Tech Crunch

BlackBerry is buying Cylance for $1.4 billion to continue its push into cybersecurity

Tech Crunch Security - 5 hours 15 min ago

BlackBerry was best known for keyboard-toting smartphones, but their demise in recent years has seen the Canadian firm pivot towards enterprise services and in particular cybersecurity. That strategy takes a big step further forward today after BlackBerry announced the acquisition of AI-based cybersecurity company Cylance for a cool $1.4 billion.

Business Insider reported that a deal was close last week, and that has proven true with BlackBerry paying the full amount in cash up front. The deal is set to close before February 2019 — the end of BlackBerry’s current financial year — and it will see Cylance operate as a separate business unit within BlackBerry’s business.

Business Insider’s report suggested Cylance was preparing to go public until BlackBerry swooped in. That suggests BlackBerry wanted Cylance pretty badly, badly enough to part with a large chunk of the $2.4 billion cash pile that it was sitting on prior to today.

Cylance was founded in 2015 by former McAfee/Intel duo Stuart McClure (CEO) and Ryan Permeh (chief scientist) and it differentiates itself by using artificial intelligence, machine learning and more to proactively analyze and detect threats for its customers, which it said include Fortune 100 organizations and governments.

The company has raised nearly $300 million to date from investors that include Blackstone, DFJ, Khosla Ventures, Dell Technologies and KKR. Cylance is headquartered in Irvine, California, with global offices in Ireland, the Netherlands and Japan.

“Cylance’s leadership in artificial intelligence and cybersecurity will immediately complement our entire portfolio, UEM and QNX in particular. We are very excited to onboard their team and leverage our newly combined expertise. We believe adding Cylance’s capabilities to our trusted advantages in privacy, secure mobility, and embedded systems will make BlackBerry Spark indispensable to realizing the Enterprise of Things,” said BlackBerry CEO John Chen in a statement.

Chen has overseen BlackBerry’s move into enterprise services since his arrival in 2013 as part of a takeover by financial holdings firm Fairfax. Initially, things got off to a rocky start, but the strategy has borne fruit. The stock price was $6.51 when Chen joined; it closed Thursday at $8.86, down from a peak of $12.66 in January. While some of the progress has been erased this year, Chen has signed on to retain the top role at BlackBerry until at least 2023, giving him a potential 10-year tenure with the company that was once the world’s number one mobile brand.

Categories: Tech Crunch

A leaky database of SMS text messages exposed password resets and two-factor codes

Tech Crunch Security - Thu, 11/15/2018 - 7:31pm

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find.

Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

An example of one text message containing a user’s phone number and their Microsoft account reset code. (Image: TechCrunch)

Most don’t think about what happens behind the scenes when you get a text message from a company, whether it’s an Amazon shipping notification or a two-factor code for your login. Often, app developers — like HQ Trivia and Viber — will employ technologies provided by firms like Telesign and Nexmo, either to verify a user’s phone number or to send a two-factor authentication code, for example. But it’s firms like Voxox that act as a gateway, converting those codes into text messages to be passed on to the cell networks for delivery to the user’s phone.

After an inquiry by TechCrunch, Voxox pulled the database offline. At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher.

Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.

Among our findings from a cursory review of the data:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

“Yeah, this is very bad,” said Dylan Katz, a security researcher, who reviewed some of the findings.

The exposure of personal information and phone numbers notwithstanding, the ability to access two-factor codes in near-real-time could have put countless accounts at risk of hijack. In some cases, websites will only require a phone number to reset an account. With access to the text message through the exposed database, hijacking an account could take seconds.

“My real concern here is the potential that this has already been abused,” said Katz. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, said in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”

Many companies, including Facebook, Twitter and Instagram, have rolled out app-based two-factor authentication to thwart SMS-based verification, which has long been seen as vulnerable to interception.

If ever there was an example, this latest exposure would serve well.


Facebook will pass off content policy appeals to a new independent oversight body

Tech Crunch Security - Thu, 11/15/2018 - 2:14pm

Facebook doesn’t want to be the arbiter of decency when it comes to content policy decisions, similar to how it looked to third-party fact checkers rather than becoming an arbiter of truth. Today on a press call with journalists, Mark Zuckerberg announced that a new external oversight committee would be created in 2019 to handle some of Facebook’s content policy decisions. The body will take appeals and make final decisions. The hope is that, beyond the influence of Facebook’s business imperatives or the public’s skepticism about the company’s internal choices, the oversight body can come to the proper conclusions about how to handle false information, calls to violence, hate speech, harassment, and other problems that flow through Facebook’s user-generated content network.

“I believe the world is better off when more people have a voice to share their experiences . . . at the same time we have a responsibility to keep people safe,” Zuckerberg said. “When you connect 2 billion people, you’re going to see all the good and bad of humanity. Different cultures have different norms, not only about what content is okay, but also about who should be making those decisions in the first place.” He cites the question of whether a given use of a racial slur is hate speech or a condemnation of hate speech as the kind of decision Facebook could use help with.

Zuckerberg explained that over the past year he’s come to believe that so much power over free expression should not be concentrated solely in Facebook’s hands. That echoes his sentiment from an interview with Ezra Klein earlier this year when he suggested Facebook may need a “supreme court” to decide on controversial issues. Zuckerberg says he sees Facebook’s role as more akin to how a government is expected to reduce crime but not necessarily eliminate it entirely. “Our goal is to err on the side of giving people a voice while preventing real world harm” he writes. “These are not problems you fix, but issues where you continually improve.”

How The Independent Appeals Body Will Work

Zuckerberg describes that when someone initially reports content, Facebook’s systems will do the first level of review. If a person wants an appeal, Facebook will also handle this second level of review and scale up its systems to handle a lot of cases. Then he says: “The basic approach is going to be if you’re not happy after getting your appeal answered, you can try to appeal to this broader body. It’s probably not going to review every case like some of the higher courts . . . it might be able to choose which cases it thinks are incredibly important to look at. It will certainly need to be transparent about how it’s making those decisions.”

Zuckerberg said Facebook will be working to get the oversight body up and running over the next year. For now, there are plenty of unanswered questions about who will be on the committee, which of the many appeals it will review, and what ensures it’s truly independent from Facebook’s power. “One of the biggest questions we need to figure out in the next year is how to do the selection process for this body so that it’s independent . . . while giving people a voice . . . and keeping people safe. If the group ends up too tightly decided by Facebook it won’t feel like it’s independent enough.” Facebook plans to query experts and start running pilots over the next year to determine what approaches to codify.

Facebook launched an internal appeals system this year that lets users request a second review when their content is taken down, and Facebook plans to expand that to allow people to appeal responses when they report other people’s content. But the new independent body will serve as the final level of escalation for appeals.

[Update: Since we published this report, Zuckerberg has released a 5000-word letter describing his thoughts on Facebook policy, and the oversight body. You can read it below:]

Posted by Mark Zuckerberg on Thursday, November 15, 2018

Here’s the passage about the oversight committee:

In the next year, we’re planning to create a new way for people to appeal content decisions to an independent body, whose decisions would be transparent and binding. The purpose of this body would be to uphold the principle of giving people a voice while also recognizing the reality of keeping people safe.

I believe independence is important for a few reasons. First, it will prevent the concentration of too much decision-making within our teams. Second, it will create accountability and oversight. Third, it will provide assurance that these decisions are made in the best interests of our community and not for commercial reasons. 

This is an incredibly important undertaking — and we’re still in the early stages of defining how this will work in practice. Starting today, we’re beginning a consultation period to address the hardest questions, such as: how are members of the body selected? How do we ensure their independence from Facebook, but also their commitment to the principles they must uphold? How do people petition this body? How does the body pick which cases to hear from potentially millions of requests? As part of this consultation period, we will begin piloting these ideas in different regions of the world in the first half of 2019, with the aim of establishing this independent body by the end of the year.

Over time, I believe this body will play an important role in our overall governance. Just as our board of directors is accountable to our shareholders, this body would be focused only on our community. Both are important, and I believe will help us serve everyone better over the long term.

Avoiding Or Acknowledging The Weight Of Its Decisions?

The past year has seen Facebook criticized for how it handled calls for violence in Myanmar, harassment and fake news by conspiracy theorists like Alex Jones, election interference by Russian, Iranian, and other state actors, and more. Most recently, the New York Times published a scathing report about how Facebook tried to distract from or deflect criticism of its myriad problems, including its failure to prevent election interference ahead of the 2016 Presidential race.

The oversight committee could both help Facebook make smarter decisions that the world can agree with, and give Facebook a stronger defense to this criticism because it’s not the one making the final policy calls. The approach could be seen as Facebook shirking its responsibility, or as it understanding that the gravity of that responsibility exceeds its own capabilities.

[Update: We’ve updated this story with information from Zuckerberg’s Blueprint letter.]


Facebook reports a massive spike in government demands for data, including secret orders

Tech Crunch Security - Thu, 11/15/2018 - 1:37pm

Facebook has published the details of 13 historical national security letters it’s received for user data.

The embattled social media giant said that the letters were dated between 2014 and 2017 and sought data on several Facebook and Instagram accounts.

These demands for data are effectively subpoenas, issued by the FBI without any judicial oversight, compelling companies to turn over limited amounts of data on an individual who is named in a national security investigation. They’re controversial — not least because they come with a gag order that prevents companies from informing the subject of the letter, let alone disclosing its very existence.

Companies are often told to turn over IP addresses of everyone a person has corresponded with, online purchase information, email records, and also cell-site location data.

But since the introduction of the Freedom Act, passed in the aftermath of the Edward Snowden revelations, the FBI has to periodically review the gag orders.

Chris Sonderby, Facebook’s deputy general counsel, said that the government lifted the non-disclosure orders on the letters over the course of this year.

“We always scrutinize each government request we receive for account data to make sure it is legally valid,” said Sonderby.

It’s not the first time Facebook has disclosed a national security letter. Its first letter, revealed in 2016, dated back to 2015. (You can read all of the disclosed national security letters here.)

News of the national security letters dropped a day after a highly critical report by The New York Times that revealed some of the company’s shady tactics over the years designed to deflect attention from its various scandals, including attempts to discredit activists and protesters.

Facebook’s latest transparency report shows that the number of government demands for data rocketed by 26 percent year-over-year, from 82,341 to 103,815 requests.

The U.S. government’s demands for customer data went up by 30 percent to 42,466 total requests, Facebook said, affecting 70,528 accounts. The company said that more than half included a non-disclosure clause that prevented the company from informing the user.

Most of the legal orders were court-authorized search warrants.

For its latest reporting period, Facebook also said that the number of other national security orders more than doubled year-over-year, from between 12,500-12,999 accounts during July-December 2016 to 25,000-25,499 accounts during January-June 2017.

Under current Justice Dept. reporting rules, companies are subject to a six-month reporting delay.


Facebook’s weapon amid chaos and controversy: misdirection

Tech Crunch Security - Thu, 11/15/2018 - 11:31am

The New York Times’ bombshell report into the past three years at Facebook paints a grotesque picture of the company’s attempts to navigate a string of high profile controversies by using unsavory, unethical and dark PR tactics.

The Times’ report, citing more than 50 sources, accuses the company of:

  • employing a Republican opposition research firm to “discredit activist protesters,” in part by linking them to the liberal billionaire George Soros;
  • using its business relationships to lobby a Jewish civil rights group to flag critics and protesters as anti-Semitic;
  • attempting to shift anti-Facebook rhetoric onto its rivals, so they would soak up the blame, by planting stories with reporters;
  • posting “less specific” carefully crafted posts about Russian election interference amid claims that the company was slow to act;
  • and urging its senior staff to switch to Android (which Facebook denies) after Apple chief executive Tim Cook made critical remarks about Facebook’s data practices.

Not a good look at all. The whole report is worth a read. Facebook responded with its own version of events, calling out “a number of inaccuracies” in the Times’ report.

Facebook, to be fair, has had a rough few years. To be unfair, much of it was of its own making. The Cambridge Analytica scandal. A firehose of criticism over its data practices and privacy issues. Election interference. Its involvement in Myanmar’s genocide. And a major data breach.

And then misinformation, misinformation, and misinformation.

Facebook has shown that it can’t keep its users safe.

But instead of tackling the fires it had created for itself, the company took to discrediting and deflecting in an effort to distance or absolve itself from the responsibility of the mess that it helped create.

Facebook had an uncanny ability to throw out good headlines amid chaos. A day after a lawsuit accused the company of inflating its video figures that put some newsrooms out of business, a stream of headlines (including from TechCrunch!) from Facebook’s makeshift election war room pushed any lingering headlines to the bottom of the pile. With just weeks to go before the midterms, Facebook wanted to paint some good news that it was working to pilot better election campaign security efforts, even though critics said it was way too late. Every opportunity it got to say it took down some misinformation or “inauthentic behavior,” it took it — a mea culpa for its role in failing to prevent the spread of misinformation during the 2016 presidential election, or a cheap way to get some quick, positive headlines? Even the debut of its camera-enabled Facebook Portal product was tone-deaf, announced the same week as its data breach.

Coincidence? Maybe. Suspect? Definitely.

I really hope nobody is buying all this daft Facebook PR. First their undefinable "War Room" that's no more than a sign on a door, now a pseudo-celebrity hire to push the notion they even recognise "global affairs". All a smokescreen for doing nothing.

— Peter Gothard (@petergothard) October 19, 2018

The health of the company — particularly its leadership — doesn’t look good.

The Times’ report is going to reignite a needed conversation about whether the executive duopoly, chief executive Mark Zuckerberg and chief operating officer Sheryl Sandberg, are fit to keep running the company. Zuckerberg’s roughly 60 percent of voting power makes it near impossible to remove him from his leadership position.

This time, an apology tour isn’t going to cut it.


Facebook under pressure over Soros smear tactics

Tech Crunch Security - Thu, 11/15/2018 - 11:25am

Facebook is facing calls from an aide to billionaire George Soros to conduct an external investigation into its own lobbying and PR activities.

BuzzFeed reports that Michael Vachon, an advisor to the chairman at Soros Fund Management, made the call in a letter to friends and colleagues.

The call follows an explosive investigation, published yesterday by the New York Times based on interviews with more than 50 sources on the company, which paints an ugly picture of how Facebook’s leadership team responded to growing pressure over election interference, in the wake of the Kremlin ads scandal of 2016, including by engaging an external firm to lobby aggressively on its behalf.

The firm used smear tactics targeted at Soros, according to the NYT report, with the paper writing that: “A research document circulated by Definers [the PR firm engaged by Facebook] to reporters this summer, just a month after the House hearing, cast Mr. Soros as the unacknowledged force behind what appeared to be a broad anti-Facebook movement.”

Wikipedia describes Definers as “an American right leaning opposition research firm… [that] performs media monitoring services, conducts research using the Freedom of Information Act and also creates strategic communication to negatively influence the public image about individuals, firms, candidates and organizations who oppose their clients”.

Facebook has since responded to the NYT article, rejecting some of the report as inaccurate — and denying outright that it ever asked Definers to smear anyone on its behalf.

“The New York Times is wrong to suggest that we ever asked Definers to pay for or write articles on Facebook’s behalf – or to spread misinformation,” the company writes. “Our relationship with Definers was well known by the media – not least because they have on several occasions sent out invitations to hundreds of journalists about important press calls on our behalf.

“Definers did encourage members of the press to look into the funding of ‘Freedom from Facebook,’ an anti-Facebook organization. The intention was to demonstrate that it was not simply a spontaneous grassroots campaign, as it claimed, but supported by a well-known critic of our company. To suggest that this was an anti-Semitic attack is reprehensible and untrue.”

In a follow up report today the NYT says Facebook cut ties with the PR firm on Wednesday, after the publication of its article.

In his letter, Vachon describes it as “alarming that Facebook would engage in these unsavory tactics, apparently in response to George’s public criticism in Davos earlier this year of the company’s handling of hate speech and propaganda on its platform”.

“What else is Facebook up to? The company should hire an outside expert to do a thorough investigation of its lobbying and PR work and make the results public,” he adds.

We contacted Facebook for a response to Vachon’s call for an external investigation of its internal conduct. A company spokesman just directed us to its earlier response to the NYT article.

Facebook has recently faced calls for an external security and privacy audit from the European parliament in the wake of the Cambridge Analytica data misuse scandal.

It has also faced calls for its CEO and founder to face up to international politicians’ questions over fake news and election interference, although Zuckerberg has continued to decline to attend.

So the external pressures keep piling up…

A damning story about Facebook which underlines why we need to hold their top people to account – Delay, Deny and Deflect: How Facebook’s Leaders Fought Through Crisis https://t.co/cwJmKVR3qD

— Damian Collins (@DamianCollins) November 15, 2018

The title of the NYT article — “delay, deny and deflect” — hints at the meaty reportage within, with the newspaper presenting a well-sourced view of Facebook’s management team grappling ineptly and then cynically and aggressively with an existential reputation crisis by reaching for smear tactics associated with the worst kind of politics.

“[Facebook COO Sheryl] Sandberg has overseen an aggressive lobbying campaign to combat Facebook’s critics, shift public anger toward rival companies and ward off damaging regulation,” the newspaper writes.

It also alleges that Facebook knew about Russian activity on its platform as early as the spring of 2016 but was slow to investigate.

Again, in its rebuttal, Facebook rejects that characterization — claiming a less inept early handling of the political disinformation threat. “Leading up to Election Day in November 2016, we detected and dealt with several threats with ties to Russia … [including] a group called APT28 … we also saw some new behavior when APT28-related accounts, under the banner of DC Leaks, created fake personas that were used to seed stolen information to journalists. We shut these accounts down for violating our policies,” it writes.

It also denies its then CSO, Alex Stamos, was discouraged by senior management from looking into Russian activity.

Although Stamos clashing with Sandberg over the Russian disinformation threat has previously been causally linked to his departure from Facebook this summer. (And in an internal memo that BuzzFeed obtained earlier this year Stamos does admit to having had “passionate discussions with other execs”.)

“After the election, no one ever discouraged Alex Stamos from looking into Russian activity — as he himself acknowledged on Twitter,” Facebook writes now, rejecting that portion of the NYT report. “Indeed as The New York Times says, ‘Mark and Sheryl [Sandberg] expanded Alex’s work.’”

Facebook has also denied treating Donald Trump’s comments about Muslims — when in December 2015 the US president posted a statement on Facebook calling for a “total and complete shutdown” on Muslims entering the United States — any differently to “other important free speech issues”.

On this the newspaper’s sources told it that Facebook’s management team had delegated key decisions on whether or not Trump’s post constituted hate speech to policy staffers who “construed their task narrowly” yet were also motivated by worries about stoking a conservative backlash.

The post was not deleted. And the NYT writes that it was shared more than 15,000 times on Facebook — “an illustration of the site’s power to spread racist sentiment”.


Tech giants take seats on Homeland Security’s new supply chain task force

Tech Crunch Security - Thu, 11/15/2018 - 8:00am

Homeland Security’s supply chain task force is finally off the ground.

The public-private coalition, set up earlier this year, now has representatives from more than two dozen companies and industry groups signed up to help the government try to combat risks faced by tech companies from threats in the supply chain.

Called the ICT Supply Chain Task Force, the group is meant to help government officials better understand and address security issues with global technology supply chains and make recommendations. By collaborating, the group aims to better understand the risks that companies face from industrial espionage, government interference, and other cybersecurity issues that could pose a threat to U.S. national security.

One of those new members is Cisco’s Edna Conway, chief security officer for its global value chain. She told TechCrunch that enterprises and governments “can no longer effectively identify, defend against and mitigate the risks across that global value chain in isolation.”

She, like others, has called for a group effort to tackle the threats they face.

The task force couldn’t come soon enough. Although the government has long known of supply chain threats, the group’s official formation comes in the aftermath of Bloomberg’s controversial claims that Chinese intelligence had infiltrated the server hardware supply chain with tiny chips. Bloomberg’s claims have been largely debunked — or not proven to the standard that many have called for. But that doesn’t diminish the long-known threat that the U.S. electronics and data industries face.

By working together, the task force aims to create policy recommendations that would incentivize businesses to buy hardware and software directly from original vendors and vetted resellers, reducing the risk of having an unknown, untrusted third party in the mix. One of the end goals is to ensure that only trusted vendors, which stick to a strict set of criteria laid out by the task force, will be qualified to bid for contracts.

“Cisco brings to the task force this collaborative spirit, a deep understanding of the operation of global ICT value chains and my expertise in shifting security and risk from ‘limiting damage’ to key enabler of business differentiation,” said Conway.

Cisco joins other tech giants and major telcos at the table, including Accenture, AT&T, CenturyLink, Charter, Comcast, CTIA, CyberRx, Cybersecurity Coalition, Cyxtera, FireEye, Intel, ITI, IT-ISAC, Microsoft, NAB, NCTA, NTCA, Palo Alto Networks, Samsung, Sprint, Threat Sketch, TIA, T-Mobile, US Telecom and Verizon (which, as a reminder, owns TechCrunch).

They will be joined by representatives from Homeland Security, the Defense Dept., the Justice Dept., the Treasury, and the Office of the Director of National Intelligence, among others in government.

Homeland Security under secretary Christopher Krebs said that by bringing together representatives from the public and private sector, the task force has “a unique ability to confront today’s challenges by sharing information across government and industry in real-time and developing the ability to better plan for the risks of the future.”


Mozilla adds website breach notifications to Firefox

Tech Crunch Security - Thu, 11/15/2018 - 6:17am

Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.

When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised.

“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”

Here’s an example of what the site breach notifications look like and the kind of detail they will provide:

Mozilla’s website breach notification feature in Firefox

Mozilla is tying the site breach notification feature to an email account breach notification service it launched earlier this year, called Firefox Monitor, which it also said today is now available in an additional 26 languages.

Firefox users can click through to Monitor when they get a pop up about a site breach to check whether their own email was involved.

As with Firefox Monitor, Mozilla is relying on a list of breached websites provided by its partner, Troy Hunt’s pioneering breach notification service, Have I Been Pwned.

There can of course be a fine line between feeling informed and feeling spammed with too much information when you’re just trying to get on with browsing the web. But Mozilla looks to be sensitive to that, because it’s limiting breach notifications to one per breached site. It will also only raise a flag if the breach itself occurred in the past 12 months.
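The gating rules described above (one notification per breached site, only for breaches from the past 12 months, matched against a Have I Been Pwned-style list), as an added example that is not Mozilla’s Firefox code; the breach records and dates are constructed, and only the `Name`, `Domain` and `BreachDate` field names follow the public HIBP format:

```javascript
// Constructed sample breach list in the shape of Have I Been Pwned records
// (these are not real breaches).
const SAMPLE_BREACHES = [
  { Name: "ExampleShop", Domain: "shop.example", BreachDate: "2018-06-01" },
  { Name: "OldForum", Domain: "forum.example", BreachDate: "2016-02-10" },
];

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000;

// True when the visited host is the breached domain itself or a subdomain of it,
// so "www.shop.example" matches a breach recorded for "shop.example".
function hostMatchesDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Decide whether to show a breach pop-up for `host` at time `now`.
// `shown` is the persisted Set of breached domains the user has already been
// told about (one notification per breached site). Returns the breach record
// to display, or null when nothing should be shown.
function breachToNotify(host, breaches, shown, now = new Date()) {
  const cutoff = now.getTime() - TWELVE_MONTHS_MS;
  for (const b of breaches) {
    if (!hostMatchesDomain(host, b.Domain)) continue;
    if (shown.has(b.Domain)) continue; // already notified once for this site
    const breachTime = Date.parse(b.BreachDate + "T00:00:00Z");
    if (Number.isNaN(breachTime) || breachTime < cutoff) continue; // older than 12 months
    shown.add(b.Domain);
    return b;
  }
  return null;
}

// Walk a few visits with a fixed clock so the outcome is reproducible.
function demo() {
  const shown = new Set();
  const now = new Date("2018-11-15T00:00:00Z"); // constructed "today"
  return {
    firstVisit: breachToNotify("www.shop.example", SAMPLE_BREACHES, shown, now),
    secondVisit: breachToNotify("shop.example", SAMPLE_BREACHES, shown, now),
    oldBreach: breachToNotify("forum.example", SAMPLE_BREACHES, shown, now),
    unrelated: breachToNotify("news.example", SAMPLE_BREACHES, shown, now),
  };
}

console.log(demo());
```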

Data breaches are an unfortunate staple of digital life, stepping up in recent years in frequency and size along with big data services. That in turn has cranked up awareness of the problem. And in Europe tighter laws were introduced this May to bring in a universal breach disclosure requirement and raise penalties for data protection failures.

The GDPR framework also generally encourages data controllers and processors to improve their security systems given the risk of much heftier fines.

It will likely take some time, though, for any increases in security investment triggered by the regulation to filter down and translate into fewer breaches — if indeed the law ends up having that hoped-for impact.

But one early win for GDPR is it has greased the pipe for companies to promptly disclose breaches. This means it’s helping to generate more up-to-date security information which consumers can in turn use to inform the digital choices they make. So the regulation looks to be generating positive incentives.


Judge orders Amazon to turn over Echo recordings in double murder case

Tech Crunch Security - Wed, 11/14/2018 - 11:46am

A New Hampshire judge has ordered Amazon to turn over two days of Amazon Echo recordings in a double murder case.

Prosecutors believe that recordings from an Amazon Echo in a Farmington home where two women were murdered in January 2017 may yield further clues to their killer. Although police seized the Echo when they secured the crime scene, any recordings are stored on Amazon servers.

The order granting the search warrant, obtained by TechCrunch, said that there is “probable cause to believe” that the Echo picked up “audio recordings capturing the attack” and “any events that preceded or succeeded the attack.”

Amazon is also directed to turn over any “information identifying any cellular devices that were linked to the smart speaker during that time period,” the order said.

Timothy Verrill, a resident of neighboring Dover, New Hampshire, was charged with two counts of first-degree murder. He pleaded not guilty and awaits trial.

When reached, an Amazon spokesperson did not comment — but the company told the Associated Press last week that it won’t release the information “without a valid and binding legal demand properly served on us.”

New Hampshire doesn’t provide electronic access to court records, so it’s not readily known if Amazon has complied with the order, signed by Justice Steven Houran, on November 5.

A court order signed by New Hampshire Superior Court on November 5 ordering Amazon to turn over Echo recordings. (Image: TechCrunch)

It’s not the first time Amazon has been ordered to turn over recordings that prosecutors believe may help a police investigation.

Three years ago, an Arkansas man was accused of murder. Prosecutors pushed Amazon to turn over data from an Echo found in the house where the body was found. Amazon initially resisted the request citing First Amendment grounds — but later conceded and complied. Police and prosecutors generally don’t expect much evidence from Echo recordings — if any — because Echo speakers are activated with a wake word — usually “Alexa,” the name of the voice assistant. But sometimes fragments of recordings can be inadvertently picked up, which could help piece together events from a crime scene.

But these two cases represent a fraction of the number of requests Amazon receives for Echo data. Although Amazon publishes a biannual transparency report detailing the number of warrants and orders it receives across its entire business, the company doesn’t — and refuses to — break down how many of those requests are for Echo data.

In most cases, requests for Echo recordings are only known through court orders.

In fact, when TechCrunch reached out to the major players in the smart home space, only one device maker had a transparency report and most had no future plans to publish one — leaving consumers in the dark on how these companies protect your private information from overly broad demands.

Although the evidence in the Verrill case is compelling, exactly what comes back from Amazon — or the company’s refusal to budge — will be telling.


Mozilla ranks dozens of popular ‘smart’ gift ideas on creepiness and security

Tech Crunch Security - Wed, 11/14/2018 - 11:05am

If you’re planning on picking up some cool new smart device for a loved one this holiday season, it might be worth your while to check whether it’s one of the good ones or not. Not just in the quality of the camera or step tracking, but the security and privacy practices of the companies that will collect (and sell) the data it produces. Mozilla has produced a handy resource ranking 70 of the latest items, from Amazon Echos to smart teddy bears.

Each of the dozens of toys and devices is graded on a number of measures: what data does it collect? Is that data encrypted when it is transmitted? Who is it shared with? Are you required to change the default password? And what’s the worst case scenario if something went wrong?

Some of the security risks are inherent to the product — for example, security cameras can potentially see things you’d rather they didn’t — but others are oversights on the part of the company: security practices like honoring account deletion, not sharing data with third parties, and so on.

At the top of the list are items getting most of it right — this Mycroft smart speaker, for instance, uses open source software and the company that makes it makes all the right choices. Their privacy policy is even easy to read! Lots of gadgets seem just fine, really. This list doesn’t just trash everything.

On the other hand, you have something like this Dobby drone. They don’t seem to even have a privacy policy — bad news when you’re installing an app that records your location, HD footage, and other stuff! Similarly, this Fredi baby monitor comes with a bad password you don’t have to change, and has no automatic security updates. Are you kidding me? Stay far, far away.

All together 33 of the products met Mozilla’s recently proposed “minimum security standards” for smart devices (and got a nice badge); 7 failed, and the rest fell somewhere in between. In addition to these official measures there’s a crowd-sourced (hopefully not to be gamed) “creep-o-meter” where prospective buyers can indicate how creepy they find a device. But why is BB-8 creepy? I’d take that particular metric with a grain of salt.


SAM nabs $12M for cybersecurity aimed at home routers and devices connected to them

Tech Crunch Security - Wed, 11/14/2018 - 7:17am

A wave of security startups has built solutions for enterprises that are meeting the challenges of “consumerization”, where IT organizations are tasked with securing a range of devices and apps — some brought in by employees, not issued by IT — that are on the organization’s networks. Today, a startup based out of Israel that is taking a similar approach, but aimed at consumers and the plethora of devices now connected to their home networks, is announcing a round of funding. SAM — which provides a system, administered by way of a home or small office/home office internet router, that monitors connected devices for suspicious activity — has raised $12 million in funding.

The Series A includes interesting strategic investors. Led by Intel Capital, the round also includes participation from home security giant ADT, NightDragon (a cybersecurity-focused VC founded by Dave DeWalt, the former CEO of FireEye and McAfee) and Blumberg Capital.

Intel is already integrating SAM’s tech into its hardware, and ADT is evaluating how it can do so right now, said Sivan Rauscher, the CEO who first cut her teeth working on cybersecurity in the Israeli army before co-founding SAM with CTO Eilon Lotem and Vice Chairman Shmuel Chafets.

Prior to this round, SAM first emerged from stealth in February 2018 with $4 million from backers that included Team8, the well-supported VC-company incubator, whose co-founders Nadav Zafir, Israel Grimberg, and Liran Grinberg now also serve as advisors to the startup.

One of the reasons for following that up relatively quickly with more funding is that SAM has already signed some deals and is making its way into the market. Rauscher said that the first services using the startup’s tech will go live in Germany, Belgium and the UK soon. (She declined to name the telcos that will roll it out, since “they want to keep the element of surprise,” she said.) It’s also already deployed across some 4 million devices by way of Israeli carrier Bezeq.

The company is notable because in the world of cybersecurity, many of the most talented people and companies are focused on targeting the enterprise market. In a way, that is not a surprise, since these typically are larger and more complex networks, and a larger amount of data is more immediately at stake.

(And you could argue that in fact this is also an enterprise play, since SAM is working with telcos to provide services to consumers: “We have an agenda to protect the end user but also the carrier as well,” Rauscher said.)

SAM is coming into the market at a key time.

Home networks are increasingly including a range of devices — not just phones, laptops and tablets; but set-top boxes, home security systems, lighting and fire detection, home ‘hubs’, connected appliances and more. Gartner estimates more than 7 billion connected devices in the consumer market for this year, with that number rising to 12.9 billion by 2020.

But perhaps an even bigger urgency is that home routers — which Rauscher describes as “low-hanging fruit” — have increasingly become a target for malicious hackers. A report from Akamai earlier this year estimated that 65,000 home routers have been accessed by hackers; the US and UK governments have further issued warnings that Russian hackers are lying in wait, using compromised routers to lay out long-term cyber warfare operations.

In that context, while the concept of securing a home router might not sound like as lucrative a target on its own compared to multi-million-dollar enterprise contracts (and the billions of dollars and thousands of data points that are at stake), the wider problem is clearly one that is ripe for addressing.

In a nutshell, Rauscher — also, I should add, notable for being one of a handful of female founders in the world of cybersecurity — says that SAM operates by way of the router, identifying and providing security wrappers for every device that connects to it.

“Our software is agnostic to any home router,” she said, adding that once you secure the router, “you secure everything in the network.” The essence of what SAM does is look for suspicious connections into and out of these devices, and block them when it detects them, essentially taking on the role of an IT department, or presenting an enterprise-style deployment designed to work in the home.

“We were impressed with SAM’s technology and level of security for the home network, which is a critical part of building out the future of 5G,” said Dave Flanagan, vice president of Intel Corp. and group managing director of Intel Capital. “Unlike existing solutions, which necessitate buying a new gateway or replacing it with a secure gateway, SAM’s solution provides end-users security, without them needing to do anything. And for telecommunications companies and ISPs, its AI and machine learning capabilities monitor behavior on the network to detect unusual activity and prevent attacks. With the global market for smart home technology predicted to hit $100 billion by 2020, Intel and its partners know security is essential.”


Meet the Magecart hackers, a persistent credit card skimmer group of groups you’ve never heard of

Tech Crunch Security - Tue, 11/13/2018 - 5:49pm

There have been few hacker groups that have been responsible for as many headlines this year as Magecart.

You might not know the name, but you probably haven’t missed their work — highly targeted credit card skimming attacks, hitting Ticketmaster and British Airways, as well as consumer electronics giant Newegg and likely many more sites that have been silently hacked to scrape consumer credit card data at the checkout.

Nobody knows those attacks better than Yonathan Klijnsma, a threat researcher at security firm RiskIQ, who’s been tracking Magecart for more than a year.

In a new report published with risk intelligence firm Flashpoint, Klijnsma has exposed the inner workings of the hackers — a group of groups, rather than a single entity — all with different modus operandi and targets, which he described as a “thriving criminal underworld that has operated in the shadows for years.”

“Magecart is only now becoming a household name,” the researcher said.

Chief among Klijnsma’s findings is that there are at least six distinct groups operating Magecart skimming scams, each taking their own approach. Group 1 began as early as 2014 by targeting thousands of sites with attacks and single-use servers for hosting the malware and storing the collected data, while Group 2 and Group 3 expanded their reach and honed their attacks to hook their card skimming malware on a greater range of payment providers. Group 4 took the bulk of the victims — more than 3,000 sites hacked — with its scattergun approach, grabbing as many cards as it could from as many sites as it could.

The groups have been going where the money is — breaking into websites using known server vulnerabilities, injecting card payment skimming code and siphoning off credit card numbers, names and security codes on an attacker-controlled server, often for months at a time.

If they get caught, they just move on to their next victim.

Magecart’s most high-profile victims were the work of Group 5, which carried out supply chain attacks by hitting third-party code providers — like customer service chat boxes — whose code is installed on thousands of sites and so carried the group’s malware with it, expanding the group’s reach on a massive scale. It was Group 5 that RiskIQ blames for the attacks on many of Ticketmaster’s global sites. Group 6, meanwhile, also began highly selective attacks that only targeted major players — including British Airways and Newegg.

Between the half-dozen groups that RiskIQ has identified so far, at least 6,400 sites have been affected.

And that’s just the start.

Once a steady stream of credit card numbers comes in, the hackers will sell the data — often on the dark web, making it easier to hide their activities from the law.

Magecart’s credit card skimming cycle. (Image: RiskIQ/Flashpoint)

Klijnsma warned that there will be many more card skimming groups and many more websites affected — larger and lesser-known sites alike that have yet to be discovered.

Case in point: Earlier this year, little-known New Jersey-based electronics retailer TechRabbit disclosed a data breach. Like so many other sites, it went largely unnoticed — except, upon closer inspection, the breach had all the hallmarks of Magecart. Willem de Groot, a security researcher cited in the Magecart report, confirmed on Twitter — and independently verified by TechCrunch — that the site had been hit again months later.

We reached out to the company’s chief executive, Joel Lerner, to inform him of the card skimming malware. “Who is TechCruch [sic] and what do you know about TechRabbit?” he said.

After several emails back and forth, including a screenshot sample of the malware on the site’s checkout pages, he expressed concern but stopped responding.

Klijnsma conceded that although his research has given an unprecedented insight into how the Magecart groups work, “that doesn’t mean we will be able to spot every instance and every attack,” he said. There are likely many more sites affected by card skimming malware — as of yet undetected. “We’d like to call on the industry and everyone who encounters these attacks to help take it down,” he said.

To combat the threat from Magecart, RiskIQ and other cybersecurity firms can sinkhole domains associated with Magecart infrastructure, pulling them offline and out of operation.

Klijnsma said it requires a layered approach — like website owners improving their security with security patches and segregating servers. “You don’t catch this with just one security control but rather you stack them and try to catch it at at least one of these steps,” he said.

“Basically any vector is game among these groups with some groups utilizing all of them to reach their goal of breaching a target,” he said.


MetaCert’s Cryptonite can catch phishing links in your email

Tech Crunch Security - Tue, 11/13/2018 - 3:00pm

MetaCert, founded by Paul Walsh, originally began as a way to watch chat rooms for fake Ethereum scams. Walsh, who was an early experimenter in cryptocurrencies, grew frustrated when he saw hackers dumping fake links into chat rooms, resulting in users regularly losing cash to scammers.

Now Walsh has expanded his software to email. A new product built for email will show little green or red shields next to links, confirming that a link is what it appears to be. A fake link would appear red while a real PayPal link, say, would appear green. The plugin works with Apple’s Mail app on the iPhone and is called Cryptonite.

“The system utilizes the MetaCert Protocol infrastructure/registry,” said Walsh. “It contains 10 billion classified URLs. This is at the core of all of MetaCert’s products and services. It’s a single API that’s used to protect over 1 million crypto people on Telegram via a security bot and it’s the same API that powers the integration that turned off phishing for the crypto world in 2017. Even when links are shortened? MetaCert unfurls them until it finds the real destination site, and then checks the Protocol to see if it’s verified, unknown or classified as phishing. It does all this in less than 300ms.”

Walsh is also working on a system to scan for fake news in the wild using technology similar to his anti-phishing solution. The company is currently raising funding and is working on a utility token.

Walsh sees his first customers as enterprise and expects IT shops to implement the software to show employees which links are allowed, i.e. company or partner links, and which ones are bad.

“It’s likely we will approach this top down and bottom up, which is unusual for enterprise security solutions. But ours is an enterprise service that anyone can install on their phone in less than a minute,” he said. “SMEs isn’t typically a target market for email security companies but we believe we can address this massive market with a solution that’s not scary to setup and expensive to support. More research is required though, to see if our hypothesis is right.”

“With MetaCert’s security, training is reduced to a single sentence ‘if it doesn’t have a green shield, assume it’s not safe,’ ” said Walsh.


Google’s Project Fi gets an improved VPN service

Tech Crunch Security - Tue, 11/13/2018 - 12:00pm

Google’s Project Fi wireless service is getting a major update today that introduces an optional always-on VPN service and a smarter way to switch between Wi-Fi and cellular connections.

By default, Fi already uses a VPN service to protect users when they connect to the roughly two million supported Wi-Fi hotspots. Now, Google is expanding this to cellular connections, as well. “When you enable our enhanced network, all of your mobile and Wi-Fi traffic will be encrypted and securely sent through our virtual private network (VPN) on every network you connect to, so you’ll have the peace of mind of knowing that others can’t see your online activity,” the team writes in today’s announcement.

Google notes that the VPN also shields all of your traffic from Google itself and that it isn’t tied to your Google account or phone number.

The VPN is part of what Google calls its “enhanced network” and the second part of this announcement is that this network now also allows for a faster switch between Wi-Fi and mobile networks. When you enable this — and both of these features are currently in beta and only available on Fi-compatible phones that run Android Pie — your phone will automatically detect when your Wi-Fi connection gets weaker and fill in those gaps with cellular data. The company says that in its testing, this new system reduces a user’s time without a working connection by up to 40 percent.

These new features will start rolling out to Fi users later this week. They are off by default, so you’ll have to head to the Fi Network Tools in the Project Fi app and turn them on to get started. One thing to keep in mind here: Google says your data usage will likely increase by about 10 percent when you use the VPN.


1-877-KARS4KIDS had a data breach

Tech Crunch Security - Tue, 11/13/2018 - 10:00am

Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day.

The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! In return, you get to write off the donation on your taxes, and you’re given a “holiday voucher” to sweeten the deal.

But a security lapse left thousands of those donation records exposed for anyone to find.

Bob Diachenko, Hacken.io’s director of cyber risk research, found the charity’s MongoDB database earlier this month sitting on a server wide open, with no password.

The server contained 21,612 records and climbing — representing weeks’ worth of data, Diachenko told TechCrunch, prior to blogging his findings. The data included donor email addresses and donation receipts, which included customized links to a donor’s tax receipt. He also found credentials, which he said could have allowed a hacker to access far more sensitive data.

Yet it took Kars4Kids two days to pull the database offline after Diachenko warned of the data exposure, he said.

Diachenko said that Kars4Kids had told him that customers had been informed, but TechCrunch has found no evidence of the company’s claim.

Under state law, Kars4Kids is obligated to inform New Jersey’s attorney general of the breach.

Kars4Kids spokesperson Wendy Kirwan did not respond to a request for comment sent prior to publication.

It isn’t known how long the database was exposed for, but Diachenko said he wasn’t the first to discover it. A note left in the database by a hacker claimed the data had been “downloaded and backed up,” and demanded bitcoin in exchange for its safe return.

The breach represents a portion — though not all — of the cars that Kars4Kids receives annually — reportedly tens of thousands each year. The non-profit has been criticized over the handling of its finances, and currently has a “moderate concern” rating from independent evaluator Charity Navigator.


Facebook bug let websites read ‘likes’ and interests from a user’s profile

Tech Crunch Security - Tue, 11/13/2018 - 9:00am

Facebook has fixed a bug that let any website pull information from a user’s profile — including their ‘likes’ and interests — without that user’s knowledge.

Those are the findings of Ron Masas, a security researcher at Imperva, who found that Facebook search results weren’t properly protected from cross-site request forgery (CSRF) attacks. In other words, a website could quietly siphon off certain bits of data from your logged-in Facebook profile in another tab.

Masas demonstrated how a website acting in bad faith could embed an IFRAME — used to nest a webpage within a webpage — to silently collect profile information.

“This allowed information to cross over domains — essentially meaning that if a user visits a particular website, an attacker can open Facebook and can collect information about the user and their friends,” said Masas.

The malicious website could open several Facebook search queries in a new tab, and run queries that could return “yes” or “no” responses — such as if a Facebook user likes a page, for example. Masas said that the search queries could return more complex results — such as returning all a user’s friends with a particular name, a user’s posts with certain keywords, and even more personal demographics — such as all of a person’s friends with a certain religion in a named city.

“The vulnerability exposed the user and their friends’ interests, even if their privacy settings were set so that interests were only visible to the user’s friends,” he said.

A snippet from a proof-of-concept built by Masas to show him exploiting the bug. (Image: Imperva/supplied)

In fairness, it’s not a problem unique to Facebook nor is it particularly covert. But given the kind of data available, Masas said this kind of data would be “attractive” to ad companies.

Imperva privately disclosed the bug in May. Facebook fixed the bug days later by adding CSRF protections and paid out $8,000 in two separate bug bounties.
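The class of fix described here, as an added example that is neither Facebook’s code nor Imperva’s proof of concept: a server-side decision for a logged-in search endpoint whose answers reveal user data, with the unprotected rule (any valid session cookie is answered) beside a hardened rule that also requires the request to come from the site itself. The site origin, header values and sample requests are constructed.

```javascript
const SITE_ORIGIN = "https://social.example"; // assumption: the site's own origin

function hasSessionCookie(headers) {
  return /(^|;\s*)session=/.test(headers["cookie"] || "");
}

// The behaviour the article describes: the endpoint answers any request that
// carries a valid session cookie, so a page on another site that frames the
// endpoint receives an answer computed for the victim's account.
function unprotectedDecide(headers) {
  const ok = hasSessionCookie(headers);
  return { allow: ok, reason: ok ? "session cookie present" : "no session" };
}

// Hardened rule: the session cookie alone is not enough. The request must also
// be shown to originate from our own site, using Fetch Metadata where the
// browser sends it and Origin/Referer as a fallback for older browsers.
function hardenedDecide(headers) {
  if (!hasSessionCookie(headers)) return { allow: false, reason: "no session" };

  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite) {
    // "same-origin", "same-site" and "none" (user typed the URL) are ours;
    // "cross-site" covers iframes, links and fetches started by another site.
    if (fetchSite === "cross-site") {
      return { allow: false, reason: `cross-site ${headers["sec-fetch-dest"] || "request"}` };
    }
    return { allow: true, reason: `fetch metadata: ${fetchSite}` };
  }

  // No Fetch Metadata: fall back to Origin, then Referer. A data-revealing
  // endpoint with no source information at all is refused rather than trusted.
  const ref = headers["origin"] || headers["referer"];
  if (!ref) return { allow: false, reason: "no origin information" };
  let source;
  try {
    source = new URL(ref).origin;
  } catch (e) {
    return { allow: false, reason: "unparseable origin" };
  }
  if (source !== SITE_ORIGIN) return { allow: false, reason: `foreign origin ${source}` };
  return { allow: true, reason: "origin matches" };
}

// Response headers for the search page: refuse to be framed at all, and keep
// the session cookie off cross-site requests so a framed or linked copy of the
// page would render logged-out even before the request checks above run.
function hardenedResponseHeaders(sessionToken) {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Set-Cookie": `session=${sessionToken}; Secure; HttpOnly; SameSite=Strict; Path=/`,
    "Vary": "Sec-Fetch-Site, Origin",
  };
}

// Constructed sample requests, header names lower-cased as a server sees them.
const SAMPLE_REQUESTS = {
  userSearch: { cookie: "session=abc123", "sec-fetch-site": "same-origin",
                "sec-fetch-dest": "document", origin: SITE_ORIGIN },
  framedFromOtherSite: { cookie: "session=abc123", "sec-fetch-site": "cross-site",
                         "sec-fetch-dest": "iframe", referer: "https://other.example/page" },
  oldBrowserFramed: { cookie: "session=abc123", referer: "https://other.example/page" },
  loggedOut: { "sec-fetch-site": "cross-site", "sec-fetch-dest": "iframe" },
};

// Compare both rules over the samples: { name: { before, after } }.
function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
    out[name] = { before: unprotectedDecide(headers).allow, after: hardenedDecide(headers).allow };
  }
  return out;
}

console.log(runSamples());
```

Only the framed and old-browser cases flip from allowed to refused; a genuine same-origin search still works, which is the property a fix like this has to preserve.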

Facebook told TechCrunch that the company hasn’t seen any abuse.

“We appreciate this researcher’s report to our bug bounty program,” said Facebook spokesperson Margarita Zolotova in a statement. “As the underlying behavior is not specific to Facebook, we’ve made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications.”

It’s the latest in a string of data exposures and bugs that have put Facebook user data at risk after the Cambridge Analytica scandal this year, which saw a political data firm vacuum up profiles on 87 million users to use for election profiling — including users’ likes and interests.

Months later, the social media giant admitted millions of user account tokens had been stolen by hackers who exploited a chain of bugs.

Netskope raises $168.7M at a $1B+ valuation for its cloud security platform

Tech Crunch Security - Tue, 11/13/2018 - 9:00am

As organizations continue to grapple with security risks posed by employees using a range of apps and devices in the workplace, a startup that has built a platform to help them do this has raised a significant round of funding. Netskope, which provides a cloud security platform to help set and run policies around different apps and devices, has closed a round of $168.7 million to grow its business, expand its R&D, and bring on more global data centers.

The valuation was not disclosed in Netskope’s announcement, but the company has confirmed to us that it is now over $1 billion. This is a big jump: Netskope in its previous round last year ($100 million) was valued at $525 million post-money in what the CEO Sanjay Beri told us at the time was a significant upround. On a straight line of growth, that would have put the company’s pre-money valuation at $694 million. But the fact that security risks and the predicament that Netskope is addressing have only grown has helped bump the company’s valuation above that.

As with the previous round, this Series F was led by Lightspeed Venture Partners. Accel, Geodesic Capital, Iconiq Capital, Sapphire Ventures and Social Capital — all existing investors — also participated, alongside new investor Base Partners. Fueled by the vision to tackle the toughest enterprise security challenges, the investment will enable R&D and global data center expansion of the company’s leading enterprise security cloud platform. The round brings Netskope’s total amount raised to just over $400 million.

The issue that Netskope is tackling is one that has become the norm in most businesses: people use a variety of devices at work, ranging from hardware issued by their companies through to phones, tablets and other equipment that they are bringing in themselves. On top of this, they are all also using a mix of apps, with those issued by their organizations sitting alongside apps that have been downloaded by the workers themselves, sometimes for productivity, sometimes for the exact opposite.

While some companies will try to lock down their networks and prohibit anything except what they have issued themselves, in other cases businesses might do the opposite, hoping that providing a more flexible environment will prove to be one way of attracting top talent.

But in both the cases of apps and devices “approved” by companies and those that have not, the same predicament exists: a proliferation of different services makes for a difficult security landscape, and trying to control and monitor all the data and potential leaks of it that can take place becomes a huge challenge.

Netskope aims to provide a way to do this, by creating a layer — based in the cloud — that oversees the full range of all network activity. Once Netskope is turned on by an IT department, it monitors in real time all of the apps and web sites that are visited by people on the network — currently it can ‘see’ thousands of apps and millions of web pages, it says, including all of the well-known workforce collaboration, CRM, accounting and sales apps, as well as those less well known; and also now cloud service providers such as AWS, by way of a recent acquisition of Shift.

A dashboard will show to security and IT teams what information is being accessed and where, and allows them to set policies to limit usage, warn of bad practices and more.

“We look at any transactions that happen between users and applications,” Beri has said previously. “For any activity where data traverses between you and a server, Netskope can perform data analysis on that.”

While some of this might have seemed like a useful application when Netskope launched six years ago, these days, having a tool to do this kind of monitoring has become essential. It’s not the only one addressing that, though. Competitors offering similar services include Microsoft (by way of Adallom), Blue Coat and McAfee.

“Transforming enterprise security is no longer a nice-to-have, but a requirement in order to protect and secure a company’s most important assets,” said Arif Janmohamed, Partner, Lightspeed Venture Partners, in a statement. “Netskope consistently leads the market and is disrupting and transforming the industry landscape through solving some of the toughest enterprise challenges today. Since its launch, the company has continued to adapt to the evolving security landscape and bring innovative solutions to market.”


Kaspersky starts processing threat data in Europe as part of trust reboot

Tech Crunch Security - Tue, 11/13/2018 - 6:22am

Security firm Kaspersky Labs has opened its first self-styled ‘Transparency Center’ and begun processing threat-related data from European users in data centers located in Switzerland — flipping the switch on the start of a relocation commitment it announced late last year in the face of suspicion that its antivirus software had been compromised by the Russian government and used to suck up US intelligence.

The first stage of its fightback strategy to reboot trust, a code review plan, was announced a year ago.

Then, in May, the company announced it would be moving some core infrastructure processes to Zurich in Switzerland, saying also that it would arrange for its processes to be independently supervised by a third party qualified to conduct technical software reviews.

This facility has now begun processing data, starting with European users, although this is just the start of the reconfiguration.

Software assembly will also move to Zurich in time — but not until phase two of the project, after processing for customers in other regions has also been relocated there.

It writes today:

From November 13, threat-related data coming from European users will start to be processed in two datacenters. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

The data, which users have actively chosen to share with Kaspersky Lab, includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis.

Files comprise only part of the data processed by Kaspersky Lab technologies, yet the most important one. Protection of customers’ data, together with the safety and integrity of infrastructure is a top priority for Kaspersky Lab, and that is why the file processing relocation comes first and is expected to be fully accomplished by the end of 2019. The relocation of other types of data processed by Kaspersky Lab products, consisting of several kinds of anonymized threat and usage statistics, is planned to be conducted during later phases of the Global Transparency Initiative.

By the end of 2019 the company has said the Zurich facility will be storing and processing all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries slated to follow in future. Kaspersky is not exiting Russia entirely, though, as products for the Russian market will continue to be developed and distributed out of Moscow.

The Zurich Transparency Center will also provide authorized partners with access to reviews of Kaspersky code, and software updates and threat detection rules — as well as functioning as a secure location where governments and partners can come and ask questions and review documentation.

We’d wager journalists will also be invited on inspection tours.

Commenting in a statement, CEO Eugene Kaspersky claims: “Transparency is becoming the new normal for the IT industry — and for the cybersecurity industry in particular.”

“We are proud to be on the front line of this process. As a technological company, we are focused on ensuring the best IT infrastructure for the security of our products and data, and the relocation of key parts of our infrastructure to Switzerland places them in one of the most secure locations in the world,” he goes on, reiterating that the intent of the Global Transparency Initiative is to increase “the resilience and visibility of our products”.

Which of course sounds a lot better than saying it’s responding to a trust crisis.

“Through the new Transparency Center, also in Switzerland, trusted partners and governments will be able to see external reviews of our products and make up their own minds. We believe that steps such as these are just the beginning – for the company and for the security industry as a whole. The need to prove trustworthiness will soon become an industry standard,” he adds.

Kaspersky says it has engaged “one of the Big Four professional services firms” to conduct an audit of its engineering practices around the creation and distribution of threat detection rule databases — “with the goal of independently confirming their accordance with the highest industry security practices”.

We’ve asked which third party has been selected to oversee the facility.

“The assessment will be done under the SSAE 18 standard (Statement of Standards for Attestation Engagements). The scope of the assessment includes regular automatic updates of antivirus records, created and distributed by Kaspersky Lab for its products operating on Windows and Unix Servers. The company is planning the assessment under SSAE 18 with the issue of the SOC 2 (The Service and Organization Controls) report for Q2 2019,” it further notes.

A year ago the security firm also announced a hike in its bug bounty rewards — saying it would now pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

Since then it says it has fixed more than 50 bugs reported by security researchers, claiming several were “acknowledged to be especially valuable”.


Twitter, those ‘verified’ bitcoin-pushing pillocks are pissing everyone off

Tech Crunch Security - Mon, 11/12/2018 - 1:29pm

Elon Musk’s tweets piss me off for two reasons.

When he’s not accusing actual heroes of sex crimes or trolling the federal government, it’s what comes after that drives me batshit. The top reply to most of his tweets is some asshat impersonating him to try to trick his followers into falling for a bitcoin scam.

These “get rich quick” scams are fairly simple. A hacker hijacks a verified Twitter account using stolen or leaked passwords. Then, the hacker swaps the account’s name, bio and photo — almost always to mirror Elon Musk — and drops a reply with “here’s where to send your bitcoin,” or something similar.

The end result appears as though Musk is responding to his own tweet, and nudging hapless bitcoin owners to drop their coins into the scammer’s coffers.

One of the latest “victims” was @FarahMenswear. The clothing retailer — with some 15,500 followers — was hacked this morning to promote a “bitcoin giveaway.” In the short time the scam began, the bitcoin address already had more than 100 transactions and over 5.84 bitcoins — that’s $37,000 in just a few hours’ work. Many Twitter users said that the scammers “promoted” the tweet — amplifying the scam to reach many more people.

On one hand, this scam is so depressingly easy to pull off that even I could’ve done it. Depressing on the other, because that’s half a year’s wages for the average reporter.

Still, that $37,000 is a drop in the ocean to some of the other successful scam artists out there. One scammer last week, this time using @PantheonBooks, made $180,000 in a single day by tricking people into turning over their bitcoin and promising great returns.

Another day, another Elon Musk-themed bitcoin scam. (Image: screenshot)

Why is the scam so easy?

Granted, it’s clever. But it’s a widespread problem that can be largely attributed to Twitter’s nonchalant, “laissez-faire” approach to account security.

The common thread in all of these cryptocurrency scams is account hijacking. Often, hackers use credential stuffing — that’s reusing passwords stolen in breaches of other sites and services — to break into Twitter accounts. In nearly all successful cases, the hacked Twitter accounts aren’t protected with two-factor authentication. Brand accounts shared by multiple social media users almost never use two-factor, because it’s hard to share access tokens.

For its part, a Twitter spokesperson said it’s improved how it handles cryptocurrency scams and has seen a significant reduction in the number of users who see scammy tweets. The company also said that scammers are constantly changing their methods and Twitter is trying to stay one step ahead. In many cases, these scams are nuked from the site before they’re even reported.

And, Twitter said it regularly reminds account owners to switch on stronger security settings, like two-factor authentication.

Well, enough’s enough, Twitter. You can lead a horse to water but you can’t make it drink. So maybe it’s about time you bring the water a little closer.

Until something better comes along, Twitter should make two-factor authentication mandatory for verified accounts, especially high-profile accounts — like politicians. It’s no more of an inconvenience than switching on two-factor for your email inbox or other social networking account. The settings are already there — it even rolled out the more secure app-based authentication a year ago to give users the option of switching from the less-secure text message system.

If the only other option is to stop Elon Musk from tweeting…


Cloudflare rolls out its 1.1.1.1 privacy service to iOS, Android

Tech Crunch Security - Sun, 11/11/2018 - 8:00am

Months after announcing its privacy-focused DNS service, Cloudflare is bringing 1.1.1.1 to mobile users.

Granted, nothing ever stopped anyone from using 1.1.1.1 on their phones or tablets already. But the app, now available for iPhones, iPads and Android devices, aims to make it easier for anyone to use its free consumer DNS service.

The app is a one-button push to switch on and off again. That’s it.

Cloudflare rolled out 1.1.1.1 earlier this year on April Fools’ Day, no less, but privacy is no joke to the San Francisco-based networking giant. In using the service, you let Cloudflare handle all of your DNS lookups, such as when an app on your phone tries to connect to the internet, or when you type in the web address of any site. By funneling that DNS data through 1.1.1.1, the service can make it more difficult for your internet provider to know which sites you’re visiting, and also help ensure that you can get to the site you want without having your connection censored or hijacked.

It’s not a panacea to perfect privacy, mind you — but it’s better than nothing.

The service is also blazing fast, shaving valuable seconds off page loading times — particularly in parts of the world where things work, well, a little slower.

“We launched 1.1.1.1 to offer consumers everywhere a better choice for fast and private Internet browsing,” said Matthew Prince, Cloudflare chief executive. “The 1.1.1.1 app makes it even easier for users to unlock fast and encrypted DNS on their phones.”
