
Signal now has built-in face blurring for photos

By Devin Coldewey

Apps like Signal are proving invaluable in these days of unrest, and anything we can do to simplify and secure the way we share sensitive information is welcome. To that end Signal has added the ability to blur faces in photos sent via the app, making it easy to protect someone’s identity without leaving any trace on other, less secure apps.

After noting Signal’s support of the protests occurring all over the world right now against police brutality, the company’s founder Moxie Marlinspike writes in a blog post that “We’ve also been working to figure out additional ways we can support everyone in the street right now. One immediate thing seems clear: 2020 is a pretty good year to cover your face.”

Fortunately there are perfectly good tools out there both to find faces in photographs and to blur imagery (presumably irreversibly, given Signal’s past attention to detail in these matters, but the company has not returned a request for comment). Put them together and boom, a new feature that lets you blur all the faces in a photo with a single tap.

This is helpful for the many users of Signal who use it to send sensitive information, including photos where someone might rather not be identifiable. Normally one would blur the face in another photo editor app, which is simple enough but not necessarily secure. Some editing apps, for instance, host computation-intensive processes on cloud infrastructure and may retain a copy of a photo being edited there — and who knows what their privacy or law enforcement policy may be?

If it’s sensitive at all, it’s better to keep everything on your phone and in apps you trust. And Signal is among the few apps trusted by the justifiably paranoid.

All face detection and blurring takes place on your phone, Marlinspike wrote. But he warned that the face detection isn’t 100 percent reliable, so be ready to manually draw or expand blur regions in case someone isn’t detected.

The new feature should appear in the latest versions of the app as soon as those are approved by Google and Apple.

Lastly, Marlinspike wrote that the company is planning on “distributing versatile face coverings to the community free of charge”; the picture shows a neck gaiter like those sold for warmth and face protection. Something to look forward to, then.

VMware acquires network security firm Lastline, said to lay off 40% of staff

By Zack Whittaker

VMware is acquiring network security firm Lastline, TechCrunch has learned.

Since its launch in 2012, Lastline raised about $52.2 million, according to Crunchbase. Investors include Thomvest Ventures, which led the company’s $28.5 million Series C round in 2017, Redpoint and e.ventures, which led the company’s 2013 funding round, as well as Barracuda Networks, NTT Finance and Dell Technologies Capital.

A source tells us that VMware will let go some 40 percent of Lastline’s employees — about 50 staffers — as part of the acquisition. We asked a Lastline spokesperson for comment prior to publication but did not hear back. A spokesperson for VMware also did not respond to a request for comment.

After we published, Lastline confirmed the acquisition in a blog post.

“By joining forces with VMware, we will be able to offer additional capabilities to our customers and bring to market comprehensive security solutions for the data center, branch office and remote and mobile users,” said Lastline’s chief executive John DiLullo.

Terms of the deal were not disclosed. The deal, subject to regulatory approvals, is expected to close by the end of July.

Lastline provides threat detection services that mostly focus on the network level, but they range from malware analysis to intrusion detection and network traffic analysis. The company prides itself on being a cloud-native platform and as such, it promises to secure cloud deployments and on-premises networks, as well as multi-cloud and hybrid environments.

Recently, support for cloud-native hybrid- and multi-cloud deployments has very much been a focus for VMware, which makes Lastline a pretty obvious fit for its overall strategy. This also marks VMware’s third security acquisition this year, after it picked up network analytics firm Nyansa in January and cloud-native security platform Octarine in May. VMware also acquired security firm Carbon Black in August 2019. The trend here is pretty obvious and VMware is obviously trying to position itself as the provider of choice for enterprises that are looking for cloud-native

The company was founded by Christopher Kruegel, Engin Kirda and Giovanni Vigna, a team of computer science professors from the University of California, Santa Barbara and Northeastern University.

News of the acquisition comes a week after VMware announced solid Q1 earnings of $386 million, or $0.92 a share. Revenues came in at $2.73 billion, up about 12% on the same period a year ago. VMware CEO Pat Gelsinger attributed the quarter to the shift to work-from-home sparked by the coronavirus pandemic.

VMware shares were down slightly at Thursday’s market close.

Updated to include Lastline’s blog post on the acquisition.

Google says Iranian, Chinese hackers targeted Trump, Biden campaigns

By Zack Whittaker

Google security researchers say they’ve identified efforts by at least two nation state-backed hackers against the Trump and Biden presidential campaigns.

Shane Huntley, director for Google’s Threat Analysis Group, said in a tweet that hackers backed by China and Iran recently targeted the campaigns using malicious phishing emails. But, Huntley said, there are “no signs of compromise” and that the campaigns were both alerted to the attempts.

Recently TAG saw China APT group targeting Biden campaign staff & Iran APT targeting Trump campaign staff with phishing. No sign of compromise. We sent users our govt attack warning and we referred to fed law enforcement. https://t.co/ozlRL4SwhG

— Shane Huntley (@ShaneHuntley) June 4, 2020

When reached by TechCrunch, a Google spokesperson reiterated the findings:

“We can confirm that our Threat Analysis Group recently saw phishing attempts from a Chinese group targeting the personal email accounts of Biden campaign staff and an Iranian group targeting the personal email accounts of Trump campaign staff. We didn’t see evidence that these attempts were successful. We sent the targeted users our standard government-backed attack warning and we referred this information to federal law enforcement. We encourage campaign staff to use extra protection for their work and personal emails, and we offer security resources such as our Advanced Protection Program and free security keys for qualifying campaigns.”

Spokespeople for the Biden and Trump campaigns did not immediately comment. We’ll update if we hear back.

Huntley said in a follow-up tweet that the hackers were identified as China’s APT31 and Iran’s APT35, both of which are known to target government officials. But it’s not the first time that the Trump campaign has been targeted by Iranian hackers. Microsoft last year blamed the APT35 group for targeting what later transpired to be the Trump campaign.

Since last year’s attempted attacks, both the Democrats and Republicans improved their cybersecurity at the campaign level. The Democrats recently updated their security checklist for campaigns and published recommendations for countering disinformation, and the Republicans have put on training sessions to better educate campaign officials.

A new Java-based ransomware targets Windows and Linux

By Zack Whittaker

Security researchers have discovered a new kind of ransomware that uses a little-known Java file format to make it more difficult to detect before it detonates its file-encrypting payload.

Consulting giant KPMG’s incident response unit was called in to run the recovery effort at an unnamed European educational institute hit by a ransomware attack. BlackBerry’s security research unit, which partners with KPMG, analyzed the malware and published its findings Thursday.

BlackBerry’s researchers said that a hacker broke into the institute’s network using a remote desktop server connected to the internet, and deployed a persistent backdoor in order to gain easy access to the network after leaving. After a few days of inactivity to prevent detection, the hacker re-entered the network through the backdoor, disabled any running anti-malware service, spread the ransomware module across the network, and detonated the payload, encrypting each computer’s files and holding them hostage for a ransom.

The researchers said it was the first time they’ve seen a ransomware module compiled into a Java image file format, or JIMAGE. These files contain all the components needed for the code to run — a bit like a Java application — but are rarely scanned by anti-malware engines and can go largely undetected.

BlackBerry named the ransomware “Tycoon,” referencing a folder name found in the decompiled code. The researchers said the module had code that allows the ransomware to run on both Windows and Linux computers.

Ransomware operators typically use strong, off-the-shelf encryption algorithms to scramble victims’ files in exchange for a ransom, often demanded in cryptocurrency. For most victims, their only options are to hope they have a backup or pay the ransom. (The FBI has long discouraged victims from paying the ransom.)

But the researchers said there was hope that some victims could recover their encrypted files without paying the ransom. Early versions of the Tycoon ransomware used the same encryption keys to scramble their victims’ files. That means one decryption tool could be used to recover files for multiple victims, the researchers said. But newer versions of Tycoon seem to have fixed this weakness.

BlackBerry’s Eric Milam and Claudiu Teodorescu told TechCrunch that they have observed about a dozen “highly targeted” Tycoon infections in the past six months, suggesting the hackers carefully select their victims, including educational institutions and software houses.

But, as is often the case, the researchers said that the actual number of infections is likely far higher.

Top cybersecurity VCs share how COVID-19 has changed investing

By Zack Whittaker

The coronavirus pandemic is, without doubt, the greatest challenge the world has faced in a generation. But the wheels of the world keep turning, albeit slower than during normal times.

But where the world has faced challenges, the cybersecurity industry remains largely unscathed. In fact, some cybersecurity businesses are doing better than ever because cybersecurity has emerged as one of the few constants we all need — even during a pandemic.

The vast majority of the global workforce is (or has been) working from home since the start of the lockdown, and the world had to quickly adjust. Tech companies pushed their technology and services to the cloud. Businesses had to shift from not just securing their office network but also preventing threats against their highly distributed employees working from their own homes. And, hackers are retooling their attacks to be coronavirus themed, making them far more likely to succeed.

All of these things — and more — need security. Or, as one investor told us: “Many of these trends were already underway, but COVID-19 is an accelerant.” That’s helped cybersecurity firms weather the storm of this pandemic.

We spoke to a dozen cybersecurity VCs to hear their thoughts on how COVID-19 has changed the investment landscape:

Here’s what they told us. (Answers have been edited for clarity.)

Ariel Tseitlin, Scale Venture Partners

Security budgets haven’t been affected nearly as much as broader IT spend. We continue to see existing portfolio companies raise follow-on financings, and we continue to meet with companies for new potential investments. The big change in my criteria for new investments is that a company must be able to continue growing in the current environment. We don’t know how long this downturn will last, so I don’t buy into the promise of “as soon as the economy recovers, growth will resume.”

Shardul Shah, Index Ventures

On Microsoft’s last earnings call, chief executive Satya Nadella said: “As COVID-19 impacts every aspect of our work and life, we have seen two years worth of digital transformation in two months.” This acceleration has actually created momentum for a number of cybersecurity businesses, which is why the best companies continue to draw significant interest from investors. I serve on the board of security firm Expel, which raised $50 million in the middle of this crisis.

Anti-phishing startup Inky raises $20M to ramp up enterprise adoption

By Zack Whittaker

Anti-phishing startup Inky has raised $20 million in its Series B round of funding, led by Insight Partners.

The funding will help the company push for greater enterprise adoption and expand to international markets including Europe, Asia and Latin America.

Inky started out a decade ago with a bold mission to reinvent email with its desktop app focused on helping users better organize and filter their inboxes. The company pivoted away from its email improvement efforts in 2018 to focus on its cloud-based anti-phishing technology. A year later, it raised $5.6 million in its Series A round.

This latest investment pushes the total amount Inky raised to $31.6 million.

Phishing is a continual headache for all organizations. These attacks rely on tricking users into thinking an email is genuine and turning over personal information or passwords. Verizon’s yearly data breach report said 22% of all breaches are caused by phishing, a technique used more than any other attack vector. Attackers also use spoofed emails to trick human resources or finance staff into turning over sensitive employee files, like W-2 tax forms, on instructions from senior leadership. These so-called business email scams have cost businesses billions of dollars a year.

Inky’s technology works by hooking into existing email systems, like Exchange, Office 365, and G-Suite and alerting users if an incoming email looks safe, unusual, or malicious. The company uses machine learning and other technologies to detect if an email looks like it’s spam, a phishing attempt, or an attempt to leverage a security vulnerability like XSS — or cross-site scripting — that can be used to steal data.

Inky says it blocks hundreds of thousands of suspicious or malicious emails a month for the average customer.

“This Series B funding gives us the resources we need to serve the incredible demand we’re seeing from enterprise customers in particular, and will allow us to expand our go-to-market efforts globally,” said Inky’s co-founder and chief executive Dave Baggett.

RiskIQ adds National Grid Partners as securing data becomes a strategic priority for utilities

By Jonathan Shieber

RiskIQ, a startup providing application security, risk assessment and vulnerability management services, has added National Grid Partners as a strategic investor. 

The funding from the investment arm of National Grid, a multinational energy provider, is part of a $15 million new round of financing designed to take the company’s technology into critical industrial infrastructure — with National Grid as a point of entry.

More than 6,000 companies use the company’s services, and the customer roster and technology on offer have attracted some of the biggest names in investing, including Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.

“We view NGP’s show of support as an incredible opportunity to help customers in new markets thrive as their attack surfaces expand outside the firewall, especially now amid the COVID-19 pandemic,” RiskIQ chief executive Lou Manousos said in a statement. 

RiskIQ has spent the past 10 years spidering the internet looking for all of the exploits that hackers use to penetrate networks and has built that into a database of threats. This inventory gives the company an ability to identify which assets within a company present the most obvious threats. Its automated services constantly scan third-party code, internet-connected devices and mobile applications for potential vulnerabilities, the company said.

“As a staple platform in their core security environment, our cyber threat analysts use RiskIQ regularly to enrich and identify incoming threats,” said Lisa Lambert, president of National Grid Partners and chief technology and innovation officer of National Grid, in a statement.

National Grid’s investment is a piece of a deeper partnership that will see NGP providing strategic advice for the security company as it looks to expand its commercial operations among industrial and utility customers.

 

Zoom's End-to-End Encryption Will Be for Paying Customers Only

By Lily Hay Newman
The videoconferencing company says it wants to be able to work with law enforcement to catch bad actors on its platform.

The Pentagon’s Hand-Me-Downs Helped Militarize Police. Here’s How

By Brian Barrett
Over several decades, the 1033 program has shipped over $7.4 billion of Defense Department property to more than 8,000 law enforcement agencies.

‘Nonlethal’ Anti-Protest Weapons Can Cause Serious Harm

By Louise Matsakis
Rubber bullets and tear gas are billed as relatively safe. They're anything but.

Facebook 'Manage Activity' Is a Long Overdue Privacy Feature

By Lily Hay Newman
The new Manage Activity feature will let you archive and bulk delete posts for the first time.

This Bot Hunts Software Bugs for the Pentagon

By Tom Simonite
Mayhem emerged from a 2016 government-sponsored contest at a Las Vegas casino hotel. Now it's used by the military.

How to Protest Safely in the Age of Surveillance

By Andy Greenberg, Lily Hay Newman
Law enforcement has more tools than ever to track your movements and access your communications. Here's how to protect your privacy if you plan to protest.

Apple has just patched the recent iOS 13.5 jailbreak

By Zack Whittaker

Well that didn’t last long.

Apple has patched a security vulnerability that allowed hackers to build a jailbreak tool allowing deep access to the iPhone software.

In a security advisory, Apple acknowledged that it had fixed the vulnerability in iOS 13.5.1, posted Monday. The technology giant credited the unc0ver team, which released the jailbreak just last week, for finding the vulnerability.

Although details of the vulnerability are not yet public, Apple typically works quickly to patch vulnerabilities that allow jailbreaks, fearing that the same vulnerability could also be abused by malicious hackers.

In a tweet, one of the lead jailbreakers confirmed that updating to iOS 13.5.1 will close the vulnerability and render the jailbreak useless.

I can confirm the new *OS updates have patched the kernel vulnerability used by the #unc0ver jailbreak.

If you are on iOS 13.5, stay and save blobs.

If you are not on iOS 13.5, update to it with the IPSW using a computer while it is still being signed and save blobs.

— @Pwn20wnd (@Pwn20wnd) June 1, 2020

Jailbreaking is a popular way to allow users to break free from Apple’s “jail” — hence the term — that prevents deep access to an iPhone’s operating system. Apple does this to improve device security and to reduce the surface area in which hackers can attack the software. But jailbreakers say breaking through those restrictions allows them greater customization over their iPhones in a way that most Android users are already used to.

Security experts typically advise against jailbreaking as it can expose a device owner to a greater range of attacks, while advising users to update their devices and software as soon as updates become available.

Apple said iOS 13.5.1 also comes with new Memoji stickers and other bug fixes and improvements.

Update today. If security isn’t your thing, at least do it for the Memoji stickers.

After a spate of device hacks, Google beefs up Nest security protections

By Zack Whittaker

Google has added its line of Nest smart home devices to its Advanced Protection Program, a security offering that adds stronger account protections for high-risk users like politicians and journalists.

The program, launched in 2017, allows anyone who signs up access to a range of additional account security features, like limiting third-party access to account data, anti-malware protections, and allowing the use of physical security keys to help thwart some of the most advanced cyberattacks.

Google said that adding Nest to the program was a “top request” from users.

Smart home devices are increasingly a target for hackers largely because many internet-connected devices lack basic security protections and are easy to hack, prompting an effort by states and governments to help device makers improve their security. A successful hack can allow hackers to snoop in on smart home cameras, or ensnare the device into a massive collection of vulnerable devices — a botnet — that can be used to knock websites offline with large amounts of junk traffic.

Although Nest devices are more secure than most, its users are not immune from hackers.

Earlier this year Google began requiring that Nest users must enable two-factor authentication after a spate of reported automated attacks targeting Nest cameras. Google said its systems had not been breached, but warned that hackers were using passwords stolen in other breaches to target Nest users.

Other device makers, like Amazon-owned Ring, were also targeted by hackers using reused passwords.

While two-factor authentication virtually eliminates these kinds of so-called credential stuffing attacks, Google said its new security improvements will add “yet another layer of protection” to users’ Nest devices.

This $350 "Anti-5G" Device Is Apparently Just a USB Stick

By Lily Hay Newman
Plus: A LiveJournal hack, Qatar's contact-tracing privacy failure, and more of the week's top security news.

Twitter, Reddit challenge US rules forcing visa applicants to disclose their social media handles

By Zack Whittaker

Twitter and Reddit have filed an amicus brief in support of a lawsuit challenging a U.S. government rule change compelling visa applicants to disclose their social media handles.

The lawsuit, brought by the Knight First Amendment Institute at Columbia University, the Brennan Center for Justice and law firm Simpson Thacher & Bartlett, seeks to undo both the State Department’s requirement that visa applicants must disclose their social media handles prior to obtaining a U.S. visa, as well as related rules over the retention and dissemination of those records.

Last year, the State Department began asking visa applicants for their current and former social media usernames, a move that affects millions of non-citizens applying to travel to the United States each year. The rule change was part of the Trump administration’s effort to expand its “enhanced” screening protocols. At the time, it was reported that the information would be used if the State Department determines that “such information is required to confirm identity or conduct more rigorous national security vetting.”

In a filing supporting the lawsuit, both Twitter and Reddit said the social media policies “unquestionably chill a vast quantity of speech” and that the rules violate the First Amendment rights “to speak anonymously and associate privately.”

Twitter and Reddit, which collectively have more than 560 million users, said their users — many of whom don’t use their real names on their platforms — are forced to “surrender their anonymity in order to travel to the United States,” which “violates the First Amendment rights to speak anonymously and associate privately.”

“Twitter and Reddit vigorously guard the right to speak anonymously for people on their platforms, and anonymous individuals correspondingly communicate on these platforms with the expectation that their identities will not be revealed without a specific showing of compelling need,” the brief said.

“That expectation allows the free exchange of ideas to flourish on these platforms.”

Jessica Herrera-Flanigan, Twitter’s policy chief for the Americas, said the social media rule “infringes both of those rights and we are proud to lend our support on these critical legal issues.” Reddit’s general counsel Ben Lee called the rule an “intrusive overreach” by the government.

It’s not known how many, if any, visa applicants have been denied a visa because of their social media content. But since the social media rule went into effect, cases emerged of approved visa holders denied entry to the U.S. for other people’s social media postings. Ismail Ajjawi, a then 17-year-old freshman at Harvard University, was turned away at Boston Logan International Airport after U.S. border officials searched his phone after taking issue with social media postings of Ajjawi’s friends — and not his own.

Abed Ayoub, legal and policy director at the American-Arab Anti-Discrimination Committee, told TechCrunch at the time that Ajjawi’s case was not isolated. A week later, TechCrunch learned of another man who was denied entry to the U.S. because of a WhatsApp message sent by a distant acquaintance.

A spokesperson for the State Department did not immediately comment on news of the amicus brief.

NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers

By Andy Greenberg
In a rare public warning, the US spy agency says the notorious arm of Russian military intelligence is targeting a known vulnerability in Exim.

The secret to trustworthy data strategy

By Walter Thompson
Daniel Wu Contributor
Dan Wu is a Privacy Counsel & Legal Engineer at Immuta, an automated data governance platform for analytics. He’s advocated for data ethics, inclusive urban innovation, and diversity in TechCrunch, Harvard Business Review, and FastCompany. He's helped Fortune 500 companies, governments, and startups with ethical & agile data strategies. He holds a Harvard J.D. & Ph.D.
Eugene Kolker Contributor
Eugene Kolker, PhD is the Chief Economist and Head of XLAB at Fabuwood Corp., an Adjunct Professor at New York University’s Tandon School of Engineering, and President of 1Ekaroni, a consulting and services company. He was formerly the Chief Data Officer of IBM Global Services and the Chief Data and Analytics Officer of Seattle Children's Healthcare System. He has also co-founded three digital technology and healthcare startups.
Leandro DalleMule Contributor
Leandro DalleMule is the General Manager for North America for Planck. He's the former Chief Data Officer and Head of Information Management at AIG. Leandro holds an MBA from the Kellogg School of Management at Northwestern University, graduating magna cum laude, a graduate certificate in applied mathematics from Columbia University, and a B.Sc. in mechanical engineering from University of Sao Paulo, Brazil.
Barbara Cohn Contributor
Barbara Cohn is the managing member of BLC Strategic Advisors. She previously served as the first Chief Data Officer for the State of New York, having led its successful open data initiative for Governor Andrew Cuomo. Prior to that, she was Executive Counsel/HHS Connect Data Interoperability Initiative under Mayor Bloomberg, as well as served in multiple leadership positions in NYS agencies and Office of the NYS Governor.

Shortly after its use exploded in the post-office world of COVID-19, Zoom was banned by a variety of private and public actors, including SpaceX and the government of Taiwan. Critics allege its data strategy, particularly its privacy and security measures, were insufficiently robust, especially putting vulnerable populations, like children, at risk. NYC’s Department of Education, for instance, mandated teachers switch to alternative platforms like Microsoft Teams.

This isn’t a problem specific to Zoom. Other technology giants, from Alphabet, Apple to Facebook, have struggled with these strategic data issues, despite wielding armies of lawyers and data engineers, and have overcome them.

To remedy this, data leaders cannot stop at identifying how to improve their revenue-generating functions with data, what the former Chief Data Officer of AIG (one of our co-authors) calls “offensive” data strategy. Data leaders also protect, fight for, and empower their key partners, like users and employees, or promote “defensive” data strategy. Data offense and defense are core to trustworthy data-driven products.

While these data issues apply to most organizations, highly regulated innovators in industries with large social impact (the “third wave”) must pay special attention. As Steve Case and the World Economic Forum articulate, the next phase of innovation will center on industries that merge the digital and the physical worlds, affecting the most intimate aspects of our lives. As a result, companies that balance insight and trust well, Boston Consulting Group predicts, will be the new winners.

Drawing from our work across the public, corporate, and startup worlds, we identify a few “insight killers” — then identify the trustworthy alternative. While trustworthy data strategy should involve end users and other groups outside the company as discussed here, the lessons below focus on the complexities of partnering within organizations, which deserve attention in their own right.

Insight-killer #1: “Data strategy adds no value to my life.”

From the beginning of a data project, a trustworthy data leader asks, “Who are our partners and what prevents them from achieving their goals?” In other words: listen. This question can help identify the unmet needs of the 46% of surveyed technology and business teams who found their data groups have little value to offer them.

Putting this to action is the data leader of one highly-regulated AI health startup — Cognoa — who listened to tensions between its defensive and offensive data functions. Cognoa’s Chief AI Officer identified how healthcare data laws, like the Health Insurance Portability and Accountability Act, resulted in friction between his key partners: compliance officers and machine learning engineers. Compliance officers needed to protect end users’ privacy while data and machine learning engineers wanted faster access to data.

To meet these multifaceted goals, Cognoa first scoped down its solution by prioritizing its highest-risk databases. It then connected all of those databases using a single access-and-control layer.

This redesign satisfied its compliance officers because Cognoa’s engineers could then only access health data based on strict policy rules informed by healthcare data regulations. Furthermore, since these rules could be configured and transparently explained without code, it bridged communication gaps between its data and compliance roles. Its engineers were also elated because they no longer had to wait as long to receive privacy-protected copies.

Because its data leader started by listening to the struggles of its two key partners, Cognoa met both its defensive and offensive goals.

Google Chrome Is Getting a Bunch of New Privacy Features

By Matt Burgess, WIRED UK
The next version of the browser will be more secure than ever. Here’s what you need to know.