Blog of the website «TechCrunch»


Main article: Cryptography

Topics from 1 to 10 | in all: 173

A security mishap left Remine wide open to hackers

22:52 | 25 February

Security is all too often focused on keeping hackers out and breaches at bay. But in the case of Remine, a real estate intelligence startup, it left its doors wide open for anyone to run rampant.

Remine is a little-known but major player in the real estate analytics and intelligence market. It works by collecting and mining vast amounts of real estate data — from public listings to privately obtained data from brokers and real estate agents from across the United States. The company, which last year raised $30 million in its Series A to help expand its real estate data and intelligence platform, claims it has data “on 150 million properties across all 50 states.”

But that data was only a few clicks away from being easily accessible, thanks to a misconfigured system.

The misconfiguration was in Remine's development environment. Although the environment sat behind a login page, its registration form was open: anyone outside the company could create an account and sign in.

Thinking it was a secure space, Remine’s developers shared private keys, secrets and other passwords, which if exploited by a malicious hacker would have allowed access to the company’s Amazon Web Services storage servers, databases and also the company’s private Slack workspace.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found the exposed system and reported the findings to TechCrunch so we could inform the company of the security lapse.

The exposed private keys, he said, allowed full access to the company's storage servers, which held more than a decade's worth of documents, including title deeds, rent agreements and the addresses of customers and sellers.

One of the documents seen by TechCrunch showed personal information, including names, home addresses and other personally identifiable information belonging to a rental tenant.
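Developers rarely paste credentials into a channel they believe is hostile; the failure mode above is the trusted-space one, where keys land in chat, wikis and development-environment pages that turn out to be reachable from outside. The scanner below is an added example, not Remine's or SpiderSilk's code, and shows the check a practitioner runs over exports of such spaces: public credential formats (AWS access key IDs, PEM private keys, Slack tokens) are matched directly, and a generic "password = value" catch-all is filtered by Shannon entropy so placeholders are not reported. The chat transcript it scans is constructed for the example, the regexes are this example's own assumptions rather than any library's, and AKIAIOSFODNN7EXAMPLE is the placeholder key ID from AWS's own documentation, not a live key.

```python
"""Secret scanner for text shared in a supposedly private space (added example)."""
import math
import re
from collections import Counter
from typing import Dict, List

PATTERNS: Dict[str, re.Pattern] = {
    # AKIA = long-term IAM key, ASIA = temporary STS key; both are 20 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Any PEM-armoured private key, whatever the algorithm.
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # Slack tokens: xoxb (bot), xoxp (user) and the xoxa/xoxr/xoxs variants.
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    # Generic "password = value" style; group(1) is the value. The value is
    # checked against an entropy floor so "password = aaaaaaaaaaaa" is ignored.
    "generic_secret": re.compile(
        r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['"]?([^\s'"]{8,})"""),
}


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a 4-character prefix so the finding is recognisable without re-leaking it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str, min_entropy: float = 3.0) -> List[dict]:
    """Return one finding per credential-looking match, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                if kind == "generic_secret" and shannon_entropy(value) < min_entropy:
                    continue  # low-entropy placeholder, not a real secret
                findings.append({"line": lineno, "kind": kind, "sample": redact(value)})
    return findings


# Constructed chat export standing in for a development-environment channel.
SAMPLE_TEXT = """\
[dev-chat] alice: here is the key for the staging bucket
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[dev-chat] bob: and the deploy key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexampleonlyexampleonly
-----END RSA PRIVATE KEY-----
[dev-chat] bob: db_password = S3cr3t!Passw0rd9
[dev-chat] carol: test fixture uses password = aaaaaaaaaaaa
[dev-chat] dave: bot token xoxb-123456789012-abcdefghijkl
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['sample']}")
```

The entropy floor is the usual compromise: it drops fixture values and keeps anything that looks generated, at the cost of missing a weak but real password. Findings are redacted on output so that the scan report itself does not become a second copy of the leak.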

After TechCrunch reached out, Remine co-founder and chief operating officer Jonathan Spinetto confirmed the security lapse and said the private keys and secrets had been replaced. Spinetto also said the company had notified customers by letter, seen by TechCrunch, and had retained cybersecurity firm Crypsis to handle the investigation; Remine will "assess and comply" with applicable data breach notification laws based on the investigation's findings.

Remine escaped bruised rather than breached, a lesson to all companies, large and small, that even the smallest bug can be enough to wreak havoc.


How much should a startup spend on security?

03:34 | 21 February

One of the questions I frequently ask startup founders is how much they’re spending on security. Unsurprisingly, everyone has a different answer.

Startups and small companies are invariably faced with the prospect that they’re either not spending enough or are spending too much on something that’s hard to quantify in terms of value. It’s a tough sell to sink money into an effort to stop something that might one day happen, particularly for bootstrapped startups that must make every cent count — yet we’re told security is a crucial investment for a company’s future.

Sorry to break it to you, but there is no easy answer.

The reality is that each company is different and there is no single recommended dollar amount to spend. But it’s absolutely certain that some investment is required. We know because we see a lot of security incidents here at TechCrunch — hacks, breaches and especially data exposures, often a result of human error.

We spoke to three security experts — a head of security, a security entrepreneur and a cybersecurity fellow — to understand the questions facing startups.

Know and understand your threat model

Every company has a different threat model. By that we mean a worked-out picture of who is likely to attack the company, what they are after and how they could get in, drawn up before an incident rather than after one. Companies that store large amounts of user data are a bigger target than companies that don't. Each firm needs to evaluate which risks it faces and identify where it is weak.

 



SentinelOne raises $200M at a $1.1B valuation to expand its AI-based endpoint security platform

19:30 | 19 February

As cybercrime continues to evolve and expand, a startup that is building a business focused on endpoint security has raised a big round of funding. SentinelOne — which provides a machine learning-based solution for monitoring and securing laptops, phones, containerised applications and the many other devices and services connected to a network — has picked up $200 million, a Series E round of funding that it says catapults its valuation to $1.1 billion.

The funding is notable not just for its size but for its velocity: it comes just eight months after SentinelOne announced a Series D of $120 million, which at the time valued the company around $500 million. In other words, the company has more than doubled its valuation in less than a year — a sign of the cybersecurity times.

This latest round is being led by Insight Partners, with Tiger Global Management, Qualcomm Ventures LLC, Vista Public Strategies of Vista Equity Partners, Third Point Ventures, and other undisclosed previous investors all participating.

Tomer Weingarten, CEO and co-founder of the company, said in an interview that while this round gives SentinelOne the flexibility to remain in “startup” mode (privately funded) for some time — especially since it came so quickly on the heels of the previous large round — an IPO “would be the next logical step” for the company. “But we’re not in any rush,” he added. “We have one to two years of growth left as a private company.”

While cybercrime is proving to be a very expensive business (or very lucrative, I guess, depending on which side of the equation you sit on), it has also meant that the market for cybersecurity has significantly expanded.

Endpoint security, the area where SentinelOne concentrates its efforts, last year was estimated to be around an $8 billion market, and analysts project that it could be worth as much as $18.4 billion by 2024.

Driving it is the single biggest trend that has changed the world of work in the last decade. Everyone — whether a road warrior or a desk-based administrator or strategist, a contractor or full-time employee, a front-line sales assistant or back-end engineer or executive — is now connected to the company network, often with more than one device. And that’s before you consider the various other “endpoints” that might be connected to a network, including machines, containers and more. The result is a spaghetti of a problem. One survey from LogMeIn, disconcertingly, even found that some 30% of IT managers couldn’t identify just how many endpoints they managed.

“The proliferation of devices and the expanding network are the biggest issues today,” said Weingarten. “The landscape is expanding and it is getting very hard to monitor not just what your network looks like but what your attackers are looking for.”

This is where an AI-based solution like SentinelOne’s comes into play. The company has roots in the Israeli cyberintelligence community but is based out of Mountain View, and its platform is built around the idea of working automatically not just to detect endpoints and their vulnerabilities, but to apply behavioral models, and various modes of protection, detection and response in one go — in a product that it calls its Singularity Platform that works across the entire edge of the network.

“We are seeing more automated and real-time attacks that themselves are using more machine learning,” Weingarten said. “That translates to the fact that you need defence that moves in real time, with as much automation as possible.”

SentinelOne is by no means the only company working in the space of endpoint protection. Others in the space include Microsoft, CrowdStrike, Kaspersky, McAfee, Symantec and many others.

But nonetheless, its product has seen strong uptake to date. It currently has some 3,500 customers, including three of the biggest companies in the world, and “hundreds” from the global 2,000 enterprises, with what it says has been 113% year-on-year new bookings growth, revenue growth of 104% year-on-year, and 150% growth year-on-year in transactions over $2 million. It has 500 employees today and plans to hire up to 700 by the end of this year.

One of the key differentiators is the focus on using AI, and using it at scale to help mitigate an increasingly complex threat landscape, to take endpoint security to the next level.

“Competition in the endpoint market has cleared with a select few exhibiting the necessary vision and technology to flourish in an increasingly volatile threat landscape,” said Teddie Wardi, MD of Insight Partners, in a statement. “As evidenced by our ongoing financial commitment to SentinelOne along with the resources of Insight Onsite, our business strategy and ScaleUp division, we are confident that SentinelOne has an enormous opportunity to be a market leader in the cybersecurity space.”

Weingarten said that SentinelOne “gets approached every year” to be acquired, although he didn’t name any names. Nevertheless, that also points to the bigger consolidation trend that will be interesting to watch as the company grows. SentinelOne has never made an acquisition to date, but it’s hard to ignore that, as the company expands its products and features, it might tap into the wider market to bring other kinds of technology into its stack.

“There are definitely a lot of security companies out there,” Weingarten noted. “Those that serve a very specific market are the targets for consolidation.”

 



Better know a CSO: Dropbox head of security Justin Berman

19:26 | 14 February

Justin Berman has one of the most important jobs at Dropbox.

As head of security, he oversees the company’s cybersecurity strategy, its defenses and works daily to keep its more than 600 million users’ data private and secure.

No pressure, then.

Berman joined the file storage and workspace giant a year ago during a period of transition for the company. During its early years, Dropbox was hit by a data breach that saw more than 60 million user passwords stolen, at a time when tech giants were entrenched in a “move fast and break things” culture. But things have changed, particularly at Dropbox, which made good on its promise to improve the company’s security and also went far beyond what any Silicon Valley company had done before to better protect security researchers.

In this series, we’ll look at the role of the CSO — the chief security officer — at some of the biggest companies in tech to better understand the role, what it means to keep an organization secure without hindering growth and what advice startups can learn from some of the most experienced security professionals in the industry.

We start with Berman, who discussed in a recent interview what drew him to the company, what it means to be a security chief and what other companies can learn from Dropbox’s groundbreaking security policies.

This interview has been edited for length and clarity.

TechCrunch: You’ve been at Dropbox since June. Before this you were at Zenefits, Flatiron Health and Bridgewater. What brought you to Dropbox?

Justin Berman: First and foremost, I think the people here are amazing. And I think the problems I get to solve here are not the ones that a lot of security leaders find themselves solving. Because the company has had a historical commitment to security, privacy, and trust and risk, I’m not coming in and having to boot the culture of security from the ground up. That culture already exists. And the question we ask ourselves is how do we use that culture to do the right level of things as opposed to just doing as much as possible where you might slow down the business?

 



Develop a serious cybersecurity strategic plan that incorporates CCM

22:52 | 10 February

Robert R. Ackerman Jr. Contributor
Robert R. Ackerman Jr. is the founder and managing director of AllegisCyber, a venture capital firm specializing in cybersecurity, and the co-founder and executive at DataTribe, a cybersecurity startup foundry which focuses on launching startups based on cyber domain expertise from the intelligence community and national laboratories.

It’s a new year and corporate concerns about cybersecurity risk are high. Which means top executives at Fortune 500 companies will do what they always do — spend big on security technology. Global cybersecurity spending is on a path to exceed $1 trillion cumulatively over the five-year period from 2017 to 2021.

But increasing budgets each year with little strategic forethought is a corporate failing. Further, the lack of proactive monitoring of a company's cyber risk profile almost ensures gaps and vulnerabilities that hackers will exploit.

Corporations that don’t formulate a thorough cybersecurity plan and monitor its implementation will encounter more breaches and increasingly become mired in scuttled M&A opportunities. Market research firm Gartner says that 60% of organizations engaging in M&A activity are already weighing a target’s cybersecurity track record, posture and strategy as a key factor in their due diligence. A company that has been hacked is a less attractive acquisition target — hardly a minor point, given that M&A activity globally, led by the U.S., has set records in recent years and is widely expected to maintain or exceed this level going forward.

The most highly publicized example of an M&A-related cybersecurity headache was Verizon’s discovery of a prior data breach at Yahoo a couple of years ago, after formulating an acquisition agreement. The discovery almost killed the deal and ultimately resulted in a $350 million reduction in Verizon’s purchase price.

Enterprises must step up to the plate once and for all and develop meaningful metrics to assess the quality of their cybersecurity protection and monitor its completeness and effectiveness. And the best way to do this is to begin taking steps to incorporate continuous controls monitoring (CCM).

 



Dumb things companies do with user security

20:30 | 4 February

After iterating on a few ideas, you’ve found something people are interested in. Users are signing up! You’ve got traction! People with money want to give you that money! Excellent.

In the rush to rapid growth, it can be easy to get caught up in what’s next, like the next new layout, feature launch or product release — the next thing that will make users happy.

Equally important to keep in mind — really, more important — is what makes users mad: getting hacked.

It’s advice we’ve heard from just about every security expert who has ever been onstage at Disrupt: Take security seriously from the start. As soon as anyone cares about your company, it’s a target, and the bigger you get, the bigger that target becomes. The more users you acquire, the more valuable your database becomes. Adding features and pushing code creates more things for hackers to poke at.

Last week, we took a look at some things you can do to help keep your employees from getting hacked. This week, we’re looking at some of what you can do to keep your users safe. It’s by no means exhaustive — but for growing teams, it’s the sort of stuff you need to have in the back of your brain, always.

 



Red teams OK to push ethical limits but not on themselves, study says

23:16 | 2 February

Wake up, make breakfast, get the kids to school, drive to work, break into the chief financial officer’s inbox and steal the entire company’s employee tax records. Maybe later you’ll grab a bagel from across the street.

For “red teams” — or offensive security researchers — it’s just another day at work.

These offensive security teams are made up of skilled hackers who are authorized to find vulnerabilities not only in a company’s systems and networks but also in its employees. By hacking a company from within, the company can better understand where it needs to shore up its defenses to help prevent a real future attack. But social engineering, where hackers manipulate their targets, can have serious consequences for the people targeted. Although red team engagements are authorized and legal, the ethics of certain attacks and efforts can go unconsidered.

Newly released research looks at the ethics involved in offensive security engagements. Is it ethically acceptable to send phishing emails, bribe a receptionist, or plant compromising documents on a person’s computer if it means preventing a breach down the line?

The findings showed that security professionals, like red teamers and incident responders, were more likely to find it ethically acceptable to conduct certain kinds of hacking activities on other people than they are with having those activities run against themselves.

The research — a survey of over 500 people working in both security and non-security positions, presented for the first time at Shmoocon 2020 in Washington DC this week — found that non-security professionals, such as employees working in legal, human resources, or at the reception desk, are nine times more likely to object to receiving a phishing email as part of a red team engagement than security professionals, such as red teamers or incident responders.

It is hoped the findings will help start a discussion about the effects of a red team’s engagement on a company’s morale during an internal penetration test, and help companies to help understand the limits of a red team’s rules of engagement.

“When red teamers are forced to confront the fact that their targets are just like themselves, their attitude about what it’s OK to do to another person about testing security on other people changes dramatically after they confront the fact that it could happen to them,” said Tarah Wheeler, a cybersecurity policy fellow at New America and co-author of the research.

The survey asked about a range of potential tactics in offensive security testing, such as phishing, bribery, threats, and impersonation. The respondents were randomly assigned one of two surveys containing all the same questions, except one asked if it was acceptable to conduct the activity and the other asked if it was acceptable if it happened to them.

The findings showed that security professionals were as much as four times more likely to object when certain tactics, such as phishing emails and planting compromising documents, were used against them rather than by them.

“Humans are bad at being objective,” said Wheeler.

The findings come at a time where red teams are increasingly making headlines for their activities as part of engagements. Just this week, two offensive security researchers at Coalfire had charges dropped against them for breaking into an Iowa courthouse as part of a red team engagement. The researchers were tasked and authorized by Iowa’s judicial arm to find vulnerabilities in its buildings and computer networks in an effort to improve its security. But the local sheriff caught the pair and objected to their activities, despite presenting a “get out of jail free” letter detailing the authorized engagement. The case gave a rare glimpse into the world of security penetration testing and red teaming, even if the arrests were universally panned by the security community.

The survey also found that security professionals in different parts of the world were more averse to certain activities than others. Security professionals in Central and South America, for example, object more to planting compromising documents whereas those in the Middle East and Africa object more to bribes and threats.

The authors of the research said that the takeaways are not that red teams should avoid certain offensive security practices but to be aware of the impact they can have on the targets, often which include their corporate colleagues.

“When you’re setting up a red team and scoping your targets, consider the impact on your co-workers and clients,” said Roy Iversen, director of security engineering and operations at Fortalice Solutions, who also co-authored the research. Iversen said the findings may also help companies decide if they want an outside red team to carry out an engagement to minimize any internal conflict between a company’s internal red team and the wider staff.

The researchers plan to expand their work over the next year to improve their overall survey count and to better understand the demographics of their respondents to help refine the findings.

“It’s an ongoing project,” said Wheeler.

 



Ring’s new security ‘control center’ isn’t nearly enough

23:17 | 30 January

On the same day that a Mississippi family is suing Amazon-owned smart camera maker Ring for not doing enough to prevent hackers from spying on their kids, the company has rolled out its previously announced “control center,” which it hopes will make you forget about its verifiably “awful” security practices.

In a blog post out Thursday, Ring said the new “control center,” “empowers” customers to manage their security and privacy settings.

Ring users can check to see if they’ve enabled two-factor authentication, add and remove users from the account, see which third-party services can access their Ring cameras, and opt-out of allowing police to access their video recordings without the user’s consent.

But dig deeper and Ring’s latest changes still do practically nothing to change some of its most basic, yet highly criticized security practices.

Questions were raised over these practices months ago after hackers were caught breaking into Ring cameras and remotely watching and speaking to small children. The hackers were using previously compromised email addresses and passwords — a technique known as credential stuffing — to break into the accounts. Some of those credentials, many of which were simple and easy to guess, were later published on the dark web.

Yet, Ring still has not done anything to mitigate this most basic security problem.

TechCrunch ran several passwords through Ring’s sign-up page and found we could enter any easy-to-guess password, like “12345678” and “password,” which have consistently ranked among the most common passwords for several years running.

To combat the problem, Ring said at the time that users should enable two-factor authentication, a security feature that adds an additional check to blunt account takeovers such as credential stuffing and password spraying, where hackers try a short list of common passwords against many accounts rather than many passwords against one.

But Ring still uses a weak form of two-factor, sending you a code by text message. Text messages are not secure and can be compromised through interception and SIM swapping attacks. Even NIST, the government’s technology standards body, classes SMS-delivered codes as a “restricted” authenticator in its digital identity guidelines. Experts say that although text-based two-factor is better than not using it at all, it’s far less secure than app-based two-factor, where the code is generated on the phone from a secret shared once at enrollment, or a prompt is pushed to the app over an encrypted connection, so nothing travels over the phone network.

Ring said it’ll make its two-factor authentication feature mandatory later this year, but has yet to say if it will ever support app-based two-factor authentication in the future.

The smart camera maker has also faced criticism for its cozy relationship with law enforcement, which has lawmakers concerned and demanding answers.

Ring allows police access to users’ videos without a subpoena or a warrant. (Unlike its parent company Amazon, Ring still does not publish the number of times police demand access to customer videos, with or without a legal request.)

Ring now says its control center will allow users to decide if police can access their videos or not.

But don’t be fooled by Ring’s promise that police “cannot see your video recordings unless you explicitly choose to share them by responding to a specific video request.” Police can still get a search warrant or a court order to obtain your videos, which isn’t particularly difficult if they can show reasonable grounds to believe the footage contains evidence of a crime.

There’s nothing stopping Ring, or any other smart home maker, from offering a zero-knowledge approach to customer data, where only the user has the encryption keys to access their data. Ring cutting itself (and everyone else) out of the loop would be the only meaningful thing it could do if it truly cares about its users’ security and privacy. The company would have to decide if the trade-off is worth it — true privacy for its users versus losing out on access to user data, which would effectively kill its ongoing cooperation with police departments.

Ring says that security and privacy has “always been our top priority.” But if it’s not willing to work on the basics, its words are little more than empty promises.

 



The US government should stop demanding tech companies compromise on encryption

01:12 | 16 January

In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S. sailors in an attack on a Florida base in December.

It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.

The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.

 



Google finally brings its security key feature to iPhones

17:00 | 15 January

More than half a year after Google said Android phones could be used as a security key, the feature is coming to iPhones.

Google said it’ll bring the feature to iPhones in an effort to give at-risk users, like journalists and politicians, access to additional account and security safeguards, effectively removing the need to use a physical security key like a Yubico YubiKey or a Google Titan key.

Two-factor authentication remains one of the best ways to protect online accounts. Typically it works by sending a code or a notification to your phone. By acting as an additional layer of security, it makes it far more difficult for even the most sophisticated and well-resourced attackers to break in. Hardware keys are stronger still: Google’s own data shows that security keys stop account takeover attempts more reliably than other second factors, like a text message sent to your phone.

Google said it was bringing the technology to iPhones as part of an effort to give at-risk groups greater access to tools that secure their accounts, particularly in the run-up to the 2020 presidential election, where foreign interference remains a concern.

 


