Over two dozen encryption experts call on India to rethink changes to its intermediary liability rules

Security and encryption experts from around the world are joining a number of organizations to call on India to reconsider its proposed amendments to local intermediary liability rules.

In an open letter to India’s IT Minister Ravi Shankar Prasad on Thursday, 27 security and cryptography experts warned the Indian government that if it goes ahead with its originally proposed changes to the law, it could weaken security and limit the use of strong encryption on the internet.

The Indian government proposed (PDF) a series of changes to its intermediary liability rules in late December 2018 that, if enforced, would require millions of services operated by anyone from small and medium businesses to large corporate giants such as Facebook and Google to make significant changes.

The originally proposed rules say that intermediaries — which the government defines as those services that facilitate communication between two or more users and have five million or more users in India — will have to proactively monitor and filter their users’ content and be able to trace the originator of questionable content to avoid assuming full liability for their users’ actions.

“By tying intermediaries’ protection from liability to their ability to monitor communications being sent across their platforms or systems, the amendments would limit the use of end-to-end encryption and encourage others to weaken existing security measures,” the experts wrote in the letter, coordinated by the Internet Society.

With end-to-end encryption, there is no way for the service provider to access its users’ decrypted content, they said. Some of these experts include individuals who work at Google, Twitter, Access Now, Tor Project and World Wide Web Consortium.

“This means that services using end-to-end encryption cannot provide the level of monitoring required in the proposed amendments. Whether it’s through putting a ‘backdoor’ in an encryption protocol, storing cryptographic keys in escrow, adding silent users to group messages, or some other method, there is no way to create ‘exceptional access’ for some without weakening the security of the system for all,” they added.

Technology giants have so far enjoyed what is known as “safe harbor” laws. The laws, currently applicable in the U.S. under the Communications Decency Act and India under its 2000 Information Technology Act, say that tech platforms won’t be held liable for the things their users share on the platform.

Many organizations have expressed their reservations about the proposed changes to the law in recent days. Earlier this week, Mozilla, GitHub and Cloudflare asked the Indian government to be transparent about the proposals it has made to the intermediary liability rules. Nobody outside the Indian government has seen the current draft of the proposal, which it plans to submit to India’s Supreme Court for approval by January 15.

Among the concerns raised by some is the vague definition of “intermediary” itself. Critics say the last publicly known version of the draft had an extremely broad definition of the term “intermediary,” that would be applicable to a wide-range of service providers, including popular instant messaging clients, internet service providers, cyber cafes and even Wikipedia.

Amanda Keton, general counsel of the Wikimedia Foundation, asked the Indian government late last month to rethink the requirement to impose “traceability” on online communication, as doing so, she warned, would interfere with the ability of Wikipedia contributors to freely participate in the project.

A senior executive with an American technology company, who requested anonymity, told TechCrunch on Wednesday that even though the proposed changes to the intermediary guidelines need major revision, it is high time that the Indian government decided to look into this at all.

“Action on social media platforms, and instant communications services is causing damage in the real world. Spread of hoax has cost us more than at least 30 lives. If tomorrow, someone’s sensitive photos and messages leak on the internet, there is currently little they can expect from their service providers. We need a law to deal with the modern internet’s challenges,” he said.

As ransomware gets craftier, companies must start thinking creatively

Some say ransomware is in decline. Others say it’s getting craftier.

File-encrypting malware, known as ransomware, infects vulnerable computers and scrambles their files, offering to restore the victims’ access to their data once they pay a ransom. Ransomware remains one of the most popular types of malware and is said to be a multi-billion dollar — albeit illegal — industry.

But as companies gain awareness and shore up their cybersecurity defenses, the cat and mouse game continues between ransomware-launching threat actors and their victims, which can range from small businesses to local governments.

“Ransomware is a lucrative business model for the adversary because they get paid directly by the victim,” Steve Grobman, chief technology officer at McAfee, told TechCrunch.

In the past few months, security experts have seen a reduction in the “spray and pay” attacks against a large number of businesses and an increase in more focused efforts against larger corporate targets. Ransomware-focused threat actors are now using creative means to break into systems and deploy ransomware for the threat actor’s payday.

Just this week, foreign currency exchange Travelex was forced to suspend services at its stores after it confirmed a malware infection on December 31. A week later, the company is still largely offline. Travelex said little beyond a prepared statement, but it was reported that the company was hit by the notorious Sodinokibi (or REvil) ransomware.

AvePoint lands $200M investment to expand market for Microsoft cloud governance tools

While Microsoft cloud services such as SharePoint, Microsoft Teams and Office 365 are used widely by large organizations, the products don’t come standard with an enterprise-grade control layer. That’s where AvePoint, a Microsoft independent software vendor (ISV), comes in. Today, the company announced a $200 million Series C investment.

The round was led by TPG Sixth Street Partners with additional participation from prior investor Goldman Sachs and other unnamed investors. The round brings the total raised to $294 million, according to the company.

The company says that the equity investment has a couple of purposes. First of all, it wants to provide some liquidity for long-time investors. Secondly, it wants capital for company expansion.

Specifically, AvePoint provides a set of governance and migration services for Microsoft SharePoint, Teams and Office 365, and other Microsoft SaaS products. The company has been around for 18 years, but transitioned about five years ago to protecting online services, chief marketing officer Dux Raymond Sy explained. Prior to that it concentrated on on-premises services such as SharePoint backup.

Today, AvePoint takes care of a few key management tasks. First of all, it provides a policy layer on top of Office 365, Microsoft Teams and SharePoint to give companies the ability to enforce usage rules across these products. For instance, it could define the types of files an employee can share in Teams.

In addition, the company provides backup for the three services and others like Microsoft Dynamics to aid recovery in the event of a disaster, and finally it has migration tools to move data from a related cloud service to a Microsoft cloud service.

For example, AvePoint could help move documents from Google Drive to Office 365 or Slack data to Microsoft Teams.

Sy says the company has been growing rapidly with four consecutive quarters of record growth, which he said works out to 40% year over year growth. AvePoint currently has 1250 employees serving 16,000 customers. Overall, it is helping to protect 7 million Microsoft cloud service users around the world, but it has a long-term, rather ambitious goal of adding more than 40,000 new customers.

It hopes to expand its market further by adding new services to sell to existing customers, while expanding aggressively into the SMB market. It also wants to enhance relationships with channel partners to sell AvePoint on its behalf. It already has a number of channel partners including Ingram Micro, Synnex and TechData.

The new investment should help the company invest in the engineering, sales, customer service and partner relations that this kind of expansion will no doubt require.

Cloudflare acquires stealthy startup S2 Systems, announces Cloudflare for Teams

Cloudflare announced that it has acquired S2 Systems, a browser isolation startup started by former Microsoft execs. The two companies did not reveal the acquisition price.

Matthew Prince, co-founder and CEO at Cloudflare, says that this acquisition is part of a new suite of products called Cloudflare for Teams, which has been designed to protect an organization from threats on the internet. S2 developed a solution specifically to help prevent browser-based code attacks.

Prince said the company had been thinking about how to incorporate this kind of technology into the Cloudflare family of products for some time. As with many companies, it had to decide if it should partner, build or acquire a company. Prince says that when he met the founding team from S2 and tested its technology, he was impressed with the speed and execution.

The team felt like a good fit, so Cloudflare made an offer. It had to bid against some other companies (whom he did not name), but in the end S2 chose Cloudflare. He sees technology like this helping to even the playing field for internet users around the world.

“We’re super excited to have them on board, and we think that combining their better browser isolation technology with our ubiquitous network, we can really redefine how enterprises protect their employees, and over the long term how people generally browse the internet, where we can make it so that a low-end phone can have a similar experience as a brand new modern iPhone,” Prince said. He says that’s due to the tremendous processing power that can take place on its network across 200 cities worldwide, taking that processing burden off of the phone or other device.

The acquisition does not stand in isolation though. It’s part of a broader announcement around a new product category called Cloudflare for Teams. This is designed to provide a set of protections that includes S2 browser isolation as well as VPN and identity protection.

There are two main pieces to Cloudflare for Teams: Cloudflare Access and Cloudflare Gateway. Access is a Zero Trust identity and access management tool designed to help companies ensure their employees are using the most up-to-date software on their devices.

Gateway is designed to protect companies and individuals from threats on the Internet, which is where S2 fits in. The company offers three versions: Gateway, which includes DNS-based filtering and audit logging; Gateway Pro, which secures all Internet-bound traffic; and Gateway Enterprise, which helps prevent data loss and includes the browser isolation tech from S2.

The S2 acquisition closed on December 31st. S2’s 10 employees are now part of the Cloudflare team, and will remain in Kirkland, WA to establish a Cloudflare office there. The company was in stealth prior to the acquisition.

Homeland Security warns businesses to brace for Iranian cyberattacks

Homeland Security is warning U.S. companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

It’s the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency, just days after the killing of a leading Iranian military commander, Qasem Soleimani. The U.S. government had accused Soleimani of targeting and killing U.S. personnel across the Middle East.

Soleimani, an Iranian general who was regarded as second-in-command in Iran’s leadership, was killed on Friday by a U.S. drone strike authorized by President Trump. The same drone strike killed Abu Mahdi al-Muhandis, a deputy in a coalition of Iran-backed militias in neighboring Iraq.

In its latest advisory, posted Monday, CISA said that the increased geopolitical tensions “may result in cyber and physical attacks against the homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad.”

The agency said Iran and its allies could launch “disruptive and destructive cyber operations” against strategic targets, such as phone and energy companies, and also carry out “cyber-enabled espionage” aimed at better understanding U.S. foreign policy decision making.

CISA also warned of disinformation campaigns, as well as kinetic attacks — including bombings. Companies should take precautions in the event of cyberattacks — such as setting up offline backups, the agency advised.

The warnings come shortly after security experts in the private sector warned of the possibility of retaliatory action following the drone strikes.

“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” said John Hultquist, director of intelligence analysis at cybersecurity firm FireEye. “We also anticipate disruptive and destructive cyberattacks against the private sphere,” he said.

Iran is one of the world’s most powerful adversaries in cyberspace, experts say.

Tehran has a considerable arsenal of offensive cyber tools, including wipers — malware designed to infiltrate computers and destroy data. Hackers associated with Iran have been active in targeting facilities in the Middle East in recent years. Dmitri Alperovitch, who co-founded security firm CrowdStrike, said in a tweet that Iran may target critical infrastructure, such as energy grids and financial institutions.

More recently, Microsoft said it had notified thousands of customers over the past year who have been targeted by nation-state attackers, including hackers associated with Iran. The software and services giant previously took legal action against Iranian-controlled domains in an effort to disrupt their cyber activities. In October, Microsoft said Iranian hackers targeted a 2020 presidential candidate, which Reuters later confirmed was President Trump’s reelection campaign.

The move to assassinate Soleimani was widely panned by both opponents and allies of the Trump administration. Critics say the government had not thought through the consequences of the strike, including not only Iranian retaliation with kinetic force but also cyberattacks.

Sen. Ron Wyden, a senior lawmaker on the Senate Intelligence Committee, said the killing was “a reckless escalation that will take us further down the road to ruinous war.” Meanwhile in a lengthy tweet thread, Rep. Elissa Slotkin, a former CIA analyst who served under President Bush, also criticized the action.

BigID bags another $50M round as data privacy laws proliferate

Almost exactly 4 months to the day after BigID announced a $50 million Series C, the company was back today with another $50 million round. The Series D came entirely from Tiger Global Management. The company has raised a total of $144 million.

What warrants $100 million in interest from investors in just four months is BigID’s mission to understand the data a company has and manage that in the context of increasing privacy regulation including GDPR in Europe and CCPA in California, which went into effect this month.

BigID CEO and co-founder Dimitri Sirota admits that his company formed at the right moment when it launched in 2016, but says he and his co-founders had an inkling that there would be a shift in how governments view data privacy.

“Fortunately for us, some of the requirements that we said were going to be critical, like being able to understand what data you collect on each individual across your entire data landscape, have come to [pass],” Sirota told TechCrunch. While he understands that there are lots of competing companies going after this market, he believes that being early helped his startup establish a brand identity earlier than most.

Meanwhile, the privacy regulation landscape continues to evolve. Even as California privacy legislation is taking effect, many other states and countries are looking at similar regulations. Canada is looking at overhauling its existing privacy regulations.

Sirota says that he wasn’t actually looking to raise either the C or the D, and in fact still has B money in the bank, but when big investors want to give you money on decent terms, you take it while the money is there. These investors clearly see the data privacy landscape expanding and want to get involved. He recognizes that economic conditions can change quickly, and it can’t hurt to have money in the bank for when that happens.

That said, Sirota says you don’t raise money to keep it in the bank. At some point, you put it to work. The company has big plans to expand beyond its privacy roots and into other areas of security in the coming year. Although he wouldn’t go into too much detail about that, he said to expect some announcements soon.

For a company that is only four years old, it has been amazingly proficient at raising money with a $14 million Series A and a $30 million Series B in 2018, followed by the $50 million Series C last year, and the $50 million round today. And Sirota said, he didn’t have to even go looking for the latest funding. Investors came to him — no trips to Sand Hill Road, no pitch decks. Sirota wasn’t willing to discuss the company’s valuation, only saying the investment was minimally diluted.

BigID, which is based in New York City, already has some employees in Europe and Asia, but he expects additional international expansion in 2020. Overall the company has around 165 employees at the moment and he sees that going up to 200 by mid-year as they make a push into some new adjacencies.

2019 was a hot mess for cybersecurity, but 2020 shows promise

It’s no secret that I hate predictions — not least because the security field changes rapidly, making it difficult to know what’s next. But given what we know about the past year, we can make some best-guesses at what’s to come.

Ransomware will get worse, and local governments will feel the heat

File-encrypting malware that demands money for the decryption key, known as ransomware, has plagued local and state governments in the past year. There has been a near-constant stream of attacks in the past year — Pensacola, Florida and Jackson County, Georgia to name a few. Governments and local authorities are particularly vulnerable as they’re often underfunded, under-resourced and unable to protect their systems from many major threats. Worse, many are without cybersecurity insurance, which often doesn’t pay out anyway.

Sen. Mark Warner (D-VA), who sits on the Senate Intelligence Committee, said ransomware is designed to “inflict fear and uncertainty, disrupt vital services, and sow distrust in public institutions.”

“While often viewed as basic digital extortion, ransomware has had materially adverse impacts on markets, social services like education, water, and power, and on healthcare delivery, as we have seen in a number of states and municipalities across the United States,” he said earlier this year.

As these kinds of cyberattacks increase and victims feel compelled to pay to get their files back, expect hackers to carry on attacking smaller, less prepared targets.

California’s privacy law will take effect — but its repercussions won’t be immediately known

On January 1, California’s Consumer Privacy Act (CCPA) began protecting the state’s 40 million residents. The law, which has similarities to Europe’s GDPR, aims to put much of a consumer’s data back in their control. The law gives consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information.

But many companies are worried — so much so that they’re lobbying for a weaker but overarching federal law to supersede California’s new privacy law. The CCPA’s enforcement provisions will kick in some six months later, starting in July. Many companies are not prepared and it’s unclear exactly what impact the CCPA will have.

One thing is clear: expect penalties. Under GDPR, companies can be fined up to 4% of their global annual revenue. California’s law works on a sliding scale of fines, but the law also allows class action suits that could range into the high millions against infringing companies.

More data exposures to be expected as human error takes control

If you’ve read any of my stories over the past year, you’ll know that data exposures are as bad as, if not worse than, data breaches. Exposures, where people or companies inadvertently leave unsecured information online rather than having it taken in an external breach by a hacker, are often caused by human error.

The problem became so bad that Amazon has tried to stem the flow of leaks by providing tools that detect inadvertently public data. Those tools will only go so far. Education and awareness can go far further. Expect more data exposures over the next year, as companies — and staff — continue to make mistakes with their users’ data.

Voter databases and election websites are the next target

Travelex suspends services after malware attack

Travelex, a major international foreign currency exchange, has confirmed it has suspended some services after it was hit by malware on December 31.

The London-based company, which operates more than 1,500 stores globally, said it took systems offline “as a precautionary measure in order to protect data” and to stop the spread of the malware.

Its U.K. website is currently offline, displaying a “server error” page. Its corporate site said the site was offline while it makes “upgrades.” According to a tweet, Travelex said staff are “unable to perform transactions on the website or through the app.” Some stores are said to be manually processing customer requests.

Other companies, like Tesco Bank, which rely on Travelex for some services, have also struggled during the outage.

Travelex’s U.K. website is currently offline. (Screenshot: TechCrunch)

The company said no customer data has been compromised “to date,” but did not elaborate or provide evidence for the claim.

It’s also unclear why the company took two days to disclose the security incident.

The company declined to identify the kind of malware used in the attack, citing an ongoing forensic investigation. In the past year, several high-profile companies have been increasingly targeted by ransomware, a data-encrypting malware that only unscrambles the data once a ransom has been paid. Aluminum manufacturing giant Norsk Hydro and the U.K. Police Federation were both hit in March, then Arizona Beverages and Aebi Schmidt in April, and shipping company Pitney Bowes in October.

Several local and state governments have also been attacked by ransomware. New Orleans declared a state of emergency last month after its systems were hit by ransomware.

A Travelex spokesperson would not comment beyond the statement.

Here’s where California residents can stop companies selling their data

California’s new privacy law is now in effect, allowing state residents to take better control of the data that’s collected on them — from social networks, banks, credit agencies, and more.

There’s just one catch: the companies, many of which lobbied against the law, don’t make it easy.

California’s Consumer Privacy Act (CCPA) gives anyone who resides in the state the right to access and obtain copies of the data that companies store on them, the right to delete that data, and the right to opt-out of companies selling or monetizing their data. It’s the biggest state-level overhaul of privacy rules in a generation. State regulators can impose fines and other sanctions on companies that violate the law — although the law’s enforcement provisions do not take effect until July. That’s probably a good thing for companies, given most major tech giants operating in the state are not ready to comply with the law.

Just as they did with Europe’s GDPR, many companies have put up new privacy policies and new data portals in preparation, which allow consumers to access their data and to opt-out of their data being sold on to third parties, such as advertisers. But good luck finding them. Most companies aren’t transparent about where their data portals are; the portals are often out of sight and buried in privacy policies, near-guaranteeing that nobody will find them.

Just two days into the new law, some are already fixing this for the average Californian.

Damian Finol created a running directory of company pages that allow California residents to opt-out of their data being sold, and request their information. The directory is updated frequently, and so far includes banks, retail giants, airlines, car rental services, gaming giants, and cell companies — to name a few.

caprivacy.me is a simple directory of links to where California residents can tell companies not to sell their data, and request what data companies store on them. (Screenshot: TechCrunch)

The project is still in its infancy but relies on community contributions (and anyone can submit a suggestion), he said. In less than a day, it already racked up more than 80 links.

“I’m passionate about privacy and allowing people to declare what their personal privacy model is,” Finol told TechCrunch.

“I grew up queer in Latin America in the 1990s, so keeping private the truth about me was vital. Nowadays, I think of my LGBTQ siblings in places like the Middle East where if their privacy is violated, they can face capital punishment,” he said, explaining his motivations behind the directory.

There’s no easy way — yet — to opt-out in one go. Anyone in California who wants to opt-out has to go through each link. But once it’s done, it’s done. Put on a pot of coffee and get started.

The California Consumer Privacy Act officially takes effect today

California’s much-debated privacy law officially takes effect today, a year and a half after it was passed and signed — but it’ll be six more months before you see the hammer drop on any scofflaw tech companies that sell your personal data without your permission.

The California Consumer Privacy Act, or CCPA, is a state-level law that requires, among other things, that companies notify users of the intent to monetize their data, and give them a straightforward means of opting out of said monetization.

Here’s a top-level summary of some of its basic tenets:

  • Businesses must disclose what information they collect, what business purpose they do so for and any third parties they share that data with.
  • Businesses will be required to comply with official consumer requests to delete that data.
  • Consumers can opt out of their data being sold, and businesses can’t retaliate by changing the price or level of service.
  • Businesses can, however, offer “financial incentives” for being allowed to collect data.
  • California authorities are empowered to fine companies for violations.

The law is described in considerably more detail here, but the truth is that it will probably take years before its implications for businesses and regulators are completely understood and brought to bear. In the meantime the industries that will be most immediately and obviously affected are panicking.

A who’s-who of internet-reliant businesses has publicly opposed the CCPA. While they have been careful to avoid saying such regulation is unnecessary, they have said that this regulation is unnecessary. What we need, they say, is a federal law.

That’s true as far as it goes — it would protect more people and there would be less paperwork for companies that now must adapt their privacy policies and reporting to CCPA’s requirements. But the call for federal regulation is transparently a stall tactic, and an adequate bill at that level would likely take a year or more of intensive work even at the best of times, let alone during an election year while the President is being impeached.

So California wisely went ahead and established protections for its own residents, though as a consequence it will have aroused the ire of many companies based there.

A six-month grace period follows today’s official activation of the CCPA. This is a normal and necessary part of breaking in such a law, when honest mistakes can go unpunished and the inevitable bugs in the system can be squelched.

But starting in June offenses will be assessed with fines at the scale of thousands of dollars per violation, something that adds up real quick at the scales companies like Google and Facebook work in.

Adapting to the CCPA will be difficult, but as the establishment of GDPR in Europe has shown, it’s far from impossible, and at any rate the CCPA’s requirements are considerably less stringent than GDPR’s. Still, if your company isn’t already working on getting in compliance, better get started.