How much is your palm print worth? If you ask Amazon, it’s about $10 in promotional credit if you enroll your palm prints in its checkout-free stores and link it to your Amazon account.
Last year, Amazon introduced its new biometric palm print scanners, Amazon One, so customers can pay for goods in some stores by waving their palm prints over one of these scanners. By February, the company expanded its palm scanners to other Amazon grocery, book and 4-star stores across Seattle.
Amazon has since expanded its biometric scanning technology to its stores across the U.S., including New York, New Jersey, Maryland and Texas.
The retail and cloud giant says its palm scanning hardware “captures the minute characteristics of your palm — both surface-area details like lines and ridges as well as subcutaneous features such as vein patterns — to create your palm signature,” which is then stored in the cloud and used to confirm your identity when you’re in one of its stores.
Amazon’s latest promotion: $10 promotional credit in exchange for your palm print. (Image: Amazon)
What’s Amazon doing with this data exactly? Your palm print on its own might not do much — though Amazon says it uses an unspecified “subset” of anonymous palm data to improve the technology. But by linking it to your Amazon account, Amazon can use the data it collects, like shopping history, to target ads, offers and recommendations to you over time.
Amazon also says it stores palm data indefinitely, unless you choose to delete the data once there are no outstanding transactions left, or if you don’t use the feature for two years.
While the idea of contactlessly scanning your palm print to pay for goods during a pandemic might seem like a novel idea, it’s one to be met with caution and skepticism given Amazon’s past efforts in developing biometric technology. Amazon’s controversial facial recognition technology, which it historically sold to police and law enforcement, was the subject of lawsuits that allege the company violated state laws that bar the use of personal biometric data without permission.
“The dystopian future of science fiction is now. It’s horrifying that Amazon is asking people to sell their bodies, but it’s even worse that people are doing it for such a low price,” said Albert Fox Cahn, the executive director of the New York-based Surveillance Technology Oversight Project, in an email to TechCrunch.
“Biometric data is one of the only ways that companies and governments can track us permanently. You can change your name, you can change your Social Security number, but you can’t change your palm print. The more we normalize these tactics, the harder they will be to escape. If we don’t [draw a] line in the sand here, I am very fearful what our future will look like,” said Cahn.
When reached, an Amazon spokesperson declined to comment.
Zoom has agreed to pay $85 million to settle a lawsuit that accused the video conferencing giant of violating users’ privacy by sharing their data with third parties without permission and enabling “Zoombombing” incidents.
Zoombombing, a term coined by TechCrunch last year as its usage exploded because of the pandemic, describes unapproved attendees entering and disrupting Zoom calls by sharing offensive imagery, using backgrounds to spread hateful messages, or spouting slurs and profanities.
The lawsuit, filed in March 2020 in the U.S. District Court in the Northern District of California, also accused the firm of sharing personal user data with third parties, including Facebook, Google and LinkedIn.
In addition to agreeing to an $85 million settlement, which could see customers receive a refund of either 15% of their subscription or $25 if the lawsuit achieves class-action status, Zoom has said it will take additional steps to prevent intruders from gatecrashing meetings. This will include alerting users when meeting hosts or other participants use third-party apps in meetings and offering specialized training to employees on privacy and data handling.
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” Zoom said in a statement. “We are proud of the advancements we have made to our platform, and look forward to continuing to innovate with privacy and security at the forefront.”
The settlement requires approval from US District Judge Lucy Koh in San Jose, California, to be finalized.
Columbus, Ohio-based Finite State, a startup that provides supply chain security for connected devices and critical infrastructure, has raised $30M in Series B funding.
The funding lands amid increased focus on the less-secure elements in an organization’s supply chain, such as Internet of Things devices and embedded systems. The problem, Finite State says, is largely fueled by device firmware, the foundational software that often includes components sourced from third-party vendors or open-source software. This means if a security flaw is baked into the finished product, it’s often without the device manufacturers’ knowledge.
“Cyber attackers see firmware as a weak link to gain unauthorized access to critical systems and infrastructure,” Matt Wyckhouse, CEO of Finite State, tells TechCrunch. “The number of known cyberattacks targeting firmware has quintupled in just the last four years.”
The Finite State platform brings visibility to the supply chains that create connected devices and embedded systems. After unpacking and analyzing every file and configuration in a firmware build, the platform generates a complete bill of materials for software components, identifies known and possible zero-day vulnerabilities, shows a contextual risk score, and provides actionable insights that product teams can use to secure their software.
“By looking at every piece of their supply chain and every detail of their firmware — something no other product on the market offers — we enable manufacturers to ship more secure products, so that users can trust their connected devices more,” Wyckhouse says.
The company’s latest funding round was led by Energize Ventures, with participation from Schneider Electric Ventures and Merlin Ventures, and comes a year after Finite State raised a $12.5 million Series A round. It brings the total amount of funds raised by the firm to just shy of $50 million.
The startup says it plans to use the funds to scale to meet the demands of the market. It plans to increase its headcount too; Finite State currently has 50 employees, a figure that’s expected to grow to more than 80 by the end of 2021.
“We also want to use this fundraising round to help us get out the message: firmware isn’t safe unless it’s safe by design,” Wyckhouse added. “It’s not enough to analyze the code your engineers built when other parts of your supply chain could expose you to major security issues.”
Finite State was founded in 2017 by Matt Wyckhouse, founder and former CTO of Battelle’s Cyber Business Unit. The company showcased its capabilities in June 2019, when its widely-cited Huawei Supply Chain Assessment revealed numerous backdoors and major security vulnerabilities in the Chinese technology company’s networking devices that could be used in 5G networks.
Nozomi Networks, an industrial cybersecurity startup that aims to shield critical infrastructure from cyberattacks, has raised $100 million in pre-IPO funding.
The Series D funding round was led by Triangle Peak Partners, and also includes investment from a number of equipment, security, service provider and go-to-market companies including Honeywell Ventures, Keysight Technologies and Porsche Digital.
This funding comes at a critical time for the company. Cyberattacks on industrial control systems (ICS) — the devices necessary for the continued running of power plants, water supplies, and other critical infrastructure — increased both in frequency and severity during the pandemic. Look no further than May and June, which saw ransomware attacks target the IT networks of Colonial Pipeline and meat manufacturing giant JBS, forcing the companies to shut down their industrial operations.
Nozomi Networks, which competes with Dragos and Claroty, claims its industrial cybersecurity solution, which works to secure ICS devices by detecting threats before they hit, aims to prevent such attacks from happening. It provides real-time visibility to help organizations manage cyber risk and improve resilience for industrial operations.
The technology currently supports more than a quarter of a million devices in sectors such as critical infrastructure, energy, manufacturing, mining, transportation, and utilities, with Nozomi Networks doubling its customer base in 2020 and seeing a 5,000% increase in the number of devices its solutions monitor.
The company will use its latest investment, which comes less than two years after it secured $30 million in Series C funding, to scale product development efforts as well as its go-to-market approach globally.
Specifically, Nozomi Networks said it plans to grow its sales, marketing, and partner enablement efforts, and upgrade its products to address new challenges in both the OT and IoT visibility and security markets.
Luxembourg’s National Commission for Data Protection (CNPD) has hit Amazon with a record-breaking €746 million ($887m) GDPR fine over the way it uses customer data for targeted advertising purposes.
Amazon disclosed the ruling in an SEC filing on Friday in which it slammed the decision as baseless and added that it intended to defend itself “vigorously in this matter.”
“Maintaining the security of our customers’ information and their trust are top priorities,” an Amazon spokesperson said in a statement. “There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.
“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”
The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that claims to represent the interests of thousands of Europeans to ensure their data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes. The complaint, which also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers, alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.
La Quadrature du Net welcomed the fine issued by the CNPD, which “comes after three years of silence that made us fear the worst.”
“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” the group added in a blog post published on Friday.
The CNPD has also ruled that Amazon must commit to changing its business practices. However, the regulator has not publicly commented on its decision, and Amazon didn’t specify what revised business practices it is proposing.
The record penalty, which trumps the €50 million GDPR penalty levied against Google in 2019, comes amid heightened scrutiny of Amazon’s business in Europe. In November last year, the European Commission announced formal antitrust charges against the company, saying the retailer has misused its position to compete against third-party businesses using its platform. At the same time, the Commission opened a second investigation into its alleged preferential treatment of its own products on its site and those of its partners.
DevOps is fundamentally about collaboration and agility. Unfortunately, when we add security and compliance to the picture, the message gets distorted.
The term “DevSecOps” has come into fashion the past few years with the intention of seamlessly integrating security and compliance into the DevOps framework. However, the reality is far from the ideal: Security tools have been bolted onto the existing DevOps process along with new layers of automation, and everyone’s calling it “DevSecOps.” This is a misguided approach that fails to embrace the principles of collaboration and agility.
Integrating security into DevOps to deliver DevSecOps demands changed mindsets, processes and technologies. Security and risk management leaders must adhere to the collaborative, agile nature of DevOps for security testing to be seamless in development, making the “Sec” in DevSecOps transparent. — Neil MacDonald, Gartner
In an ideal world, all developers would be trained and experienced in secure coding practices from front end to back end and be skilled in preventing everything from SQL injection to authorization framework exploits. Developers would also have all the information they need to make security-related decisions early in the design phase.
If a developer is working on a type of security control they haven’t worked on before, an organization should provide the appropriate training before there is a security issue.
Once again, the reality falls short of the ideal. While CI/CD automation has given developers ownership over the deployment of their code, those developers are still hampered by a lack of visibility into relevant information that would help them make better decisions before even sitting down to write code.
The entire concept of discovering and remediating vulnerabilities earlier in the development process is already, in some ways, out of date. A better approach is to provide developers with the information and training they need to prevent potential risks from becoming vulnerabilities in the first place.
Consider a developer that is assigned to add PII fields to an internet-facing API. The authorization controls in the cloud API gateway are critical to the security of the new feature. “Shifting left and extending right” doesn’t mean that a scanning tool or security architect should detect a security risk earlier in the process — it means that a developer should have all the context to prevent the vulnerability before it even happens. Continuous feedback is key to up-leveling the security knowledge of developers by orders of magnitude.
Anomaly detection is one of the more difficult and underserved operational areas in the asset-servicing sector of financial institutions. Broadly speaking, a true anomaly is one that deviates from the norm of the expected or the familiar. Anomalies can be the result of incompetence, maliciousness, system errors, accidents or the product of shifts in the underlying structure of day-to-day processes.
For the financial services industry, detecting anomalies is critical, as they may be indicative of illegal activities such as fraud, identity theft, network intrusion, account takeover or money laundering, which may result in undesired outcomes for both the institution and the individual.
There are different ways to address the challenge of anomaly detection, including supervised and unsupervised learning.
Detecting outlier data, or anomalies, according to historic data patterns and trends can enrich a financial institution’s operational team by increasing their understanding and preparedness.
Anomaly detection presents a unique challenge for a variety of reasons. First and foremost, the financial services industry has seen an increase in the volume and complexity of data in recent years. In addition, a large emphasis has been placed on the quality of data, turning it into a way to measure the health of an institution.
To make matters more complicated, anomaly detection requires the prediction of something that has not been seen before or prepared for. The increase in data and the fact that it is constantly changing exacerbates the challenge further.
Over the years, I’ve had a front-row seat to the future of technology.
In my role at Y Combinator as director of admissions, I saw hundreds of startup pitches. Many shared a particular attribute: They followed the path of quickly growing users and monetizing the data extracted from the user.
As time went on, I began to see the full picture of what our technologies were creating: A “Minority Report” world where our every move is tracked and monetized. Some companies, like Facebook, lived by the mantra “move fast, break things.” Not only did they break things, they failed us by propagating disinformation and propaganda that, ultimately, cost some people their lives.
And that happened because of a growth-at-all-costs mindset. Some of the biggest consumer-facing Silicon Valley companies in the 21st century flourished by using data to sell ads with little or no consideration for user privacy or security. We have some of the brightest minds in technology; if we really wanted to, we could change things so that, at the very least, people wouldn’t have to worry about privacy and the security of their information.
We could move toward a model where people have more control over their own data and where Silicon Valley explores innovations in privacy and data security. While there are multiple long-term approaches and potential new business models to explore, there are ways to approach a privacy-first mindset in the near term. Here are a couple of ways to start moving toward a future in which people can have control over their data.
We need to approach technology by consciously designing a future where technology works for humans, businesses and society in a secure and ethical way.
Approaching technological growth without understanding or considering the consequences has eroded trust in Silicon Valley. We must do better — and we can start in the workplace by better protecting personal data through self-sovereign identity, an approach that gives people control and ownership over their digital identity.
Using the workplace as a starting point for better privacy and security of people’s digital identities makes sense because many technologies that have been widely adopted — think personal computers, the internet, mobile phones and email — started out in the workplace before they became household technologies, thereby inheriting the foundational principles. With a return to office life on the horizon, there’s no better time than now to reexamine how we might adopt new practices in our workplaces.
So how would employers do this? For starters, they can use the return to office as an impetus for contactless access and digital IDs, which protect against physical and digital data breaches, the latter of which are becoming more common.
Employees could enter offices through their digital IDs, or tokenized IDs, which are stored securely on their phones. They will no longer need to use plastic cards with their personal information and photo imprinted on them, which are easy to fake or duplicate, improving security for both the employer and employee.
Contactless access isn’t a big leap nowadays, either. The pandemic primed us for digital identification — because the use of contactless payment accelerated due to COVID, the change to contactless ID will be seamless for many.
Tokenized identification puts the power in the user’s hands. This is crucial not just for workplace access and identity, but for a host of other, even more important reasons. Tokenized digital IDs are encrypted and can only be used once, making it nearly impossible for anyone to view the data included in the digital ID should the system be breached. It’s like Signal, but for your digital IDs.
As even more sophisticated technologies roll out, more personal data will be produced (and that means more data is vulnerable). It’s not just our driver’s licenses, credit cards or Social Security numbers we must worry about. Our biometrics and personal health-related data, like our medical records, are increasingly online and accessed for verification purposes. Encrypted digital IDs are incredibly important because of the prevalence of hacking and identity theft. Without tokenized digital IDs, we are all vulnerable.
We saw what happened with the Colonial Pipeline ransomware attack recently. It crippled a large portion of the U.S. pipeline system for weeks, showing that critical parts of our infrastructure are extremely vulnerable to breaches.
Ultimately, we need to think about making technology that serves humanity, not vice versa. We also need to ask ourselves if the technology we create is beneficial not just to the user, but to society in general. One way to build technology that better serves humanity is to ensure that it protects users and their values. Self-sovereign identity will be key in our future as other technologies arise. Among other things, we will see our digital wallets house far more than just credit cards, making the need for secure digital IDs more critical. Most importantly, people and companies just need control over their own data, period.
Given the broader general awareness of privacy and security in recent years, employers must take the threat of personal-data vulnerability seriously and lead the way in self-sovereign identity. Through the initial step of contactless access and digital IDs in the workplace, we can begin to inch closer toward a more secure future, at least in terms of our own data and identity.
A large chunk of the internet dropped offline on Thursday. Some of the most popular sites, apps and services on the internet were down, including UPS and FedEx (which have since come back online), Airbnb and Fidelity; others are reporting that Steam, LastPass and the PlayStation Network are all experiencing downtime.
Many other websites around the world are also affected, including media outlets in Europe.
What appears to be the cause is an outage at Akamai, an internet security giant that provides networking and content delivery services to companies. At around 11am ET, Akamai reported an issue with its Edge DNS, a service that’s designed to keep websites, apps and services running smoothly and securely.
DNS services are critically important to how the internet works, so when things go wrong or there’s an outage, it can cause a knock-on effect to all of the customer websites and services that rely on it.
Akamai said it was “actively investigating the issue,” but when reached a spokesperson would not say if its outage was the cause of the disruption to other sites and services that are currently offline. Akamai would not say what caused the issue but that it was already in recovery.
“We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations. We will continue to monitor to ensure that the impact has been fully mitigated,” Akamai told TechCrunch.
It’s not the first time we’ve seen an outage this big. Last year Cloudflare, which also provides networking services to companies around the world, had a similar outage following a bug that caused major sites to stop loading, including Shopify, Discord and Politico. In November, Amazon’s cloud service also stumbled, which prevented it updating its own status page during the downtime. Online workspace startup Notion also had a high-profile outage this year, forcing the company to turn to Twitter to ask for help.
Thoma Bravo-owned Sophos has announced it’s acquiring Braintrace, a cybersecurity startup that provides organizations visibility into suspicious network traffic patterns. Terms of the deal were not disclosed.
Braintrace, which was founded in 2016 and has raised $10 million in funding, has developed a network detection and response (NDR) solution that helps organizations to easily inspect network traffic to identify and filter out suspicious activity. It does this using remote network packet capture (RNCAP) technology, which provides visibility into network traffic patterns, including encrypted traffic, without the need for man-in-the-middle decryption. It also provides visibility into cloud network traffic, a task that typically needs to be carried out on-site, and supports all of the major cloud providers including AWS and Microsoft Azure.
The deal will see Sophos integrate Braintrace’s NDR technology into its own adaptive cybersecurity ecosystem, which underpins all of its security products and services. The technology will also help Sophos collect data from firewalls, proxies and VPNs, allowing it to look for network traffic that contains instructions for malware like TrickBot, and attackers that misuse Cobalt Strike, as well as pre-empting other malicious traffic that might lead to ransomware attacks.
Braintrace’s developers, data scientists and security analysts have joined Sophos’ global managed threat response (MTR) and rapid response teams as part of the deal.
Commenting on the deal, which Sophos claims will make it one of the largest and fastest-growing managed detection and response (MDR) providers, the company’s CEO Joe Levy said: “We’re excited that Braintrace built this technology specifically to provide better security outcomes to their MDR customers. It’s hard to beat the effectiveness of solutions built by teams of skilled practitioners and developers to solve real-world cybersecurity problems.”
Bret Laughlin, co-founder and CEO of Braintrace, added: “We built Braintrace’s NDR technology from the ground up for detection and now, with Sophos, it will fit into a complete system to provide cross-product detection and response across a multi-vendor ecosystem.”
The deal comes a little over a year after Thoma Bravo completed its $3.9 billion takeover of Sophos, and sees the private equity firm further increasing its reach in the cybersecurity space. It acquired security vendor Proofpoint for $12.3 billion back in April, and recently led a $225 million funding round in zero trust unicorn Illumio.
The deal, the terms of which were not disclosed, is the latest cybersecurity acquisition by Microsoft, which just last week announced that it’s buying threat intelligence startup RiskIQ. The firm also recently acquired IoT security startups CyberX and Refirm Labs as it moved to beef up its security portfolio. Security is big business for Microsoft, which made more than $10 billion in security-related revenue in 2020 — a 40% increase from the year prior.
CloudKnox, which was founded in 2015 and emerged from stealth two years later, helps organizations to enforce least-privilege principles to reduce risk and help prevent security breaches. The startup had raised $22.8 million prior to the acquisition, with backing from ClearSky, Sorenson Ventures, Dell Technologies Capital, and Foundation Capital.
The company’s activity-based authorization service will equip Azure Active Directory customers with “granular visibility, continuous monitoring and automated remediation for hybrid and multi-cloud permissions,” according to a blog post by Joy Chik, corporate vice president of identity at Microsoft.
Chik said that while organizations were reaping the benefits of cloud adoption, particularly as they embrace flexible working models, they often struggled to assess, prevent and enforce privileged access across hybrid and multi-cloud environments.
“CloudKnox offers complete visibility into privileged access,” Chik said. “It helps organizations right-size permissions and consistently enforce least-privilege principles to reduce risk, and it employs continuous analytics to help prevent security breaches and ensure compliance. This strengthens our comprehensive approach to cloud security.”
In addition to Azure Active Directory, Microsoft also plans to integrate CloudKnox with its other cloud security services including 365 Defender, Azure Defender, and Azure Sentinel.
Commenting on the deal, Balaji Parimi, CloudKnox founder and CEO, said: “By joining Microsoft, we can unlock new synergies and make it easier for our mutual customers to protect their multi-cloud and hybrid environments and strengthen their security posture.”
Magic, a San Francisco-based startup that builds “plug and play” passwordless authentication technology, has raised $27 million in Series A funding.
The round, led by Northzone and with participation from Tiger Global, Volt Capital, Digital Currency Group and CoinFund, comes just over a year after Magic launched from stealth, rebranding from its previous name Formatic.
The company, like many others, is on a mission to end traditional password-based authentication. Magic’s flagship SDK, which launched in April 2020, enables developers to implement a variety of passwordless authentication methods with just a few lines of code and integrates with a number of modern frameworks and infrastructures.
Not only does the SDK make it easier for companies and developers to implement passwordless auth methods in their applications, but it could also help to mitigate the expensive fallout that many have to deal with as a result of data breaches.
“This is why the password is so dangerous,” Sean Li, Magic co-founder and CEO tells TechCrunch. “It’s like a Jenga tower right now — a hacker breaching your system can download an entire database of encrypted passwords, and then easily crack them. It’s a huge central point of failure.”
The company recently built out its SDK to add support for WebAuthn, which means it can support hardware-based authentication keys like Yubico, as well as biometric-based Face ID and fingerprint logins on mobile devices.
“It’s less mainstream right now, but we’re making it super simple for developers,” says Li. “This way we can help promote new technologies, and that’s really good for user security and privacy.”
It’s a bet that seems to be working: Magic has recorded a 13% month-over-month increase in developer signups, and the number of identities secured is growing at a rate of 6% weekly, according to Magic. It has also secured a number of big-name customers, from crypto news publisher Decrypt to fundraising platform Fairmint.
Wendy Xiao Schadeck, a partner at Northzone said: “We couldn’t be more excited to support Sean and the Magic team as they redefine authentication for the internet from the bottom up, solving a core pain point for developers, users, and companies.
“It was clear to us that they’re absolutely loved by their customers because the team is so obsessed with serving every single part of the developer journey across several communities. What’s potentially even more exciting is what they will be able to do to empower users and decentralize the identity layer of the web.”
The company now plans to continue to scale its platform and expand its team to meet what Magic describes as “soaring” demand. The startup, which currently has 30 employees that work remotely on a full-time basis, expects to at least double its headcount across all core functions, including product, engineering, design, marketing, finance, people and operations.
It’s also planning to build out the SDK even further; Li says he wants to be able to plug into more kinds of technology, from low-code applications to workflow automations.
“The vision is much bigger than that. We want to be the passport of the internet,” Li adds.
Founded in 2012, Safe Security — formerly known as Lucideus — helps organizations to measure and mitigate enterprise-wide cyber risk using its security assessment framework for enterprises (SAFE) platform. The service, which is used by a number of companies including Facebook, Softbank and Xiaomi, helps businesses understand their likelihood of suffering a major cyberattack, calculates a financial cost to customers’ risks and provides actionable insight on the steps that can be taken to address them.
This funding round saw participation from Safe Security’s existing investors, including former Cisco chairman and chief executive John Chambers, and brings the total amount raised by Safe Security to $49.2 million.
BT said the investment, which is its first major third-party investment in cybersecurity since 2006, reflected its plans to grow rapidly in the sector. Philip Jansen, BT CEO, said: “Cybersecurity is now at the top of the agenda for businesses and governments, who need to be able to trust that they’re protected against increasing levels of attack.
“Already one of the world’s leading providers in a highly fragmented security market, this investment is a clear sign of BT’s ambition to grow further.”
The startup’s co-founder and chief executive Saket Modi said he was “delighted” to be working with BT.
“By aligning BT’s global reach and capabilities with SAFE’s ability to provide real-time visibility on cyber risk posture, we are going to fundamentally change how security is measured and managed across the globe,” he said.
As part of the investment, which will see Safe Security double its engineering team by the end of the year, BT will combine the SAFE platform with its managed security services, and gain exclusive rights to use and sell SAFE to businesses and public sector bodies in the UK. BT will also work collaboratively with Safe Security to develop future products, according to an announcement from the company.
DNSFilter, as its name suggests, offers DNS-based web content filtering and threat protection. Unlike the majority of its competitors, which include the likes of Palo Alto Networks and Webroot, the startup uses proprietary AI technology to continuously scan billions of domains daily, identifying anomalies and potential vectors for malware, ransomware, phishing, and fraud.
“Most of our competitors either rent or lease a database from some third party,” Ken Carnesi, co-founder and CEO of DNSFilter tells TechCrunch. “We do that in-house, and it’s through artificial intelligence that’s scanning these pages in real-time.”
The company, which counts the likes of Lenovo, Newegg, and Nvidia among its 14,000 customers, claims this industry-first technology catches threats an average of five days before competitors and is capable of identifying 76% of domain-based threats. By the end of 2021, DNSFilter says it will block more than 1.1 million threats daily.
DNSFilter has seen rapid growth over the past 12 months as a result of the mass shift to remote working and the increase in cyber threats and ransomware attacks that followed. The startup saw eightfold growth in customer activity, doubled its global headcount to just over 50 employees, and partnered with Canadian software house N-Able to push into the lucrative channel market.
“DNSFilter’s rapid growth and efficient customer acquisition are a testament to the benefits and ease of use compared to incumbents,” said Thomas Krane, principal at Insight Partners, who has been appointed as a director on DNSFilter’s board. “The traditional model of top-down, hardware-centric network security is disappearing in favor of solutions that readily plug in at the device level and can cater to highly distributed workforces.”
Prior to this latest funding round, which was also backed by Arthur Ventures (the lead investor in DNSFilter’s seed round), CrowdStrike co-founder and former chief technology officer Dmitri Alperovitch also joined DNSFilter’s board of directors.
Carnesi said the addition of Alperovitch to the board will help the company get its technology into the hands of enterprise customers. “He’s helping us to shape the product to be a good fit for enterprise organizations, which is something that we’re doing as part of this round — shifting focus to be primarily mid-market and enterprise,” he said.
The company also recently added former CrowdStrike vice president Jen Ayers as its chief operating officer. “She used to manage their entire managed threat hunting team, so she’s definitely coming on for the security side of things as we build out our domain intelligence team further,” Carnesi said.
With its newly-raised funds, DNSFilter will further expand its headcount, with plans to add more than 80 new employees globally over the next 12 months.
“There’s a lot more that we can do for security via DNS, and we haven’t really started on that yet,” Carnesi said. “We plan to do things that people won’t believe were possible via DNS.”
The company, which acquired Web Shrinker in 2018, also expects there to be more acquisitions on the cards going forward. “There are some potential companies that we’d be looking to acquire to speed up our advancement in certain areas,” Carnesi said.
Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.
A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism non-profit Forbidden Stories and Amnesty International, and shared with the reporting consortium, including the Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.
The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or over a thousand.
NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.
Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.
Amnesty’s researchers showed their working by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes Pegasus easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and check it for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.
The Terminal output from the MVT toolkit, which scans iPhone and Android backup files for indicators of compromise. (Image: TechCrunch)
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about ten minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.
Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
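The domain-matching idea described above, as an added Python sketch that is not MVT’s code or part of the original article: it pulls links out of message text and checks each hostname, and each of its parent domains, against an indicator list. The indicator domains, sample messages and function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator domains (reserved TLDs), standing in for a published IOC list.
IOC_DOMAINS = {"tracker.invalid", "cdn-update.example"}

# Constructed sample messages, standing in for rows exported from a device backup.
MESSAGES = [
    {"id": 1, "body": "Your parcel is waiting: https://a7.cdn-update.example/p?id=9"},
    {"id": 2, "body": "Lunch at 1? Menu: http://example.org/menu"},
    {"id": 3, "body": "Log in at https://example.org@TRACKER.invalid:8443/x."},
    {"id": 4, "body": "Unrelated lookalike: http://nottracker.invalid/"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hosts_in_text(text):
    """Yield the normalised hostname of every http(s) link found in text."""
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)]")  # drop sentence punctuation glued to the link
        try:
            # .hostname ignores userinfo ("user@") and port, and lowercases the name
            host = urlsplit(url).hostname or ""
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        host = host.rstrip(".")  # "host.tld." and "host.tld" are the same name
        if host:
            yield host


def matched_indicator(host, indicators):
    """Return the indicator equal to host or to one of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # stop before the bare top-level label
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None  # a plain substring test would wrongly flag "nottracker.invalid"


def scan_messages(messages, indicators):
    """Return (message id, hostname, indicator) for every link that matches."""
    hits = []
    for msg in messages:
        for host in hosts_in_text(msg["body"]):
            indicator = matched_indicator(host, indicators)
            if indicator:
                hits.append((msg["id"], host, indicator))
    return hits


if __name__ == "__main__":
    for hit in scan_messages(MESSAGES, IOC_DOMAINS):
        print(hit)
```

Matching on whole labels rather than substrings is what keeps a lookalike such as message 4 from producing a false detection, while still catching subdomains and the userinfo trick in message 3.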
The toolkit is — as command line tools go — relatively simple to use, and because the project is open source, before long someone will surely build a user interface for it. The project’s detailed documentation will help you — as it did us.