LastPass owner GoTo says hackers stole customers’ backups

LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including: business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi; and its RemotelyAnywhere remote access tool.

GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Despite the delay, GoTo provided no remediation guidance or advice for affected customers.

GoTo, which in November cut 12% of its workforce, said the company does not store customers’ credit card or bank details, or collect personal information, such as date of birth, home address, or Social Security numbers. That’s in sharp contrast to the hack affecting its subsidiary, LastPass, during which attackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers, and some billing information.

GoTo did not say how many customers are affected. GoTo has more than 65 million customers, according to its last earnings report. GoTo spokesperson Nikolett Bacso-Albaum has repeatedly declined to comment or respond to TechCrunch’s questions.

Srinivasan says GoTo is contacting affected customers directly, and is advising those impacted to reset passwords and reauthorize MFA settings “out of an abundance of caution.”

LastPass owner GoTo says hackers stole customers’ backups by Carly Page originally published on TechCrunch

Vaultree raises $12.8M to let companies more easily work with encrypted data

Several years ago, on a dairy farm in the small Irish village of Dundrum, four technologists — Maxim Dressler, Ryan Lasmaili, Shaun Mc Brearty and Tilo Weigandt — brainstormed solutions for what they saw as a fundamental problem in data security: unencrypted text files. According to a 2016 survey commissioned by CyberArk, 40% of organizations store admin passwords in a Word document. A separate study from Entrust, published in 2021, found that only 42% of organizations use encryption to secure customer data.

Spurred by the trends (and the large addressable market), Dressler, Lasmaili, Mc Brearty and Weigandt developed software that let companies work with fully encrypted data without first needing to decrypt it. They then commercialized it, founding Vaultree, which sells access to the software in a software-as-a-service model.

“Most companies encrypt data at rest on their server, often sacrificing security for performance speeds to do so. However, when their employees, customers and partners use data in apps, it’s unencrypted and vulnerable,” CEO Lasmaili told TechCrunch via email. “Unencrypted data is shared with third-party companies, creating even more cyber vulnerabilities… We wanted to grab the problem at its root, going straight to fully encrypted data processing in live production database environments and enable a truly encrypted tomorrow.”

Vaultree uses a form of encryption known as “homomorphic encryption” to secure data. Unlike traditional forms of encryption, which make using encrypted data impossible without decryption, homomorphic encryption allows software to perform computations, searches or analytics as if the data wasn’t encrypted. With homomorphic encryption, users don’t have to surrender their encryption keys. And if a data leak occurs, the encryption renders it unusable to bad actors — in theory, at least.

While not new — one of the first homomorphic encryption schemes was proposed in 1978 — recent innovations have made homomorphic encryption viable to implement at scale on today’s hardware.

“Third-party apps [are] able to work on encrypted ‘Vaultree’d’ data as if it’s decrypted, enabling unlimited, easy collaboration,” Lasmaili said. “Operational performance is not inhibited, and [t]here are no complexities such as plugins, proxies or APIs… [E]xisting tech stack and database architectures can be used.”

There’s a growing market for homomorphic encryption, and Vaultree is just one of several startups rising to meet the demand. (Global Market Insights predicts the industry could be worth $300 million by 2030.) Ravel and Duality are two others; Duality recently scored a $14 million DARPA contract for its hardware-accelerated homomorphic encryption tech.

All homomorphic encryption platforms have their drawbacks, to be clear. As homomorphic encryption struggles with poor performance — encrypted files tend to be larger than their unencrypted counterparts — it’s infeasible for certain computationally heavy applications. It also doesn’t provide “verified computing”; without additional steps, homomorphic encryption offers no guarantee that the correct computation was performed.
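The property described above, and the missing “verified computing” caveat, in a runnable toy: an added example in Python using the Paillier cryptosystem (additively homomorphic), not Vaultree’s or any vendor’s code. The primes and the salary column are constructed sample values; real deployments use keys thousands of bits long.

```python
"""Toy Paillier cryptosystem: additively homomorphic encryption.

Constructed example. The primes are tiny fixed values so it runs instantly
offline; they are far too small for real use.
"""
import random
from math import gcd

# Constructed toy primes (the 9,999th and 10,000th primes); insecure sizes.
P, Q = 104723, 104729


def _lcm(a: int, b: int) -> int:
    return a * b // gcd(a, b)


def _L(u: int, n: int) -> int:
    # The "L function" from the Paillier paper: (u - 1) / n, exact division.
    return (u - 1) // n


def keygen(p: int = P, q: int = Q):
    """Return (public_key, private_key) = ((n, g), (lam, mu))."""
    n = p * q
    lam = _lcm(p - 1, q - 1)                    # Carmichael function of n
    g = n + 1                                   # (1+n)^m = 1 + m*n (mod n^2)
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)  # modular inverse, Python >= 3.8
    return (n, g), (lam, mu)


def encrypt(pk, m: int) -> int:
    """Randomised encryption: c = g^m * r^n mod n^2, with a fresh r per call."""
    n, g = pk
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    n2 = n * n
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c: int) -> int:
    n, _ = pk
    lam, mu = sk
    return (_L(pow(c, lam, n * n), n) * mu) % n


# --- operations an untrusted party can run with ONLY the public key ---

def add_encrypted(pk, c1: int, c2: int) -> int:
    """Enc(a) * Enc(b) mod n^2 == Enc(a + b): addition without decrypting."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scale_encrypted(pk, c: int, k: int) -> int:
    """Enc(a)^k mod n^2 == Enc(k * a): multiplication by a known constant."""
    n, _ = pk
    return pow(c, k, n * n)


def untrusted_total(pk, ciphertexts):
    """What a third-party processor computes: the encrypted sum of a column."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


def demo():
    """Data owner encrypts a column, processor sums it blind, owner decrypts."""
    pk, sk = keygen()
    salaries = [52000, 61000, 47000]             # constructed sample data
    column = [encrypt(pk, s) for s in salaries]  # only ciphertexts leave the owner
    enc_sum = untrusted_total(pk, column)        # processor never holds a key
    honest = decrypt(pk, sk, enc_sum)
    # Caveat: HE alone gives no "verified computing". A processor that silently
    # drops a row returns a ciphertext the owner decrypts just as happily, and
    # nothing in the scheme flags that the wrong computation was performed.
    tampered = decrypt(pk, sk, untrusted_total(pk, column[:2]))
    return honest, tampered


if __name__ == "__main__":
    print(demo())  # (160000, 113000)
```

Because encryption is randomised, two encryptions of the same value produce different ciphertexts, so a leaked column reveals neither the values nor which rows are equal.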

Lasmaili didn’t address those limitations directly, save claiming that the Vaultree platform offers better-than-average performance. But he asserted that Vaultree improves upon rival platforms by offering more flexibility in what companies can encrypt: data in use, at rest or in transit.

Vaultree is a Google Cloud partner, delivering what it claims is one of the first fully managed, functional data-in-use encryption schemes. And for on-premises setups, Vaultree provides a software development kit that lets customers slot its tech into their existing software environments.

Investors apparently like what they see. Vaultree this week closed a $12.8 million Series A round led by Molten Ventures with participation from Ten Eleven Ventures, SentinelOne, Elkstone Partners, CircleRock Capital and Cyber Club London, building on an October 2021 seed round totaling $3.3 million.

“An enterprise can opt for which databases, columns and even column names to encrypt or not, with granular access levels to mitigate risks even further,” Lasmaili explained. “Vaultree does not hold client data or keys — control and ownership stays completely with the enterprise using our toolkit.”

Vaultree, which has a staff of 48 and has raised $16.4 million in venture capital to date, claims to have recently onboarded “several multinational corporations,” including U.S., European and “international” healthcare sector organizations and financial institutions as clients. (Lasmaili declined to reveal the size of Vaultree’s customer base or early revenue numbers, or burn rate.) The focus over the coming months will be iterating features and covering new databases to expand support for various tech stacks, Lasmaili said, as Vaultree prepares to make its service generally available after a months-long beta.

“Cybersecurity is one of the most essential tech sectors and pretty strongly positioned to overcome potential headwinds,” he added when asked about the current economic climate and its potential impact on business. “Encryption in particular has been receiving a lot of attention over the last few years and that we were able to secure such a significant investment in these times is proof that the space is growing further in importance and size. Vaultree itself is putting a high focus on R&D with continued efforts in cryptographic innovation development and patent registrations to always be at the forefront of data protection.”

Vaultree raises $12.8M to let companies more easily work with encrypted data by Kyle Wiggers originally published on TechCrunch

Let’s Encrypt issues 3 billion HTTPS certificates

Non-profit certificate authority Let’s Encrypt hit a major milestone earlier this month: it issued its three billionth HTTPS certificate.

The Let’s Encrypt project was founded in 2013 to provide websites with the free SSL and TLS certificates needed to enable HTTPS and encrypted communications. The organization, run by the Internet Security Research Group (ISRG) and backed by the Electronic Frontier Foundation, issued its first HTTPS certificate in September 2015 for none other than its own domain.

The ISRG announced this week that Let’s Encrypt issued its three billionth certificate earlier this month and is now providing TLS to over 309 million domains, an increase of 12% compared to the year earlier.

While Let’s Encrypt took five years to issue its billionth certificate, it has reached the three billion milestone just two years later.

The ISRG also revealed in its 2022 annual report that 82% of web pages loaded by Firefox are using HTTPS globally. When Let’s Encrypt was founded, only 38% of website page loads were served over an HTTPS-encrypted connection.

This growth comes as Let’s Encrypt finds itself trusted and integrated by more significant players in the browser, operating system and cloud markets, including Apple, Google, Microsoft, Oracle, and more.

So what’s next for Let’s Encrypt? The organization is aiming to make certificate renewal far easier for websites, especially if the organization is forced to revoke a certificate, such as if a website’s server is compromised. Let’s Encrypt was forced to revoke more than three million certificates because of a bug in its domain validation and issuance software in March 2020, and in January this year revoked millions of active certificates due to “irregularities” in the code.

ISRG executive director Josh Aas said its new specification for renewing certificates is “making its way through the IETF standards process so that the whole ecosystem can benefit, and we plan to deploy it in production at Let’s Encrypt shortly.”

Let’s Encrypt’s ultimate goal is to bring the web up to a 100% encryption rate. While we’re still a way away, this latest milestone suggests it’s more in reach than ever before.

Let’s Encrypt issues 3 billion HTTPS certificates by Carly Page originally published on TechCrunch

New code suggests Twitter is reviving its work on encrypted DMs

Under Elon Musk, Twitter may be reviving a project that would bring end-to-end encryption to its Direct Messaging system. Work appears to have resumed on the feature in the latest version of the Android app, according to independent researcher Jane Manchun Wong, who spotted the changes to Twitter’s code. While Musk himself recently expressed interest in making Twitter DMs more secure, Twitter itself abandoned its earlier efforts in this space after prototyping an encrypted “secret conversations” feature back in 2018.

Had the encrypted DMs feature launched, it would have allowed Twitter to better challenge other secure messaging platforms like Signal or WhatsApp. But work on the project stopped and Twitter never publicly explained why — nor had it commented on the prototype Wong also found being developed in the app years ago.

Now, Wong says she’s seen work on encrypted DMs resume, tweeting out a screenshot of Twitter’s code, which references encryption keys and their use in end-to-end encrypted conversations. Another screenshot shows a “Conversation key,” which the app explains is a number generated from the encryption keys of the users in the conversation. “If it matches the number in the recipient’s phone, end-to-end encryption is guaranteed,” the message reads.

In response to Wong’s tweets, Musk replied with a winking face emoji — an apparent confirmation, or at least what stands in for one these days, given that Twitter laid off its communications staff and no longer responds to reporters’ requests for comment.

Unlike the other projects Musk’s Twitter has in the works, like a relaunch of the Twitter Blue subscription now due out later this month, end-to-end encryption is something that cannot — and should not — be rushed out the gate.

Meta, for example, took years to fully roll out end-to-end encryption (E2EE) in Messenger, after having first tested the features in 2016. It wasn’t until this summer that Meta announced it would finally expand its E2EE test to individual Messenger chats. The company explained the delay to launch was, in part, due to the need to address concerns from child safety advocates who had warned the changes could shield abusers from detection. Meta also intended to use AI and machine learning to scan non-encrypted parts of its platform, like user profiles and photos, for other signals that could indicate malicious activity. Plus, it needed to ensure that its abuse-reporting features would continue to work in an E2EE environment.

In short, beyond the technical work required to introduce E2EE itself, there are complicating factors that should be taken into consideration. If Musk announces encrypted DMs in a compressed time frame, it would raise concerns about how secure and well-built the feature may be.

Plus, with Twitter’s 50% workforce reduction and the departure of key staff — including chief information security officer Lea Kissner, who would understand the cryptological challenges of such a project — it’s unclear if the remaining team has the expertise to tackle such a complex feature in the first place.

Musk, however, seems to believe encryption is the right direction for Twitter’s DM product, having recently tweeted “the goal of Twitter DMs is to superset Signal.” And, in response to a user’s question about whether Twitter would merge with telecommunication or become a WhatsApp replacement, Musk responded simply that “X will be the everything app.”

“X” here refers to Musk’s plan to transform Twitter into a “super app” that would combine payments, social networking, entertainment and more into one singular experience. Last week, he spoke in more detail about his plans for the payments portion, suggesting Twitter could one day allow users to hold cash balances, send money to one another and even offer high-yield money market accounts.

New code suggests Twitter is reviving its work on encrypted DMs by Sarah Perez originally published on TechCrunch

WhatsApp confirms some users have access to its new group discussions feature, WhatsApp Communities

WhatsApp Communities, the messaging app’s anticipated expansion aimed at supporting larger discussion groups, has now rolled out to additional users as it nears a public launch. The company declined to share specific details as to how many users or which countries were seeing the new feature as testing expands, but confirmed that more users have now been given early access.

First announced in April, WhatsApp Communities is a significant attempt to re-create the popularity of Facebook’s Groups within a messaging app environment. Created by the app’s end users, communities include features designed to add structure to larger group chats such as support for file sharing, 32-person group calls, emoji reactions, as well as admin tools and moderation controls, among other things.

In addition to capitalizing on WhatsApp’s end-to-end encryption and users’ growing desire to network within private communities outside of larger social networks, WhatsApp Communities also present a challenge to other messaging apps that have grown in popularity, like Telegram. The feature could also appeal to clubs or organizations that today engage in group chats across private platforms and apps like Apple’s iMessage, GroupMe, Band, Remind and others.

What makes the feature appealing to larger groups is that not all the discussions take place in a single chat, which can get busy. Instead, only admins have the ability to share announcements to all Community members through the main announcement group, which can support thousands of users. Meanwhile, members can chat in smaller sub-groups that admins have created or approved.

Unlike Facebook Groups, WhatsApp Communities aren’t public or discoverable on the platform. Users have to be invited to a Community in order to join.


According to reports by sites including Android Police and WABetaInfo, some WhatsApp beta testers were newly reporting they had gained the ability to create a community in the app. The reports noted that the ability to hide your phone number from other sub-group members wasn’t immediately supported — though it’s expected to be available when the feature publicly launches.

However, the reports claimed it was WhatsApp beta app users who were gaining access to this feature. This isn’t quite accurate, we understand. WhatsApp clarified to TechCrunch it’s the full feature that’s rolling out to a small number of users in a few countries at the moment.

The company declined to share which countries were among those with access but at least one report claims that Malaysia is among them.

Ravel emerges from stealth with privacy-first data tools based on scalable homomorphic encryption

The world has gotten a lot more serious about privacy and data protection, but in many cases business models that rely on personalization of one kind or another have struggled to keep up. Today, a startup out of Paris called Ravel Technologies is emerging from stealth with an approach it believes could be the missing link between those two. It’s built a tool based on homomorphic encryption to keep personally identifiable information (PII) private from end to end without needing to touch the data itself. It’s launching first with a tool to enable “zero-knowledge” advertising services, and another for financial services.

The company has been around for almost four years and was initially bootstrapped, hiring a team of academics and advisors including Fields Medal Recipient Cedric Villani. Now it’s disclosing that Airbus Ventures has led a seed round of an unspecified amount. It has not disclosed any customer names but Mehdi Sabeg, the CEO who co-founded the company, said that it’s in advanced discussions with companies across both products. It notes that French bank BNP Paribas is among those running a proof of concept process.

Homomorphic encryption, as others have described it before, is something of a “holy grail” in the world of security. First conceived of by academics, the technique involves extensive algorithmic encryption of an organization’s data that lets it stay encrypted even as that organization collaborates with third parties to process the data and deliver their own services based on it — as you might, for example, encounter in an advertising network.

The holy grail aspect comes in because while the idea sounds great in theory, in practice it requires enormous computational resources to run, so much so that up to now a lot of efforts to put homomorphic encryption into practice have fallen short.

That’s led other companies who are attempting to build their own approaches to use either modified versions of HE, or to apply it to smaller, well-defined sets of data — approaches that we’ve covered used by the likes of Enveil and Duality, two other HE-based startups that have attracted some interesting attention.

Ravel’s big breakthrough, it says, is a new approach that not only allows it to implement fully homomorphic encryption (FHE), which it claims none of the others have done, but to do it at scale, across data sets of any size. Sabeg said that the speed at which Ravel works on data is “four orders of magnitude faster” than the other HE-based solutions that have been rolled out.

Sabeg added that Ravel has put in patent applications on its approach. In general terms, it’s based around a fully encrypted SQL database — the first of its kind, he said — that enables encrypted queries over large volumes of encrypted data.

The current climate for data protection and privacy has created the vacuum that Ravel is hoping to fill.

Today, especially in certain jurisdictions, there are gateways governing how that data can be sourced and subsequently used, with users able to opt out and essentially remove all personalization, rendering useless a lot of the adtech and other tools built around that concept. Sabeg noted that for companies adopting its tech, gates such as GDPR’s would still be in place, but they would still be able to run their regular advertising services, since the data they were using would no longer be PII-related. In the case of the zero-knowledge ad tool, the service would run through an API, with an SDK at the publisher’s end to implement it; in the case of the financial services tool, it would be the financial platform and, say, a third-party tool to execute trades.

Similarly, in the financial exchanges application, Sabeg said that the aim is to ensure confidentiality and “remove market biases” that come in plaintext data that might, for instance, come up in bidding, which is something that has come up in the context of blockchain exchanges.

It was the emergence of GDPR, in fact, that first led Sabeg, a mathematician by training, to consider how one could apply the concept of HE to the model of online advertising and how DSPs work.

“GDPR was about to be implemented and all the ad customers were complaining about the constraints of it,” he said. “I found GDPR interesting. In its essence, I loved the values it was defending but could understand the problem the ad industry was seeing. I thought we could bring an efficient tech answer. Thought that HE could be used as de-identification tech. An industry could collect and process data while never having to use PII.”

We’ve covered a number of startups looking for ways to apply homomorphic encryption to build more privacy-first data services, but they are not the only ones in pursuit of this idea, in some cases because of how central advertising and other data-heavy services are to them.

Facebook/Meta last year went on a hiring spree to pick up a number of key homomorphic encryption research specialists, including Kristin Lauter, a longtime Microsoft employee, to head up its West Coast AI research, and it’s publishing research on the topic. “It shows the importance they are giving to that technology,” Sabeg said. Others like Google have also dedicated some research into the area, and Apple is also applying it in some of its own privacy tools.

“Given the impressive, major algorithmic breakthroughs achieved by Ravel’s team, Ravel Fully Homomorphic Encryption is orders of magnitude faster than state-of-the-art FHE schemes,” noted Villani in a statement. “With the continual increase of personal and industrial data being processed globally, privacy, and confidentiality protection are of paramount importance. Ravel’s breakthroughs bring an efficient and scalable answer to critical data privacy and security challenges.”

Ex-security chief accuses Twitter of cybersecurity mismanagement in an explosive whistleblower complaint

Twitter’s former head of security Peiter “Mudge” Zatko has accused his former employer of cybersecurity negligence in an explosive whistleblower complaint first obtained by CNN and The Washington Post.

Zatko, a well-known hacker, was recruited by Twitter to head up the company’s security division in late 2020, months after a very public breach saw hackers hijack the Twitter accounts of some of the world’s most famous people, including Joe Biden and Elon Musk. He was let go from the company less than two years later.

Though his time at Twitter was brief, Zatko says he witnessed “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” according to his whistleblower complaint dated July 6, which was filed with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Justice Department. He told the Washington Post that his public whistleblowing comes after his attempts to flag the security lapses with Twitter’s board were ignored.

Zatko alleges in the complaint, reviewed by TechCrunch, that Twitter lacked basic security controls. He said thousands of employee laptops contained complete copies of Twitter’s source code and that about one-third of those devices blocked automatic security fixes, had system firewalls turned off, and had remote desktop access enabled for non-approved purposes. Zatko also accused the company of failing to actively monitor what employees were doing on their computers. As a result, “employees were repeatedly found to be intentionally installing spyware on their work computers at the request of external organizations,” the complaint said.

Zatko also alleges that about 5,000 full-time employees had broad access to the company’s internal software and that access was not closely monitored, giving them the ability to tap into sensitive data and alter how the service worked.

During his time at the company, Zatko said he came across a number of vulnerabilities “waiting to be discovered.” He says he discovered that half of the company’s 500,000 datacenter servers run on outdated software that does not support basic security features, such as encryption for stored data, or that no longer receives regular security updates from its vendors. This meant that Twitter suffered from an “anomalously high rate” of security incidents, Zatko said, and he “reasonably feared Twitter could suffer an Equifax-level hack,” referring to the 2017 credit agency breach that resulted in the theft of close to 150 million Americans’ personal information.

The complaint alleges that the company had approximately one security incident each week serious enough that Twitter was required to report it to government agencies.

“In 2020 alone, Twitter had more than 40 security incidents, 70% of which were access control-related,” the complaint reads. “These included 20 incidents defined as breaches; all but two of which were access control related.”

Beyond claims of serious cybersecurity failings, Zatko also alleges that the Indian government forced Twitter to hire one of its agents and that the company repeatedly violated the terms of a 2011 agreement with the FTC. The complaint alleges Twitter does not reliably delete users’ data — including direct messages — after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.

The complaint also has potential implications for Twitter’s legal battle with Musk, who is trying to get out of a $44 billion contract to buy the social media platform. Zatko says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and weren’t motivated to do so.

Twitter spokesperson Madeline Broas told TechCrunch in a boilerplate statement: “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Signal says 1,900 users’ phone numbers exposed by Twilio breach

End-to-end encrypted messaging app Signal says attackers accessed the phone numbers and SMS verification codes for almost 2,000 users as part of the breach at communications giant Twilio last week.

Twilio, which provides phone number verification services to Signal, said on August 8 that malicious actors accessed the data of 125 customers after successfully phishing multiple employees. Twilio did not say who the customers were, but they are likely to include large organizations after Signal on Monday confirmed that it was one of those victims.

Signal said in a blog post Monday that it would notify about 1,900 users whose phone numbers or SMS verification codes were stolen when attackers gained access to Twilio’s customer support console.

“For about 1,900 users, an attacker could have attempted to re-register their number to another device or learned that their number was registered to Signal,” the messaging giant said. “Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered.”

While this didn’t give the attacker access to message history, which Signal doesn’t store, or contact lists and profile information, which is protected by the user’s security PIN, Signal said “in the case that an attacker was able to re-register an account, they could send and receive Signal messages from that phone number.”

For those affected, the company says it will unregister Signal on all devices that the user is currently using — or that an attacker registered them to — and will require users to re-register Signal with their phone number on their preferred device. Signal also advises users to switch on registration lock, a feature that prevents an account from being re-registered on another device without the user’s security PIN.

Although the Twilio breach impacts a fraction of Signal’s 40 million-plus users, users have long bemoaned how Signal — considered one of the most secure messaging apps — requires users to register a phone number to create an account. Other end-to-end encryption apps, such as Wire, allow users to sign up with a username. While Signal has slowly moved to end its reliance on phone numbers, such as with the introduction of Signal PINs in 2020, this incident will likely reignite calls for it to move faster.

What you might have missed at Black Hat and Def Con 2022

Hackers, researchers, cybersecurity companies, and government officials descended on Las Vegas last week for Black Hat and Def Con, a cybersecurity double-bill that’s collectively referred to as “hacker summer camp.”

This year’s cyber gathering was particularly exciting: not only did it mark Black Hat’s 25th anniversary, but also the first time since the start of the pandemic that the attendees have fully returned to the carpeted hallways of the popular security conferences. This meant that amid the mask confusion and subsequent influx of positive tests, there was a lot for the hacking community to catch up on.

We’ve rounded up some of the best announcements from the two shows.

Starlink hacked with $25 homemade modchip

A cybersecurity researcher revealed it’s possible to hack into Starlink terminals using a $25 device. Belgian security researcher Lennert Wouters took to the stage at Black Hat on Thursday to showcase how he was able to hack Starlink’s user terminals — referred to as “Dishy McFlatface” by Elon Musk’s SpaceX employees — using a homemade circuit board, or “modchip.” This gadget permits a fault injection attack that bypasses Starlink’s security system and allows access to control functions that Starlink had intended to keep locked down. Wouters disclosed the vulnerability to SpaceX last year, earning his place in the company’s bug bounty hall of fame. Following his talk, SpaceX responded with a six-page paper explaining how it secures its systems, along with a firmware update that “makes the attack harder, but not impossible, to execute.”

Zoom installer flaw enables root access on macOS

Thanks to the widespread shift to remote and hybrid working over the past couple of years, Zoom has become an essential communications tool for many organizations and is installed on millions of devices worldwide. But security researcher Patrick Wardle revealed during a talk at Def Con that a flaw in Zoom’s installer for macOS could allow an attacker who already has low-privileged access to a Mac to escalate to root, the highest level of access on the operating system, including system files and sensitive user documents. Wardle found that the auto-update helper set up by the Zoom macOS installer runs in the background with root privileges, and that its checks could be tricked into running an attacker-supplied program through the update function, which then inherits those privileges. Although the flaw was not patched at the time of Wardle’s presentation, Zoom fixed the issue in an update released over the weekend; users should make sure their client has picked up that update, since the updater itself was the vulnerable component.

Ukraine’s cyber chief makes surprise appearance

Victor Zhora, Ukraine’s lead cybersecurity official, made an unannounced visit to Black Hat, where he spoke to attendees about the state of cyberwarfare in the country’s conflict with Russia. Zhora, who serves as deputy chairman of Ukraine’s State Service of Special Communications and Information Protection, revealed that cyber incidents in the country have tripled since Russia’s invasion in February, adding that Ukraine had detected over 1,600 “major” cyber incidents so far in 2022, including the discovery of the Industroyer2 malware that can manipulate equipment in electrical utilities to control the flow of power.

U.S. unmasks alleged Conti ransomware operative

Also making a surprise appearance was the U.S. Department of State, which used the opportunity to announce a reward of up to $10 million for information leading to the identification and location of five alleged members of the notorious Russia-based Conti ransomware gang. The reward is offered as part of the State Department’s Rewards for Justice (RFJ) program, which on Thursday shared a photograph of an alleged Conti operator who goes by the handle “Target,” marking the first time the U.S. government has publicly put a face to a Conti operative.

Virtru reveals encrypted period-tracking app prototype

The recent overturning of Roe v. Wade sparked fears that period and ovulation-tracking apps could be used to prosecute people who seek an abortion or medical care for a miscarriage and those who assist them. In response, Virtru, best known for its email encryption service for enterprises and consumers, showcased a prototype period-tracking app at Def Con that claims to give users complete control of their private information. SecureCycle, built by a team of Virtru employees in three days during a recent company hackathon, leverages open-source end-to-end encryption offered by OpenTDF and will notify the data owner if any third party attempts to access their data.

‘Basic’ security flaws create major 5G risks

5G commercial networks are starting to roll out, promising new use cases like automated cars, more intelligent healthcare, and smart sensor networks. But Altaf Shaik, a researcher at the Technical University of Berlin, said these 5G networks could also present new security challenges. Shaik and his colleague Shinjo Park examined the APIs offered by 10 mobile carriers that expose Internet of Things (IoT) data to developers and found “basic” API vulnerabilities, such as broken access control, in every one of them. Shaik told Wired that though these flaws are simple, they could be abused to reveal SIM card identifiers, SIM card secret keys, billing information and the identity of who purchased which SIM card.

Wire grabs fresh funding for secure messaging tech that’s big with G7 governments

More funding for European end-to-end encrypted messaging app Wire: The enterprise-focused messaging platform told TechCrunch it has closed a €24 million Series C round of funding led by growth equity firm Cipio Partners and Iconical, the investment vehicle of Skype co-founder Janus Friis. Existing investor UVC Partners also participated, among other returning backers.

The messaging tool — which launched almost a decade ago — was originally conceived as a fresh take on secure consumer comms, drawing on certain connections to Skype (including early backing from Friis).

But with increasingly fierce competition in the consumer space, from the likes of WhatsApp and Signal (and other E2EE messaging apps), the team pivoted focus to the b2b market — a move that caused a bit of consternation among certain privacy advocates when it emerged, back in 2019, that Wire had taken in its first ever tranche of VC funding and moved its holding company from Europe to the US. (Though the team defended the changes as just a practical reflection of its refocused b2b mission.)

Wire did not close its app off to consumer users entirely, and still offers a free version for download, but these days the tool is fully focused on the enterprise market — offering an extensive suite of collaboration, compliance and user management features, as well as the ability for customers to store the encrypted user data on premise (it says the majority of its customers opt for this) rather than in Wire’s (Europe-based) cloud.

So while Wire may have flown under the radar of many consumers, it has continued growing usage and touts a doubling of its Annual Recurring Revenue (ARR) in the last twelve months — off the back of what it dubs “significant” customer wins across private and public sectors.

It sells in to heavy-weight customers where security is very much front of mind — including governments, militaries and regulated businesses with high compliance requirements around information (such as the finance and healthcare sectors).

This explains why it’s not able to actually name those “significant” recent customer wins — though it can point to having five of the world’s G7 governments on board, including the German federal administration and the federal parliament (aka the Bundestag). And Wire’s adoption by German federal authorities has garnered it some local press attention related to usage by politicians after the app was recommended by the BSI, Germany’s federal office for information security.

“The last German government was formed on Wire… and what is interesting is we didn’t have a clue about it!” says co-MD and co-founder Alan Duric, chatting to TechCrunch via videocall. He confirms the team only gleaned that particular high level gem of a detail when they read about it in the German press — which is of course a great advert for the robust privacy, between provider and user, that E2EE provides.

Duric, who has occupied a number of roles at Wire throughout its decade run — and is currently splitting the top exec job with a new hire, Andre Kiehne, following a decision by prior CEO, Morten Brogger, to step down to seek his next challenge — says that as well as robust security, “data sovereignty” is a major motivating force for customer adoption.

“Microsoft completely left that space — they are completely cloud-based,” he points out. “We enable a number of customers to run secure collaboration and communication on prem and in a number of cases… there is a number of large networks that are being built that are not even connected to the public Internet.

“For instance the German government — and also we’ve seen it with some of the other prospects — they are running a network which is not connected to the public Internet [for security reasons]. And you will see, I think, more and more of those cases.”

Adapting its product so the software is still able to function in an “air-gapped” network scenario, without an Internet connection being on tap, is thus something that distinguishes Wire from more mainstream business comms tools.

He also points to Wire being built on MLS (Messaging Layer Security), the IETF’s open protocol standard for E2EE group messaging, as another reason it’s winning government custom in Europe — support for MLS is, he suggests, being seen as important for enabling the secure messaging interoperability envisaged by the EU’s Digital Markets Act (DMA), a regulation which targets Big Tech “gatekeepers’” ability to leverage network effects to lock users inside “walled garden” services.

“I hope… [in a couple of years we] will see MLS being a driving force to open up all those big monopolies — from Microsoft, from Google, WhatsApp, from Facebook, so that all of those systems will be able to interoperate,” he adds. “This is… one of the main premise behind the DMA, and this was also something that was very important for the German government — that the solution which they buy is based on open standards.”

In all, Wire says it has more than 1,800 customers at this stage — a top-line figure that hasn’t changed since it last raised, a $21M Series B round in April 2021 — but that’s down to the heft of some of the customers, per Duric, with a lot of focus going on chasing down “very large” customers, like governments, which can of course be notoriously slow at procurement. (He confirms, though, that it’s seen double-digit growth in customer numbers since last year.)

The relatively modest size of the Series C versus last year’s B looks to be a reflection of Wire’s rising revenues reducing its need for external capital — turnover is up 2x since last year, and the co-MD says it’s aiming to double revenues again over the next year.

Duric says the plan for the Series C is to accelerate Wire’s penetration and scale in markets “where we had a pretty good start” — such as in sectors like government and the military — as well as looking to expand its focus on regulated markets, like financial services.

On the latter, he points to some large fines that have recently hit US banks for failing to monitor employees using unauthorized messaging apps as illustrative of the opportunity Wire is spying.

It has created a compliance tool for customers who need to be able to audit employees’ comms, which seeks to tread a tightrope between preserving E2EE and enabling access to comms data in the clear to meet specific legal requirements. (The short version of how Wire does this: the customer provisions a regulated employee’s account with an additional virtual device, running server-side, which operates with that user’s own credentials and so receives the same end-to-end encrypted content as their other devices, copying it to auditable storage. The individual user is responsible for authorizing the provisioning of that device, so there is no silent copying going on; the user has to be aware their data is being cloned for potential audit. The practical caveat is that the audit store then holds that user’s messages in the clear, so its access controls, not the E2EE, become the security boundary for that data.)

“I hope we built a solution that is not compromising security at all — or as little as possible — and is providing full compliance to those that need it,” says Duric. “This is one of the segments where we are getting traction.”

He also suggests its approach could stand it in good stead given (potentially) new regulations in the EU, related to combating CSAM, which could put pressure on E2EE platforms to be able to scan content. “[It’s] a very, very difficult area and a question that’s ahead of us but I think there [on the b2b market side] with this Wire compliance module we nailed it,” he responds to a question on that issue, predicting consumer E2EE messaging apps will face a trickier challenge if lawmakers push ahead.

Elsewhere, the war in Ukraine is also generating leads for Wire in the energy sector, according to Duric — who says it’s had inbound from operators of nuclear plants interested in adopting the tool to be a conduit for all of their confidential comms and for “crisis collaboration” — i.e. in the event there’s an outage affecting their day-to-day cloud-based business comms platform. “Anything that is confidential cannot go on Microsoft Teams,” he argues.

On the competition front, a closer rival to Wire than Microsoft is another European startup, Element — which builds on the Matrix protocol — and is similarly touting its “enterprise-grade messaging and collaboration solution” as a fix for the ‘WhatsApp at work’ compliance problem.

Duric agrees Matrix/Element is a key competitor. “Some of the main differences are we are now getting fully based on MLS — they are jumping on that train a bit later,” he suggests. “The other thing is Wire is visibly stronger when it comes to real-time communications: Group video calls, group audio calls, screensharing, all of this real-time comms aspects because there they’ve been relying for quite a bit on Jitsi… So on that side we have [a lead].”

Looking ahead, Duric says the team is “fully focused on execution”.

“We are now tuning some of the things for this next chapter where we are going to be accelerating — and also where we are expecting some of our large customers, like the German government did the digitalization project and a number of other larger projects that they’re going to be working on that is going to be used as fuel for another inflection point,” he tells TechCrunch. “Also one of the areas that we are looking into is with SDKs where you’ll be able to embed Wire into a number of other solutions — either if it is in a banking sector or health sector or a number of other sectors so there it is really, from a number of perspectives, a completely new chapter ahead of us in the next couple of years.”

Wire’s next chapter means Duric will be entering his second decade at the startup — but he remains excited for what’s to come.

“It is kind of like my baby and it still has quite a bit to do before it grows up. And now with MLS I’m super excited because I feel a lot like with my previous startups when we were working on a WebRTC technology that we started at Global IP Solutions… and then it got deployed to billions of people and now the big vision is the same with MLS — that MLS gets deployed to billions of people.

“Just before we had a vehicle — Skype — that was used first to deploy [WebRTC, a billion-scale technology] and then a number of others deployed it. After [that], now the vehicle in a first phase [is] Wire — I hope that it enables the DMA to start happening and some of these big monopolies get reshaped and we have communication solutions for the next ten years which are not going to be proprietary, which are not going to be closed and they are going to be very secure and respecting users’ privacy,” he adds. “That’s the mission.”

Friis, Skype’s co-founder and Wire’s investor, also clearly remains bought in. “The need for secure communications is constantly growing. With its end-to-end encryption that has been independently audited and its code that is open source, Wire allows any organisation to deploy a communication product they can trust,” he said in a supporting statement accompanying the Series C.