Coming to a laptop near you: A new type of security chip from Microsoft

Promotional image of new laptop computer. (credit: Lenovo)

In November 2020, Microsoft unveiled Pluton, a security processor the company designed to thwart some of the most sophisticated types of hack attacks. On Tuesday, AMD said it would integrate the chip into its upcoming Ryzen CPUs for use in Lenovo’s ThinkPad Z Series of laptops.

Microsoft already used Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks that involve people with physical access opening device cases and performing hardware hacks that bypass security protections. Such hacks are usually carried out by device owners who want to run unauthorized games or programs for cheating.

Now, Pluton is evolving to secure PCs against malicious physical hacks designed to install malware or steal cryptographic keys or other sensitive secrets. While many systems already have trusted platform modules or protections such as Intel’s Software Guard Extensions to secure such data, the secrets remain vulnerable to several types of attacks.


#amd, #biz-it, #lenovo, #pluton, #ryzen, #security, #thinkpad

Google warns that NSO hacking is on par with elite nation-state spies

A man walks by the building entrance of Israeli cyber company NSO Group at one of its branches in the Arava Desert on November 11, 2021, in Sapir, Israel. (credit: Amir Levy | Getty Images)

The Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploit—deployed in a number of targeted attacks against activists, dissidents, and journalists this year—comes with an even more fundamental warning: Private businesses can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.

Google’s Project Zero bug-hunting group analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which published extensively this year about targeted attacks utilizing the exploit. Researchers from Amnesty International also conducted important research about the hacking tool this year. The exploit mounts a zero-click, or interactionless, attack, meaning that victims don’t need to click a link or grant a permission for the hack to move forward. Project Zero found that ForcedEntry used a series of shrewd tactics to target Apple’s iMessage platform, bypass protections the company added in recent years to make such attacks more difficult, and adroitly take over devices to install NSO’s flagship spyware implant Pegasus.

Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future, similar attacks. But the Project Zero researchers write in their analysis that ForcedEntry is still “one of the most technically sophisticated exploits we’ve ever seen.” NSO Group has achieved a level of innovation and refinement, they say, that is generally assumed to be reserved for a small cadre of nation-state hackers.


#biz-it, #forced-entry, #security, #wired

New PS4 homebrew exploit points to similar PS5 hacks to come

Sony’s PlayStation 4. (credit: Andrew Cunningham)

Hackers have released details of a new exploit that allows homebrew and custom firmware to be installed on PS4 consoles running relatively recent firmware. What’s more, the specifics of the exploit suggest similar homebrew capabilities may soon be available on some versions of the PlayStation 5.

The new exploit builds on a known error in the way that the PS4’s WebKit implementation utilizes font-faces. That exploit on the PS4 was publicized in October as a proof of concept after a similar error was found in Apple’s Safari WebKit implementation in September.

On the PS4, the full exploit can now be triggered by visiting a website with specially formatted JavaScript via the PS4 web browser, allowing the system to run kernel-level code that bypasses the console’s usual security protections. From there, the exploit can read files from an inserted USB stick and install homebrew software, including existing custom PS4 firmware.


#gaming-culture, #homebrew, #playstation, #security

Hackers launch over 840,000 attacks through Log4J flaw

(credit: Matejmo | Getty Images)

Hackers, including Chinese state-backed groups, have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, exploiting a previously unnoticed vulnerability in Log4J, a widely used piece of open-source software.

Cyber security group Check Point said the attacks relating to the vulnerability had accelerated in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.

Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.


#biz-it, #china, #hacking, #log4j, #security

iPhones of US diplomats hacked using “0-click” exploits from embattled NSO

(credit: Getty Images)

The iPhones of nine US State Department officials were infected by powerful and stealthy malware developed by NSO Group, the Israeli exploit seller that has come under increasing scrutiny for selling its wares to journalists, lawyers, activists, and US allies.

The US officials, either stationed in Uganda or focusing on issues related to that country, received warnings like this one from Apple informing them their iPhones were being targeted by hackers. Citing unnamed people with knowledge of the attacks, Reuters said the hackers used software from NSO.

No clicking required

As previously reported, NSO software known as Pegasus uses exploits sent through messaging apps that infect iPhones and Android devices without requiring targets to click links or take any other action. From there, the devices run hard-to-detect malware that can download photos, contacts, text messages, and other data. The malware also allows the operator to listen to audio and view video in real time.


#biz-it, #iphone, #nso-group, #security

New secret-spilling hole in Intel CPUs sends company patching (again)

(credit: Intel)

Intel is fixing a vulnerability that unauthorized people with physical access can exploit to install malicious firmware on the chip, defeating a variety of measures, including protections provided by BitLocker, trusted platform modules, and anti-copying restrictions.

The vulnerability—present in Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms—allows skilled hackers with possession of an affected chip to run it in debug and testing modes used by firmware developers. Intel and other chipmakers go to great lengths to prevent such access by unauthorized people.

Once in developer mode, an attacker can extract the key used to encrypt data stored in the TPM enclave and, in the event the TPM is being used to store a BitLocker key, defeat that latter protection as well. An adversary could also bypass code-signing restrictions that prevent unauthorized firmware from running in the Intel Management Engine, a subsystem inside vulnerable CPUs, and from there permanently backdoor the chip.


#central-processing-unit, #security, #tech

Google Fi is getting end-to-end encrypted phone calls

Google’s MVNO cell phone service, Google Fi, is getting a surprise new feature: encrypted phone calls. Encrypted voice chats via messaging apps have been available for a while, but this is the first time we’ve seen a company hijack the regular phone system for end-to-end encrypted calls. Open the phone app, dial a number, and your call can be encrypted.

End-to-end encryption is not a normal phone standard, so both parties on the call will need to be firmly in the Google Fi ecosystem for the feature to work. Google’s description says that “calls between two Android phones on Fi will be secured with end-to-end encryption by default.” Google Fi works on the iPhone, too, but given that Google would have to use Apple’s default phone app, it can’t add encryption.

For encrypted Fi-to-Fi calls, Google will show a new “Encrypted by Google Fi” message in both users’ phone apps, along with the ubiquitous lock icon. The company says there will be “unique audio cues” as well.


#encryption, #google-fi, #security, #tech

Securing your digital life, part two: The bigger picture—and special circumstances

(credit: ANDRZEJ WOJCICKI / SCIENCE PHOTO LIBRARY / Getty Images)

In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.

According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.

Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.


#biz-it, #features, #infosec, #securing-your-digital-life, #security

Securing your digital life, part one: The basics

Artist’s impression of how to keep your digital stuff safe from all kinds of threats. (credit: Aurich Lawson | Getty Images)

I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally.

Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.

The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.


#biz-it, #features, #infosec, #securing-your-digital-life, #security

Researcher refuses Telegram’s bounty award, discloses auto-delete bug

(credit: Joshua Sortino)

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to “self-destruct,” such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:


#biz-it, #bug-bounty, #confidential, #end-to-end-encryption, #hackerone, #messaging-app, #nda, #security, #tech, #telegram

Facebook’s latest “apology” reveals security and safety disarray

A person in a Hazmat suit covers the Facebook logo with warning tape. (credit: Aurich Lawson / Getty Images)

Facebook had it rough last week. Leaked documents—many leaked documents—formed the backbone of a string of reports published in The Wall Street Journal. Together, the stories paint the picture of a company barely in control of its own creation. The revelations run the gamut: Facebook had created special rules for VIPs that largely exempted 5.8 million users from moderation, forced troll farm content on 40 percent of America, created toxic conditions for teen girls, ignored cartels and human traffickers, and even undermined CEO Mark Zuckerberg’s own desire to promote vaccination against COVID.

Now, Facebook wants you to know it’s sorry and that it’s trying to do better.

“In the past, we didn’t address safety and security challenges early enough in the product development process,” the company said in an unsigned press release today. “Instead, we made improvements reactively in response to a specific abuse. But we have fundamentally changed that approach.”


#facebook, #mark-zuckerberg, #policy, #security, #social-media

Stairwell secures $20M Series A to help organizations outsmart attackers

Back when Stairwell emerged from stealth in 2020, the startup was shrouded in secrecy. Now with $20 million in Series A funding, its founder and CEO Mike Wiacek — who previously served as chief security officer at Chronicle, Google’s moonshot cybersecurity company — is ready to talk.

As well as raising $20M, an investment round co-led by Sequoia Capital and Accel, Stairwell is launching Inception, a threat hunting platform that aims to help organizations determine if they were compromised now or in the past. Unlike other threat detection platforms, Inception takes an “inside out” approach to cybersecurity, which starts by looking inwards at a company’s data.

“This helps you study what’s in your environment first before you start thinking about what’s happening in the outside world,” Wiacek tells TechCrunch. “The beautiful thing about that approach is that’s not information that outside parties, a.k.a. the bad guys, are privy to.”

This data, all of which is treated as suspicious, is continuously evaluated in light of new indicators and new threat intelligence. Stairwell claims this enables organizations to detect anomalies within just days, rather than the industry average of 280 days, as well as to “bootstrap” future detections.

“If you go and buy a threat intelligence feed from Vendor X, do you really think that someone who’s spending hundreds of thousands, or even millions of dollars to conduct an offensive campaign isn’t going to make sure that whatever they’re using isn’t in that field?,” said Wiacek. “They know what McAfee knows and they know other antivirus engines know, but they don’t know what you know and that’s a very powerful advantage that you have there.”

Stairwell’s $20 million in Series A funding, which comes less than 12 months after it secured $4.5 million in seed funding, will be used to further advance the Inception platform and to increase the startup’s headcount; the Palo Alto-based firm currently has a modest headcount of 21.

The Inception platform, which the startup claims finally enables enterprises to “outsmart the bad guys”, is launching in early release for a limited number of customers, with full general availability scheduled for 2022.

“I just wish we had a product to market when SolarWinds happened,” Wiacek added.

#accel, #anomali, #ceo, #computer-security, #computing, #google-cloud, #inception, #information-technology, #mcafee, #palo-alto, #security, #sequoia-capital, #solarwinds, #stairwell, #system-administration

F5 acquires cloud security startup Threat Stack for $68 million

Applications networking company F5 has announced it’s acquiring Threat Stack, a Boston-based cloud security and compliance startup, for $68 million.

The deal, which comes months after F5 bought multi-cloud management startup Volterra for $500 million, sees the 25-year-old company looking to bolster its cloud security portfolio as applications become a growing focus for cybercriminals. Businesses lose more than $100 billion a year to attacks targeting digital experiences, F5 says, and these experiences are increasingly powered by applications distributed across multiple environments and interconnected through APIs.

Threat Stack, which was founded in November 2012 and has since amassed more than $70 million across six funding rounds, including a $45 million Series C round led by F-Prime Capital Partners and Eight Roads Ventures, specializes in cloud security for applications and provides customers with real-time threat detection for cloud infrastructure and workloads. Unlike many cloud security tools that kick in after an intrusion, Threat Stack takes a more proactive approach, alerting organizations to all known vulnerabilities and providing a report on the holes that need to be plugged.

The startup’s intrusion detection platform, the Threat Stack Cloud Security Platform, works across cloud, hybrid cloud, multi-cloud, and containerized environments, and is perhaps best known for its Slack integration that alerts DevOps teams to security concerns in real time. Threat Stack has a number of big-name customers, according to its website, including Glassdoor, Ping Identity and Proofpoint.

F5 says that integrating its application and API protection solutions with Threat Stack’s cloud security capabilities and expertise will enhance visibility across application infrastructure and workloads, making it easier for customers to adopt consistent security in any cloud.

“Applications are the backbone of today’s modern businesses, and protecting them is mission-critical for our customers,” said Haiyan Song, EVP of Security at F5. “Threat Stack brings technology and talent that will strengthen F5’s security capabilities and further our adaptive applications vision with broader cloud observability and actionable security insights for customers.”

The acquisition, which is expected to close in F5’s first-quarter fiscal year 2022, is subject to closing conditions.

#api, #boston, #cloud-computing, #cloud-infrastructure, #cloud-management, #computing, #eight-roads-ventures, #f5, #glassdoor, #palo-alto-networks, #ping-identity, #security, #splunk, #system-administration, #threat-stack, #volterra

Web host Epik was warned of a critical website bug weeks before it was hacked

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms.

In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials, and employee mailboxes. The cache of stolen data also contains files from the company’s internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February.

Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.”

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had, as doing so would be illegal.

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability and the server had access to other servers, databases or systems on the network, that foothold could have exposed the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

#8chan, #computer-security, #computing, #cyberspace, #cyberwarfare, #epik, #gab, #parler, #rob-monster, #security, #texas, #world-wide-web

FTC says health apps must notify consumers about data breaches — or face fines

The U.S. Federal Trade Commission (FTC) has warned that apps and devices that collect personal health information must notify consumers if their data is breached or shared with third parties without their permission.

In a 3-2 vote on Wednesday, the FTC agreed on a new policy statement to clarify the decade-old Health Breach Notification Rule of 2009, which requires companies handling health records to notify consumers if their data is accessed without permission, such as in the event of a breach. This has now been extended to apply to health apps and devices — specifically calling out apps that track fertility data, fitness, and blood glucose — which “too often fail to invest in adequate privacy and data security,” according to FTC chair Lina Khan.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said Khan in a statement, pointing to a study published this year in the British Medical Journal that found health apps suffer from “serious problems” ranging from the insecure transmission of user data to the unauthorized sharing of data with advertisers.

There have also been a number of high-profile breaches involving health apps in recent years. Babylon Health, a U.K. AI chatbot and telehealth startup, last year suffered a data breach after a “software error” allowed users to access other patients’ video consultations, while period tracking app Flo was recently found to be sharing users’ health data with third-party analytics and marketing services.

Under the new rule, any company offering health apps or connected fitness devices that collect personal health data must notify consumers if their data has been compromised. However, the rule doesn’t define a “data breach” as just a cybersecurity intrusion; unauthorized access to personal data, including the sharing of information without an individual’s permission, can also trigger notification obligations.

“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said.

If companies don’t comply with the rule, the FTC said it will “vigorously” enforce fines of $43,792 per violation per day.

The FTC has been cracking down on privacy violations in recent weeks. Earlier this month, the agency unanimously voted to ban spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry for harvesting mobile data on thousands of people and leaving it on the open internet.

#articles, #artificial-intelligence, #babylon-health, #chair, #data-breach, #digital-rights, #flo, #government, #identity-management, #lina-khan, #open-internet, #security, #security-breaches, #social-issues, #spyfone, #terms-of-service

Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Through artificial intelligence and machine learning, the capability to securely share data, information and knowledge while preserving privacy exists. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.

#column, #computer-security, #crime, #cybercrime, #machine-learning, #malware, #open-source-software, #ransomware, #security, #security-breaches, #tc

Microsoft now lets you sign in without a password

Microsoft is further nudging users away from passwords by rolling out passwordless sign-in options to all consumer Microsoft accounts.

The tech giant, like many others in the industry, has waged a war against traditional password-based authentication for some time. This is because passwords are a prime target for cyberattacks, since weak or reused passwords can be guessed or brute-forced through automated attacks.

To that end, and as it gears up to launch Windows 11 in just a few weeks' time, Microsoft is rolling out its passwordless sign-in option, previously available only to commercial customers, to all Microsoft accounts. This means that users will be able to sign in to services, such as Outlook and OneDrive, without having to use a password. Instead, users can use the Microsoft Authenticator app, Windows Hello, a security key, or SMS or emailed codes.

Some Microsoft apps will still require a password, however, including Office 2010 or earlier, Remote Desktop and Xbox 360. Similarly, those using now-unsupported versions of Windows won't be able to ditch their passwords just yet either, as the feature is only supported on Windows 10 and Windows 11.

Microsoft says that passwordless sign-in will be rolled out to consumer accounts over the coming weeks, so you might not be able to get rid of your password just yet. It added that it’s also working on a way to eliminate passwords for Azure AD accounts, with admins set to be able to choose whether passwords are required, allowed, or don’t exist for specific users.

#security

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware


Apple has released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.

Tracked as CVE-2021-30860, the vulnerability requires no interaction from the iPhone's user to be exploited, which is what makes it "zero-click"; the exploit built on it was named "FORCEDENTRY."

Discovered on a Saudi activist’s iPhone

In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.
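The detail worth turning into a check is the one Citizen Lab started from: files named as images that are not images. The following is an added example, not Citizen Lab's or Apple's tooling, that walks an extracted backup directory and flags any file carrying an image extension whose leading bytes (the format's magic number) do not match. The directory layout and the file contents are constructed sample data; the magic-number table is deliberately small and a real triage pass would defer to libmagic or a similar signature database.

```python
import tempfile
from pathlib import Path

# Leading bytes (magic numbers) each image extension is expected to carry.
# Deliberately small; a fuller triage would defer to libmagic.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def header_matches(ext: str, head: bytes) -> bool:
    """True when the first bytes of a file are consistent with its extension."""
    return any(head.startswith(magic) for magic in MAGIC.get(ext.lower(), ()))


def find_mismatched_images(root) -> list:
    """Walk an extracted backup under `root` and return the relative paths of
    files whose image extension is not backed by matching magic bytes.
    A truncated header (fewer bytes than the magic number) is also flagged."""
    root = Path(root)
    flagged = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in MAGIC:
            continue
        with path.open("rb") as fh:
            head = fh.read(16)
        if not header_matches(path.suffix, head):
            flagged.append(path.relative_to(root).as_posix())
    return sorted(flagged)


def build_sample_backup() -> Path:
    """Create a throwaway directory of constructed sample files (not real data):
    two genuine images, one non-image that is never checked, and three
    '.gif' files that are not GIFs at all."""
    root = Path(tempfile.mkdtemp(prefix="sample_backup_"))
    samples = {
        "attachments/a/photo.gif": b"GIF89a" + b"\x00" * 32,
        "attachments/a/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "attachments/b/image1.gif": b"%PDF-1.7\n" + b"\x00" * 32,     # another format under a .gif name
        "attachments/c/image2.gif": b"\x00\x00\x00\x00" + b"A" * 32,  # unrecognised blob
        "attachments/d/notes.txt": b"not an image, so not checked",
        "attachments/e/image3.gif": b"GIF",                          # truncated header
    }
    for rel, data in samples.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return root


if __name__ == "__main__":
    sample = build_sample_backup()
    for hit in find_mismatched_images(sample):
        print("extension/content mismatch:", hit)
```

The check is cheap and noisy in the right direction: a mismatch proves nothing by itself, but an attachment directory containing many same-sized "images" that are not images is exactly the kind of anomaly worth pulling for manual analysis.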


#apple, #biz-it, #imessage, #ios, #iphone, #nso-group, #pegasus, #security, #spyware, #tech, #vulnerability, #zero-day

Apple patches an NSO zero-day flaw affecting all devices

Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.

The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said “may have been actively exploited.”

Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero-day flaw (named as such since it gives the vendor zero days to roll out a fix) took advantage of a flaw in Apple's iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist's phone. The breach was significant because the exploit worked against the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. It also broke through a new iPhone defense that Apple had baked into iOS 14, dubbed BlastDoor, which was supposed to prevent silent attacks by sandboxing and filtering potentially malicious message content. Citizen Lab calls this particular exploit ForcedEntry for its ability to skirt Apple's BlastDoor protections.

In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, which was running the latest version of iOS at the time. Citizen Lab now says that the same ForcedEntry exploit works against all Apple devices that were, until today's updates, running the latest software.

Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

When reached, Apple declined to comment. NSO Group did not immediately comment.


#apple, #imessage, #ios, #ipad, #ipads, #iphone, #mobile-phones, #nso-group, #operating-systems, #pegasus, #security, #smartphones, #spyware, #technology

The past, present and future of IoT in physical security

When Axis Communications released the first internet protocol (IP) camera after the 1996 Olympic games in Atlanta, there was some initial confusion. Connected cameras weren’t something the market had been clamoring for, and many experts questioned whether they were even necessary.

Today, of course, traditional analog cameras have been almost completely phased out as organizations have recognized the tremendous advantage that IoT devices can offer, but that technology felt like a tremendous risk during those early days.

To say that things have changed since then would be a dramatic understatement. The growth of the Internet of Things (IoT) represents one of the ways physical security has evolved. Connected devices have become the norm, opening up exciting new possibilities that go far beyond recorded video. Further developments, such as the improvement and widespread acceptance of the IP camera, have helped power additional breakthroughs including improved analytics, increased processing power, and the growth of open-architecture technology. On the 25th anniversary of the initial launch of the IP camera, it is worth reflecting on how far the industry has come — and where it is likely to go from here.

Tech improvements herald the rise of IP cameras

Comparing today’s IP cameras to those available in 1996 is almost laughable. While they were certainly groundbreaking at the time, those early cameras could record just one frame every 17 seconds — quite a change from what cameras can do today.

But despite this drawback, those on the cutting edge of physical security understood what a monumental breakthrough the IP camera could represent. After all, creating a network of cameras would enable more effective remote monitoring, which — if the technology could scale — would enable them to deploy much larger systems, tying together disparate groups of cameras. Early applications might include watching oil fields, airport landing strips or remote cell phone towers. Better still, the technology had the potential to usher in an entirely new world of analytics capabilities.

Of course, better chipsets were needed to make that endless potential a reality. Groundbreaking or not, the limited frame rate of the early cameras was never going to be effective enough to drive widespread adoption of traditional surveillance applications. Solving this problem required a significant investment of resources, but before long these improved chipsets brought IP cameras from one frame every 17 seconds to 30 frames per second. Poor frame rate could no longer be listed as a justification for shunning IP cameras in favor of their analog cousins, and developers could begin to explore the devices’ analytics potential.

Perhaps the most important technological leap was the introduction of embedded Linux, which made IP cameras more practical from a developer point of view. During the 1990s, most devices used proprietary operating systems, which made them difficult to develop for.

Even within the companies themselves, proprietary systems meant that developers had to be trained on a specific technology, costing companies both time and money. There were a few attempts at standardization within the industry, such as the Wind River operating system, but these ultimately failed. They were too small, with limited resources behind them — and besides, a better solution already existed: Linux.

Linux offered a wide range of benefits, not the least of which was the ability to collaborate with other developers in the open source community. This was a road that ran two ways. Because most IP cameras lacked the hard disk normally used to host a Linux system, a filesystem known as JFFS (the Journalling Flash File System) was developed that allowed a device to use a flash memory chip as its disk. That technology was contributed to the open source community, and its successor, JFFS2, remains in widespread use in embedded devices today.

Compression technology represented a similar challenge, with the more prominent data compression models in the late ’90s and early 2000s poorly suited for video. At the time, video storage involved individual frames being stored one-by-one — a data storage nightmare. Fortunately, the H.264 compression format, which was designed with video in mind, became much more commonplace in 2009.

By the end of that year, more than 90% of IP cameras and most video management systems used the H.264 compression format. It is important to note that improvements in compression capabilities have also enabled manufacturers to improve their video resolution as well. Before the new compression format, video resolution had not changed since the ’60s with NTSC/PAL. Today, most cameras are capable of recording in high definition (HD).

1996: First IP camera is released.
2001: Edge-based analytics with video motion detection arrive.
2006: First downloadable, edge-based analytics become available.
2009: Full HD becomes the standard video resolution; H.264 compression goes mainstream.
2015: Smart compression revolutionizes video storage.

The growth of analytics

Analytics is not exactly a “new” technology — customers requested various analytics capabilities even in the early days of the IP camera — but it is one that has seen dramatic improvement. Although it might seem quaint by today’s high standards, video motion detection was one of the earliest analytics loaded onto IP cameras.

Customers needed a way to detect movement within certain parameters to avoid having a tree swaying in the wind, or a squirrel running by, trigger a false alarm. Further refinement of this type of detection and recognition technology has helped automate many aspects of physical security, triggering alerts when potentially suspicious activity is detected and ensuring that it is brought to human attention. By taking human fallibility out of the equation, analytics has turned video surveillance from a reactive tool to a proactive one.

Motion detection remains one of the most widely used analytics, and while false alarms can never be entirely eliminated, modern improvements have made it a dependable way to detect potential intruders. Object detection is also growing in popularity and is increasingly capable of classifying cars, people, animals and other objects.

License plate recognition is popular in many countries (though less so in the United States), not just for identifying vehicles involved in criminal activity, but for uses as simple as parking recognition. Details like car model, shirt color or license plate number are easy for the human eye to miss or fail to notice — but thanks to modern analytics, that data is cataloged and stored for easy reference. The advent of technology like deep learning, which features better pattern recognition and object classification through improved labeling and categorization, will drive further advancements in this area of analytics.

The rise of analytics also helps highlight why the security industry has embraced open-architecture technology. Simply put, it is impossible for a single manufacturer to keep up with every application that its customers might need. By using open-architecture technology, they can empower those customers to seek out the solutions that are right for them, without the need to specifically tailor the device for certain use cases. Hospitals might look to add audio analytics to detect signs of patient distress; retail stores might focus on people counting or theft detection; law enforcement might focus on gunshot detection — with all of these applications housed within the same device model.

It is also important to note that the COVID-19 pandemic drove interesting new uses for both physical security devices and analytics — though some applications, such as using thermal cameras for fever measurement, proved difficult to implement with a high degree of accuracy. Within the healthcare industry, camera usage increased significantly — something that is unlikely to change. Hospitals have seen the benefit of cameras within patient rooms, with video and intercom technology enabling healthcare professionals to monitor and communicate with patients while maintaining a secure environment.

Even simple analytics like cross-line detection can generate an alert if a patient who is a fall risk attempts to leave a designated area, potentially reducing accidents and overall liability. The fact that analytics like this bear only a passing mention today highlights how far physical security has come since the early days of the IP camera.

Looking to the future of security

That said, an examination of today’s trends can provide a glimpse into what the future might hold for the security industry. For instance, video resolution will certainly continue to improve.

Ten years ago, the standard resolution for video surveillance was 720p (1 megapixel), and 10 years before that it was the analog NTSC/PAL resolution of 572×488, or 0.3 megapixels. Today, the standard resolution is 1080p (2 megapixels), and a healthy application of Moore’s law indicates that 10 years from now it will be 4K (8 megapixels).

As ever, the amount of storage that higher-resolution video generates is the limiting factor, and the development of smart storage technologies such as Zipstream has helped tremendously in recent years. We will likely see further improvements in smart storage and video compression that will help make higher-resolution video possible.

Cybersecurity will also be a growing concern for both manufacturers and end users.

Recently, one of Sweden’s largest retailers was shut down for a week because of a hack, and others will meet the same fate if they continue to use poorly secured devices. Any piece of software can contain a bug, but only developers and manufacturers committed to identifying and fixing these potential vulnerabilities can be considered reliable partners. Governments across the globe will likely pass new regulations mandating cybersecurity improvements, with California’s recent IoT protection law serving as an early indicator of what the industry can expect.

Finally, ethical behavior will continue to become more important. A growing number of companies have begun foregrounding their ethics policies, issuing guidelines for how they expect technology like facial recognition to be used — not abused.

While new regulations are coming, it’s important to remember that regulation always lags behind, and companies that wish to have a positive reputation will need to adhere to their own ethical guidelines. More and more consumers now list ethical considerations among their major concerns—especially in the wake of the COVID-19 pandemic—and today’s businesses will need to strongly consider how to broadcast and enforce responsible product use.

Change is always around the corner

Physical security has come a long way since the IP camera was introduced, but it is important to remember that these changes, while significant, took place over more than two decades. Changes take time — often more time than you might think. Still, it is impossible to compare where the industry stands today to where it stood 25 years ago without being impressed. The technology has evolved, end users’ needs have shifted, and even the major players in the industry have come and gone according to their ability to keep up with the times.

Change is inevitable, but careful observation of today’s trends and how they fit into today’s evolving security needs can help today’s developers and device manufacturers understand how to position themselves for the future. The pandemic highlighted the fact that today’s security devices can provide added value in ways that no one would have predicted just a few short years ago, further underscoring the importance of open communication, reliable customer support and ethical behavior.

As we move into the future, organizations that continue to prioritize these core values will be among the most successful.

#column, #facial-recognition, #hardware, #internet-protocol, #ip-camera, #linux, #opinion, #physical-security, #security, #surveillance, #tc

BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk

BitSight, a startup that assesses the likelihood that an organization will be breached, has received a $250 million investment from credit rating giant Moody’s, and acquired Israeli cyber risk assessment startup VisibleRisk for an undisclosed sum.

Boston-based BitSight says the investment from Moody’s, which has long warned that cyber risk can impact credit ratings, will enable it to create a cybersecurity risk platform, while the credit ratings giant said it plans to make use of BitSight’s cyber risk data and research across its integrated risk assessment product offerings.

The investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s president and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

Meanwhile, BitSight’s purchase of VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, brings in-depth cyber risk assessment capabilities to BitSight’s platform, enabling the startup to better analyze and calculate an organization’s financial exposure to cyber risk. VisibleRisk, which has raised $25 million to date, says its so-called “cyber ratings” are based on cyber risk quantification, which allows companies to benchmark their cyber risk against those of their peers, and to better understand and manage the impact of cyber threats to their businesses.

Following the acquisition, BitSight will also create a risk solutions division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, C-suite executives, and boards of directors. This division will be led by VisibleRisk co-founder and CEO Derek Vadala, who previously headed up Moody’s cyber risk group.

Steve Harvey, president and CEO of BitSight, said the company’s partnership with Moody’s and its acquisition of VisibleRisk will expand its reach to “help customers manage cyber risk in an increasingly digital world.”

BitSight was founded in 2011 and has raised a total of $155 million in outside funding, most recently closing a $60 million Series D round led by Warburg Pincus. The startup has just shy of 500 employees and more than 2,300 global customers, including government agencies, insurers and asset managers. 

#articles, #boston, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #leader, #risk, #risk-analysis, #risk-management, #safety, #security, #team8, #warburg-pincus

Rezilion raises $30M to help security operations teams with tools to automate their busywork

Security operations teams face a daunting task these days, fending off malicious hackers and their increasingly sophisticated approaches to cracking into networks. That also represents a gap in the market: building tools to help those security teams do their jobs. Today, an Israeli startup called Rezilion that is doing just that — building automation tools for DevSecOps, the area of IT that addresses the needs of security teams and the technical work that they need to do in their jobs — is announcing $30 million in funding.

Guggenheim Investments is leading the round with JVP and Kindred Capital also contributing. Rezilion said that unnamed executives from Google, Microsoft, CrowdStrike, IBM, Cisco, PayPal, JP Morgan Chase, Nasdaq, eBay, Symantec, RedHat, RSA and Tenable are also in the round. Previously, the company had raised $8 million.

Rezilion’s funding is coming on the back of strong initial growth for the startup in its first two years of operations.

Its customer base is made up of some of the world’s biggest companies, including two of the “Fortune 10” (the top 10 of the Fortune 500). CEO Liran Tancman, who co-founded Rezilion with CTO Shlomi Boutnaru, said that one of those two is one of the world’s biggest software companies, and the other is a major connected device vendor, but he declined to say which. (For the record, the top 10 includes Amazon, Apple, Alphabet/Google, Walmart and CVS.)

Tancman and Boutnaru had previously co-founded another security startup, CyActive, which was acquired by PayPal in 2015; the pair worked there together until leaving to start Rezilion.

There are a lot of tools out in the market now to help automate different aspects of developer and security operations. Rezilion focuses on a specific part of DevSecOps: large businesses have over the years put in place a lot of processes that they need to follow to try to triage and make the most thorough efforts possible to detect security threats. Today, that might involve inspecting every single suspicious piece of activity to determine what the implications might be.

The problem is that with the volume of information coming in, taking the time to inspect and understand each piece of suspicious activity can put enormous strain on an organization: it’s time-consuming, and as it turns out, not the best use of that time because of the signal to noise ratio involved. Typically, each vulnerability can take 6-9 hours to properly investigate, Tancman said. “But usually about 70-80% of them are not exploitable,” meaning they may be bad for some, but not for this particular organization and the code it’s using today. That represents a very inefficient use of the security team’s time and energy.

“Eight out of ten patches tend to be a waste of time,” Tancman said of the approach that is typically made today. He believes that as its AI continues to grow and its knowledge and solution becomes more sophisticated, “it might soon be 9 out of 10.”

Rezilion has built a taxonomy and an AI-based system that essentially does that inspection work as a human would do: it spots any new, or suspicious, code, figures out what it is trying to do, and runs it against a company’s existing code and systems to see how and if it might actually be a threat to it or create further problems down the line. If it’s all good, it essentially whitelists the code. If not, it flags it to the team.
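The core of the idea described above, that a reported vulnerability only matters if the vulnerable code can actually execute in this particular deployment, can be shown without any AI. The following is an added illustration, not Rezilion's product or code, of one mechanical form of that triage: reachability analysis over a call graph. The call graph, the installed-package list and the advisory identifiers (EXAMPLE-0001 and so on) are all constructed placeholders, not real libraries or real advisories.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """A vulnerability report against a dependency. The advisory ids used
    below are hypothetical placeholders, not real identifiers."""
    package: str
    advisory: str
    vulnerable_symbols: frozenset  # functions the advisory says are affected


def reachable_symbols(call_graph: dict, entry_points) -> set:
    """Transitive closure over a caller->callees adjacency map, starting from
    the program's entry points. Iterative DFS, so cycles terminate."""
    seen, stack = set(), list(entry_points)
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        stack.extend(call_graph.get(fn, ()))
    return seen


def triage(findings, installed, call_graph, entry_points):
    """Split findings into (actionable, deferred). A finding is deferred when
    its package is not installed at all, or when none of its vulnerable
    symbols is reachable from the entry points. Deferred means lower
    priority, not ignored: static reachability misses reflection, dynamic
    dispatch and code loaded by name at runtime."""
    reach = reachable_symbols(call_graph, entry_points)
    actionable, deferred = [], []
    for f in findings:
        if f.package not in installed:
            deferred.append((f.advisory, "package not installed"))
        elif not (f.vulnerable_symbols & reach):
            deferred.append((f.advisory, "vulnerable code not reachable"))
        else:
            actionable.append(f.advisory)
    return actionable, deferred


# Constructed sample: a small web service and the library functions it calls.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.handle_config"],
    "app.handle_upload": ["imglib.decode", "app.store"],
    "app.handle_config": ["yamllib.safe_load"],
    "imglib.decode": ["imglib.parse_exif"],
    "app.store": ["app.main"],  # a cycle, to show the walk still terminates
}
INSTALLED = {"imglib": "2.3.1", "yamllib": "5.1.0"}
FINDINGS = [
    # yamllib is installed, but the app only ever calls safe_load
    Finding("yamllib", "EXAMPLE-0001", frozenset({"yamllib.full_load", "yamllib.load"})),
    # imglib.parse_exif is on the upload path, so this one is live
    Finding("imglib", "EXAMPLE-0002", frozenset({"imglib.parse_exif"})),
    # oldlib is in the advisory feed but not in this deployment at all
    Finding("oldlib", "EXAMPLE-0003", frozenset({"oldlib.run"})),
]


def sample_triage():
    """Run the triage over the constructed sample; returns (actionable, deferred)."""
    return triage(FINDINGS, INSTALLED, CALL_GRAPH, ["app.main"])


if __name__ == "__main__":
    actionable, deferred = sample_triage()
    print("patch now:", actionable)
    for advisory, why in deferred:
        print("defer:", advisory, "-", why)
```

On the sample, one of three findings survives triage, which is the kind of ratio the article quotes. The caveat a practitioner should keep in mind is in the `triage` docstring: a call graph built statically is an under-approximation of what can run, so "not reachable" lowers priority and is worth recording with the reason, but it should not silence the finding permanently, since the next code change can make the path live.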

The stickiness of the product has come out of how Tancman and Boutnaru understand large enterprises, especially those heavy with technology stacks, operate these days in what has become a very challenging environment for cybersecurity teams.

“They are using us to accelerate their delivery processes while staying safe,” Tancman said. “They have strict compliance departments and have to adhere to certain standards,” in terms of the protocols they take around security work, he added. “They want to leverage DevOps to release that.”

He said Rezilion has generally won over customers in large part for simply understanding that culture and process and helping them work better within that: “Companies become users of our product because we showed them that, at a fraction of the effort, they can be more secure.” This has special resonance in the world of tech, although financial services, and other verticals that essentially leverage technology as a significant foundation for how they operate, are also among the startup’s user base.

Down the line, Rezilion plans to add remediation and mitigation into the mix to further extend what it can do with its automation tools, which is part of where the funding will be going, too, Boutnaru said. But he doesn’t believe it will ever replace the human in the equation altogether.

“It will just focus them on the places where you need more human thinking,” he said. “We’re just removing the need for tedious work.”

In that grand tradition of enterprise automation, then, it will be interesting to watch which other automation-centric platforms might make a move into security alongside the other automation they are building. For now, Rezilion is forging out an interesting enough area for itself to get investors interested.

“Rezilion’s product suite is a game changer for security teams,” said Rusty Parks, senior MD of Guggenheim Investments, in a statement. “It creates a win-win, allowing companies to speed innovative products and features to market while enhancing their security posture. We believe Rezilion has created a truly compelling value proposition for security teams, one that greatly increases return on time while thoroughly protecting one’s core infrastructure.”

#agile-software-development, #alphabet, #amazon, #apple, #articles, #artificial-intelligence, #automation, #ceo, #cisco, #computer-security, #crowdstrike, #cto, #cyactive, #devops, #ebay, #energy, #entrepreneurship, #europe, #financial-services, #funding, #google, #ibm, #jp-morgan-chase, #kindred-capital, #maryland, #microsoft, #paypal, #security, #software, #software-development, #startup-company, #symantec, #technology

Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.


Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between Darkside and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but it says the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and touts stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other consumer electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

#africa, #colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #digital-cameras, #electronics, #kaseya, #middle-east, #olympus, #ransomware, #security, #spokesperson, #u-s-government, #united-states

Have ‘The Privacy Talk’ with your business partners

As a parent of teenagers, I’m used to having tough, sometimes even awkward, conversations about topics that are complex but important. Most parents will likely agree with me when I say those types of conversations never get easier, but over time, you tend to develop a roadmap of how to approach the subject, how to make sure you’re being clear, and how to answer hard questions.

And like many parents, I quickly learned that my children have just as much to teach me as I can teach them. I’ve learned that tough conversations build trust.

I’ve applied this lesson about trust-building conversations to an extremely important aspect of my role as the chief legal officer at Foursquare: Conducting “The Privacy Talk.”

The discussion should convey an understanding of how the legislative and regulatory environment are going to affect product offerings, including what’s being done to get ahead of that change.

What exactly is ‘The Privacy Talk’?

It’s the conversation that goes beyond the written, publicly-posted privacy policy, and dives deep into a customer, vendor, supplier or partner’s approach to ethics. This conversation seeks to convey and align the expectations that two companies must have at the beginning of a new engagement.

RFIs may ask a lot of questions about privacy compliance, information security, and data ethics. But it’s no match for asking your prospective partner to hop on a Zoom to walk you through their broader approach. Unless you hear it first-hand, it can be hard to discern whether a partner is thinking strategically about privacy, if they are truly committed to data ethics, and how compliance is woven into their organization’s culture.

#column, #digital-advertising, #digital-rights, #ec-column, #ec-how-to, #foursquare, #identity-management, #lawyers, #privacy, #security, #startups, #terms-of-service, #verified-experts

Snyk snags another $530M as valuation rises to $8.4B

Snyk, the Boston-based late-stage startup that is trying to help developers deliver more secure code, announced another mega-round today. This one was for $530 million, with $300 million in new money and $230 million in secondary funding, the latter of which is to help employees and early investors cash in some of their stock options.

The long list of investors includes an interesting mix of public investors, VC firms and strategics. Sands Capital Ventures and Tiger Global led the round, with participation from new investors Baillie Gifford, Koch Industries, Lone Pine Capital, T. Rowe Price and Whale Rock Capital Management. Existing investors also came along for the ride, including Accel, Addition, Alkeon, Atlassian Ventures, BlackRock, Boldstart Ventures, Canaan Partners, Coatue, Franklin Templeton, Geodesic Capital, Salesforce Ventures and Temasek.

This round brings the total raised in funding to $775 million, excluding secondary rounds, according to the company. With secondary rounds, it’s up to $1.3 billion, according to Crunchbase data. The company has been raising funds at a rapid clip (note that the last three rounds include the Snyk money plus secondary rounds):

Snyk's last four funding rounds

While the company wouldn’t share specific revenue figures, it did say that ARR has grown 158% YoY; given the confidence of this list of investors and the valuation, it would suggest the company is making decent money.

Snyk CEO Peter McKay says that the additional money gives him flexibility to make some acquisitions if the right opportunity comes along, what companies often refer to as “inorganic” growth. “We do believe that a portion of this money will be for inorganic expansion. We’ve made three acquisitions at this point and all three have been very, very successful for us. So it’s definitely a muscle that we’ve been developing,” McKay told me.

The company started this year with 400 people and McKay says they expect to double that number by the end of this year. He says that when it comes to diversity, the work is never really done, but it’s something he is working hard at.

“We’ve been able to build a lot of good programs around the world to increase that diversity and our culture has always been inclusive by nature because we’re highly distributed,” he said. He added, “I’m not by any means saying we’re even remotely close to where we want to be. So I want to make that clear. There’s a lot we still have to do.”

McKay says that today’s investment gives him added flexibility to decide when to take the company public because whenever that happens it won’t have to be because they need another fundraising event. “This raise has allowed us to set up with strong, highly reputable public investors, and it gives us the financial resources to pick the timing. We are in control of when we do it and we will do it when it’s right,” he said.

#boston-startups, #developer, #funding, #recent-funding, #sands-capital-ventures, #security, #snyk, #startups, #tiger-global

Thoma Bravo takes a stake in threat intelligence provider Intel 471

Private equity giant Thoma Bravo has taken a stake in Intel 471, a provider of cyber threat intelligence for enterprises and governments.

The strategic growth investment, which comes as organizations double-down on cybersecurity amid a pandemic-fueled rise in cyber threats, will enable Intel 471 to evolve its product suite, broaden its go-to-market strategy and continue to “aggressively pursue innovation,” according to Thoma Bravo. Financial terms of the deal were not disclosed.

Intel 471, a Texas-based firm founded in 2014, takes a preventative approach to cybersecurity. It leverages its access to forums and dark web marketplaces to equip organizations with intelligence and monitoring on threat actors and malware attacks. Using the company’s platform, businesses can track threat actor activity and vulnerability exploits, analyze near-real-time monitoring of malware activity, trace threats that could cause security breaches, and receive alerts on compromised credentials.

“As cybercriminals and their tactics become increasingly sophisticated, our monitoring and intelligence solutions have become mission-critical, with organizations of all sizes looking to us to help them protect against attacks,” said Mark Arena, CEO of Intel 471.

Arena, along with fellow co-founder Jason Passwaters, will continue to lead Intel 471 and will retain a “significant” ownership position.

Thoma Bravo’s investment in Intel 471 sees the private equity firm continue its cybersecurity investing spending-spree. Its recent $12.3 billion purchase of Proofpoint, for example, said to be the largest acquisition in cybersecurity history, trumps Broadcom’s $10.7 billion purchase of Symantec, Intel’s $7.6 billion acquisition of McAfee, and Okta’s proposed $6.5 billion acquisition of Auth0.

Thoma Bravo also previously acquired Sophos for $3.9 billion, took a majority stake in LogRhythm and paid $544 million for authentication startup Imprivata.

#auth0, #broadcom, #ceo, #computing, #cybercrime, #cyberwarfare, #logrhythm, #mcafee, #security, #security-software, #sophos, #symantec, #technology, #texas, #thoma-bravo

TrueFort snares $30M Series B to expand zero trust application security solution

As companies try to navigate an ever-changing security landscape, it can be challenging to protect everything. Security startup TrueFort has built a zero trust solution focused on protecting enterprise applications. Today, the company announced a $30 million Series B.

Shasta Ventures led today’s round with participation from new firms Canaan and Ericsson Ventures along with existing investors Evolution Equity Partners, Lytical Ventures and Emerald Development Managers. Under the terms of the agreement, Nitin Chopra, managing director at Shasta Ventures, will be joining the company board. Today’s investment brings the total raised to almost $48 million.

CEO and co-founder Sameer Malhotra says that TrueFort protects customers by analyzing each application and figuring out what normal behavior looks like. Once it understands that, it will flag anything that falls outside of the norm. The company achieves this by gathering data from partners like CrowdStrike and from multiple points within the application and infrastructure.

“Once we get this telemetry, whether it’s networks, endpoints, servers or third party partners, we then help the customer build a picture of what those applications are doing and what’s normal behavior. We then help them baseline that, and monitor that in real time with response and real time controls to continue those applications through their normal life cycle,” he said.

Zero trust is a security model in which, as a matter of policy, you assume that no individual or device can be trusted until that entity proves it belongs on your systems. Malhotra says that customers are becoming more comfortable with the concept, and in 2020 the company saw a massive 650% revenue growth.

“We are seeing the demand, especially as zero trust is becoming a more familiar vernacular amongst the security community […]. Again, it’s having the visibility and understanding, and then being able to then reduce it to the limited number of acceptable relationships or executions,” he said. And he believes that it all comes down to understanding your applications and how they operate.

TrueFort co-founders Nazario Parsacala and Sameer Malhotra

The company currently has 60 employees with hopes of reaching 85 or 90 by the end of the year. Malhotra says that as they build the employee base, they are driving to make it diverse at every level.

“We look at diversity across our whole management team, all the way from the board down to our different levels. We are quite aggressive in hiring diverse candidates, whether they’re women or LGBTQ or people of color. And we have focused programs where we work with different universities […] to bring on new employees from a diverse talent pool. We also work with different recruiters from that perspective, and our focus is always to look at a different palette and to make sure that we’re as diverse an organization as we can,” he said.

The company was founded in 2015 by Malhotra and his partner Nazario Parsacala, both of whom spent more than 20 years working at big financial services companies — Goldman Sachs and JP Morgan. They worked for a couple of years building the program, launching the first beta in 2017 before bringing the first generally available product to market the following year.

Currently, customers can install the solution on-premises or in the cloud of their choice, but the company also has a SaaS solution in the works that will be ready in the next couple of months.

#application-security, #enterprise, #funding, #recent-funding, #security, #shasta-ventures, #startups, #tc, #truefort, #zero-trust

Howard University cancels classes after ransomware attack

Washington, D.C.’s Howard University has canceled classes after becoming the latest educational institution to be hit by a ransomware attack.

The incident was discovered on September 3, just weeks after students returned to campus, when the University’s Enterprise Technology Services (ETS) detected “unusual activity” on the University’s network and intentionally shut it down in order to investigate.

“Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack,” the university said in a statement. While some details remain unclear — it’s unknown who is behind the attack or how much of a ransom was demanded — Howard University said that there is no evidence so far to suggest that the personal data of its 9,500 undergraduate and graduate students has been accessed or exfiltrated.

“However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said.

In order to enable its IT team to fully assess the impact of the ransomware attack, Howard University has canceled Tuesday’s classes, opening its campus to essential employees only. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain available to students and teachers.

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” the university said. “We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering.”

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest in a long line of educational institutions to be hit by ransomware since the start of the pandemic, with the FBI’s Cyber Division recently warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Last year, the University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network.

According to Emsisoft threat analyst Brett Callow last month, ransomware attacks have disrupted 58 U.S. education organizations and school districts, including 830 individual schools, so far in 2021. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

“We’ll likely see a significant increase in ed sector incidents in the coming weeks,” Callow tweeted on Tuesday.

#california, #cloud-based-software, #crime, #crimes, #cyberattacks, #cybercrime, #federal-bureau-of-investigation, #ransomware, #security, #united-states, #university-of-california, #utah, #washington

Texas Right to Life website exposed job applicants’ resumes

Anti-abortion group Texas Right to Life exposed the personal information of hundreds of job applicants after a website bug allowed anyone to access their resumes, which were stored in an unprotected directory on its website.

A security researcher told TechCrunch that the group’s main website, built largely in WordPress, was not properly protecting the file storage on its website, which it used to store resumes of more than 300 job applicants, as well as other files uploaded to the website. The resumes contained names, phone numbers, addresses, and details of a person’s employment history.

The website bug was fixed over the weekend, a short time after details of the leak were posted on Twitter. The group’s website no longer lists any of the exposed files.

“We are taking action to protect the concerned individuals,” Kimberlyn Schwartz, a spokesperson for Texas Right to Life, told TechCrunch, referring to those who “sought and circulated the information.”

When asked, Schwartz would not say if the organization planned on informing those whose personal information was exposed by its security lapse.

Texas Right to Life sparked anger when last week it publicized a “whistleblower” website that encouraged Texas residents to report when someone might be seeking an abortion in violation of the state’s restrictive new abortion law. The law allows anyone to sue someone seeking an abortion, or anyone “aiding and abetting” an abortion after six weeks. That provision has been widely interpreted as targeting doctors who perform these procedures, but also potentially anyone who gets involved, such as contributing money or driving a friend to a clinic.

It didn’t take long for the “whistleblower” website to be flooded with fake tips, memes, and Shrek porn in protest. The site briefly fell offline Thursday, which coincided with an activist releasing an iOS shortcut to help anyone pre-fill the website’s form with fake information.

But by the weekend, GoDaddy, the company hosting the website, told Texas Right to Life that the site violated its terms of service and gave the group 24 hours to find another host. It did — briefly — by way of Epik, a web host that helped other controversial sites like far-right social networks Gab get back online. But that didn’t last long either.

As of Monday, the “whistleblower” website pointed to Texas Right to Life’s main website.

#abortion, #godaddy, #government, #health, #human-rights, #humans, #privacy, #security, #spokesperson, #texas, #womens-rights

Apple delays plans to roll out CSAM detection in iOS 15

Apple has delayed plans to roll out its child sexual abuse material (CSAM) detection technology, which it chaotically announced last month, citing feedback from customers and policy groups.

That feedback, if you recall, has been largely negative. The Electronic Frontier Foundation said this week it had amassed more than 25,000 signatures from consumers. On top of that, close to 100 policy and rights groups, including the American Civil Liberties Union, also called on Apple to abandon plans to roll out the technology.

In a statement on Friday morning, Apple told TechCrunch:

“Last month we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them, and limit the spread of Child Sexual Abuse Material. Based on feedback from customers, advocacy groups, researchers and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

Apple’s so-called NeuralHash technology is designed to identify known CSAM on a user’s device without having to possess the image or know its contents. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on the user’s device, which Apple claims is more privacy-friendly than the blanket scanning that cloud providers currently use.

But security experts and privacy advocates have expressed concern that the system could be abused by highly resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable.

Within a few weeks of announcing the technology, researchers said they were able to create “hash collisions” using NeuralHash, effectively tricking the system into thinking two entirely different images were the same.

iOS 15 is expected out in the next few weeks.

#abuse, #american-civil-liberties-union, #apple, #apple-inc, #child-pornography, #communication-tools, #companies, #electronic-frontier-foundation, #security

FBI says Chinese authorities are hacking US-based Uyghurs

The FBI has warned that the Chinese government is using both in-person and digital techniques to intimidate, silence and harass U.S.-based Uyghur Muslims. 

The Chinese government has long been accused of human rights abuses over its treatment of the Uyghur population and other mostly Muslim ethnic groups in China’s Xinjiang region. More than a million Uyghurs have been detained in internment camps, according to a United Nations human rights committee, and many other Uyghurs have been targeted and hacked by state-backed cyberattacks. China has repeatedly denied the claims.

In recent months, the Chinese government has become increasingly aggressive in its efforts to shut down foreign critics, including those based in the United States and other Western democracies. These efforts have now caught the attention of the FBI.

In an unclassified bulletin, the FBI warned that officials are using transnational repression — a term that refers to foreign government transgression of national borders through physical and digital means to intimidate or silence members of diaspora and exile communities — in an attempt to compel compliance from U.S.-based Uyghurs and other Chinese refugees and dissidents, including Tibetans, Falun Gong members, and Taiwan and Hong Kong activists.

“Threatened consequences for non-compliance routinely include detainment of a U.S.-based person’s family or friends in China, seizure of China-based assets, sustained digital and in-person harassment, Chinese government attempts to force repatriation, computer hacking and digital attacks, and false representation online,” the FBI bulletin warns. 

The bulletin was reported by video surveillance news site IPVM.

The FBI highlighted four instances of U.S.-based individuals facing harassment. In one case from June, the Chinese government imprisoned dozens of family members of six U.S.-based Uyghur journalists in retaliation for their continued reporting on China and its repression of Uyghurs for the U.S. government-funded news service Radio Free Asia. The bulletin said that between 2019 and March 2021, Chinese officials used WeChat to call and text a U.S.-based Uyghur to discourage her from publicly discussing Uyghur mistreatment. Members of this person’s family were later detained in Xinjiang detention camps. 

“The Chinese government continues to conduct this activity, even as the U.S. government has sanctioned Chinese officials and increased public and diplomatic messaging to counter China’s human rights and democratic abuses in Xinjiang over the past year,” the FBI states. “This transnational repression activity violates US laws and individual rights.”

The FBI has urged U.S. law enforcement personnel, as well as members of the public, to report any suspected incidents of Chinese government harassment.

#china, #cybersecurity, #falun-gong, #federal-bureau-of-investigation, #hacking, #mobile-security, #privacy, #security, #us-government, #uyghurs, #xinjiang

FTC bans spyware maker SpyFone, and orders it to notify hacked victims

The Federal Trade Commission has unanimously voted to ban the spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry, the first order of its kind, after the agency accused the company of harvesting mobile data on thousands of people and leaving it on the open internet.

The agency said SpyFone “secretly harvested and shared data on people’s physical movements, phone use, and online activities through a hidden device hack,” allowing the spyware purchaser to “see the device’s live location and view the device user’s emails and video chats.”

SpyFone is one of many so-called “stalkerware” apps that are marketed under the guise of parental control but are often used by spouses to spy on their partners. The spyware works by being surreptitiously installed on someone’s phone, often without their permission, to steal their messages, photos, web browsing history, and real-time location data. The FTC also charged that the spyware maker exposed victims to additional security risks because the spyware runs at the “root” level of the phone, which allows the spyware to access off-limits parts of the device’s operating system. A premium version of the app included a keylogger and “live screen viewing,” the FTC says.

But the FTC said that SpyFone’s “lack of basic security” exposed those victims’ data, because of an unsecured Amazon cloud storage server that was spilling the data its spyware was collecting from more than 2,000 victims’ phones. SpyFone said it partnered with a cybersecurity firm and law enforcement to investigate, but the FTC says it never did.

Practically, the ban means SpyFone and its CEO Zuckerman are banned from “offering, promoting, selling, or advertising any surveillance app, service, or business,” making it harder for the company to operate. But FTC Commissioner Rohit Chopra said in a separate statement that stalkerware makers should also face criminal sanctions under U.S. computer hacking and wiretap laws.

The FTC has also ordered the company to delete all the data it “illegally” collected, and, also for the first time, notify victims that the app had been secretly installed on their devices.

In a statement, the FTC’s consumer protection chief Samuel Levine said: “This case is an important reminder that surveillance-based businesses pose a significant threat to our safety and security.”

The EFF, which two years ago launched the Coalition Against Stalkerware, a coalition of companies that detects, combats and raises awareness of stalkerware, praised the FTC’s order. “With the FTC now turning its focus to this industry, victims of stalkerware can begin to find solace in the fact that regulators are beginning to take their concerns seriously,” said EFF’s Eva Galperin and Bill Budington in a blog post.

This is the FTC’s second order against a stalkerware maker. In 2019, the FTC settled with Retina-X after the company was hacked several times and eventually shut down.

Over the years, several other stalkerware makers were either hacked or inadvertently exposed their own systems, including mSpy, Mobistealth, and Flexispy. Another stalkerware maker, ClevGuard, left thousands of hacked victims’ phone data on an exposed cloud server.

If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911.

Did you receive a notification and want to tell your story? You can contact this reporter on Signal and WhatsApp at +1 646-755-8849 or zack.whittaker@techcrunch.com by email.

#cybercrime, #espionage, #law-enforcement, #mobile-applications, #privacy, #security, #stalkerware, #stalking

Corelight secures $75M Series D to bolster its network defense offering

Corelight, a San Francisco-based startup that claims to offer the industry’s first open network detection and response (NDR) platform, has raised $75 million in Series D investment led by Energy Impact Partners.

The round — which also includes a strategic investment from Capital One Ventures, Crowdstrike Falcon Fund and Gaingels — brings Corelight’s total raised to $160 million, following a $50 million Series C in October 2019, a $25 million Series B in September 2018, and a $9.2 million Series A in July 2017.

While it’s raised plenty of capital in the past few years, the startup isn’t planning its exit just yet. Brian Dye, CEO of Corelight, tells TechCrunch that given Corelight’s market opportunity and performance — the startup claims to be the fastest-growing NDR player at scale — it plans to invest in growth and expects to raise additional capital in the future.

“Public listing timeframes are always hard to forecast, and we view the private markets as attractive in the short term, so we expect to remain private for the next couple years and will look at market conditions then to decide our next step,” Dye said, adding that Corelight plans to use its latest investment to accelerate its global market presence and to develop new data and cloud-based offerings.

“Aside from go-to-market expansion, we are investing to ensure that the insight we provide both continues to lead the industry and can be readily used by customers of all types,” he added.

Corelight, which competes with the likes of FireEye and STG-owned McAfee, was founded in 2013 when Dr. Vern Paxson, a professor of computer science at the University of California, Berkeley, joined forces with Robin Sommer and Seth Hall to build a network visibility solution on top of an open-source framework called Zeek (formerly Bro).

Paxson began developing Zeek in 1995 when he was working at Lawrence Berkeley National Laboratory (LBNL). The software is now widely regarded as the gold standard for both network security monitoring and network traffic analysis and has been deployed by thousands of organizations around the world, including the U.S. Department of Energy, various agencies in the U.S. government, and research universities like Indiana University, Ohio State, and Stanford.

#advanced-threat-detection, #cyberattacks, #cybersecurity, #network-security, #security, #startups

SEC fines brokerage firms over email hacks that exposed client data

The U.S. Securities and Exchange Commission has fined several brokerage firms a total of $750,000 for exposing the sensitive personally identifiable information of thousands of customers and clients after hackers took over employee email accounts.

A total of eight entities belonging to three companies have been sanctioned by the SEC, including Cetera (Advisor Networks, Investment Services, Financial Specialists, Advisors, and Investment Advisers), Cambridge Investment Research (Investment Research and Investment Research Advisors), and KMS Financial Services.

In a press release, the SEC announced that it had sanctioned the firms for failures in their cybersecurity policies and procedures that allowed hackers to gain unauthorized access to cloud-based email accounts, exposing the personal information of thousands of customers and clients at each firm.

In the case of Cetera, the SEC said that cloud-based email accounts of more than 60 employees were infiltrated by unauthorized third parties for more than three years, exposing at least 4,388 clients’ personal information.

The order states that none of the accounts featured the protections required by Cetera’s policies, and the SEC also charged two of the Cetera entities with sending breach notifications to clients containing “misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”

The SEC’s order against Cambridge concludes that the exposure of personal information belonging to at least 2,177 Cambridge customers and clients was the result of lax cybersecurity practices at the firm.

“Although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information,” the SEC said.

The order against KMS is similar; the SEC states that the data of almost 5,000 customers and clients was exposed as a result of the company’s failure to adopt written policies and procedures requiring additional firm-wide security measures until May 2020.

“Investment advisers and broker-dealers must fulfill their obligations concerning the protection of customer information,” said Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit. “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”

All of the parties agreed to resolve the charges and to not commit future violations of the charged provisions, without admitting or denying the SEC’s findings. As part of the settlements, Cetera will pay a penalty of $300,000, while Cambridge and KMS will pay fines of $250,000 and $200,000 respectively.

Cambridge told TechCrunch that it does not comment on regulatory matters, but said it has and does maintain a comprehensive information security group and procedures to ensure clients’ accounts are fully protected. Cetera and KMS have yet to respond.

This latest action by the SEC comes just weeks after the Commission ordered London-based publishing and education giant Pearson to pay a $1 million fine for misleading investors about a 2018 data breach at the company.

#chief, #computer-security, #data-breach, #data-security, #security

Apple secures first states to support digital driver’s licenses, but privacy questions linger

Apple’s plan to digitize your wallet is slowly taking shape. What started with boarding passes and venue tickets later became credit cards, subway tickets, and student IDs. Next on Apple’s list to digitize are driver’s licenses and state IDs, which it plans to support in its iOS 15 update expected out later this year.

But to get there it needs help from state governments, since it’s the states that issue driver’s licenses and other forms of state identification, and every state issues IDs differently. Apple said today it has so far secured two states, Arizona and Georgia, to bring digital driver’s licenses and state IDs to the iPhone.

Connecticut, Iowa, Kentucky, Maryland, Oklahoma, and Utah are expected to follow, but no rollout timeline was given.

Apple said in June that it would begin supporting digital licenses and IDs, and that the TSA would be the first agency to begin accepting a digital license from an iPhone at several airports, since only a state ID is required for traveling by air domestically within the United States. The TSA will allow you to present your digital wallet by tapping it on an identity reader. Apple says the feature is secure and doesn’t require handing over or unlocking your phone.

The digital license and ID data is stored on your iPhone but a driver’s license must be verified by the participating state. That has to happen at scale and speed to support millions of drivers and travelers while preventing fake IDs from making it through.

The goal of digitizing licenses and IDs is convenience, rather than fixing a problem. But the move hasn’t exactly drawn confidence from privacy experts, who bemoan Apple’s lack of transparency about how it built this technology and what it ultimately gets out of it.

Apple still has not said much about how the digital ID technology works, or what data the state obtains as part of the process to enroll a digital license. Apple is working on a new security verification feature that takes selfies to validate the user. It’s not to say these systems aren’t inherently problematic, but there are privacy questions that Apple will have to address down the line.

But the fragmented picture of digital licenses and IDs across the U.S. isn’t likely to get less murky overnight, even after Apple enters the picture. A recent public records request by MuckRock showed Apple was in contact with some states as early as 2019 about bringing digital licenses and IDs to iPhones, including California and Illinois, yet neither state has been announced by Apple today.

Wisconsin, South Carolina, and Rhode Island are likely further behind, after finding out about Apple’s digital license plan the very day it was announced at WWDC.

#apple-wallet, #california, #digital-wallet, #driver, #iphone, #mobile-phones, #privacy, #security, #wisconsin

A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give companies to fix bugs before details are made public. Rapid7 said the only acknowledgment of its email was Fortress closing the support ticket a week later without comment.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not specify which claims it considers false, or say whether Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking whether the request is legitimate. The researchers said that, given only a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.

Vishwakarma said homeowners could register a plus-tagged email address containing a long, unique string of letters and numbers as a stand-in for a password. But there was little for homeowners to do about the radio signal bug until Fortress addresses it.
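What the difference between a replayable and a replay-resistant arm/disarm exchange looks like, as an added example that is not Fortress’ or Rapid7’s code: a bare one-byte command is accepted whenever it is heard, so a captured frame works again later, whereas a frame carrying a monotonic counter and an HMAC under a key shared by fob and panel is rejected once that counter has been seen or if any byte was altered. The key, frame layout and counter rule are assumptions of this example.

```python
import hmac
import hashlib
import struct

CMD_ARM, CMD_DISARM = 0x01, 0x02


class PlainPanel:
    """Panel that trusts any command byte it hears (the replayable design)."""

    def __init__(self):
        self.armed = False

    def receive(self, frame: bytes) -> bool:
        if frame not in (bytes([CMD_ARM]), bytes([CMD_DISARM])):
            return False
        self.armed = frame[0] == CMD_ARM
        return True


class KeyFob:
    """Fob that signs (counter, command) with a shared key; counter only goes up."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def send(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)  # 4-byte counter + 1-byte command
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]  # truncated MAC
        return body + tag  # 13-byte frame (constructed layout for this example)


class AlarmPanel:
    """Panel that verifies the MAC first, then rejects any counter it has already seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.armed = False

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):  # forged or corrupted frame
            return False
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:  # replayed capture: counter is not fresh
            return False
        # A real product would allow a small forward window for missed presses.
        self.last_counter = counter
        if cmd not in (CMD_ARM, CMD_DISARM):
            return False
        self.armed = cmd == CMD_ARM
        return True
```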

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.

#api, #computer-security, #cryptography, #cyberwarfare, #hacking, #law, #massachusetts, #password, #rapid7, #security, #software-testing, #vulnerability

Ragnarok ransomware gang shuts down and releases its decryption key

Ragnarok, a ransomware gang operational since 2019 that gained notoriety after launching attacks against unpatched Citrix ADC servers, has shut down and released a free decryption key for its victims.

The gang, sometimes referred to as Asnarok, last week replaced all 12 of the victims listed on its dark web portal with a short instruction on how to decrypt files. This was accompanied by the release of a decryptor, which experts at Emsisoft confirmed contains the master decryption key. The security firm, known for assisting ransomware victims with data decryption, has also released a universal decryptor for Ragnarok ransomware.

Ragnarok is best known for using the Ragnar Locker ransomware to target IT networks. It claimed dozens of victims after exploiting a Citrix ADC vulnerability to search for Windows computers that are vulnerable to the EternalBlue vulnerability — the same vulnerability behind the now-notorious WannaCry attack — and has racked up more than $4.5 million in ransom payments, according to the Ransomwhe.re payments tracker.

In April 2020, the cybercriminals stole 10 terabytes of data belonging to Portuguese energy giant EDP and threatened to leak it if a ransom of $10.9 million was not paid. The gang went on to exfiltrate up to 2TB of data, including bank statements, employee records, and celebrity agreements, from the servers of Italian liquor giant Campari Group, and demanded it hand over $15 million in ransom.

And in November, the short-lived ransomware gang also targeted Capcom, the Japanese video games giant behind titles such as Street Fighter, Resident Evil, and Devil May Cry. The gang reportedly stole the personal data of 390,000 customers, business partners, and other external parties from Capcom’s systems.

News of the shutdown was first reported by Bleeping Computer.

With no formal departure note, it’s not clear why Ragnarok has seemingly decided to call it quits. But other ransomware gangs have adopted a similar self-destruction tactic in the face of increasing pressure from the U.S. government, which earlier this year branded ransomware as a national security threat; REvil, the gang behind the JBS attack, mysteriously disappeared from the internet, and DarkSide, the gang behind the Colonial Pipeline incident, also announced it was retiring.

Other ransomware gangs, including Ziggy, Avaddon, SynAck, and Fonix, have also all retired from hacking this year, each giving up their keys to help victims recover from their attacks.

Of course, it remains to be seen whether Ragnarok’s disappearance is permanent, or whether it will simply rebrand; the infamous DoppelPaymer ransomware gang recently reappeared as Grief Ransomware after months of no activity.

“Even though I am sure it is only temporary, it is nice to see another win,” tweeted Allan Liska, from Recorded Future’s Computer Security Incident Response Team.

#security