Tech Crunch

Millions of Instagram influencers had their private contact data scraped and exposed

Tech Crunch Security - 3 hours 59 min ago

A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online.

The database, hosted by Amazon Web Services, was left exposed and without a password, allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by the hour.

From a brief review of the data, each record contained public data scraped from influencer Instagram accounts, including their bio, profile picture, the number of followers they have, if they’re verified and their location by city and country, but also contained their private contact information, such as the Instagram account owner’s email address and phone number.

Security researcher Anurag Sen discovered the database and alerted TechCrunch in an effort to find the owner and get the database secured. We traced the database back to Mumbai-based social media marketing firm Chtrbox, which pays influencers to post sponsored content on their accounts. Each record in the database also contained a calculated worth for the account, based on the number of followers, engagement, reach, likes and shares it had. This was used as a metric to determine how much the company could pay an Instagram celebrity or influencer to post an ad.

TechCrunch found several high-profile influencers in the exposed database, including prominent food bloggers, celebrities and other social media influencers.

We contacted several people at random whose information was found in the database and provided them their phone numbers. Two of the people responded and confirmed that the email address and phone number found in the database were the ones used to set up their Instagram accounts. Neither had any involvement with Chtrbox, they said.

Shortly after we reached out, Chtrbox pulled the database offline. Pranay Swarup, the company’s founder and chief executive, did not respond to a request for comment and several questions, including how the company obtained private Instagram account email addresses and phone numbers.

The scraping effort comes two years after Instagram admitted a security bug in its developer API allowed hackers to obtain the email addresses and phone numbers of six million Instagram accounts. The hackers later sold the data for bitcoin.

Months later, Instagram — now with more than a billion users — choked its API to limit the number of requests apps and developers can make on the platform.

Facebook, which owns Instagram, said it was looking into the matter. “Scraping data of any kind is prohibited on Instagram,” said a spokesperson. “We’re investigating how and what data was obtained and will share an update soon.”

Categories: Tech Crunch

Amazon under greater shareholder pressure to limit sale of facial recognition tech to the government

Tech Crunch Security - 6 hours 5 min ago

This week could mark a significant setback for Amazon’s facial recognition business if privacy and civil liberties advocates — and some shareholders — get their way.

Months earlier, shareholders tabled a resolution to limit the sale of Amazon’s facial recognition technology, which the tech giant calls Rekognition, to law enforcement and government agencies. It followed accusations of bias and inaccuracies with the technology, which they say can be used to racially discriminate against minorities. Rekognition, which runs image and video analysis of faces, has been sold to two states so far and Amazon has pitched it to Immigration & Customs Enforcement. A second resolution will require an independent human and civil rights review of the technology.

Now the ACLU is backing the measures and calling on shareholders to pass the resolutions.

“Amazon has stayed the course,” said Shankar Narayan, director of the Technology and Liberty Project at the ACLU Washington, in a call Friday. “Amazon has heard repeatedly about the dangers to our democracy and vulnerable communities about this technology but they have refused to acknowledge those dangers let alone address them,” he said.

“Amazon has been so non-responsive to these concerns,” said Narayan, “even Amazon’s own shareholders have been forced to resort to putting these proposals addressing those concerns on the ballot.”

It’s the latest move in a concerted effort by dozens of shareholders and investment firms, tech experts and academics, and privacy and rights groups and organizations who have decried the use of the technology.

Critics say Amazon Rekognition has accuracy and bias issues. (Image: TechCrunch)

In a letter to be presented at Amazon’s annual shareholder meeting Wednesday, the ACLU will accuse Amazon of “failing to act responsibly” by refusing to stop the sale of the technology to the government.

“This technology fundamentally alters the balance of power between government and individuals, arming governments with unprecedented power to track, control, and harm people,” said the letter, shared with TechCrunch. “It would enable police to instantaneously and automatically determine the identities and locations of people going about their daily lives, allowing government agencies to routinely track their own residents. Associated software may even display dangerous and likely inaccurate information to police about a person’s emotions or state of mind.”

“As shown by a long history of other surveillance technologies, face surveillance is certain to be disproportionately aimed at immigrants, religious minorities, people of color, activists, and other vulnerable communities,” the letter added.

“Without shareholder action, Amazon may soon become known more for its role in facilitating pervasive government surveillance than for its consumer retail operations,” it read.

Facial recognition has become one of the biggest hot-button topics in privacy in years. Amazon Rekognition, its cloud-based facial recognition system, remains in its infancy yet is one of the most prominent and widely available systems. But critics say the technology is flawed. Exactly a year prior to this week’s shareholder meeting, the ACLU first raised “profound” concerns with Rekognition and its installation at airports, public places and by police. Since then, the technology was shown to struggle to detect people of color. In its tests, the system falsely matched 28 congresspeople against a mugshot database of people who had previously been arrested.

But there has been pushback — even from government. Several municipalities have rolled out surveillance-curtailing laws and ordinances in the past year. San Francisco last week became the first major U.S. city government to ban the use of facial recognition.

“Amazon leadership has failed to recognize these issues,” said the ACLU’s letter to be presented Wednesday. “This failure will lead to real-life harm.”

The ACLU said shareholders “have the power to protect Amazon from its own failed judgment.”

Amazon has pushed back against the claims by arguing that the technology is accurate — largely by criticizing how the ACLU conducted its tests using Rekognition.

Amazon did not comment when reached prior to publication.

Google’s own data proves two-factor is the best defense against most account hacks

Tech Crunch Security - 7 hours 35 min ago

Every once in a while someone will ask me what is the best security advice.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it’ll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step in your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100 percent of automated bot attacks that use stolen lists of passwords against login pages and 96 percent of phishing attacks that try to steal your password.

Account takeover prevention rates by challenge type. (Image: Google)

Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. Its next best replacement, getting a two-factor code through an authenticator app on your phone, is far more secure.

Only a security key, designed to protect the most sensitive accounts, prevented not only automated bot and phishing attacks but also highly targeted attackers, typically associated with nation states. Just one in a million users face targeted attackers, Google said.

For everyone else, adding a phone number to your account and getting even the most basic two-factor set up is better than nothing. Better yet, go all in and shoot for the app.

Your non-breached online accounts will thank you.

Identity platform Auth0 raises $103M, pushing its valuation over $1B

Tech Crunch Security - 8 hours 5 min ago

Auth0, a 2013-founded identity and authentication platform, has pushed into unicorn territory with a $1 billion valuation after raising $103 million in its latest Series E round.

The round was led by Sapphire Ventures, with participation from K9 Ventures, Telstra Ventures and several others. In all, Auth0’s total funding tops $210 million to date.

Auth0 — pronounced “auth-zero” — provides authentication-as-a-service to its corporate customers — or, to everyone else, a secure login system used to properly authenticate the identity of employees. Anyone working in a medium-to-large business will know the process all too well. Auth0 provides login and authentication systems for a bevy of device types — including Internet of Things devices — in a variety of formats, including single-sign-on, multi-factor authentication and passwordless logins.

By securing the perimeter to a corporate network, the company says it can prevent data breaches from unauthorized logins and improper access.

The company touts more than 7,000 enterprise customers with more than 2.5 billion logins per month. It’s come a long way since its $2.4 million seed round in 2016.

Auth0 chief executive Eugenio Pace said its Series E was “validation” that the company is doing things right.

Clearly it is: it says customer growth and revenue have doubled year-over-year, and its employee numbers have increased by more than half in two years. Its latest Series D funding round, which led its international expansion, has also seen offices open in Buenos Aires, London, and Sydney.

Auth0 said the Series E will help support the growth of its five international offices. Pace said he was “truly grateful” for his investors’ support.

Huawei responds to Android ban with service and security guarantees, but its future is unclear

Tech Crunch Security - 11 hours 37 min ago

Huawei has finally gone on the record about a ban on its use of Android, but the company’s long-term strategy on mobile still remains unclear.

In an effort to appease its worried customer base, the embattled Chinese company said today that it will continue to provide security updates and after-sales support to its existing lineup of smartphones, but it’s what the company didn’t say that will spark concerns.

Huawei was unable to make guarantees about whether existing customers will continue to receive Android software updates, while its statement is bereft of any mention of whether future phones will ship with the current flavor of Android or something else.

The company, which is the world’s second largest smartphone vendor based on shipments, said it will continue to develop a safe software ecosystem for its customers across the globe. Huawei will also extend the support to Honor, a brand of smartphones it owns. Nearly 50 percent of all of Huawei’s sales come from outside China, research firm Counterpoint told TechCrunch.

Here’s the statement in full:

Huawei has made substantial contributions to the development and growth of Android around the world. As one of Android’s key global partners, we have worked closely with their open-source platform to develop an ecosystem that has benefitted both users and the industry.

Huawei will continue to provide security updates and after sales services to all existing Huawei and Honor smartphone and tablet products covering those that have been sold or are still in stock globally. We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally.

In addition, the company said it plans to launch the Honor 20 as planned. The device is set to be unveiled at an event in London tomorrow. While Honor is a sub-brand, any sanctions levied on Huawei will likely be reflected in its business, too.

Huawei’s lukewarm response isn’t unexpected. Earlier, Google issued a similarly non-committal statement that indicated that owners of Huawei phones will continue to be able to access the Google Play Store and Google Play Protect, but — like the Chinese firm — it made no mention of the future, and that really is the key question.

Indeed, sources within both Google and Huawei have told TechCrunch that the immediate plan of action for what happens next remains unclear.

It could turn out that Huawei is forced to use the open source version of Android, AOSP, which comes stripped of Google Mobile Services, a suite of Google services such as Google Play Store, Gmail, and YouTube. That’s unless it plumps for its own homespun alternative, which media reports have claimed it has built in the case of an emergency situation.

Huawei’s response comes a day after Reuters reported that Google had suspended some of its businesses with the Chinese technology giant. The Android-maker is complying with a U.S. Commerce Department directive that placed Huawei and 70 of its affiliates on an “entity list” that requires any U.S. company to gain government approval before doing business with the Chinese tech company.

In the meantime, the troubles are mounting for Huawei. In addition to Android, the U.S. government’s move has seen Intel, Qualcomm, Xilinx, and Broadcom reportedly pause supplying chips to Huawei until a resolution has been reached.

Google says its app store will continue to work for existing Huawei smartphone owners

Tech Crunch Security - 14 hours 11 min ago

Google said today that existing users of Huawei Android devices can continue to use the Google Play app store, offering some relief to tens of millions of users worldwide even as it remains unclear if the Chinese tech giant will be able to use the fully-functioning version of Android in its future phones.

Existing Huawei phone users will also be able to enjoy security protections delivered through Google Play Protect, the company said in a statement to TechCrunch. Google Play Protect is a built-in malware detector that uses machine learning to detect and weed out rogue apps. Google did not specify whether Huawei devices will receive future Android updates.

The statement comes after Reuters reported on Sunday that Google is suspending some businesses with Huawei, the world’s second largest smartphone maker that shipped over 200 million handsets last year. The report claimed, a point not addressed by Google, that future Android devices from Huawei will not run Google Mobile Services, a host of services offered by Google including Google Play Store, and email client Gmail. A Huawei spokesperson said the company is looking into the situation but has nothing to share beyond this.

For Huawei users' questions regarding our steps to comply w/ the recent US government actions: We assure you while we are complying with all US gov't requirements, services like Google Play & security from Google Play Protect will keep functioning on your existing Huawei device.

— Android (@Android) May 20, 2019

It’s a major setback for Huawei, which, unless resolved in the next few weeks, could significantly disrupt its phone business outside of China. The top Android phone vendor, which is already grappling with controversy over security concerns, will have to rethink its software strategy for future phones if there is no resolution. A dearth — or delay in delivery — of future Android updates would also hurt the company’s reputation among its customers around the globe.

“We are complying with the order and reviewing the implications,” a company spokesperson said in a statement.

The two tech companies find themselves in this awkward situation as a result of the latest development in the ongoing U.S.-China trade war. Huawei and 70 of its affiliates have been put on an “entity list” by the U.S. Commerce Department over national security concerns, requiring local giants such as Google and Intel to obtain approval from the government before conducting business with the Chinese firm.

Huawei may have already foreseen this. A company executive revealed recently that Huawei had built its own Android-based operating system in case a future event prevented it from using existing systems. Per Reuters, Huawei can also continue to use AOSP, the open source Android operating system that ships stripped of Google Mobile Services. And on paper, it can also probably have an app store of its own. But convincing enough stakeholders to make their apps available on Huawei’s store and continually push updates could prove incredibly challenging.

‘Crypto exchange’ Goxtrade caught using other people’s photos on its staff page

Tech Crunch Security - Fri, 05/17/2019 - 4:42pm

Alleged cryptocurrency exchange Goxtrade bills itself as a “trusted platform for trading bitcoins,” but its staff page is filled with photos of people pulled seemingly at random from the internet.

The alleged exchange, which claimed to have debuted in 2017 even though its website is only a little more than a week old, used photos taken from social media profiles and from the websites of other companies that have no association with it.

Bizarrely, the alleged exchange didn’t bother to change all of the names of the people whose photos it used.

Amber Baldet, co-founder of Clovyr, a prominent figure in the blockchain community, and listed in Fortune’s 40 Under 40, was one of the people whose name and photos appeared on the site.

“Fraud alert: I am not a developer at Goxtrade and probably their entire business is a lie,” she tweeted Friday.

Nearly all of the names are accurate but have no connection to the site (Image: TechCrunch)

Goxtrade claims to be an exchange that lets users “receive, send and trade cryptocurrency.” After we created an account and signed in, it’s not clear if the site even works. But the online chat room has hundreds of messages of users trying to trade their cryptocurrencies. The site’s name appears to associate closely with Mt. Gox, a failed cryptocurrency exchange that collapsed after it was hacked. At its 2014 peak, the exchange handled more than 70% of all bitcoin transactions. More than $450 million in bitcoins were stolen in the apparent breach.

Baldet isn’t the only person wrongly associated with the suspect site.

TechCrunch has confirmed the other photos on the site belong to other people seemingly chosen at random — including a claims specialist in Illinois, a lawyer in Germany and an operations manager in Melbourne.

Another person whose photo was used without permission is Tom Blomfield, chief executive of digital bank Monzo. In a tweet, Blomfield — who was listed on the alleged exchange as “Arnold Blomfield” — said his legal team has filed complaints with the site’s hosts.

But things get weirder than just stolen staff photos.

Hours after the site was first flagged, Cloudflare now warns users that the alleged exchange is a suspected phishing site (Image: TechCrunch)

Goxtrade lists its registered address as Heron Tower, one of the new skyscrapers in London. We checked the listings and there’s no company of that name listed in the building. There’s also no mention of Goxtrade in the U.K.’s registry of companies and businesses. When we checked the registered number listed on its terms and conditions page, the listing pointed to an entirely unrelated clothing company in Birmingham that dissolved two years ago.

Later in the day, networking giant Cloudflare, whose service the site uses, flagged the site as a phishing site.

We reached out to Goxtrade by email prior to publication but did not hear back. When we checked, Goxtrade’s mail records were pointing to an email address run by Yandex, a Russian internet company.

It’s not the first time a cryptocurrency startup has been called into question for using other people’s photos on their staff pages. After raising more than $830,000, Miroskii was caught listing actor Ryan Gosling as one of its graphic designers. Almost every photo later transpired to have been lifted from another source. The company later claimed it was hacked.

Cryptocurrency-related scams are not rare. Many have taken what they’ve raised and gone dark, never to be seen again. We’ve covered a fair number here on TechCrunch, including a massive $660 million scam from 2018.

A fair warning with Goxtrade: all signs seem to point to yet another scam.

After breach, Stack Overflow says some user data exposed

Tech Crunch Security - Fri, 05/17/2019 - 2:01pm

After disclosing a breach earlier this week, Stack Overflow has confirmed some user data was accessed.

In case you missed it, the developer knowledge sharing site confirmed Thursday a breach of its systems last weekend, resulting in unauthorized access to production systems — the front-facing servers that actively power the site. The company gave few details, except that customer data was unaffected by the breach.

Now the company said the intrusion on the website began about a week earlier and “a very small number” of users had some data exposed.

“The intrusion originated on May 5 when a build deployed to the development tier for stackoverflow.com contained a bug, which allowed an attacker to log in to our development tier as well as escalate their access on the production version of stackoverflow.com,” said Mary Ferguson, vice president of engineering.

“This change was quickly identified and we revoked their access network-wide, began investigating the intrusion, and began taking steps to remediate the intrusion,” she said.

Although the user database wasn’t compromised, “we have identified privileged web requests that the attacker made that could have returned IP address, names, or emails” for some users.

The company didn’t immediately quantify how many users were affected. Stack Overflow has 10 million registered users. We’ve asked for clarification, but spokesperson Khalid El Khatib did not immediately comment.

Affected users will be notified, said Ferguson.

Stack Overflow’s teams, business and enterprise customers are on separate, unaffected infrastructure, she said, and there’s “no evidence” that those systems were accessed. The company’s advertising and talent business is said to be unaffected.

In response to the incident, the company terminated the unauthorized access and is conducting an “extensive” audit of its logs to gauge the level of access gained by the attacker.

Stack Overflow confirms breach, but customer data said to be unaffected

Tech Crunch Security - Thu, 05/16/2019 - 6:04pm

Developer knowledge sharing site Stack Overflow has confirmed hackers breached its systems, but said customer data is unaffected.

“Over the weekend, there was an attack on Stack Overflow,” wrote Mary Ferguson, vice president of engineering. “We have confirmed that some level of production access was gained on May 11.”

“We discovered and investigated the extent of the access and are addressing all known vulnerabilities,” said Ferguson. “We have not identified any breach of customer or user data,” she said.

An investigation into the breach is ongoing.

The company otherwise remained tight-lipped about the breach, its cause and the effect. We’ve sent several questions to the company but did not immediately hear back.

Stack Overflow, founded in 2008, has more than 50 million monthly active users who use the site to share code and knowledge. It remains one of the top 50 most popular sites on the web, according to rankings by internet analytics site Alexa. The company is backed by Andreessen Horowitz and Bezos Expeditions, raising $40 million in its most recent Series D funding round in 2015.

Europol, DOJ announce the takedown of the GozNym banking malware

Tech Crunch Security - Thu, 05/16/2019 - 8:24am

Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.

In a press conference in The Hague, prosecutors said 10 defendants in five countries are accused of using the malware to steal money from more than 41,000 victims, mostly businesses and financial institutions.

Five defendants were arrested in Moldova, Bulgaria, Ukraine and Russia. The leader of the criminal network and his technical assistant are being prosecuted in Georgia.

Five defendants remain on the run, said prosecutors.

The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.

GozNym is a powerful banking malware that spread across the U.S., Canada, Germany and Poland, and is made up of two existing malware families, both of which had their source code leaked years earlier: Nymaim, a two-stage malware dropper that infects computers through exploit kits from malicious links or emails; and Gozi, a web injection module used to hook into the web browser, allowing the attacker to steal login credentials and passwords.

The banking malware hit dozens of banks and credit unions since it first emerged in 2016.

Described as malware “as a service,” the leader of the network obtained the code for the two malware families and built GozNym, then recruited accomplices and advertised the new malware on Russian speaking forums. The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After the malware infected its victims’ computers, it would steal the passwords that control bank accounts, which the criminals would later log in to and cash out.

Prosecutors said the malware network was hosted and operated through a bulletproof service, a domain and web hosting service known for lax attitudes towards cybercrime and favored by criminals. Europol said the 2016 takedown of Avalanche, an infrastructure platform used by hundreds of criminals to host and run their malware campaigns.

More soon…

Google discloses security bug in its Bluetooth Titan Security Keys, offers free replacement

Tech Crunch Security - Wed, 05/15/2019 - 1:02pm

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attacker can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that users should continue to use the keys until they get a replacement. “It is much safer to use the affected key instead of no key at all. Security keys are the strongest protection against phishing currently available,” the company writes in today’s announcement.

The company also offers a few tips for mitigating the potential security issues here.

Some of Google’s competitors in the security key space, including Yubico, decided against using Bluetooth because of potential security issues and criticized Google for launching a Bluetooth key. “While Yubico previously initiated development of a BLE security key, and contributed to the BLE U2F standards work, we decided not to launch the product as it does not meet our standards for security, usability and durability,” Yubico founder Stina Ehrensvärd wrote when Google launched its Titan keys.

Egnyte brings native G Suite file support to its platform

Tech Crunch Security - Wed, 05/15/2019 - 9:10am

Egnyte announced today that customers can now store G Suite files inside its storage, security and governance platform. This builds on the support the company previously had for Office 365 documents.

Egnyte CEO and co-founder Vineet Jain says that while many enterprise customers have seen the value of a collaborative office suite like G Suite, they might have stayed away because of compliance concerns (whether that was warranted or not).

He said that Google has been working on an API for some time that allows companies like Egnyte to decouple G Suite documents from Google Drive. Previously, if you wanted to use G Suite, you had no choice but to store the documents in Google Drive.

Jain acknowledges that the actual integration is pretty much the same as his competitors because Google determined the features. In fact, Box and Dropbox announced similar capabilities over the last year, but he believes his company has some differentiating features on its platform.

“I honestly would be hard pressed to tell you this is different than what Box or Dropbox is doing, but when you look at the overall context of what we’re doing…I think our advanced governance features are a game changer,” Jain told TechCrunch.

What that means is that G Suite customers can open a document and get the same editing experience as they would get were they inside Google Drive, while getting all the compliance capabilities built into Egnyte via Egnyte Protect. What’s more, they can store the files wherever they like, whether that’s in Egnyte itself, an on-premises file store or any cloud storage option that Egnyte supports, for that matter.

G Suite documents stored on the Egnyte platform.

Long before it was commonplace, Egnyte tried to differentiate itself from a crowded market by being a hybrid play where files can live on-premises or in the cloud. It’s a common way of looking at cloud strategy now, but it wasn’t always the case.

Jain has always emphasized a disciplined approach to growing the company, and it has grown to 15,000 customers and 600 employees over 11 years in business. He won’t share exact revenue, but says the company is generating “multi-millions in revenue” each month.

He has been talking about an IPO for some time, and that remains a goal for the company. In a recent letter to employees that Egnyte shared with TechCrunch, Jain put it this way. “Our leadership team, including our board members, have always looked forward to an IPO as an interim milestone — and that has not changed. However, we now believe this company has the ability to not only be a unicorn but to be a multi-billion dollar company in the long-term. This is a mindset that we all need to have moving forward,” he wrote.

Egnyte was founded in 2007 and has raised over $137 million, according to Crunchbase data.


CrowdStrike, a cybersecurity unicorn, files to go public

Tech Crunch Security - Tue, 05/14/2019 - 6:48pm

If you thought Uber’s disastrous initial public offering last week would deter fellow venture-backed technology companies from pursuing the public markets in 2019, you thought wrong.

CrowdStrike, yet another multi-billion-dollar Silicon Valley “unicorn,” has filed to go public. The cloud-based cybersecurity platform valued at $3.3 billion in 2018 revealed its IPO prospectus Tuesday afternoon.

The company plans to trade on the Nasdaq under the ticker symbol “CRWD.” According to the filing, it intends to raise an additional $100 million, though that figure is typically a placeholder amount. To date, CrowdStrike has raised $480 million in venture capital funding from Warburg Pincus, which owns a 30.3% pre-IPO stake, Accel (20.3%) and CapitalG (11.2%).

As we’ve come to expect of these companies, CrowdStrike’s financials are a bit concerning. While its revenues are growing at an impressive rate, from $53 million in 2017 to $119 million in 2018 to $250 million in the year ending January 31, 2019, its spending is far outweighing its gross profit. Most recently, the company posted a gross profit of $163 million on total operating expenses of about $300 million.

CrowdStrike is not yet profitable. Its total losses are increasing year-over-year from $91 million in 2017, to $135 million in 2018 and $140 million in 2019.

Headquartered in Sunnyvale, the business was founded in 2011 by chief executive officer George Kurtz and chief technology officer Dmitri Alperovitch, former McAfee executives. CrowdStrike, which develops security technology that looks at changes in user behavior on networked devices and uses that information to identify potential cyber threats, has reportedly pondered an IPO for some time.

The business sells its endpoint protection software to enterprises on a subscription basis, competing with Cylance, Carbon Black and others. In its S-1, CrowdStrike makes a case for its offering based on the rise of cloud computing and the growing threat of cybersecurity breaches. It estimates a total addressable market worth $29.2 billion by 2021.

“We founded CrowdStrike in 2011 to reinvent security for the cloud era,” the company writes. “When we started the company, cyberattackers had a decided, asymmetric advantage over existing security products. We turned the tables on the adversaries by taking a fundamentally new approach that leverages the network effects of crowdsourced data applied to modern technologies such as artificial intelligence, or AI, cloud computing, and graph databases.”


Apple, Google and Microsoft release patches for ZombieLoad chip flaws

Tech Crunch Security - Tue, 05/14/2019 - 1:39pm

Big tech is stepping in to patch newly disclosed security flaws affecting almost every Intel chip since 2011.

Researchers on Tuesday released details of the vulnerability, known as ZombieLoad — or microarchitectural data sampling, to use its technical name — which can leak sensitive data stored in the processor, such as passwords, secret keys, account tokens and private messages.

You can read our coverage here. In short, don’t panic — but you should patch your systems. Here’s how.

Apple released macOS fixes

Apple has fixes out for every Mac and MacBook released during and after 2011.

The tech giant said in an advisory that any system running macOS Mojave 10.14.5, released Monday, is patched. This will prevent an attack from being run through Safari and other apps. Most users won’t experience any decline in performance. But some Macs could face up to a 40 percent performance hit if their owners opt in to the full set of mitigations.

The security update will also be pushed to Sierra and High Sierra versions. iPhones, iPads and Apple Watch devices aren’t affected by the bugs.

Google patches Android, will update Chrome

The search and browser maker also confirmed it has released patches to mitigate against ZombieLoad.

Google said the “vast majority” of Android devices aren’t affected, but Intel-only devices will need to be patched once device makers make updates available.

Chrome OS devices, such as Chromebooks, are already protected in the latest version and permanent mitigations will be pushed to devices in the next version.

And, the company’s Chrome team has a technical advisory out but said users should rely on patches for their computer. “Operating system vendors may release updates to improve isolation, so users should ensure they install any updates and follow any additional guidance from their operating system vendor,” said Google. In other words, make sure your Windows PC or your Mac is patched.

Google also rolled out patches to its datacenters, so cloud customers are already patched but should be aware of the company’s guidance.

Microsoft rolls out Windows updates

Microsoft has released patches for its operating system and cloud.

Jeff Jones, a senior director at Microsoft, said the software and cloud giant has been “working closely with affected chip manufacturers to develop and test mitigations” for its customers. “We are working to deploy mitigations to cloud services and release security updates to protect Windows customers against vulnerabilities affecting supported hardware chips,” he said.

In a TechNet article, the company said customers may need to obtain microcode updates for their processor directly from their device maker. Microsoft is pushing many of the microcode updates itself through Windows Update, but they are also available from its website.

Software updates will also be released Tuesday through Windows Update. Microsoft also has a page with guidance for how to protect against the new attacks.

Microsoft Azure customers are already protected, the company said.

Amazon and Mozilla did not return a request for comment. We’ll update if we hear back.


New secret-spilling flaw affects almost every Intel chip since 2011

Tech Crunch Security - Tue, 05/14/2019 - 1:00pm

Security researchers have found a new class of vulnerabilities in Intel chips which, if exploited, can be used to steal sensitive information directly from the processor.

The bugs are reminiscent of Meltdown and Spectre, which exploited a weakness in speculative execution, an important part of how modern processors work. Speculative execution helps processors predict to a certain degree what an application or operating system might need next and in the near future, making the app run faster and more efficiently. The processor will execute its predictions if they’re needed, or discard them if they’re not.

Both Meltdown and Spectre leaked sensitive data stored briefly in the processor, including secrets — such as passwords, secret keys and account tokens, and private messages.

Now some of the same researchers are back with an entirely new round of data-leaking bugs.

“ZombieLoad,” as it’s called, is a side-channel attack targeting Intel chips, allowing hackers to effectively exploit design flaws rather than injecting malicious code. Intel said ZombieLoad is made up of four bugs, which the researchers reported to the chip maker just a month ago.

Almost every computer with an Intel chip dating back to 2011 is affected by the vulnerabilities. Unlike with earlier side-channel attacks, AMD and ARM chips are not said to be vulnerable.

ZombieLoad takes its name from a “zombie load,” an amount of data that the processor can’t understand or properly process, forcing the processor to ask for help from the processor’s microcode to prevent a crash. Apps are usually only able to see their own data, but this bug allows that data to bleed across those boundary walls. ZombieLoad will leak any data currently loaded by the processor’s core, the researchers said. Intel said patches to the microcode will help clear the processor’s buffers, preventing data from being read.

Practically, the researchers showed in a proof-of-concept video that the flaws could be exploited to see which websites a person is visiting in real-time, but could be easily repurposed to grab passwords or access tokens used to log into a victim’s online accounts.

https://techcrunch.com/wp-content/uploads/2019/05/demo_720.mp4

Like Meltdown and Spectre, it’s not just PCs and laptops affected by ZombieLoad — the cloud is also vulnerable. ZombieLoad can be triggered in virtual machines, which are meant to be isolated from other virtual systems and their host device.

Daniel Gruss, one of the researchers who discovered the latest round of chip flaws, said it works “just like” it does on PCs and can read data off the processor. That’s potentially a major problem in cloud environments where different customers’ virtual machines run on the same server hardware.

Although no attacks have been publicly reported, the researchers couldn’t rule them out nor would any attack necessarily leave a trace, they said.

What does this mean for the average user? There’s no need to panic, for one.

These are far from drive-by exploits where an attacker can take over your computer in an instant. Gruss said it was “easier than Spectre” but “more difficult than Meltdown” to exploit — and both required a specific set of skills and effort to use in an attack.

But if exploit code was compiled in an app or delivered as malware, “we can run an attack,” he said.

There are far easier ways to hack into a computer and steal data. But the focus of the research into speculative execution and side channel attacks remains in its infancy. As more findings come to light, the data-stealing attacks have the potential to become easier to exploit and more streamlined.

But as with any vulnerability where patches are available, install them.

Intel has released microcode to patch vulnerable processors, including Intel Xeon, Intel Broadwell, Sandy Bridge, Skylake and Haswell chips. Intel Kaby Lake, Coffee Lake, Whiskey Lake and Cascade Lake chips are also affected, as are all Atom and Knights processors.

But other tech giants, like consumer PC and device manufacturers, are also issuing patches as a first line of defense against possible attacks.

Computer makers Apple and Microsoft and browser makers Google and Mozilla are releasing patches today.

In a call with TechCrunch, Intel said the microcode updates, like previous patches, would have an impact on processor performance. An Intel spokesperson told TechCrunch that most patched consumer devices could take a 3 percent performance hit at worst, and as much as 9 percent in a datacenter environment. But, the spokesperson said, it was unlikely to be noticeable in most scenarios.

And neither Intel nor Gruss and his team have released exploit code, so there’s no direct and immediate threat to the average user.

But with patches rolling out today, there’s no reason to pass on a chance to prevent such an attack in any eventuality.


You probably weren’t a target of the WhatsApp surveillance hack

Tech Crunch Security - Tue, 05/14/2019 - 12:00pm

Every once in a while a major bug, vulnerability or security scare will spark panic. In most cases, it’s absolutely unnecessary panic.

Take yesterday’s reported vulnerability. Israeli hacking outfit NSO Group, a developer of malware typically used by governments, was caught using a hack targeting WhatsApp that allowed the attackers to remotely spy on the victim’s phone. The exploit was almost invisible, according to the Financial Times, which broke the story. The only indication that a phone might have been hacked is a missed call, often later deleted from the call log.

WhatsApp owner Facebook said it detected the hack and pushed out a fix to the app stores last night. WhatsApp didn’t mention the attack in its release notes, sparking criticism from some security experts for downplaying the risk of the vulnerability.

There was just one small missing piece of information from most reports: You probably weren’t a target.

Unless you’re a nuclear scientist or a government spy — or in this case a human rights lawyer — you’re probably not of any interest.

WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software https://t.co/pJvjFMy2aw https://t.co/e8VQUraZWQ

— Citizen Lab (@citizenlab) May 13, 2019

Exploits like the ones used in WhatsApp require a lot of time and effort to develop. They also have to be effective, undetected and reusable. Every time an exploit is used against a target, it runs the risk that someone finds out — the very opposite of covert surveillance.

“This attack was not about mass surveillance, it was used against highly targeted people,” said Alan Woodward, a computer science professor at the University of Surrey. “The likely cost and risks to those deploying this exploit means they would have used it only on very selective targets,” he said.

It’s becoming increasingly common to report hacks and breaches without offering context to the victims involved. Every time we report a security lapse, we try to contextualize it so confirmed or possible victims can take measures to protect themselves. The risk is if we don’t, it sparks panic and uncertainty. Worse, confusion leads to misinterpretation, which results in shoddy reporting and a misinformed public.

It’s sometimes called “hack porn,” where fanciful and obscure hacking techniques are covered like they’re drive-by downloads, or nation states are hacking everyone en masse. There’s no harm in reporting the information, but it should be done in a way that’s proportional to the risk posed to the possible victims involved.

“The general public should be aware, update the software, but certainly not rush to abandon the application,” said Woodward. “To their credit, WhatsApp found this almost invisible attack,” he said.

“No software is 100% secure,” said Woodward. “As long as you practice good security hygiene such as keeping your passwords secure and your apps up to date, the vast majority should be quite safe from this attack, even if you are a target.”

Yesterday’s news is a reminder that as much as sophisticated, nation state-backed hacks exist to target a fraction of the 1%, it never hurts to keep your apps up to date.


WhatsApp exploit let attackers install government-grade spyware on phones

Tech Crunch Security - Mon, 05/13/2019 - 7:30pm

WhatsApp just fixed a vulnerability that allowed malicious actors to remotely install spyware on affected phones, and an unknown number reportedly did so with a commercial-grade snooping package usually sold to nation-states.

The vulnerability (documented here) was discovered by the Facebook-owned WhatsApp in early May, the company confirmed to TechCrunch. It apparently leveraged a bug in the audio call feature of the app to let the caller install spyware on the device being called, whether the call was answered or not.

The spyware in question that was detected as having been installed was Israel-based NSO Group’s Pegasus, which is usually (ostensibly) licensed to governments looking to infect targets of investigations and gain access to various aspects of their devices.

This is, as you can imagine, an extremely severe security hole, and it is difficult to fix the window during which it was open, or how many people were affected by it. Without knowing exactly what the exploit was and what data WhatsApp keeps regarding that type of activity, we can only speculate.

The company said that it suspects a relatively small number of users were targeted, since it would be nontrivial to deploy, limiting it to advanced and highly motivated actors.

Once alerted to the issue’s existence, the company said it took less than 10 days to make the required changes to its infrastructure that would render the attack inoperable. After that, an update went out to the client that further secured against the exploit.

“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” the company said in a statement.

So what about NSO Group? Is this attack their work as well? The company told the Financial Times, which first reported the attack, that it was investigating the issue. But it noted that it is careful not to involve itself with the actual applications of its software — it vets its customers and investigates abuse, it said, but it has nothing to do with how its code is used or against whom.

WhatsApp did not name NSO in its remarks, but its suspicions seem clear:

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”

Naturally when a security-focused app like WhatsApp finds that a private company has, potentially at least, been secretly selling a known and dangerous exploit of its protocols, there’s a certain amount of enmity. But it’s all part of the 0-day game, an arms race to protect against or breach the latest security measures.

You should, as WhatsApp suggests, always keep your apps up to date for situations like this, although in this case the problem was able to be fixed in the backend before clients could be patched.


Boost Mobile says hackers broke into customer accounts

Tech Crunch Security - Mon, 05/13/2019 - 2:18pm

Boost Mobile, a virtual mobile network owned by Sprint, has confirmed hackers have broken into an unknown number of customer accounts.

The company quietly posted a notification of its data breach almost exactly two months after March 14, when Boost said the breach happened.

“Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code,” said the notification. “The Boost Mobile fraud team discovered the incident and was able to implement a permanent solution to prevent similar unauthorized account activity.”

It’s not known exactly how the hackers obtained customer PINs — or how many Boost customers are affected. The company also notified the California attorney general, which companies are required to do if more than 500 people in the state are affected by the same security incident.

Boost Mobile reportedly had 15 million customers in 2018.

The hackers used those phone numbers and account PINs to break into customer accounts using the company’s website Boost.com, said the notification. These codes can be used to alter account settings. Hackers can automate account logins using lists of exposed usernames and passwords — or in this case phone numbers and PIN codes — in what’s known as a credential stuffing attack.

Boost said it has sent affected customers a text with a temporary PIN.
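The login pattern described above (one source trying many phone numbers and PINs, most of them failing) can be spotted in authentication logs. The following is an added example, not code from the article or from Boost; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed line format:
# <UTC timestamp> ip=<source address> phone=<account id> result=<ok|fail>
SAMPLE_LOG = """\
2019-01-01T10:00:00Z ip=203.0.113.7 phone=2025550101 result=fail
2019-01-01T10:00:05Z ip=198.51.100.20 phone=2025550150 result=fail
2019-01-01T10:00:10Z ip=203.0.113.7 phone=2025550102 result=fail
2019-01-01T10:00:20Z ip=203.0.113.7 phone=2025550103 result=fail
2019-01-01T10:00:30Z ip=198.51.100.20 phone=2025550150 result=fail
2019-01-01T10:00:30Z ip=203.0.113.7 phone=2025550104 result=fail
2019-01-01T10:00:40Z ip=203.0.113.7 phone=2025550105 result=fail
2019-01-01T10:00:50Z ip=203.0.113.7 phone=2025550106 result=ok
2019-01-01T10:01:00Z ip=198.51.100.20 phone=2025550150 result=ok
2019-01-01T10:01:00Z ip=203.0.113.7 phone=2025550107 result=fail
2019-01-01T10:01:10Z ip=203.0.113.7 phone=2025550108 result=fail
2019-01-01T10:02:00Z ip=198.51.100.33 phone=2025550160 result=ok
2019-01-01T10:03:00Z ip=198.51.100.33 phone=2025550161 result=ok
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) phone=(?P<phone>\d+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (timestamp, ip, phone, succeeded) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["phone"], m["result"] == "ok"


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts, mostly unsuccessfully.

    An IP is flagged when, inside one sliding window, it has attempted at
    least `min_accounts` different phone numbers and at least
    `min_fail_ratio` of those attempts failed. A customer mistyping a PIN
    touches one account, and a shared address with normal logins has a low
    failure ratio, so neither trips the rule.
    """
    recent = defaultdict(deque)    # ip -> attempts still inside the window
    successes = defaultdict(set)   # ip -> accounts it logged in to
    tried = {}                     # flagged ip -> accounts it attempted

    for ts, ip, phone, ok in sorted(parse(lines)):
        attempts = recent[ip]
        attempts.append((ts, phone, ok))
        while ts - attempts[0][0] > window:
            attempts.popleft()     # drop attempts older than the window
        if ok:
            successes[ip].add(phone)

        accounts = {p for _, p, _ in attempts}
        failures = sum(1 for _, _, succeeded in attempts if not succeeded)
        if (len(accounts) >= min_accounts
                and failures / len(attempts) >= min_fail_ratio):
            tried.setdefault(ip, set()).update(accounts)

    # Accounts a flagged source got into are the ones needing a PIN reset.
    return {
        ip: {"accounts_tried": sorted(accts),
             "logged_in": sorted(successes[ip])}
        for ip, accts in tried.items()
    }


if __name__ == "__main__":
    for ip, hit in detect_stuffing(SAMPLE_LOG).items():
        print(ip, "tried", len(hit["accounts_tried"]), "accounts;",
              "reset PINs for", hit["logged_in"])
```

Per-source counting is only one signal; per-account failure counts and rate limits on the login endpoint cover attempts spread across many sources.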

A spokesperson for Sprint did not immediately comment. We’ll have more when we get it.


Yes, Americans can opt-out of airport facial recognition. Here’s how

Tech Crunch Security - Mon, 05/13/2019 - 11:56am

Whether you like it or not, facial recognition tech to check in for your flight will soon be coming to an airport near you.

Over a dozen U.S. airports are already rolling out the technology, with many more to go before the U.S. government hits its target of enrolling the largest 20 airports in the country before 2021.

Facial recognition is highly controversial and has many divided. On the one hand, it reduces paper tickets and is meant to make it easier for travelers to check in at the airport before their flight. But facial recognition also has technical problems. According to a Homeland Security watchdog, the facial recognition systems used at airports only worked 85 percent of the time in some cases. Homeland Security said the system is getting better over time and will be up to scratch by the supposed 2021 deadline — even if the watchdog has its doubts.

Many also remain fearful of the privacy and legal concerns. After all, it’s not Customs and Border Protection collecting your facial recognition data directly — it’s the airlines — and they pass it onto the government.

Delta debuted the tech last year, scanning faces before passengers fly. JetBlue also followed suit, and many more airlines are expected to sign up. That data is used to verify boarding passes before travelers get to their gate. But it’s also passed onto Customs and Border Protection to check passengers against their watchlists — and to crack down on those who overstay their visas.

Clearly that’s rattling travelers. In a recent Twitter exchange with JetBlue, the airline said customers are “able to opt out of this procedure.”

That’s technically true, although you might not know it if you’re at one of the many U.S. airports. The Electronic Frontier Foundation found that it’s not easy to opt-out but it is possible.

A sign allowing U.S. citizens to opt-out of facial scans. (Image: Twitter/Juli Lyskawa)

If you’re a U.S. citizen, you can opt out by telling an officer or airline employee at the time of a facial recognition scan. You’ll need your U.S. passport with you — even if you’re flying domestically. Border officials or airline staff will manually check your passport or boarding pass like they would normally do before you’ve boarded a plane.

Be on the lookout for any signs that say you can opt-out, but also be mindful that there may be none at all. You may have to opt-out multiple times from arriving at the airport until you reach your airplane seat.

“It might sound trite, but right now, the key to opting out of face recognition is to be vigilant,” wrote EFF’s Jason Kelley.

Bad news if you’re not an American: you will not be allowed to opt-out.

“Once the biometric exit program is a nationally-scaled, established program, foreign nationals will be required to biometrically confirm their exit from the United States at the final [boarding] point,” said CBP spokesperson Jennifer Gabris in an earlier email to TechCrunch. “This has been and is a Congressional mandate,” she said.

There are a few exceptions: Canadian citizens who don’t require a visa to enter the U.S. are exempt, as are diplomatic and government visa holders.

Facial recognition data collected by the airlines on U.S. citizens is stored by Customs and Border Protection for between 12 hours and two weeks, and 75 years for non-citizens. That data is stored in several government databases, which border officials can pull up when you’re arriving or leaving the U.S.

Why should you opt-out? As an American, it’s your right to refuse. Homeland Security once said Americans who didn’t want their faces scanned at the airport should “refrain from traveling.” Now all it takes is a “no, thanks.”


Sweden reopens rape case against Julian Assange

Tech Crunch Security - Mon, 05/13/2019 - 6:56am

Sweden’s prosecution authority has reopened a preliminary investigation into Wikileaks founder Julian Assange on an allegation of rape dating back to 2010.

It said today it will issue a European Arrest Warrant for Assange, and submit an application for a detention order to Uppsala District Court — as the suspected crime took place in Enköping municipality.

An earlier attempt by the Swedish prosecution authority to investigate the alleged sex crime was dropped after Assange fled to the Ecuadorian embassy in London, UK, in 2012.

A second sex crime allegation against Assange involving a separate Swedish woman cannot be reopened as the legal time-limit on pursuing a case has been exceeded.

The Wikileaks founder was arrested at the Ecuadorian embassy in London last month, after it withdrew diplomatic asylum. He was then quickly found guilty of breaching his 2012 bail conditions.

A judge at Southwark Crown Court then sentenced him to 50 weeks earlier this month. He is now serving that sentence in a UK prison.

Sweden’s deputy director of public prosecution, Eva-Marie Persson, said today that any conflict between the European Arrest Warrant and an existing US extradition request for Assange will be decided by UK authorities.

It would be up to UK courts — and potentially the home secretary, Sajid Javid — to make a final decision where to send Assange if there are conflicting extradition requests.

Once in UK police custody last month the Wikileaks founder was also almost immediately rearrested on behalf of the U.S. — which is seeking his extradition on a charge of conspiracy to hack into a classified computer relating to the leaking of military secrets to Wikileaks by whistleblower, Chelsea Manning.

“I am well aware of the fact that an extradition process is ongoing in the UK and that he could be extradited to the US. In the event of a conflict between a European Arrest Warrant and a request for extradition from the US, UK authorities will decide on the order of priority. The outcome of this process is impossible to predict. However, in my view the Swedish case can proceed concurrently with the proceedings in the UK,” said Persson in a statement regarding potential extradition conflict.

In wider comments regarding reopening the case she said simply that circumstances have changed.

“On account of Julian Assange leaving the Ecuadorian embassy, the circumstances in this case have changed. I take the view that there exists the possibility to take the case forward.”

She also noted that UK authorities have told her office Assange must serve 25 weeks of his sentence before he can be released.

Reopening the investigation against Assange means “a number of investigative measures will take place”, she added, suggesting her office could seek to question Assange while he is detained in UK prison — while noting he would have to agree to co-operate with any interview.

“In my opinion a new interview with the suspect is required. It may be necessary, with the support of a European Investigation Order, to request an interview with [Assange] be held in the UK. Such an interview, however, requires [hi]s consent,” she said.

Wikileaks’ editor-in-chief, Kristinn Hrafnsson, has responded to Sweden reopening the rape allegation investigation with a statement in which he claims the country is doing so “under intense political pressure” and that the case “has been mishandled throughout”.

He also denies Assange ever sought to evade the investigation, despite fleeing to and remaining within the Ecuadorian Embassy for seven years, and suggests that a fresh investigation “will give Julian a chance to clear his name”.

In a statement in UK court ahead of his sentencing for breaching bail conditions Assange apologized “unreservedly to those who consider that I have disrespected them by the way I have pursued my case”, adding that he regretted his decision to flee.

“Assange was always willing to answer any questions from the Swedish authorities and repeatedly offered to do so, over six years. The widespread media assertion that Assange ‘evaded’ Swedish questioning is false,” Hrafnsson writes now, leaving little wiggle room should Assange decline to be interviewed by Swedish prosecutors while behind bars in the UK.

Statement regarding the reopening of a preliminary investigation in Sweden.

Facts on the Swedish Investigation: https://t.co/5J1PtxWXgX pic.twitter.com/VbhBAON1ek

WikiLeaks (@wikileaks) May 13, 2019

Last month a cross-party coalition of 70 UK MPs wrote to the home secretary calling for him to “champion action” to ensure Assange is extradited to Sweden should prosecutors request it, as they now have.

Their letter called for Javid to “stand with the victims of sexual violence and seek to ensure the case against Mr Assange can now be properly investigated”, to ensure “due process” is followed for the complainant.

Parliamentarians also pointed out that the legal expiry date in this case of alleged rape is August 2020, meaning there’s only a short window to take a case against Assange to court — arguing that the Swedish prosecutors should therefore be given priority in any extradition conflict with the US.

Tonight over 70 parliamentarians stand with victims of sexual violence, and are calling on both the Home Secretary and the shadow Home Sec to urge them both to be champions of action to ensure Julian Assange faces Swedish authorities and is extradited there if they so request: pic.twitter.com/uaJMM984Cc

— stellacreasy (@stellacreasy) April 12, 2019

Assange is challenging the US extradition request — appearing at a court hearing May 2, via videolink, to say he did not consent to being sent to the US, per the Guardian, while the court heard that the extradition process would take “many months”.
