Thoma Bravo completes $3.9B Sophos acquisition

Thoma Bravo announced today that it had closed its hefty $3.9 billion acquisition of security firm Sophos, marking yet another private equity deal in the books.

The deal was originally announced in October. Stockholders voted to approve the deal in December.

They were paid $7.40 USD per share for their trouble, according to the company, which also indicated that, as part of the closing, the stock had ceased trading on the London Stock Exchange. It also pointed out that investors who got in at the IPO price in June 2015 made a 168% premium on that investment.

Sophos hopes its new owner can help the company continue to modernize the platform. “With Thoma Bravo as a partner, we believe we can accelerate our progress and get to the future even faster, with dramatic benefits for our customers, our partners and our company as a whole,” Sophos CEO Kris Hagerman said in a statement. Whether it will enjoy those benefits or not, time will tell.

As for the buyer, it sees a company with a strong set of channel partners that it can access to generate more revenue moving forward under the Thoma Bravo umbrella. Sophos currently partners with 53,000 resellers and managed service providers, and counts more than 420,000 companies as customers. The platform currently helps protect 100 million users, according to the company. The buyer believes it can help build on these numbers.

The company was founded way back in 1985, and raised over $500 million before going public in 2015, according to PitchBook data. Products include Managed Threat Response, XG Firewall and Intercept X Endpoint.

Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach

A precision parts maker for space and defense contractors has confirmed a “cybersecurity incident,” which TechCrunch has learned was likely caused by ransomware.

Visser Precision, a Denver, Colorado-based manufacturer, makes custom parts for a number of industries, including automotive and aeronautics. In a brief statement, the company confirmed it was “the recent target of a criminal cybersecurity incident, including access to or theft of data.”

The company said it “continues its comprehensive investigation of the attack, and business is operating normally,” a spokesperson told TechCrunch.

Security researchers say the attack was caused by the DoppelPaymer ransomware, a new kind of file-encrypting malware that first exfiltrates the victim company’s data. The ransomware threatens to publish the stolen files if the ransom is not paid.

DoppelPaymer is the latest in an emerging list of data-stealing ransomware. In December, security staffing firm Allied Universal was one of the first companies that had sensitive employee and business data published after the company declined to pay a $2.3 million ransom for the data.

Brett Callow, a threat analyst at security firm Emsisoft, first alerted TechCrunch to the website that was publishing files stolen by the DoppelPaymer ransomware.

The website contains a list of files stolen from Visser, including folders bearing customer names, among them Tesla, SpaceX, aircraft maker Boeing and defense contractor Lockheed Martin. A portion of the files were made available for download. (We are not linking to the ransomware’s website.) The documents included non-disclosure agreements between Visser and both Tesla and SpaceX. Another file, which appeared to be a partial schematic for a missile antenna, was marked as containing “Lockheed Martin proprietary information.”

Spokespeople for Tesla, SpaceX, Boeing and Lockheed Martin did not immediately comment.

The DoppelPaymer ransomware has been active since the middle of last year, and its victims have included the Chilean government and Pemex, Mexico’s state-owned petroleum company. But unlike the Maze ransomware, from which DoppelPaymer derives much of its data-stealing inspiration, the ransom note does not say that data has been stolen. Instead, the theft is only disclosed when the victim visits the ransomware’s website to pay.

“Some companies may not even realize that their data has been exfiltrated prior to it being published,” said Callow.

The website hosting the stolen files said there were a “lot” more files to be published.

“Data theft is a strategy that multiple groups have now adopted and, consequently, ransomware incidents should be treated as data breaches until it can be established they are not,” said Callow.

Particle lays off 10% staff and co-founder departs after ‘turbulent period’

San Francisco-based startup Particle was one of the rising stars in the Internet of Things space, raising more than $81 million to date on the promise of helping to manage and secure the next generation of connected devices.

But the company is only now emerging from what its co-founder and chief executive Zach Supalla called a “turbulent period,” prompting layoffs and cost-cutting to help stay afloat, TechCrunch has learned.

Founded in 2012, Particle snagged $40 million in its Series C fundraise last October from big industrial investors including Qualcomm Ventures and Energy Impact Partners, signaling strong support for the company’s mission. The startup pitches its flagship platform as an all-in-one solution to manage and secure IoT devices, offering encryption and security as well as scalability and data autonomy.

But a recent email sent by Supalla to his staff — obtained by TechCrunch — shows the company is course-correcting after a recent revenue miss.

The email, which the company confirmed was sent by the chief executive, said Particle laid off 14 staff earlier this month, representing about 10% of the company. The layoffs of both engineering and support staff came just weeks after co-founder and chief technology officer Zachary Crockett quietly departed the company for “unrelated” reasons, said Supalla. (Crockett did not respond to a request for comment.)

According to Supalla’s email to staff, Particle’s revenue goal in 2019 was $16 million but it ended the year with $10.3 million. Supalla cited, among other things, “operational challenges” with the business that he said kept the company “from executing as well as we could.”

Supalla said that the company still has a “flush” bank account with more than $30 million in the bank, but the company’s current burn rate of $2 million per month is “uncomfortably high.”

“We would only have until early 2021 to prepare for the next stage of financing the company,” he said.

The email added that the company is bringing on $10 million in venture debt, but Supalla told TechCrunch that the deal is “still in progress.” Particle is aiming to reduce its burn rate to about $1.6 million per month, which Supalla’s email said would be achievable through the recent layoffs and by reducing discretionary budgets, including marketing.

The cost-cutting will “put us in a position of financial strength,” the email said, adding that the company has “no intentions” of further layoffs.

Although the 14 staff have been given severance, one source said that some are still waiting for the payouts — some two weeks after the announcement — which Supalla confirmed in an email. TechCrunch also learned that former staff were asked to sign non-disclosure agreements. Supalla told TechCrunch that these agreements come with non-disparagement clauses, but that anyone laid off who wanted to be released from the non-disparagement terms would be.

Supalla’s email is hardly the death knell for the company, but questions remain about its revenue targets and its efforts to reduce its monthly burn rate. The chief executive’s email said, candidly, that while layoffs can signal financial duress, they’re all too often made too late and “as a last resort.”

“That’s not what’s happening here,” said Supalla. “We have plenty of money in the bank and are making prudent cuts to strengthen the business.”


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849.

A security mishap left Remine wide open to hackers

Security is all too often focused on keeping hackers out and breaches at bay. But in the case of Remine, a real estate intelligence startup, it left its doors wide open for anyone to run rampant.

Remine is a little-known but major player in the real estate analytics and intelligence market. It works by collecting and mining vast amounts of real estate data — from public listings to privately obtained data from brokers and real estate agents from across the United States. The company, which last year raised $30 million in its Series A to help expand its real estate data and intelligence platform, claims it has data “on 150 million properties across all 50 states.”

But that data was only a few clicks away from being easily accessible, thanks to a misconfigured system.

The misconfiguration was found in Remine’s development environment, which, although password-protected, let anyone outside the company register an account and log in.

Thinking it was a secure space, Remine’s developers shared private keys, secrets and other passwords there, which, if exploited by a malicious hacker, would have allowed access to the company’s Amazon Web Services storage servers, databases and also the company’s private Slack workspace.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found the exposed system and reported the findings to TechCrunch so we could inform the company of the security lapse.

The exposed private keys, he said, allowed full access to the company’s storage servers, which contained more than a decade’s worth of documents, including title deeds, rent agreements and the addresses of customers or sellers.

One of the documents seen by TechCrunch showed personal information, including names, home addresses and other personally identifiable information belonging to a rental tenant.

After TechCrunch reached out, Remine co-founder and chief operating officer Jonathan Spinetto confirmed the security lapse and said that its private keys and secrets have been replaced. Spinetto also said the company has notified customers with a letter, seen by TechCrunch, and has retained cybersecurity firm Crypsis to handle the investigation; the company will “assess and comply” with applicable data breach notification laws based on the investigation’s findings.

Remine escaped bruised rather than breached, a lesson to all companies, large and small, that even the smallest bug can be enough to wreak havoc.


Firefox to enable DNS-over-HTTPS by default to US users

Mozilla will bring its new DNS-over-HTTPS security feature to all Firefox users in the U.S. by default in the coming weeks, the browser maker has confirmed.

It follows a year-long effort to test the new security feature, which aims to make browsing the web more secure and private.

Whenever you visit a website — even if it’s HTTPS enabled — the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. DNS-over-HTTPS, or DoH, encrypts the request so that it can’t be intercepted or hijacked in order to send a user to a malicious site.

These unencrypted DNS queries can also be used to snoop on which websites a user visits.

DoH works at the application level and is built into Firefox. The feature sends DNS queries to third-party resolvers, such as Cloudflare and NextDNS, both of which are integrated into Firefox as DoH providers and will process the DoH queries.
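As an added illustration, and not Mozilla’s or any resolver’s code, the following Python builds the RFC 1035 wire-format query that DoH wraps in an HTTPS request, shows both the GET and POST forms RFC 8484 defines, and parses a constructed response; the endpoint URL and the response bytes are assumptions made up for the example.

```python
"""Build and parse DNS-over-HTTPS messages offline (RFC 8484 / RFC 1035).

Added example, not Mozilla's, Cloudflare's or NextDNS's code.  DoH carries the
same wire-format query that ordinary DNS sends in cleartext UDP; what changes
is the HTTPS wrapper.  The endpoint URL and the sample response are constructed.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1

def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=QTYPE_A, qid=0):
    """Standard query with RD=1.  RFC 8484 says clients SHOULD use ID 0 so
    that identical requests can be served from HTTP caches."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def doh_get_url(endpoint, query):
    """GET form: message base64url-encoded with padding removed (RFC 8484 4.1)."""
    b64 = base64.urlsafe_b64encode(query).decode("ascii").rstrip("=")
    return endpoint + "?dns=" + b64

def doh_post_request(endpoint, query):
    """POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST", "url": endpoint, "body": query,
            "headers": {"Accept": "application/dns-message",
                        "Content-Type": "application/dns-message",
                        "Content-Length": str(len(query))}}

def read_name(msg, off):
    """Decode a name at offset `off`, following compression pointers.
    Returns (name, offset just past the name as it appears in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer, 14-bit offset
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_response(msg):
    """Return id, rcode and the answer records of a wire-format response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        is_a = rtype == QTYPE_A and rdlen == 4
        data = ".".join(str(b) for b in rdata) if is_a else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}

# Constructed response: flags 0x8180 (QR, RD, RA), one A answer whose name is a
# pointer (0xC00C) back to the question name at offset 12.  192.0.2.1 is a
# documentation address, not a real resolver result.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.test/dns-query", q))  # hypothetical endpoint
    print(parse_response(SAMPLE_RESPONSE))
```

Only the body (or the `dns=` parameter) changes between the two forms; the TLS session is what keeps the query name out of reach of anyone on the path.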

But the move is not without controversy. Last year, an internet industry group branded Mozilla an “internet villain” for pressing ahead with the security feature. The trade group claimed it would make it harder to spot terrorist materials and child abuse imagery. But even some in the security community are split, amid warnings that it could make incident response and malware detection more difficult.

The move to enable DoH by default will no doubt face resistance, but it is not a technology that browser makers have shied away from. Firefox became the first browser to implement DoH, with others, like Chrome, Edge and Opera, quickly following suit.

Firefox said users outside of the U.S. can also enable DoH, just as users inside the U.S. can choose to disable it. Mozilla also said it plans to expand to other DoH providers and regions.

Deviceplane wants to bring over-the-air updates to Linux edge devices

Deviceplane, a member of the Y Combinator Winter 2020 class, is developing an open source toolset to manage, monitor and update Linux devices running at the edge.

“We solve the hard infrastructure problems that all these companies face including network connectivity, SSH access, orchestrating and deployment of remote updates, hosting, application monitoring and access and security controls. It’s 100% open source, available under an Apache License. You can either host it yourself or you can run on the hosted version,” company founder and CEO Josh Curl told TechCrunch.

He could see this working with a variety of hardware including robotics, consumer appliances, drones, autonomous vehicles and medical devices.

Curl, who has a background in software engineering, was drawn to this problem and found that most companies were going with home-grown solutions. He said once he studied the issue, he found that the set of infrastructure resources required to manage, monitor and update these devices didn’t change that much across industries.

The over-the-air updates are a big part of keeping these devices secure, a major concern with edge devices. “Security is challenging, and one of the core tenets of security is just the ability to update things. So if you as a company are hesitant to update because you’re afraid that things are going to break, or you don’t have a proper infrastructure to do those upgrades, that makes you more hesitant to do upgrades, and it slows down development velocity,” Curl said.

Customers can connect to the Deviceplane API via WiFi, cellular or ethernet. If you’re worried about someone tapping into that, Curl says the software assigns the device a unique identity that is difficult to spoof.

“Devices are assigned an identity in Deviceplane and this identity is what authorizes it to make API calls to Deviceplane. The access key for this identity is stored only on the device, which makes it impossible for someone else to spoof this device without physical access to it.

“Even if someone were able to spoof this identity, they would not be able to deploy malicious code to the spoofed device. Devices never have access to control what software they’re running — this is something that can be done only by the developer pushing out updates to devices,” Curl explained.

The company intends to offer both the hosted version and installed versions of the software as open source, something that he considers key. He hopes to make money supporting companies with more complex installations, but he believes that by offering the software as open source, it will drive developer interest and help build a community around the project.

As for joining YC, Curl said he has friends who had been through the program in the past and had recommended he join as well. Curl sees being part of the cohort as a way to build his business. “We were excited to be tapping into the YC network — and then being able to tap into that network in the future. I think that YC has funded many companies in the past that can be DevicePlane customers, and that can accelerate going forward.”

Curl wasn’t ready to share download numbers just yet, but it’s still an early stage startup looking to build the company. It’s using an open source model to drive interest, while helping solve a sticky problem.

Rallyhood exposed a decade of users’ private data

Rallyhood says it’s “private and secure.” But for some time, it wasn’t.

The social network designed to help groups communicate and coordinate left one of its cloud storage buckets containing user data open and exposed. The bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone who knew the easily guessable web address access to a decade’s worth of user files.

Rallyhood boasts users from Girl Scout and Boy Scout troops, and Komen, Habitat for Humanity, and YMCA factions. The company also hosts thousands of smaller groups, like local bands, sports teams, art clubs, and organizing committees. Many flocked to the site after Rallyhood said it would help migrate users from Yahoo Groups, after Verizon (which also owns TechCrunch) said it would shut down the discussion forum site last year.

The bucket contained group data dating as far back as 2011 and up to and including last month. In total, the bucket contained 4.1 terabytes of uploaded files, representing millions of users’ files.

Some of the files we reviewed contained sensitive data, like shared password lists and contracts or other permission slips and agreements. The documents also included non-disclosure agreements and other files that were not intended to be public.

Where we could identify contact information of users whose information was exposed, TechCrunch reached out to verify the authenticity of the data.

A security researcher who goes by the handle Timeless found the exposed bucket and informed TechCrunch, so that the bucket and its files could be secured.

When reached, Rallyhood chief technology officer Chris Alderson initially claimed that the bucket was for “testing” and that all user data was stored “in a highly secured bucket,” but later admitted that during a migration project, “there was a brief period when permissions were mistakenly left open.”
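The “permissions mistakenly left open” state described above can be checked mechanically. The following Python is an added example, not Rallyhood’s or AWS’s code: it takes the dict shapes boto3 returns for a bucket’s ACL, bucket policy and Public Access Block settings and flags any grant that lets anyone list or read the bucket. Every sample value in it is constructed.

```python
"""Flag an S3 bucket whose ACL or policy grants anonymous access.

Added example (not Rallyhood's or AWS's code).  The inputs mirror what boto3's
get_bucket_acl / get_bucket_policy / get_public_access_block return; the sample
values below are constructed and not taken from any real bucket.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anyone (anonymous)",
                 AUTH_USERS: "any AWS account holder"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (who, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def _principal_is_wildcard(principal):
    """'*' or {"AWS": "*"} (or a list containing '*') means everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False

def public_policy_statements(policy):
    """Return Allow statements with a wildcard principal.  Statements that
    carry a Condition may still be public (e.g. a broad IP range), so they
    are reported too but marked 'conditional' for manual review."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for s in stmts:
        if s.get("Effect") != "Allow" or not _principal_is_wildcard(s.get("Principal")):
            continue
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append({"sid": s.get("Sid", ""), "actions": actions,
                         "conditional": "Condition" in s})
    return findings

def assess_bucket(acl, policy=None, public_access_block=None):
    """Combine the three sources.  With all four Public Access Block settings
    on, S3 ignores public ACLs and restricts public policies, so the bucket is
    not reachable anonymously even if the ACL or policy looks open."""
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    fully_blocked = all(pab.get(k) for k in PAB_KEYS)
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    return {"public": not fully_blocked and bool(acl_findings or policy_findings),
            "acl": acl_findings, "policy": policy_findings,
            "public_access_block": fully_blocked}

# Constructed sample: the "mistakenly left open" state, i.e. an ACL that grants
# READ to everyone plus a policy that lets anyone list and fetch objects.
SAMPLE_ACL = {
    "Owner": {"ID": "OWNER-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}

if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

The `s3:ListBucket` grant is the one that turns a guessable bucket name into a directory listing of every file; `s3:GetObject` alone still exposes any object whose key can be guessed.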

It’s not known if Rallyhood plans to warn its users and customers of the security lapse. At the time of writing, Rallyhood has made no statement about the incident on its website or any of its social media profiles.

How much should a startup spend on security?

One of the questions I frequently ask startup founders is how much they’re spending on security. Unsurprisingly, everyone has a different answer.

Startups and small companies are invariably faced with the prospect that they’re either not spending enough or are spending too much on something that’s hard to quantify in terms of value. It’s a tough sell to sink money into an effort to stop something that might one day happen, particularly for bootstrapped startups that must make every cent count — yet we’re told security is a crucial investment for a company’s future.

Sorry to break it to you, but there is no easy answer.

The reality is that each company is different and there is no single recommended dollar amount to spend. But it’s absolutely certain that some investment is required. We know because we see a lot of security incidents here at TechCrunch — hacks, breaches and especially data exposures, often a result of human error.

We spoke to three security experts — a head of security, a security entrepreneur and a cybersecurity fellow — to understand the questions facing startups.

Know and understand your threat model

Every company has a different threat model — by that, we mean identifying risks and possible ways of attack before they happen. Companies that store tons of user data may be a greater target than companies that don’t. Each firm needs to evaluate which kind of risks they face and identify weaknesses.

How to identify and remove KidsGuard ‘stalkerware’ from your phone

We reported today on KidsGuard, a powerful piece of mobile spyware. Not only is the app secretly installed on thousands of Android phones without the owners’ consent, it also left a server open and unprotected, exposing the data it siphoned off from victims’ infected devices to the internet.

This consumer-grade spyware also goes by “stalkerware.” It’s often used by parents to monitor their kids, but all too frequently it’s repurposed for spying on a spouse without their knowledge or consent. These spying apps are banned from Apple and Google’s app stores, but those bans have done little to curb the spread of these privacy invading apps, which can read a victim’s messages, listen to their phone calls, track their real-time locations, and steal their contacts, photos, videos, and anything else on their phones.

Stalkerware has become so reviled by privacy experts, security researchers, and lawmakers that antivirus makers have promised to do more to better detect the spyware.

TechCrunch obtained a copy of the KidsGuard app. Using a burner Android phone with the microphones and cameras sealed, we tested the spyware’s capabilities. We also uploaded the app to online malware scanning service VirusTotal, which runs uploaded files against dozens of different antivirus makers. Only eight antivirus engines flagged the sample as malicious — including Kaspersky, a member of the Coalition Against Stalkerware, and F-Secure.

Yoong Jien Chiam, a researcher at F-Secure’s Tactical Defense unit, analyzed the app and found it can obtain “GPS locations, account name, on-screen screenshots, keystrokes, and is also accessing photos, videos, and browser history.”

KidsGuard’s developer, ClevGuard, does not make it easy to uninstall the spyware. But this brief guide will help you to identify if the spyware is on your device and how to remove it.

Before you continue, note that some versions of Android may have slightly different menu options, and you take the following steps at your own risk. This only removes the spyware, and does not delete any data that was already uploaded to the cloud.

How to identify the spyware

If you have an Android device, go to Settings > Apps, then scroll down and see if “System Update Service” is listed. This is what ClevGuard calls the app to disguise it from the user. If you see it, it is likely that you are infected with the spyware.

First, remove the spyware as a “device administrator”

Go to Settings > Security, then Device administrators, untick the “System Update Service” box, then hit Deactivate.

Then remove the app’s “usage access”

Now, go back to Settings > Security then scroll to Apps with usage access. Once here, tap on “System Update Service” then switch off the permit usage toggle.

Also remove the spyware’s “notification access”

Once that is done, go back to Settings > Sound & notification then go to Notification access. Now switch off the toggle for “System Update Service.”

Now you can uninstall the spyware from your device

Following those steps, you have effectively disabled the spyware. Now you are able to uninstall it. Go to Settings > Apps and scroll down to “System Update Service.” You should be able to hit Uninstall, but you may need to hit Force Stop first. Tap OK to uninstall the app. This may take a few minutes.

Secure your device again

Now that you’ve rid your device of the spyware, you’ll need to re-enable a couple of settings that were switched off when your device was first infected. Firstly, go back to Settings > Security and switch off the toggle for Unknown sources. Secondly, go to the Play Store > Play Protect. If you have the option, select Turn on. Once it’s on, you should check to ensure that it “Looks good.”

A ‘stalkerware’ app leaked phone data from thousands of victims

A spyware app designed to “monitor everything” on a victim’s phone has been secretly installed on thousands of phones.

The app, KidsGuard, claims it can “access all the information” on a target device, including its real-time location, text messages, browser history, access to its photos, videos and app activities, and recordings of phone calls.

But a misconfigured server meant the app was also spilling out the secretly uploaded contents of victims’ devices to the internet.

These consumer-grade spyware apps — also known as “stalkerware” — have come under increased scrutiny in recent years for allowing and normalizing surveillance, often secretly and without obtaining permission from their victims. Although many of these apps are marketed toward parents to monitor their child’s activities, many have repurposed the apps to spy on their spouses. That’s prompted privacy groups and security firms to work together to help better identify stalkerware.

KidsGuard is no different. Its maker, ClevGuard, pitches the spyware app as a “stealthy” way to keep children safe, but also can be used to “catch a cheating spouse or monitor employees.”

But the security lapse offers a rare insight into how pervasive and intrusive these stalkerware apps can be.

ClevGuard’s website, which makes the KidsGuard phone spyware (Image: TechCrunch)

TechCrunch obtained a copy of the Android app from Till Kottman, a developer who reverse-engineers apps to understand how they work.

Kottman found that the app was exfiltrating the contents of victims’ phones to an Alibaba cloud storage bucket, which was named to suggest that the bucket only stored data collected from Android devices. It’s believed the bucket was inadvertently set to public, a common mistake often caused by human error, and it was not protected with a password.

Using a burner Android device with the microphone sealed and the cameras covered, TechCrunch installed the app and used a network traffic analysis tool to understand what data was going in and out of the device — and was able to confirm Kottman’s findings.

The app, which has to be bought and downloaded from ClevGuard directly, can be installed in a couple of minutes. (ClevGuard claims it also supports iPhones by asking for iCloud credentials to access the contents of iCloud backups, which is against Apple’s policies.) The app has to be installed by a person with physical access to a victim’s phone, but the app does not require rooting or jailbreaking. The Android app also requires that certain in-built security features are disabled, such as allowing non-Google approved apps to be installed and disabling Google Play Protect, which helps to prevent malicious apps from running.

Once installed, ClevGuard says its app works in “stealth” and isn’t visible to the victim. It does that by masquerading itself as an Android “system update” app, which looks near-indistinguishable from legitimate system services.

And because there’s no app icon, it’s difficult for a victim to know their device has been compromised.

KidsGuard is designed to look like an Android app (Image: TechCrunch)

Because we only had the Android app and not a paid subscription to the service, we were limited in how much we could test. Through our testing, TechCrunch found that the app silently and near-continually siphons off content from a victim’s phone, including what’s stored in their photos and video apps, and recordings of the victim’s phone calls.

The app also gives whoever installs the app access to who the victim is talking to and when on a variety of apps, such as WhatsApp, Instagram, Viber and Facebook Messenger, and the app also boasts the ability to monitor a victim’s activities on dating apps like Tinder. The app secretly takes screenshots of a victim’s conversations in apps like Snapchat and Signal to capture the messages before they are set to disappear.

The spyware app can also record and monitor the precise location of a device, and access the victim’s browsing history.

Although the app says it can access a victim’s contacts, the uploaded data stored in the exposed bucket did not include contact lists or easily identifiable information on the victim, making it difficult for TechCrunch to notify victims in bulk.

But one victim we spoke to said she found out just a few days earlier that spyware had been installed on her phone.

“It was my husband,” said the victim. The two had been separated, she said, but he was able to access her private messages by secretly installing the spyware on her phone. “I gave him the choice to show me how he was doing it or I was getting a divorce, so he finally showed me last night,” she said.

ClevGuard shut down the exposed cloud storage bucket after we contacted the company. We also contacted Alibaba, which also alerted the company of the exposure.

“This is evidence that not only are spouseware and stalkerware companies morally bankrupt, they are also often failing to protect their stolen user data once they have it,” said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation, who also examined the app.

“The fact that this also includes the data of young children is both alarming and sickening,” said Quintin. “This one tiny company had around 3,000 infections worldwide, which lays bare the massive scope of the spouseware and stalkerware industry.”

It’s the latest in a long stream of spyware companies that have either had data breaches or exposed systems. Vice tech news site Motherboard has reported on many, including mSpy, Mobistealth and Flexispy. The Federal Trade Commission also launched legal action against one spyware app maker, Retina-X, which had two data breaches involving sensitive victim data.

If you think you are a victim of KidsGuard, this is how you can identify and remove the malware.
