options allow Waiting Room operators to offer wait time estimates to registrants, as well as provide additional alerts when their turn is nearing (though that functionality is coming in a future update).

As Prince mentioned, Waiting Room was already on Cloudflare’s project roadmap, and was actually intended for other high-demand, limited-supply allocation items: think must-have concert tickets, or the latest hot sneaker release. But the Fair Shot program will provide it totally free to those organizations that need it, whereas it would otherwise have been a commercial product. Interested parties can sign up at Cloudflare’s registration page to get on the waitlist for availability.

“With Project Fair Shot we stand ready to help ensure everyone who is eligible can get equitable access to the COVID-19 vaccines and we, along with the rest of humanity, look forward to putting this disease behind us,” Prince explained.

Cyber insurance startup At-Bay raises $34M Series C, adds M12 as a new investor

Cybersecurity insurance startup At-Bay has raised $34 million in its Series C round, the company announced Tuesday.

The round was led by Qumra Capital, a new investor. Microsoft’s venture fund M12, also a new investor, participated in the round alongside Acrew Capital, Khosla Ventures, Lightspeed Venture Partners, Munich Re Ventures, and Israeli entrepreneur Shlomo Kramer, who co-founded security firms Check Point and Imperva.

It’s a huge move for the company, which only closed its Series B in February.

The cybersecurity insurance market is expected to become a $23 billion industry by 2025, driven in part by an explosion in connected devices and new regulatory regimes under Europe’s GDPR and more recently California’s state-wide privacy law. But where traditional insurance companies have struggled to acquire the acumen needed to accommodate the growing demand for cybersecurity insurance, startups like At-Bay have filled the space.

At-Bay was founded in 2016 by Rotem Iram and Roman Itskovich, and is headquartered in Mountain View. In the past year, the company has tripled its headcount and now has offices in New York, Atlanta, Chicago, Portland, Los Angeles, and Dallas.

The company differentiates itself from the pack by monitoring the perimeter of its customers’ networks and alerting them to security risks or vulnerabilities. By proactively looking for potential security issues, At-Bay helps its customers to prevent network intrusions and data breaches before they happen, avoiding losses for the company while reducing insurance payouts — a win-win for both the insurance provider and its customers.

“This modern approach to risk management is not only driving strong demand for our insurance, but also enabling us to improve our products and minimize loss to our insureds,” said Iram.

It’s a bet that’s paying off: the company says its frequency of claims is less than half of the industry average. Lior Litwak, a partner at M12, said he sees “immense potential” in the company for melding cyber risk analysis with cyber insurance.

Now with its Series C in the bank, the company plans to grow its team and launch new products, while improving its automated underwriting platform that allows companies to get instant cyber insurance quotes.

Twitter now supports hardware security keys for iPhones and Android

Twitter said Wednesday that users whose accounts are protected with a hardware security key can now log in from their iPhone or Android device.

The social media giant rolled out support for hardware security keys in 2018, allowing users to add a physical security barrier to their accounts in place of other two-factor authentication options, like a text message or a code generated from an app.

Security keys are small enough to fit on a keyring but make certain kinds of account hacks near impossible by requiring a user to plug in the key when they log in. That means hackers on the other side of the planet can’t easily break into your account, even if they have your username and password.

But technical limitations meant that accounts protected with security keys could only log in from a computer, and not a mobile device.

Twitter solved that headache in part by switching to the WebAuthn protocol last year, which paved the way for bringing hardware security key support to more devices and browsers.

Now anyone with a security key set up on their Twitter account can use that same key to log in from their mobile device, so long as the key is supported. (A ton of security keys exist today that work across different devices, like YubiKeys and Google’s Titan key.)

Twitter — and other companies — have long recommended that high-profile accounts, like journalists, politicians, and government officials, use security keys to prevent some of the more sophisticated attacks. Twitter explains how to set up two-factor authentication (and security keys) here.

Earlier this year Twitter rolled out hardware security keys to its own staff to prevent a repeat of its July cyberattack that saw hackers break into the company’s internal network and abuse an “admin” tool, which the hackers then used to hijack high-profile accounts to spread a cryptocurrency scam.

In the wake of the attack, Twitter hired Rinki Sethi as its new chief information security officer, and famed hacker Peiter Zatko, known as Mudge, as the company’s head of security.


The Supreme Court will hear its first big CFAA case

The Supreme Court will hear arguments on Monday in a case that could lead to sweeping changes to America’s controversial computer hacking laws — and affect how millions use their computers and access online services.

The Computer Fraud and Abuse Act was signed into federal law in 1986 and predates the modern internet as we know it, but governs to this day what constitutes hacking — or “unauthorized” access to a computer or network. The controversial law was designed to prosecute hackers, but has been dubbed the “worst law” in the technology law books by critics who say its outdated and vague language fails to protect good-faith hackers who find and disclose security vulnerabilities.

At the center of the case is Nathan Van Buren, a former police sergeant in Georgia. Van Buren used his access to a police license plate database to search for an acquaintance in exchange for cash. Van Buren was caught, and prosecuted on two counts: accepting a kickback for accessing the police database, and violating the CFAA. The first conviction was overturned, but the CFAA conviction was upheld.

Van Buren may have been allowed to access the database by way of his police work, but whether he exceeded his access remains the key legal question.

Orin Kerr, a law professor at the University of California, Berkeley, said Van Buren vs. United States was an “ideal case” for the Supreme Court to take up. “The question couldn’t be presented more cleanly,” he argued in a blog post in April.

The Supreme Court will try to clarify the decades-old law by deciding what the law means by “unauthorized” access. But that’s not a simple answer in itself.

“The Supreme Court’s opinion in this case could decide whether millions of ordinary Americans are committing a federal crime whenever they engage in computer activities that, while common, don’t comport with an online service or employer’s terms of use,” said Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford University’s law school. (Pfefferkorn’s colleague Jeff Fisher is representing Van Buren at the Supreme Court.)

How the Supreme Court will determine what “unauthorized” means is anybody’s guess. The court could define unauthorized access anywhere from violating a site’s terms of service to logging into a system that a person has no user account for.

Pfefferkorn said a broad reading of the CFAA could criminalize anything from lying on a dating profile or sharing the password to a streaming service, to using a work computer for personal purposes in violation of an employer’s policies.

But the Supreme Court’s eventual ruling could also have broad ramifications on good-faith hackers and security researchers, who purposefully break systems in order to make them more secure. Hackers and security researchers have for decades operated in a legal grey area because the law as written exposes their work to prosecution, even if the goal is to improve cybersecurity.

Tech companies have for years encouraged hackers to privately reach out with security bugs. In return, the companies fix their systems and pay the hackers for their work. Mozilla, Dropbox, and Tesla are among the few companies that have gone a step further by promising not to sue good-faith hackers under the CFAA. Not all companies welcome the scrutiny; some have bucked the trend by threatening to sue researchers over their findings, and in some cases actively launching legal action to prevent unflattering headlines.

Security researchers are no stranger to legal threats, but a decision by the Supreme Court that rules against Van Buren could have a chilling effect on their work, and drive vulnerability disclosure underground.

“If there are potential criminal (and civil) consequences for violating a computerized system’s usage policy, that would empower the owners of such systems to prohibit bona fide security research and to silence researchers from disclosing any vulnerabilities they find in those systems,” said Pfefferkorn. “Even inadvertently coloring outside the lines of a set of bug bounty rules could expose a researcher to liability.”

“The Court now has the chance to resolve the ambiguity over the law’s scope and make it safer for security researchers to do their badly-needed work by narrowly construing the CFAA,” said Pfefferkorn. “We can ill afford to scare off people who want to improve cybersecurity.”

The Supreme Court will likely rule on the case later this year, or early next.


Imperva to acquire database security startup jSonar

Cybersecurity giant Imperva will acquire jSonar, a database security startup that recently landed $50 million from Goldman Sachs.

Financial terms of the deal weren’t disclosed.

The acquisition of jSonar, which provides security and compliance to databases on-premise or in the cloud, will help bolster Imperva’s data security business. As part of the deal, jSonar founder Ron Bennatan will join Imperva to lead its new data security division.

Imperva provides enterprise security, including protection against distributed denial-of-service attacks, to more than 6,200 companies. Earlier this year the company acquired Distil Networks, adding bot protection to its security roster.

“Enterprises have shifted focus from compliance to data security while demanding lower costs and more measurable benefits,” said Imperva chief executive Pam Murphy. “This combination of two uniquely qualified trailblazers will signal a new approach to data security that puts an emphasis on usability and value with sustained and complete coverage for three initiatives organizations need to implement – security, compliance and privacy.”

Last year, private equity firm Thoma Bravo bought Imperva in a $2.1 billion deal to take the company private.

The Imperva-jSonar acquisition is expected to close by mid-October.


Homeland Security issues rare emergency alert over ‘critical’ Windows bug

Homeland Security’s cybersecurity advisory unit has issued a rare emergency alert to government departments after the recent disclosure of a “critical”-rated security vulnerability in server versions of Microsoft Windows.

The Cybersecurity and Infrastructure Security Agency, better known as CISA, issued an alert late on Friday requiring all federal departments and agencies to “immediately” patch any Windows servers vulnerable to the so-called Zerologon attack by Monday, citing an “unacceptable risk” to government networks.

It’s the third emergency alert issued by CISA this year.

The Zerologon vulnerability, rated the maximum 10.0 in severity, could allow an attacker to take control of any or all computers on a vulnerable network, including domain controllers, the servers that manage a network’s security. The bug was appropriately called “Zerologon,” because an attacker doesn’t need to steal or use any network passwords to gain access to the domain controllers, only gain a foothold on the network, such as by exploiting a vulnerable device connected to the network.

With complete access to a network, an attacker could deploy malware, ransomware, or steal sensitive internal files.

Security company Secura, which discovered the bug, said it takes “about three seconds in practice” to exploit the vulnerability.

Microsoft pushed out an initial fix in August to prevent exploitation. But given the complexity of the bug, Microsoft said it would have to roll out a second patch early next year to eradicate the issue completely.

But the race is on to patch systems after researchers reportedly released proof-of-concept code, potentially allowing attackers to use the code to launch attacks. CISA said Friday that it “assumes active exploitation of this vulnerability is occurring in the wild.”

Although the CISA alert only applies to federal government networks, the agency said it “strongly” urges companies and consumers to patch their systems as soon as possible if not already.


JupiterOne raises $19M Series A to automate cyber asset management

Asset management might not be the most exciting topic, but it’s often an overlooked area of cyber-defenses. Knowing exactly what assets your company has makes it easier to know where the security weak spots are.

That’s the problem JupiterOne is trying to fix.

“We built JupiterOne because we saw a gap in how organizations manage the security and compliance of their cyber assets day to day,” said Erkang Zheng, the company’s founder and chief executive.

The Morrisville, N.C.-based startup, which spun out from healthcare cloud firm LifeOmic in 2018, helps companies see all of their digital and cloud assets by integrating with dozens of services and tools, including Amazon Web Services, Cloudflare, and GitLab, and centralizing the results into a single monitoring tool.

JupiterOne says it makes it easier for companies to spot security issues and maintain compliance, with an aim of helping companies prevent security lapses and data breaches by catching issues early on.

The company already has Reddit, Databricks and Auth0 as customers, and just secured $19 million in its Series A, led by Bain Capital Ventures and with participation from Rain Capital and its parent company LifeOmic.

As part of the deal, Bain partner Enrique Salem will join JupiterOne’s board. “We see a large multibillion dollar market opportunity for this technology across mid-market and enterprise customers,” he said. Asset management is slated to be an $8.5 billion market by 2024.

Zheng told TechCrunch the company plans to use the funds to accelerate its engineering efforts and its go-to-market strategy, with new product features to come.


Justice Dept. charges five Chinese members of APT41 over cyberattacks on U.S. companies

WASHINGTON, DC – DECEMBER 09: The Justice Department building on a foggy morning on December 9, 2019 in Washington, DC. (Photo by Samuel Corum/Getty Images)

The Justice Department has announced charges against five alleged Chinese citizens, accused of hacking over 100 companies in the United States, including tech companies, game makers, universities, and think tanks.

Zhang Haoran and Tan Dailin were charged in August 2019 with over two dozen counts of conspiracy, wire fraud, identity theft and charges related to computer hacking. Prosecutors also added nine additional charges against Jiang Lizhi, Qian Chuan, and Fu Qiang last month.

Prosecutors also charged two businessmen, who were arrested in Malaysia, for their role in trying to profit from the group’s intrusions into game companies to steal and sell digital goods and virtual currency.

“Today’s charges, the related arrests, seizures of malware and other infrastructure used to conduct intrusions, and coordinated private sector protective actions reveal yet again the Department’s determination to use all of the tools at its disposal and to collaborate with the private sector and nations who support the rule of law in cyberspace,” said assistant attorney general John C. Demers.

“This is the only way to neutralize malicious nation state cyber activity,” he said.

The hackers are accused of being members of the China-backed APT41 hacking group, also known as “Barium,” and of stealing source code, customer data, and other valuable business information from businesses in the U.S., Australia, Brazil, Hong Kong, South Korea and other countries.

The indictments said that the hackers worked for a front company, Chengdu 404, which purports to be a network security company but prosecutors say was a cover for the hackers. The alleged hackers used a number of known security vulnerabilities to break into companies and launch attacks against a company’s supply chains, allowing the hackers to break into other companies. The indictments confirm earlier research from security firm FireEye that said APT41 hackers used vulnerabilities against networking gear to break into their victims’ networks.

The hackers also allegedly stole code-signing certificates, which can be used to trick computers into thinking malware is from a legitimate source and safe to run. Last year, APT41 was blamed for a supply chain attack at computer maker Asus, which saw the attackers push a backdoor to at least hundreds of thousands of computers using the company’s own servers.

Prosecutors said the hackers tried to make money by launching ransomware attacks and cryptojacking schemes, which hijack computers with malware to mine cryptocurrency.

After the indictments were filed, prosecutors said they obtained warrants to seize websites, domains, and servers associated with the group’s operations, effectively shutting them down and hindering their operations.

The alleged hackers are still believed to be in China, but the allegations serve as a “name and shame” effort employed by the Justice Department in recent years against state-backed cyber attackers.


How to respond to a data breach

I cover a lot of data breaches. From inadvertent exposures to data-exfiltrating hacks, I’ve seen it all. But not every data breach is the same. How a company responds to a data breach — whether or not it was its fault — can make or break its reputation.

I’ve seen some of the worst responses: legal threats, denials and pretending there isn’t a problem at all. In fact, some companies claim they take security “seriously” when they clearly don’t, while other companies see it merely as an exercise in crisis communications.

But once in a while, a company’s response almost makes up for the daily deluge of hypocrisy, obfuscation and downright lies.

Last week, Assist Wireless, a U.S. cell carrier that provides free government-subsidized cell phones and plans to low-income households, had a security lapse that exposed tens of thousands of customer IDs — driver’s licenses, passports and Social Security cards — used to verify a person’s income and eligibility.

A misconfigured plugin for resizing images on the carrier’s website was blamed for the inadvertent data leak of customer IDs to the open web. Security researcher John Wethington found the exposed data through a simple Google search. He reported the bug to TechCrunch so we could alert the company.

Make no mistake, the bug was bad and the exposure of customer data was far from ideal. But the company’s response to the incident was one of the best I’ve seen in years.

Take notes, because this is how to handle a data breach.

Their response was quick. Assist immediately responded to acknowledge the receipt of my initial email. That’s already a positive sign, knowing that the company was looking into the issue.


LA gets a big SaaS exit as Fastly nabs the Culver City-based Signal Sciences for $775M

Los Angeles was always more than a one-industry town, even when it comes to technology startups, but media and entertainment (and social networking) were always the big draws in Tinseltown.

Now the city’s enterprise tech scene can claim a really big winner with Signal Sciences, the security monitoring and management company that is getting bought by Fastly, a provider of content delivery networking services, for $775 million.

“Our team couldn’t be more excited about the opportunity to join Fastly to continue to drive forward security protections that empower developers. But we also believe this is a great moment to showcase the diversity of the LA technology scene,” wrote Signal Sciences chief executive, Andrew Peterson, in a direct message. “Being the largest enterprise tech outcome ever here, we’re just one of so many great deep technology companies who are paving the way for the next generation of SoCal based start ups. We’re thrilled to help lead the way for the broader tech community in Los Angeles.”

Content delivery and security go hand-in-hand and some of the biggest companies online use businesses like Fastly and its competitor, Cloudflare, to ensure that their online presence doesn’t go offline — and that browsers can quickly download and deliver websites.

Fastly said that the acquisition of Signal Sciences’ business will boost its ability to provide better security for applications and APIs — the connective fabric between different services that knit different technologies together behind the scenes.

With the acquisition, Fastly is planting a flag as a new competitor in the cybersecurity market, even as companies like Amazon, Microsoft, and Google offer a wider array of services under their Internet as a service business lines.

Application security is a higher-value piece of the services stack, and it takes advantage of the natural position that a company like Fastly has as a content distribution network.

“Fastly was founded to meet developers’ need for greater visibility and control. Now, as the digital transformation movement continues to accelerate, DevOps teams are struggling with inadequate and inflexible security tools,” said Joshua Bixby, Chief Executive Officer of Fastly, in a statement. “Together with Signal Sciences, we will give developers modern security tools designed for the way they work.”

Los Angeles, California, USA – March 23, 2016: Aerial view of the Hollywood sign at dusk in Los Angeles. The image has been taken from a helicopter flying over LA. Image Credit: Getty Images/franckreporter

Under the terms of the agreement Fastly is buying Signal Sciences for $200 million in cash and approximately $575 million worth of stock, subject to customary adjustments for transactions, according to a statement.

Fastly is also setting up a $50 million retention pool of restricted stock units to give out to Signal Sciences employees.

Signal Sciences employees aren’t the only winners in the deal. The company raised $63 million in venture financing from investors including CRV, Harrison Metal, Index Ventures, O’Reilly AlphaTech Ventures, Lead Edge Capital, and individual investors including former Facebook security officer Alex Stamos and Etsy chief executive Chad Dickerson.

The company’s last round was a $35 million investment raised about two years ago, and one investor with knowledge of the company’s cap table called it a “pretty efficient exit” for its backers.

Morgan Stanley & Co. and Union Square Advisors are acting as financial advisors to Fastly, and Cooley LLP is acting as its legal advisor with regard to the transaction, according to a statement. Qatalyst Partners is acting as financial advisor to Signal Sciences, while Goodwin Procter was the company’s lawyer.


Hear Cloudflare and PlanGrid’s amazing journey from founding to exit at Disrupt 2020

How and when should startup founders think about the “exit”? It’s the perennial question in tech entrepreneurialism, but the how’s and when’s are questions to which there are a multitude of answers. For one thing, new founders often forget that the terms of the exit may not eventually be entirely in their control. There’s the board to think of, the strategic direction of the company, the first-in investors, the last-in. You name it. We’ll be chatting about this at Disrupt 2020.

Exits normally happen in only one of two ways: Either the startup gets acquired for enough money to give the investors a return or it grows big enough to list on the public markets. And it just so happens we have two perfect founders who will be able to unpack their own journeys on those two roads.

When Cloudflare went public last year it certainly wasn’t the end of its 10-year journey, and nor was it PlanGrid’s when it was acquired by Autodesk in 2018.

Cloudflare’s Michelle Zatlyn saw every nook and cranny of the company’s journey towards its IPO, which received a warm reception, even if there were a few bumps along the road leading up to it. What comes after an IPO, and how do you even get there in the first place? Zatlyn will be laying it all out for us.

PlanGrid’s journey to acquisition by Autodesk was equally fascinating, and Tracy Young – who, as CEO and co-founder, shepherded the company to an $875 million exit – will be able to give us an insight into what it’s like to dance with a potential acquirer, go through that (often fraught) process, and come out the other side.

We’re excited to host this conversation at Disrupt 2020 and expect it to fill up quickly. Grab your pass before this Friday to save up to $300 on this session and more.


Google is making autofill on Chrome for mobile more secure

Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.


Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android.

If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.

Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, since you’re not required to enroll in this new system.

As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”


Cloudflare launches Workers Unbound, the next evolution of its serverless platform

Cloudflare today announced the private beta launch of Workers Unbound, the latest step in its efforts to offer a serverless platform that can compete with the likes of AWS Lambda.

The company first launched its Workers edge computing platform in late 2017. Today it has “hundreds of thousands of developers” who use it and in the last quarter alone, more than 20,000 developers built applications based on the service, according to the company. Cloudflare also uses Workers to power many of its own services, but the first iteration of the platform had quite a few limitations. The idea behind Workers Unbound is to do away with most of those and turn it into a platform that can compete with the likes of AWS, Microsoft and Google.

“The original motivation for us building Cloudflare Workers was not to sell it as a product but because we were using it as our own internal platform to build applications,” Cloudflare co-founder and CEO Matthew Prince told me ahead of today’s announcement. “Today, Cloudflare Teams, which is our fastest-growing product line, is all running on top of Cloudflare workers and it’s allowed us to innovate as fast as we have and stay nimble and stay agile and all those things that get harder as you as you become a larger and larger company.”

Cloudflare co-founder and CEO Matthew Prince

Prince noted that Cloudflare aims to expose all of the services it builds for its internal consumption to third-party developers as well. “The fact that we’ve been able to roll out a whole Zscaler competitor in almost no time is because of the fact that we had this platform and we could build on it ourselves,” he said.

The original Workers service will continue to operate (but under the Workers Bundled moniker) and essentially become Cloudflare’s serverless platform for basic workloads that only run for a very short time. Workers Unbound — as the name implies — is meant for more complex and longer-running processes.

When it first launched Workers, the company said that its killer feature was speed. Today, Prince argues that speed obviously remains an important feature — and Cloudflare Workers Unbound promises that it essentially does away with cold start latencies. But developers also adopted the platform because of its ability to scale and its price.

Indeed, Workers Unbound, Cloudflare argues, is now significantly more affordable than similar offerings. “For the same workload, Cloudflare Workers Unbound can be 75 percent less expensive than AWS Lambda, 24 percent less expensive than Microsoft Azure Functions, and 52 percent less expensive than Google Cloud Functions,” the company says in today’s press release.

As it turned out, the fact that Workers was also an edge computing platform was basically a bonus but not necessarily why developers adopted it.

Another feature Prince highlighted is regulatory compliance. “I think the thing we’re realizing as we talk to our largest enterprise customers is that for real companies — not just the individual developer hacking away at home — but for real businesses in financial services or anyone who has to deal with a regulated industry, the only thing that trumps ease of use is regulatory compliance, which is not sexy or interesting or anything else but like if your GC says you can’t use XYZ platform, then you don’t use XYZ platform and that’s the end of the story,” Prince noted.

Speed, though, is of course something developers will always care about. Prince stressed that the team was quite happy with the 5ms cold start times of the original Workers platform. “But we wanted to be better,” he said. “We wanted to be the clearly fastest serverless platform forever — and the only number that we know no one else can beat is zero — unless they invent a time machine.”

The way the team engineered this is by queuing up the process while the two servers are still negotiating their TLS handshake. “We’re excited to be the first cloud computing platform that [offers], for no additional costs, out of the box, zero millisecond cold start times which then also means less variability in the performance.”

Cloudflare also argues that developers can update their code and have it go live globally within 15 seconds.

Another area the team worked on was making it easier to use the service in general. Among the key new features here is support for languages like Python and a new SDK that will allow developers to add support for their favorite languages, too.

Prince credits Cloudflare’s ability to roll out this platform, which is obviously heavy on compute resources — and to keep it affordable — to the fact that it always thought of itself as a security platform first (the team has often said that the CDN functionality was more or less incidental). Because it performed deep packet inspection, for example, the company’s servers always featured relatively high-powered CPUs. “Our network has been optimized for CPU usage from the beginning and as a result, it’s actually made it much more natural for us to extend our network that way,” he explained. “To this day, the same machines that are running our firewall products are the same machines that are running our edge computing platform.”

Looking ahead, Prince noted that while Workers and Workers Unbound feature a distributed key-value store, the team is looking at adding a more robust database infrastructure and distributed storage.

The team is also looking at how to decompose applications to put them closest to where they will be running. “You could imagine that in the future, it might be that you write an application and we say, ‘listen, the parts of the application that are sensitive to the user of the database might run in Portland, where you are — but if the database is in Ashburn, Virginia, then the parts that are sensitive to latency in the database might run there,’” he said.


Apple starts giving ‘hacker-friendly’ iPhones to top bug hunters

For the past decade Apple has tried to make the iPhone one of the most secure devices on the market. By locking down its software, Apple keeps its two billion iPhone owners safe. But security researchers say that makes it impossible to look under the hood to figure out what happened when things go wrong.

Once the company that claimed its computers don’t get viruses, Apple has in recent years begun to embrace security researchers and hackers in a way it hadn’t before.

Last year at the Black Hat security conference, Apple’s head of security Ivan Krstic told a crowd of security researchers that it would give its most-trusted researchers a “special” iPhone with unprecedented access to the device’s underbelly, making it easier to find and report security vulnerabilities for Apple to fix, under what it called the iOS Security Research Device program.

Starting today, the company will start loaning these special research iPhones to skilled and vetted researchers that meet the program’s eligibility.

These research iPhones will come with specific, custom-built iOS software with features that ordinary iPhones don’t have, like SSH access and a root shell to run custom commands with the highest access to the software, and debugging tools that make it easier for security researchers to run their code and better understand what’s going on under the surface.

Apple told TechCrunch it wants the program to be more of a collaboration rather than shipping out a device and calling it a day. Hackers in the research device program will also have access to extensive documentation and a dedicated forum with Apple engineers to answer questions and get feedback.

These research devices are not new per se, but have never before been made directly available to researchers. Some researchers are known to have sought out these internal, so-called “dev-fused” devices that have found their way onto underground marketplaces to test their exploits. Those out of luck had to rely on “jailbreaking” an ordinary iPhone first to get access to the device’s internals. But these jailbreaks are rarely available for the most recent iPhones, making it more difficult for hackers to know if the vulnerabilities they find can be exploited or have been fixed.

By giving its best hackers effectively an up-to-date and pre-jailbroken iPhone with some of its normal security restrictions removed, Apple wants to make it easier for trusted security researchers and hackers to find vulnerabilities deep inside the software that haven’t been found before.

But as much as these research phones are more open to hackers, Apple said that the devices don’t pose a risk to the security of any other iPhone if they are lost or stolen.

The new program is a huge leap for the company that only a year ago opened its once-private bug bounty program to everyone, a move seen as long overdue and far later than most other tech companies. For a time, some well-known hackers would publish their bug findings online without first alerting Apple — in effect dropping a “zero-day,” since the company was given no time to patch — out of frustration with Apple’s once-restrictive bug bounty terms.

Now under its bounty program, Apple asks hackers to privately submit bugs and security issues for its engineers to fix, to help make its iPhones stronger to protect against nation-state attacks and jailbreaks. In return, hackers get paid on a sliding scale based on the severity of their vulnerability.

Apple said the research device program will run parallel to its bug bounty program. Hackers in the program can still file security bug reports with Apple and receive payouts of up to $1 million — and up to a 50% bonus on top of that for the most serious vulnerabilities found in the company’s pre-release software.

The new program shows Apple is less cautious and more embracing of the hacker community than it once was — even if it’s better late than never.

#apple, #apple-inc, #computing, #internet-security, #ios, #iphone, #operating-systems, #security, #smartphones, #technology

Decrypted: Police hack criminal phone network; Randori raises $20M Series A

Last week was, for most Americans, a four-day work week. But a lot still happened in the security world.

The U.S. government’s cybersecurity agencies warned of two critical vulnerabilities — one in Palo Alto’s networking tech and the other in F5’s gear — saying that foreign, nation state-backed hackers will “likely” exploit the flaws to get access to networks, steal data or spread malware. Plus, the FCC formally declared Chinese tech giants Huawei and ZTE threats to national security.

Here’s more from the week.


THE BIG PICTURE

How police hacked a massive criminal phone network

Last week’s takedown of EncroChat was, according to police, the “biggest and most significant” law enforcement operation against organized criminals in the history of the U.K. EncroChat sold encrypted phones with custom software akin to how BlackBerry phones used to work; you needed one to talk to other device owners.

But the phone network was used almost exclusively by criminals, allowing their illicit activities to be kept secret and go unimpeded: drug deals, violent attacks, corruption — even murders.

That is, until French police hacked into the network, broke the encryption and uncovered millions of messages, according to Vice, which covered the takedown of the network. The circumstances of the case are unique; police have not taken down a network like this before.

But technical details of the case remain under wraps, likely until criminal trials begin, at which point attorneys for the alleged criminals are likely to rest much of their defense on the means — and legality — by which the hack was carried out.

#advisors, #ceo, #chief-information-security-officer, #china, #computing, #cryptography, #data-breach, #data-protection, #decrypted, #encryption, #extra-crunch, #federal-communications-commission, #huawei, #hunt, #information-technology, #internet-security, #market-analysis, #palo-alto, #security, #series-a, #social, #startups, #u-s-government, #united-kingdom, #united-states, #video-conferencing

How Have I Been Pwned became the keeper of the internet’s biggest data breaches

When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?

Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is more clear.

“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”

Have I Been Pwned started out as Hunt’s pet project to learn the basics of Microsoft’s cloud, but it quickly exploded in popularity, driven in part by its simplicity to use, but largely by individuals’ curiosity.

As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.

But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.

As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.

Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

‘Mother of all breaches’

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.

By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.

Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.

Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.

And Have I Been Pwned was born.

It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.

As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.

Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.

His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.

In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.

The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashley Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, allowing users to search to see if any of their passwords have also landed in Have I Been Pwned.

Anyone — even tech companies — can access that trove, which he calls Pwned Passwords. Browser makers and password managers, like Mozilla and 1Password, have baked-in access to Pwned Passwords to help prevent users from using a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, which Hunt also offers for free.
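The integrations above work without ever sending a user's password to Have I Been Pwned: the client hashes the password with SHA-1, sends only the first five hex characters of the digest, and gets back every hash suffix in that bucket together with a breach count. Only the client learns whether the full hash is in the set. The Python below is an added example of that k-anonymity range lookup; it is not code from Have I Been Pwned, Mozilla or 1Password. The live endpoint is `https://api.pwnedpasswords.com/range/<prefix>`; the `offline_fetch_range` stand-in and its sample bucket (suffixes and counts) are constructed so the code runs without network access.

```python
"""k-anonymity range lookup against Pwned Passwords (added example).

Assumptions: `SAMPLE_RANGE_5BAA6` is a constructed stand-in for the
body returned by https://api.pwnedpasswords.com/range/5BAA6; the real
bucket holds far more entries and different counts.
"""
import hashlib
import urllib.request
from typing import Callable

# Constructed sample response for prefix 5BAA6, the bucket that holds
# SHA-1("password"). Format is one "SUFFIX:COUNT" per line. Counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F5FEFFEE2B04D0E8A4C5A8D6E2A0B1C9A3:2
"""

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET: returns the constructed bucket or nothing."""
    return SAMPLE_RANGE_5BAA6 if prefix.upper() == "5BAA6" else ""


def https_fetch_range(prefix: str) -> str:
    """Real range query. Add-Padding asks the API to pad the bucket with
    dummy entries so response size does not leak which bucket was asked for."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"Add-Padding": "true"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split into the 5-char prefix sent over the wire
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse "SUFFIX:COUNT" lines into a dict; padded entries carry count 0."""
    bucket: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        bucket[suffix.upper()] = int(count)
    return bucket


def pwned_count(
    password: str, fetch_range: Callable[[str], str] = offline_fetch_range
) -> int:
    """Number of times the password appears in breach corpora, 0 if unseen.
    The comparison against the suffix happens locally; the server only ever
    sees the 5-character prefix shared by roughly a million other hashes."""
    prefix, suffix = split_hash(password)
    bucket = parse_range(fetch_range(prefix))
    return bucket.get(suffix, 0)


def is_breached(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> bool:
    """Policy hook a signup or password-change form would call."""
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 4711"):
        print(candidate, "->", pwned_count(candidate))
```

To go live, pass `https_fetch_range` as the `fetch_range` argument; everything else stays the same, which is the point of the design: the only thing that changes between the offline test and production is where the bucket comes from, never what leaves the client.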

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much,” he said.


Hunt recognizes that Have I Been Pwned, as much as openness and transparency are core to its operation, lives in a kind of legal grey area; under any other circumstances — especially in a commercial enterprise — he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norwegian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money.

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, many in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whoever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year for his future and his personal life, Hunt took time to recoup, clamoring for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”


#australia, #computer-security, #computing, #data-breach, #firefox-monitor, #government, #have-i-been-pwned, #information-technology, #internet-security, #password, #privacy, #security, #startups

Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy are more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of whom are former law enforcement themselves — to check their own privilege, confront the racism from within their ranks and lend their knowledge to their fellow citizens.


THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order and describing it as “antithetical” to Americans’ right to peaceful assembly.

#ceo, #cloudflare, #computer-security, #cybercrime, #cyberwarfare, #decrypted, #department-of-justice, #extra-crunch, #federal-government, #george-floyd, #google, #government, #information-technology, #inky, #insight-partners, #internet-security, #iphone, #israel, #lastline, #law-enforcement, #market-analysis, #matthew, #matthew-prince, #minneapolis, #moxie-marlinspike, #national-security, #online-harassment, #police-brutality, #prevention, #privacy, #security, #series-b, #startups, #surveillance, #team8, #techcrunch, #united-states, #vmware

Cloudflare partners with JD to expand its network in China

Cloudflare today announced a new partnership with JD Cloud & AI that will see the company expand its network in China to an additional 150 data centers. Currently, Cloudflare is available in 17 data centers in mainland China, thanks to a long-standing partnership with Baidu, but this new deal is obviously significantly larger.

Cloudflare’s original partnership with Baidu launched in 2015. The idea then, as now, was to give Cloudflare a foothold in one of the fastest-growing internet markets by helping Chinese companies better reach customers inside and outside of the country, but also — and maybe more importantly — to allow foreign companies to better reach the vast Chinese market.

“I think there are very few Western technology companies that have figured out how to operate in China,” Matthew Prince, the CEO and co-founder of Cloudflare, told me. “And I think we’re really proud of the fact that we’ve done that. What I’ve learned about China — certainly in the last six years that we’ve been directly working with partners there, […] has been that while it’s an enormous market and an enormous opportunity […], it’s still a very tight-knit technology community there — and one with a very long memory.”


SAN FRANCISCO, CA – SEPTEMBER 22: (L-R) Matthew Prince and Michelle Zatlyn of CloudFlare speak onstage during day two of TechCrunch Disrupt SF 2015 at Pier 70 on September 22, 2015 in San Francisco, California. (Photo by Steve Jennings/Getty Images for TechCrunch)

He attributes JD’s interest in working with the company in part to the fact that Cloudflare was a good partner to Baidu for so many years. That partnership with Baidu will continue (Prince called them a “terrific partner”). This new deal with JD, however, will also give Cloudflare the ability to reach another set of Chinese enterprises, those currently betting on JD’s cloud.

“As we got to know them, JD really stood out,” Prince said. “I think they’re first of all really one of the up and coming cloud providers in China. And I think that then means that marrying Cloudflare’s services with JD’s services makes their overall cloud platform much more robust for Chinese customers.” He also noted that JD has relationships with many large Chinese businesses that are increasingly looking to go global.

To put this deal into perspective, today, Cloudflare operates in about 200 cities. Adding another 150 to this — even if it’s through a partner — marks a major expansion for the company.

As for the deal itself, Prince said that its structure is similar to the deal it made with Baidu. “We contribute the technology and the know-how to build a network out across China. They introduce capital in order to build that network out and also have some financial guarantees to us and then we share in the upside of what happens as we’re both able to sell the China network or as JD is able to sell Cloudflare’s services outside of China.”

When the company first went to China through Baidu, it was criticized for going into a market where there were some obvious issues around free speech. Prince, who has been pretty outspoken about free speech issues, seems to be taking a rather pragmatic approach here.

“[Free speech] is certainly something we thought about a lot when we first made the decision to go into China in 2014,” he said. “And I think we’ve learned a lot about it. Around the world, whether it’s China or Turkey or Egypt or the United Kingdom or Brazil or increasingly even the United States, there are rules about what content can be accessed there. Regardless of what my personal feelings might be — and I grew up as a son of a journalist and in the United States and have seen the power of having a very free press and really, really, really strong freedom of expression protection. But I also think that every country doesn’t have the same tradition and the same laws as the United States. And I think that what we have tried to do everywhere that we operate, is comply with whatever the regional laws are. And it’s hard to do anything else.”

Cloudflare expects that it will take three years before all of the data centers will go online.

“I’m thrilled to establish this strategic collaboration with Cloudflare,” said Dr. Bowen Zhou, President of JD Cloud & AI. “Cloudflare’s mission of ‘helping to build a better Internet,’ closely aligns with JD Cloud & AI’s commitment to provide the best service possible to global partners. Leveraging JD.com’s rich experience across vast business scenarios, as well as its logistics and technological capabilities, we believe that this collaboration will provide valuable services that will transform how business is done for users inside and outside of China.”

#asia, #baidu, #china, #cloud, #cloudflare, #companies, #developer, #internet, #internet-security, #matthew, #partner, #technology

Decrypted: Post-coronavirus, Auth0’s close call, North Korea warning, Awake’s Series C

Welcome to a look back at the past week in security and what it means for you. Each week we’ll look at the big news of the week and why it matters.

What will the world look like after the coronavirus pandemic subsides?

Some of us are now in our fifth week of sheltering in place, but there’s no fixed end-date in sight. We’ve gone from a period of confusion and concern to testing and mitigation. Now we’re starting to look ahead at the world post-coronavirus. Things still have to get done. But how do we regain a semblance of normality in the middle of a pandemic?

Tech can be the answer but it’s not a panacea. Apple and Google have explained more about their contact tracing efforts to help better understand the spread of the virus, which seems promising. But privacy worries, and the risk that the system could be abused, have raised justified concerns. On the other hand, with a U.S. presidential election slated for later this year, many experts want tech out of the picture in favor of a secure solution that uses paper ballots.

Will tech save the day, or will it kick us while we’re down? Let’s dive in.


THE BIG PICTURE

Voting by mail should be having its moment. Will it?

This year’s U.S. presidential election will still go ahead — it’s in the constitution as an immutable fact — but a pandemic throws a wrench in the works.

But security experts say electronic voting isn’t secure or resilient enough to protect from foreign interference. Even the more established mobile voting offerings have been shown to be deeply flawed.

#computer-security, #computing, #coronavirus, #covid-19, #cyberwarfare, #data-breach, #extra-crunch, #internet-security, #security, #security-breaches, #sony-pictures, #startups