cryptography

Auto Added by WPeMatico

Decrypted: Tesla’s ransomware near miss, Palantir’s S-1 risk factors

Another busy week in cybersecurity.

In case you missed it: A widely used messaging app used by over a million protesters has several major security flaws; a little-known loophole has let the DMV sell driver’s licenses and Social Security records to private investigators; and the U.S. government is suing to reclaim over $2.5 million in cryptocurrency stolen by North Korean hackers from two major exchanges.

But this week we are focusing on how a Tesla employee foiled a ransomware attack, and, ahead of Palantir’s debut on the stock market, how much of a risk factor is the company’s public image?


THE BIG PICTURE

Russian charged with attempted Tesla ransomware attack

$1 million. That’s how much a Tesla employee would have netted if they accepted a bribe from a Russian operative to install malware on Tesla’s Gigafactory network in Nevada. Instead, the employee told the FBI and the Russian was arrested.

The Justice Department charged the 27-year-old Russian, Egor Igorevich, weeks later as he tried to flee the United States. According to the indictment, his plan was to ask the employee to deliberately deploy ransomware on the Gigafactory’s network, grinding the network to a halt for a ransom of several million dollars. The would-be insider threat is likely the first of its kind, one ransomware expert told Wired, as financially driven hackers continue to up their game.

Tesla founder Elon Musk tweeted earlier this week confirming that Tesla was the target of the failed attack.

The attack, if carried out, could have been devastating. The indictment said that the malware was designed to extract data from the network before locking its files. This data-stealing ransomware is an increasing trend. These hacker groups not only encrypt a victim’s files but also exfiltrate the data to their servers. The hackers typically threaten to publish the victim’s files if the ransom isn’t paid.

Powered by WPeMatico

Eight trends accelerating the age of commercial-ready quantum computing

Ethan Batraski
Contributor

Ethan Batraski is a partner at Venrock, where he invests across sectors with a particular focus on hard engineering problems such as developer infrastructure, advanced computing and space.

Every major technology breakthrough of our era has gone through a similar cycle in pursuit of turning fiction to reality.

It starts in the stages of scientific discovery, a pursuit of principle against a theory, a recursive process of hypothesis-experiment. Success of the proof of principle stage graduates to becoming a tractable engineering problem, where the path to getting to a systemized, reproducible, predictable system is generally known and de-risked. Lastly, once successfully engineered to the performance requirements, focus shifts to repeatable manufacturing and scale, simplifying designs for production.

Since theorized by Richard Feynman and Yuri Manin, quantum computing has been thought to be in a perpetual state of scientific discovery. Occasionally reaching proof of principle on a particular architecture or approach, but never able to overcome the engineering challenges to move forward.

That’s until now. In the last 12 months, we have seen several meaningful breakthroughs from academia, venture-backed companies, and industry that looks to have broken through the remaining challenges along the scientific discovery curve. Moving quantum computing from science fiction that has always been “five to seven years away,” to a tractable engineering problem, ready to solve meaningful problems in the real world.

Companies such as Atom Computing* leveraging neutral atoms for wireless qubit control, Honeywell’s trapped ions approach, and Google’s superconducting metals, have demonstrated first-ever results, setting the stage for the first commercial generation of working quantum computers.

While early and noisy, these systems, even at just 40-80 error-corrected qubit range, may be able to deliver capabilities that surpass those of classical computers. Accelerating our ability to perform better in areas such as thermodynamic predictions, chemical reactions, resource optimizations and financial predictions.

As a number of key technology and ecosystem breakthroughs begin to converge, the next 12-18 months will be nothing short of a watershed moment for quantum computing.

Here are eight emerging trends and predictions that will accelerate quantum computing readiness for the commercial market in 2021 and beyond:

1. Dark horses of QC emerge: 2020 will be the year of dark horses in the QC race. These new entrants will demonstrate dominant architectures with 100-200 individually controlled and maintained qubits, at 99.9% fidelities, with millisecond to seconds coherence times that represent 2x -3x improved qubit power, fidelity and coherence times. These dark horses, many venture-backed, will finally prove that resources and capital are not sole catalysts for a technological breakthrough in quantum computing.

Powered by WPeMatico

Google is making autofill on Chrome for mobile more secure

Google today announced a new autofill experience for Chrome on mobile that will use biometric authentication for credit card transactions, as well as an updated built-in password manager that will make signing in to a site a bit more straightforward.

Image Credits: Google

Chrome already uses the W3C WebAuthn standard for biometric authentication on Windows and Mac. With this update, this feature is now also coming to Android .

If you’ve ever bought something through the browser on your Android phone, you know that Chrome always asks you to enter the CVC code from your credit card to ensure that it’s really you — even if you have the credit card number stored on your phone. That was always a bit of a hassle, especially when your credit card wasn’t close to you.

Now, you can use your phone’s biometric authentication to buy those new sneakers with just your fingerprint — no CVC needed. Or you can opt out, too, as you’re not required to enroll in this new system.

As for the password manager, the update here is the new touch-to-fill feature that shows you your saved accounts for a given site through a standard Android dialog. That’s something you’re probably used to from your desktop-based password manager already, but it’s definitely a major new built-in convenience feature for Chrome — and the more people opt to use password managers, the safer the web will be. This new feature is coming to Chrome on Android in the next few weeks, but Google says that “is only the start.”

Image Credits: Google

 

Powered by WPeMatico

Cape Privacy launches data science collaboration platform with $5.06M seed investment

Cape Privacy emerged from stealth today after spending two years building a platform for data scientists to privately share encrypted data. The startup also announced $2.95 million in new funding and $2.11 million in funding it got when the business launched in 2018, for a total of $5.06 million raised.

Boldstart Ventures and Version One led the round, with participation from Haystack, Radical Ventures and Faktory Ventures.

Company CEO Ché Wijesinghe says that data science teams often have to deal with data sets that contain sensitive data and share data internally or externally for collaboration purposes. It creates a legal and regulatory data privacy conundrum that Cape Privacy is trying to solve.

“Cape Privacy is a collaboration platform designed to help focus on data privacy for data scientists. So the biggest challenge that people have today from a business perspective is managing privacy policies for machine learning and data science,” Wijesinghe told TechCrunch.

The product breaks down that problem into a couple of key areas. First of all it can take language from lawyers and compliance teams and convert that into code that automatically generates policies about who can see the different types of data in a given data set. What’s more, it has machine learning underpinnings so it also learns about company rules and preferences over time.

It also has a cryptographic privacy component. By wrapping the data with a cryptographic cypher, it lets teams share sensitive data in a safe way without exposing the data to people who shouldn’t be seeing it because of legal or regulatory compliance reasons.

“You can send something to a competitor as an example that’s encrypted, and they’re able to process that encrypted data without decrypting it, so they can train their model on encrypted data,” company co-founder and CTO Gavin Uhma explained.

The company closed the new round in April, which means they were raising in the middle of a pandemic, but it didn’t hurt that they had built the product already and were ready to go to market, and that Uhma and his co-founders had already built a successful startup, GoInstant, which was acquired by Salesforce in 2012. (It’s worth noting that GoInstant debuted at TechCrunch Disrupt in 2011.)

Uhma and his team brought Wijesinghe on board to build the sales and marketing team because, as a technical team, they wanted someone with go-to-market experience running the company so they could concentrate on building product.

The company has 14 employees and is already an all-remote team, so the team didn’t have to adjust at all when the pandemic hit. While it plans to keep hiring fairly limited for the foreseeable future, the company has had a diversity and inclusion plan from the start.

“You have to be intentional about about seeking diversity, so it’s something that when we sit down and map out our hiring and work with recruiters in terms of our pipeline, we really make sure that diversity is one of our objectives. You just have it as a goal, as part of your culture, and it’s something that when we see the picture of the team, we want to see diversity,” he said.

Wijesinghe adds, “As a person of color myself, I’m very sensitive to making sure that we have a very diverse team, not just from a color perspective, but a gender perspective as well.”

The company is gearing up to sell the product  and has paid pilots starting in the coming weeks.

Powered by WPeMatico

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity

It was a busy week in security.

Newly released documents shown exclusively to TechCrunch show that U.S. immigration authorities used a controversial cell phone snooping technology known as a “stingray” hundreds of times in the past three years. Also, if you haven’t updated your Android phone in a while, now would be a good time to check. That’s because a brand-new security vulnerability was found — and patched. The bug, if exploited, could let a malicious app trick a user into thinking they’re using a legitimate app that can be used to steal passwords.

Here’s more from the week.


THE BIG PICTURE

Every iPhone now has a working jailbreak

Powered by WPeMatico

Decrypted: No warrants for web data, UK grid cyberattack, CyberArk buys Idaptive

One vote.

That’s all it needed for a bipartisan Senate amendment to pass that would have stopped federal authorities from further accessing millions of Americans’ browsing records. But it didn’t. One Republican was in quarantine, another was AWOL. Two Democratic senators — including former presidential hopeful Bernie Sanders — were nowhere to be seen and neither returned a request for comment.

It was one of several amendments offered up in the effort to reform and reauthorize the Foreign Intelligence Surveillance Act, the basis of U.S. spying laws. The law, signed in 1978, put restrictions on who intelligence agencies could target with their vast listening and collection stations. But after the Edward Snowden revelations in 2013, lawmakers champed at the bit to change the system to better protect Americans, who are largely protected from the spies within its borders.

One privacy-focused amendment, brought by Sens. Mike Lee and Patrick Leahy, passed — permits for more independent oversight to the secretive and typically one-sided Washington, D.C. court that authorizes government surveillance programs, the Foreign Intelligence Surveillance Court. That amendment all but guarantees the bill will bounce back to the House for further scrutiny.

Here’s more from the week.


THE BIG PICTURE

Three years after WannaCry, U.S. still on North Korea’s tail

A feature-length profile in Wired magazine looks at the life of Marcus Hutchins, one of the heroes who helped stop the world’s biggest cyberattack three years to the day.

The profile — a 14,000-word cover story — examines his part in halting the spread of the global WannaCry ransomware attack and how his early days led him into a criminal world that prompted him to plead guilty to felony hacking charges. Thanks in part to his efforts in saving the internet, he was sentenced to time served and walked free.

Powered by WPeMatico

Decrypted: Contact-tracing privacy, Zoom buys Keybase, Microsoft eyes CyberX

As the world looks to reopen after weeks of lockdown, governments are turning to contact tracing to understand the spread of the deadly coronavirus.

Most nations are leaning toward privacy-focused apps that use Bluetooth signals to create an anonymous profile of where a person has been and when. Some, like Israel, are bucking the trend and are using location and cell phone data to track the spread, prompting privacy concerns.

Some of the biggest European economies — Germany, Italy, Switzerland and Ireland — are building apps that work with Apple and Google’s contact-tracing API. But the U.K., one of the worst-hit nations in Europe, is going it alone.

Unsurprisingly, critics have both security and privacy concerns, so much so that the U.K. may end up switching over to Apple and Google’s system anyway. Given that one of Israel’s contact-tracing systems was found on an passwordless server this week, and India denied a privacy issue in its contact-tracing app, there’s not much wiggle-room to get these things wrong.

Turns out that even during a pandemic, people still care about their privacy.

Here’s more from the week.


THE BIG PICTURE

Zoom acquires Keybase, but questions remain

When Zoom announced it acquired online encryption key startup Keybase, for many, the reaction was closer to mild than wild. Even Keybase, a service that lets users store and manage their encryption keys, acknowledged its uncertain future. “Keybase’s future is in Zoom’s hands, and we’ll see where that takes us,” the company wrote in a blog post. Terms of the deal were not disclosed.

Zoom has faced security snafu after snafu. But after dancing around the problems, it promised to call in the cavalry and double down on fixing its encryption. So far, so good. But where does Keybase, largely a consumer product, fit into the fray? It doesn’t sound like even Zoom knows yet, per enterprise reporter Ron Miller. What’s clear is that Zoom needs encryption help, and few have the technical chops to pull that off.

Keybase’s team might — might — just help Zoom make good on its security promises.

Powered by WPeMatico

Decrypted: Space hacking, iPhone vulnerability, Zoom’s security boom

Security startups to the rescue.

As we continue to ride out the pandemic, security experts are closely monitoring the surge of coronavirus-related cyber threats. Just this week, Google’s Threat Analysis Group, its elite threat hunting unit, says that while the overall number of threats remains largely the same, opportunistic hackers are retooling their efforts to piggyback on coronavirus.

Some startups are downsizing and laying off staff, but several cybersecurity startups are faring better, thanks to an uptick in demand for security protections. As the world continues to pivot toward working from home, it has blown up key cybersecurity verticals in ways we never expected. To wit, identity startups are needed more than ever to make sure only remote employees are getting access to corporate systems.

Can the startups take on the giants at their own game?


THE BIG PICTURE

Another payments processor drops the security ball

For the third time this year, a payments processor has admitted to a security lapse. First it was Cornerstone, then it was nCourt. This time it’s Paay, a New York-based card payment processor startup that left a database on the internet unprotected and without a password. Worse, the data was storing full, plaintext credit card numbers.

Anyone who knew where to look could have accessed the data. Luckily, a security researcher found it and reported it to TechCrunch. We alerted the company; it quickly took the data offline, but Paay denied that the data stored full credit card numbers. We even sent the co-founder a portion of the data showing card numbers stored in plaintext, but he did not respond to our follow-up.

Powered by WPeMatico

How much should a startup spend on security?

One of the questions I frequently ask startup founders is how much they’re spending on security. Unsurprisingly, everyone has a different answer.

Startups and small companies are invariably faced with the prospect that they’re either not spending enough or are spending too much on something that’s hard to quantify in terms of value. It’s a tough sell to sink money into an effort to stop something that might one day happen, particularly for bootstrapped startups that must make every cent count — yet we’re told security is a crucial investment for a company’s future.

Sorry to break it to you, but there is no easy answer.

The reality is that each company is different and there is no single recommended dollar amount to spend. But it’s absolutely certain that some investment is required. We know because we see a lot of security incidents here at TechCrunch — hacks, breaches and especially data exposures, often a result of human error.

We spoke to three security experts — a head of security, a security entrepreneur and a cybersecurity fellow — to understand the questions facing startups.

Know and understand your threat model

Every company has a different threat model — by that, we mean identifying risks and possible ways of attack before they happen. Companies that store tons of user data may be a greater target than companies that don’t. Each firm needs to evaluate which kind of risks they face and identify weaknesses.

Powered by WPeMatico

SentinelOne raises $200M at a $1.1B valuation to expand its AI-based endpoint security platform

As cybercrime continues to evolve and expand, a startup that is building a business focused on endpoint security has raised a big round of funding. SentinelOne — which provides a machine learning-based solution for monitoring and securing laptops, phones, containerised applications and the many other devices and services connected to a network — has picked up $200 million, a Series E round of funding that it says catapults its valuation to $1.1 billion.

The funding is notable not just for its size but for its velocity: it comes just eight months after SentinelOne announced a Series D of $120 million, which at the time valued the company around $500 million. In other words, the company has more than doubled its valuation in less than a year — a sign of the cybersecurity times.

This latest round is being led by Insight Partners, with Tiger Global Management, Qualcomm Ventures LLC, Vista Public Strategies of Vista Equity Partners, Third Point Ventures and other undisclosed previous investors all participating.

Tomer Weingarten, CEO and co-founder of the company, said in an interview that while this round gives SentinelOne the flexibility to remain in “startup” mode (privately funded) for some time — especially since it came so quickly on the heels of the previous large round — an IPO “would be the next logical step” for the company. “But we’re not in any rush,” he added. “We have one to two years of growth left as a private company.”

While cybercrime is proving to be a very expensive business (or very lucrative, I guess, depending on which side of the equation you sit on), it has also meant that the market for cybersecurity has significantly expanded.

Endpoint security, the area where SentinelOne concentrates its efforts, last year was estimated to be around an $8 billion market, and analysts project that it could be worth as much as $18.4 billion by 2024.

Driving it is the single biggest trend that has changed the world of work in the last decade. Everyone — whether a road warrior or a desk-based administrator or strategist, a contractor or full-time employee, a front-line sales assistant or back-end engineer or executive — is now connected to the company network, often with more than one device. And that’s before you consider the various other “endpoints” that might be connected to a network, including machines, containers and more. The result is a spaghetti of a problem. One survey from LogMeIn, disconcertingly, even found that some 30% of IT managers couldn’t identify just how many endpoints they managed.

“The proliferation of devices and the expanding network are the biggest issues today,” said Weingarten. “The landscape is expanding and it is getting very hard to monitor not just what your network looks like but what your attackers are looking for.”

This is where an AI-based solution like SentinelOne’s comes into play. The company has roots in the Israeli cyberintelligence community but is based out of Mountain View, and its platform is built around the idea of working automatically not just to detect endpoints and their vulnerabilities, but to apply behavioral models, and various modes of protection, detection and response in one go — in a product that it calls its Singularity Platform that works across the entire edge of the network.

“We are seeing more automated and real-time attacks that themselves are using more machine learning,” Weingarten said. “That translates to the fact that you need defence that moves in real time as with as much automation as possible.”

SentinelOne is by no means the only company working in the space of endpoint protection. Others in the space include Microsoft, CrowdStrike, Kaspersky, McAfee, Symantec and many others.

But nonetheless, its product has seen strong uptake to date. It currently has some 3,500 customers, including three of the biggest companies in the world, and “hundreds” from the global 2,000 enterprises, with what it says has been 113% year-on-year new bookings growth, revenue growth of 104% year-on-year and 150% growth year-on-year in transactions over $2 million. It has 500 employees today and plans to hire up to 700 by the end of this year.

One of the key differentiators is the focus on using AI, and using it at scale to help mitigate an increasingly complex threat landscape, to take endpoint security to the next level.

“Competition in the endpoint market has cleared with a select few exhibiting the necessary vision and technology to flourish in an increasingly volatile threat landscape,” said Teddie Wardi, managing director of Insight Partners, in a statement. “As evidenced by our ongoing financial commitment to SentinelOne along with the resources of Insight Onsite, our business strategy and ScaleUp division, we are confident that SentinelOne has an enormous opportunity to be a market leader in the cybersecurity space.”

Weingarten said that SentinelOne “gets approached every year” to be acquired, although he didn’t name any names. Nevertheless, that also points to the bigger consolidation trend that will be interesting to watch as the company grows. SentinelOne has never made an acquisition to date, but it’s hard to ignore that, as the company to expand its products and features, that it might tap into the wider market to bring in other kinds of technology into its stack.

“There are definitely a lot of security companies out there,” Weingarten noted. “Those that serve a very specific market are the targets for consolidation.”

Powered by WPeMatico