Cyberwarfare

Auto Added by WPeMatico

A SonicWall cloud bug exposed corporate networks to hackers

A newly discovered bug in a cloud system used to manage SonicWall firewalls could have allowed hackers to break into thousands of corporate networks.

Enterprise firewalls and virtual private network appliances are vital gatekeepers tasked with protecting corporate networks from hackers and cyberattacks while still letting in employees working from home during the pandemic. Even though most offices are empty, hackers frequently look for bugs in critical network gear in order to break into company networks to steal data or plant malware.

Vangelis Stykas, a researcher at security firm Pen Test Partners, found the new bug in SonicWall’s Global Management System (GMS), a web app that lets IT departments remotely configure their SonicWall devices across the network.

But the bug, if exploited, meant any existing user with access to SonicWall’s GMS could create a user account with access to any other company’s network without permission.

From there, the newly created account could remotely manage the SonicWall gear of that company.

In a blog post shared with TechCrunch, Stykas said there were two barriers to entry. Firstly, a would-be attacker would need an existing SonicWall GMS user account. The easiest way — and what Stykas did to independently test the bug — was to buy a SonicWall device.

The second issue was that the would-be attacker would also need to guess a unique seven-digit number associated with another company’s network. But Stykas said that this number appeared to be sequential and could be easily enumerated, one after the other.

Once inside a company’s network, the attacker could deliver ransomware directly to the internal systems of their victims, an increasingly popular tactic for financially driven hackers.

SonicWall confirmed the bug is now fixed. But Stykas criticized the company for taking more than two weeks to patch the vulnerability, which he described as “trivial” to exploit.

“Even car alarm vendors have fixed similar issues inside three days of us reporting,” he wrote.

A SonicWall spokesperson defended the decision to subject the fix to a “full” quality check before it was rolled out, and said it is “not aware” of any exploitation of the vulnerability.

Powered by WPeMatico

StackHawk, the Denver-based bug-detecting service, hires developer of open-source project Zed Attack Proxy

StackHawk, the Denver-based software startup offering service to detect and fix security bugs, is doubling down on its support for the popular open-source OWASP Zed Attack Proxy web app security scanner by bringing on board its founder, Simon Bennetts.

At StackHawk, Bennetts will continue to focus on the development of the open-source project, which the company said is among the world’s most frequently used security scanning tools.

StackHawk already uses the open-source project for its underlying scanning technology and has built a business by layering on security test automation, integrations with development tools and functionality for new development paradigms. 

“Since founding ZAP, the vision has always been to deliver application security to developers,” Bennetts said, in a statement. “While the project has been widely adopted by security teams and pen testers, I’m excited to work with a team dedicated to delivering our original vision of AppSec for devs and that also believes in growing the open source community.” 

StackHawk founders Joni Klippert, Scott Gerlach and Ryan Severns and Bennetts found common cause in their belief that bug-editing tools are too often built for external enterprise security teams instead of the developers who are closest to the apps they’re building.

“Simon’s work on the ZAP project has both changed the security and open-source worlds for the better. It became clear that we were highly aligned in our mission to bring application security into the hands of developers,” said Klippert, the chief executive and founder of StackHawk, in a statement. “Simon joining the StackHawk team provides an exciting opportunity to invest more in the ZAP open source project, while also building capabilities that make it easy for enterprise development teams to streamline AppSec into their CI/CD pipelines.” 

In the eleven years since Bennetts first began working on ZAP, the OWASP Foundation-incorporated security scanner has become popular among the developer community for its dynamic application security testing.

After the hire, StackHawk said that nothing much will change. Bennetts will continue to work on the open-source project while the company will continue to build functionality around the scanner.

The Denver-based company has raised nearly $5 million in financing from investors including Flybridge, Costanoa Ventures, Matchstick Ventures and Foundry Group .

Powered by WPeMatico

Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy is more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of which are former law enforcement themselves — to check their own privilege and confront the racism from within their ranks and lend their knowledge to their fellow citizens.


THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order, describing it as “antithetical” to Americans’ right to peacefully assembly.

Powered by WPeMatico

RiskIQ adds National Grid Partners as securing data becomes a strategic priority for utilities

RiskIQ, a startup providing application security, risk assessment and vulnerability management services, has added National Grid Partners as a strategic investor. 

The funding from the investment arm of National Grid, a multinational energy provider, is part of a $15 million new round of financing designed to take the company’s technology into critical industrial infrastructure — with National Grid as a point of entry.

More than 6,000 companies use the company’s services, and the roster list and technology on offer has attracted some of the biggest names in investing, including Summit Partners, Battery Ventures, Georgian Partners and MassMutual Ventures.

“We view NGP’s show of support as an incredible opportunity to help customers in new markets thrive as their attack surfaces expand outside the firewall, especially now amid the COVID-19 pandemic,” RiskIQ chief executive Lou Manousos said in a statement. 

RiskIQ has spent the past 10 years spidering the internet looking for all of the exploits that hackers use to penetrate networks and have built that into a database of threats. This inventory gives the company an ability to identify which assets within a company present the most obvious threats. Its automated services constantly scan third-party code, internet-connected devices and mobile applications for potential vulnerabilities, the company said.

As a staple platform in their core security environment, our cyber threat analysts use RiskIQ regularly to enrich and identify incoming threats,” said Lisa Lambert, president of National Grid Partners and chief technology and innovation officer of National Grid, in a statement.

National Grid’s investment is a piece of a deeper partnership that will see NGP providing strategic advice for the security company as it looks to expand its commercial operations among industrial and utility customers.

 

Powered by WPeMatico

Decrypted: iOS 13.5 jailbreak, FBI slams Apple, VCs talk cybersecurity

It was a busy week in security.

Newly released documents shown exclusively to TechCrunch show that U.S. immigration authorities used a controversial cell phone snooping technology known as a “stingray” hundreds of times in the past three years. Also, if you haven’t updated your Android phone in a while, now would be a good time to check. That’s because a brand-new security vulnerability was found — and patched. The bug, if exploited, could let a malicious app trick a user into thinking they’re using a legitimate app that can be used to steal passwords.

Here’s more from the week.


THE BIG PICTURE

Every iPhone now has a working jailbreak

Powered by WPeMatico

6 CISOs share their game plans for a post-pandemic world

Oren Yunger
Contributor

Oren Yunger is an investor at GGV Capital, focused on enterprise IT infrastructure, development tools and cybersecurity. He was previously chief information security officer at a SaaS company and a public financial institution.

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

Powered by WPeMatico

Decrypted: Post-coronavirus, Auth0’s close call, North Korea warning, Awake’s Series C

Welcome to a look back at the past week in security and what it means for you. Each week we’ll look at the big news of the week and why it matters.

What will the world look like after the coronavirus pandemic subsides?

Some of us are now in our fifth week of sheltering in place, but there’s no fixed end-date in sight. We’ve gone from a period of confusion and concern to testing and mitigation. Now we’re starting to look ahead at the world post-coronavirus. Things still have to get done. But how do we regain a semblance of normality in the middle of a pandemic?

Tech can be the answer but it’s not a panacea; Apple and Google have explained more about their contact tracing efforts to help better understand the spread of the virus seems promising. But privacy concerns and worries that the system could be abused have raised justified concerns. On the other hand, with a U.S. presidential election slated for later this year, many experts want tech out of the picture in favor of a secure solution that uses paper ballots.

Will tech save the day, or will it kick us while we’re down? Let’s dive in.


THE BIG PICTURE

Voting by mail should be having its moment. Will it?

This year’s U.S. presidential election will still go ahead — it’s in the constitution as an immutable fact — but a pandemic throws a wrench in the works.

But security experts say electronic voting isn’t secure or resilient enough to protect from foreign interference. Even the more established mobile voting offerings have been shown to be deeply flawed.

Powered by WPeMatico

How much should a startup spend on security?

One of the questions I frequently ask startup founders is how much they’re spending on security. Unsurprisingly, everyone has a different answer.

Startups and small companies are invariably faced with the prospect that they’re either not spending enough or are spending too much on something that’s hard to quantify in terms of value. It’s a tough sell to sink money into an effort to stop something that might one day happen, particularly for bootstrapped startups that must make every cent count — yet we’re told security is a crucial investment for a company’s future.

Sorry to break it to you, but there is no easy answer.

The reality is that each company is different and there is no single recommended dollar amount to spend. But it’s absolutely certain that some investment is required. We know because we see a lot of security incidents here at TechCrunch — hacks, breaches and especially data exposures, often a result of human error.

We spoke to three security experts — a head of security, a security entrepreneur and a cybersecurity fellow — to understand the questions facing startups.

Know and understand your threat model

Every company has a different threat model — by that, we mean identifying risks and possible ways of attack before they happen. Companies that store tons of user data may be a greater target than companies that don’t. Each firm needs to evaluate which kind of risks they face and identify weaknesses.

Powered by WPeMatico

SentinelOne raises $200M at a $1.1B valuation to expand its AI-based endpoint security platform

As cybercrime continues to evolve and expand, a startup that is building a business focused on endpoint security has raised a big round of funding. SentinelOne — which provides a machine learning-based solution for monitoring and securing laptops, phones, containerised applications and the many other devices and services connected to a network — has picked up $200 million, a Series E round of funding that it says catapults its valuation to $1.1 billion.

The funding is notable not just for its size but for its velocity: it comes just eight months after SentinelOne announced a Series D of $120 million, which at the time valued the company around $500 million. In other words, the company has more than doubled its valuation in less than a year — a sign of the cybersecurity times.

This latest round is being led by Insight Partners, with Tiger Global Management, Qualcomm Ventures LLC, Vista Public Strategies of Vista Equity Partners, Third Point Ventures and other undisclosed previous investors all participating.

Tomer Weingarten, CEO and co-founder of the company, said in an interview that while this round gives SentinelOne the flexibility to remain in “startup” mode (privately funded) for some time — especially since it came so quickly on the heels of the previous large round — an IPO “would be the next logical step” for the company. “But we’re not in any rush,” he added. “We have one to two years of growth left as a private company.”

While cybercrime is proving to be a very expensive business (or very lucrative, I guess, depending on which side of the equation you sit on), it has also meant that the market for cybersecurity has significantly expanded.

Endpoint security, the area where SentinelOne concentrates its efforts, last year was estimated to be around an $8 billion market, and analysts project that it could be worth as much as $18.4 billion by 2024.

Driving it is the single biggest trend that has changed the world of work in the last decade. Everyone — whether a road warrior or a desk-based administrator or strategist, a contractor or full-time employee, a front-line sales assistant or back-end engineer or executive — is now connected to the company network, often with more than one device. And that’s before you consider the various other “endpoints” that might be connected to a network, including machines, containers and more. The result is a spaghetti of a problem. One survey from LogMeIn, disconcertingly, even found that some 30% of IT managers couldn’t identify just how many endpoints they managed.

“The proliferation of devices and the expanding network are the biggest issues today,” said Weingarten. “The landscape is expanding and it is getting very hard to monitor not just what your network looks like but what your attackers are looking for.”

This is where an AI-based solution like SentinelOne’s comes into play. The company has roots in the Israeli cyberintelligence community but is based out of Mountain View, and its platform is built around the idea of working automatically not just to detect endpoints and their vulnerabilities, but to apply behavioral models, and various modes of protection, detection and response in one go — in a product that it calls its Singularity Platform that works across the entire edge of the network.

“We are seeing more automated and real-time attacks that themselves are using more machine learning,” Weingarten said. “That translates to the fact that you need defence that moves in real time as with as much automation as possible.”

SentinelOne is by no means the only company working in the space of endpoint protection. Others in the space include Microsoft, CrowdStrike, Kaspersky, McAfee, Symantec and many others.

But nonetheless, its product has seen strong uptake to date. It currently has some 3,500 customers, including three of the biggest companies in the world, and “hundreds” from the global 2,000 enterprises, with what it says has been 113% year-on-year new bookings growth, revenue growth of 104% year-on-year and 150% growth year-on-year in transactions over $2 million. It has 500 employees today and plans to hire up to 700 by the end of this year.

One of the key differentiators is the focus on using AI, and using it at scale to help mitigate an increasingly complex threat landscape, to take endpoint security to the next level.

“Competition in the endpoint market has cleared with a select few exhibiting the necessary vision and technology to flourish in an increasingly volatile threat landscape,” said Teddie Wardi, managing director of Insight Partners, in a statement. “As evidenced by our ongoing financial commitment to SentinelOne along with the resources of Insight Onsite, our business strategy and ScaleUp division, we are confident that SentinelOne has an enormous opportunity to be a market leader in the cybersecurity space.”

Weingarten said that SentinelOne “gets approached every year” to be acquired, although he didn’t name any names. Nevertheless, that also points to the bigger consolidation trend that will be interesting to watch as the company grows. SentinelOne has never made an acquisition to date, but it’s hard to ignore that, as the company to expand its products and features, that it might tap into the wider market to bring in other kinds of technology into its stack.

“There are definitely a lot of security companies out there,” Weingarten noted. “Those that serve a very specific market are the targets for consolidation.”

Powered by WPeMatico

Israel’s cybersecurity startup scene spawned new entrants in 2019

Yoav Leitersdorf
Contributor

Yoav Leitersdorf is the Silicon Valley-based Managing Partner at YL Ventures, where he accelerates cybersecurity startups in the U.S. market.

Ofer Schreiber
Contributor

Ofer Schreiber is partner and head of Israel Office at YL Ventures, where he seeds and accelerates cybersecurity startups.

As the global cybersecurity market becomes increasingly crowded, the Start Up Nation remains a bulwark of innovation and opportunity generation for investors and global cyber companies alike. It achieved this chiefly in 2019 by adapting to the industry’s competitive developments and pushing forward its most accomplished entrepreneurs in larger numbers to meet them.

New data illustrates how Israeli entrepreneurs have seized on the country’s reputation for building radically cutting-edge technologies as the number of new Israeli cybersecurity startups addressing nascent sectors eclipses its more traditional counterparts. Moreover, related findings highlight how cybersecurity companies looking to expand beyond their traditional offerings are entering Israel’s cybersecurity ecosystem in larger numbers through highly strategic acquisitions.

Broadly, new findings also reveal the Israeli cybersecurity market’s overall coming of age, seasoned entrepreneurial dominance and greater appetite for longer-term visions and strategies — the latter of which received record-breaking investor backing in 2019.

Breaking records

Powered by WPeMatico