Prevention

Auto Added by WPeMatico

Decrypted: DEA spying on protesters, DDoS attacks, Signal downloads spike

This week saw protests spread across the world sparked by the murder of George Floyd, an unarmed Black man, killed by a white police officer in Minneapolis last month.

The U.S. hasn’t seen protests like this in a generation, with millions taking to the streets each day to lend their voice and support. But they were met with heavily armored police, drones watching from above, and “covert” surveillance by the federal government.

That’s exactly why cybersecurity and privacy is more important than ever, not least to protect law-abiding protesters demonstrating against police brutality and institutionalized, systemic racism. It’s also prompted those working in cybersecurity — many of which are former law enforcement themselves — to check their own privilege and confront the racism from within their ranks and lend their knowledge to their fellow citizens.


THE BIG PICTURE

DEA allowed ‘covert surveillance’ of protesters

The Justice Department has granted the Drug Enforcement Administration, typically tasked with enforcing federal drug-related laws, the authority to conduct “covert surveillance” on protesters across the U.S., effectively turning the civilian law enforcement division into a domestic intelligence agency.

The DEA is one of the most tech-savvy government agencies in the federal government, with access to “stingray” cell site simulators to track and locate phones, a secret program that allows the agency access to billions of domestic phone records, and facial recognition technology.

Lawmakers decried the Justice Department’s move to allow the DEA to spy on protesters, calling on the government to “immediately rescind” the order, describing it as “antithetical” to Americans’ right to peacefully assembly.

Powered by WPeMatico

D-ID, the Israeli company that digitally de-identifies faces in videos and still images, raises $13.5 million

If only Facebook had been using the kind of technology that TechCrunch Startup Battlefield alumnus D-ID was pitching, it could have avoided exposing all of our faces to privacy destroying software services like Clearview AI.

At least, that’s the pitch that D-ID’s founder and chief executive, Gil Perry, makes when he’s talking about the significance of his startup’s technology.

D-ID, which stands for de-identification, is a pretty straightforward service that’s masking some highly involved and very advanced technology to blur digital images so they can’t be cross-referenced to determine someone’s identity.

It’s a technology whose moment has come as governments and private companies around the world ramp up their use of surveillance technologies as the world adjusts to a new reality in the wake of the COVID-19 epidemic.

“Governments around the world and organizations have used this new reality basically as an excuse for mass surveillance,” says Perry. His own government has used a track and trace system that monitors interactions between Israeli citizens using cell phone location data to determine whether anyone had been in contact with a person who had COVID-19.

While awareness of the issue may be increasing among consumers and regulators alike, the damage has, in many cases, already been done. Social media companies have already had their troves of images scraped by companies like Clearview AI, ClearView, HighQ and NTechLabs, and much of our personal information is already circulating online.

D-ID is undeterred. Founded by Perry and two other members of the Israeli army’s cybersecurity and offensive cyber unit, 8200, Sella Blondheim and Eliran Kuta, D-ID thinks the need for anonymizing technologies will continue to expand — thanks to new privacy legislation in Europe and certain states in the U.S. 

Meanwhile, the company is also exploring other applications for its technology. The services that D-ID uses to mask and blur faces can also be used to create deepfakes of images and video.

The market for these types of digital manipulations are still in their earliest days, according to Perry. Still, the company’s pitch managed to intrigue new lead investor AXA Ventures, which joined backers including Pitango, Y Combinator, AI Alliance, Hyundai, Omron, Maverick (U.S.) and Mindset, to participate in the company’s $13.5 million round.

D-ID already sees demand coming from automakers who want to use the technology to anonymize their driving monitoring systems — enabling them to record drivers’ reactions, but not any public identifying information. Security technologies that monitor for threats are another potential customer, according to the company. While closed circuit television monitors a physical space, it doesn’t need to collect the identifying information of people entering and exiting buildings.

“The convergence of increased surveillance and individual privacy protection places enterprises in a position where they must either anonymize their stored footage or risk violating privacy laws and face costly penalties.” said Blondheim.  

The technical wizardry that D-ID has mastered is impressive — and a necessary defensive tool to ensure privacy in the modern world, according to its founders. Consumers are demanding it, according to D-ID’s chief executive.

“Privacy awareness and the importance of privacy enhancing technologies have increased,” Perry said.

Powered by WPeMatico

Private tech companies mobilize to address shortages for medical supplies, masks and sanitizer

Startups across the nation and around the world are looking for ways to relieve shortages of much-needed personal protective equipment and sanitizers used to halt the spread of COVID-19.

While some of the largest privately held technology companies, like SpaceX and Tesla, have shifted to manufacturing ventilators, smaller companies are also trying to pitch in and relieve scarcity locally.

Supplies have been difficult to come by in some of the areas hardest hit by the outbreak of the novel coronavirus, and the shortfalls have been made worse by a lack of coordination from the federal government. In some instances local governments have been bidding for supplies against each other and the federal government to acquire needed personal protective equipment.

On Sunday, New York’s Governor Mario Cuomo pleaded with local governments to not engage in a bidding war. In fact, Kentucky was outbid by the federal government for personal protective equipment.

“FEMA came out and bought it all out from under us,” Kentucky Governor Andy Beshear told a local newspaper. “It is a challenge that the federal government says, ‘States, you need to go and find your supply chain,’ and then the federal government ends up buying from that supply chain.”

Against this backdrop local startups and maker spaces are stepping up to do what they can to fill the gap.

Alcohol brands are turning their attention to making hand sanitizer to distribute in communities experiencing shortages. 3D-printing companies are working on new ways to manufacture personal protective equipment and swabs for COVID-19 testing. And one fast fashion retail startup is teaching its tailors and seamstresses how to make cloth masks for consumer protection.

AirCo, a New York-based startup that developed a process to use captured carbon dioxide to make liquor, shifted its efforts to making hand sanitizer for donations in communities in New York City.

Now, new alcohol brands Bev and Endless West are joining the manufacturing push.

Endless West announced this morning that it would shift production away from its distillery to begin making hand sanitizers. The World Health Organization approved their sanitizers, which the company will produce in its warehouse in San Francisco.

The two-ounce bottles will be donated to local restaurants and bars that remain open for delivery, so that employees can use them and distribute them to customers. Bulk quantities will be distributed to healthcare organizations and facilities that need them.

Endless West also put out a call for other companies to provide supplies to hospitals and health organizations in the San Francisco Bay Area.

“We felt it was imperative to do our part and dedicate what resources we have to assist with shortages in the healthcare and food & beverage industries who keep the engine running and provide such important functions in this time of immense need throughout the community,” said Alec Lee, CEO of Endless West, in a statement.

Los Angeles-based Bev is no different.

“As an alcoholic beverage company, Bev is very lucky in that we are licensed to purchase ethanol directly from our suppliers, who are doing their part by discounting the product to anyone licensed to purchase it,” said Bev chief executive, Alix Peabody. “Community underscores everything we do here at Bev, and as such, we will be producing hand sanitizer and distributing it free of charge to the homeless and elderly communities here in Venice, populations who largely have insufficient access to healthcare and essential goods like sanitizer.”

Hand sanitizer is one sorely needed item in short supply, but there are others — including face masks, surgical masks, face shields, swabs and ventilator equipment that other startups are now switching gears to produce.

(Photo by PAU BARRENA/AFP via Getty Images)

In Canada, INKSmith, a startup that was making design and tech tools accessible for kids, has now moved to making face shields and is hiring up to 100 new employees to meet demand.

“I think in the short term, we’re going to scale up to meet the needs of the province soon. After that, we’re going to meet the demands of Canada,” INKSmith CEO Jeremy Hedges told the Canadian news outlet Global News.

3D-printing companies like Massachusetts-based Markforged and Formlabs are both making personal protective equipment like face shields, as well as nasal swabs to use for COVID-19 testing.

Markforged is pushing ahead with a number of efforts to focus some of the benefits of 3D printing on the immediate problem of personal protective equipment for healthcare workers most exposed to COVID-19.

“We have about 20 people working on this pretty much as much as they can,” said Markforged chief executive, Gregory Mark. “We break it up into three different programs. The first stage is prototyping validation and getting first pass to doctors. The second is clinical trials and the third is production. We are in clinical trials with two. One is the nasal swab and two is the face shield.”

The ability to spin up manufacturing more quickly than traditional production lines using 3D printing means that both companies are in some ways better positioned to address a thousandfold increase in demand for supplies that no one anticipated.

“3D printing is the fastest way to make anything in the world up to a certain number of days, weeks, months or years,” says Mark. “As soon as we get the green light from hospitals, 10,000 printers around the world can be printing face shields and nose swabs.”

Formlabs, which already has a robust business supplying custom-printed surgical-grade healthcare products, is pushing to bring its swabs to market quickly.

“Not only can we help in the development of the swabs, but we can manufacture them ourselves,” says Formlabs chief product officer, David Lakatos.

Swabs for testing are in short supply in part because there are only a few manufacturers in the world who made them — and one of those primary manufacturers is in Italy, which means supplies and staff are in short supply. “There’s a shortage of them and nobody was expecting that we would need to test millions of people in short order,” says Lakatos.

Formlabs is also working on another piece of personal protective equipment — looking at converting snorkeling masks into respirators and face masks. “Our goal is to make one that is reusable,” says Lakatos. “A patient can use it as a respirator and you can put it in an autoclave and reuse it.”

In Brooklyn, Voodoo Manufacturing has repurposed its 5,000-square-foot facility to mass-produce personal protective equipment. The company has set up a website, CombatingCovid.com, where organizations in need of supplies can place orders. Voodoo aims to print at least 2,500 protective face shields weekly and can scale to larger production volumes based on demand, the company said.

STAMFORD, CT – MARCH 23: Nurse Hannah Sutherland, dressed in personal protective equipment (PPE) awaits new patients at a drive-thru coronavirus testing station at Cummings Park on March 23, 2020 in Stamford, Connecticut. Availability of protective clothing for medical workers has become a major issue as COVID-19 cases surge throughout the United States. The Stamford site is run by Murphy Medical Associates. (Photo by John Moore/Getty Images)

Finally, Resonance, the fast fashion startup launched by the founder of FirstMark Capital, Lawrence Lenihan, is using its factory in the Dominican Republic to make face masks for consumers on the island and beyond.

“To contribute to the Dominican health efforts, Resonance is acting to utilize their resources to manufacture safety masks for distribution to local hospitals, nursing homes, and other high-risk facilities as quickly as possible. They have provided user-friendly instructions and material and will pay their sewers who can to make these masks from the security of their homes,” a spokesperson for the company wrote in an email. “Resonance is currently working to share this downloadable platform and simple instructions to their website, so anyone in the world can contribute to their own local communities.”

All of these efforts — and countless others too numerous to mention — point to the ways small companies are hoping to do something to help their communities stay safe and healthy in the midst of this global outbreak.

But many of these extreme measures may not have been necessary had governments around the world actively coordinated their response and engaged in better preparation before the situation became so dire.

There are a litany of errors that governments made — and are still making — in their efforts to respond to the pandemic, even as the private sector steps in and steps up to address them.

Powered by WPeMatico

Is your startup protected against insider threats?

We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.

The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position — in the sense that they are in a place where they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.

“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.

Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.

There are plenty of examples, many not too far back in recent history.

Powered by WPeMatico

‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone to access the files inside.

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed there were 452,634 players’ information, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, but some of the more recent entries date back to mid-2018.

A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.

Powered by WPeMatico

Cybereason raises $200 million for its enterprise security platform

Cybereason, which uses machine learning to increase the number of endpoints a single analyst can manage across a network of distributed resources, has raised $200 million in new financing from SoftBank Group and its affiliates. 

It’s a sign of the belief that SoftBank has in the technology, since the Japanese investment firm is basically doubling down on commitments it made to the Boston-based company four years ago.

The company first came to our attention five years ago when it raised a $25 million financing from investors, including CRV, Spark Capital and Lockheed Martin.

Cybereason’s technology processes and analyzes data in real time across an organization’s daily operations and relationships. It looks for anomalies in behavior across nodes on networks and uses those anomalies to flag suspicious activity.

The company also provides reporting tools to inform customers of the root cause, the timeline, the person involved in the breach or breaches, which tools they use and what information was being disseminated within and outside of the organization.

For co-founder Lior Div, Cybereason’s work is the continuation of the six years of training and service he spent working with the Israeli army’s 8200 Unit, the military incubator for half of the security startups pitching their wares today. After his time in the military, Div worked for the Israeli government as a private contractor reverse-engineering hacking operations.

Over the last two years, Cybereason has expanded the scope of its service to a network that spans 6 million endpoints tracked by 500 employees, with offices in Boston, Tel Aviv, Tokyo and London.

“Cybereason’s big data analytics approach to mitigating cyber risk has fueled explosive expansion at the leading edge of the EDR domain, disrupting the EPP market. We are leading the wave, becoming the world’s most reliable and effective endpoint prevention and detection solution because of our technology, our people and our partners,” said Div, in a statement. “We help all security teams prevent more attacks, sooner, in ways that enable understanding and taking decisive action faster.”

The company said it will use the new funding to accelerate its sales and marketing efforts across all geographies and push further ahead with research and development to make more of its security operations autonomous.

“Today, there is a shortage of more than three million level 1-3 analysts,” said Yonatan Striem-Amit, chief technology officer and co-founder, Cybereason, in a statement. “The new autonomous SOC enables SOC teams of the future to harness technology where manual work is being relied on today and it will elevate  L1 analysts to spend time on higher value tasks and accelerate the advanced analysis L3 analysts do.”

Most recently the company was behind the discovery of Operation SoftCell, the largest nation-state cyber espionage attack on telecommunications companies. 

That attack, which was either conducted by Chinese-backed actors or made to look like it was conducted by Chinese-backed actors, according to Cybereason, targeted a select group of users in an effort to acquire cell phone records.

As we wrote at the time:

… hackers have systematically broken in to more than 10 cell networks around the world to date over the past seven years to obtain massive amounts of call records — including times and dates of calls, and their cell-based locations — on at least 20 individuals.

Researchers at Boston-based Cybereason, who discovered the operation and shared their findings with TechCrunch, said the hackers could track the physical location of any customer of the hacked telcos — including spies and politicians — using the call records.

Lior Div, Cybereason’s co-founder and chief executive, told TechCrunch it’s “massive-scale” espionage.

Call detail records — or CDRs — are the crown jewels of any intelligence agency’s collection efforts. These call records are highly detailed metadata logs generated by a phone provider to connect calls and messages from one person to another. Although they don’t include the recordings of calls or the contents of messages, they can offer detailed insight into a person’s life. The National Security Agency  has for years controversially collected the call records of Americans from cell providers like AT&T and Verizon (which owns TechCrunch), despite the questionable legality.

It’s not the first time that Cybereason has uncovered major security threats.

Back when it had just raised capital from CRV and Spark, Cybereason’s chief executive was touting its work with a defense contractor who’d been hacked. Again, the suspected culprit was the Chinese government.

As we reported, during one of the early product demos for a private defense contractor, Cybereason identified a full-blown attack by the Chinese — 10,000 thousand usernames and passwords were leaked, and the attackers had access to nearly half of the organization on a daily basis.

The security breach was too sensitive to be shared with the press, but Div says that the FBI was involved and that the company had no indication that they were being hacked until Cybereason detected it.

Powered by WPeMatico

Duo’s Wendy Nather to talk security at TC Sessions: Enterprise

When it comes to enterprise security, how do you move fast without breaking things?

Enter Duo’s Wendy Nather, who will join us at TC Sessions: Enterprise in San Francisco on September 5, where we will get the inside track on how to keep enterprise networks secure without slowing growth.

Nather is head of advisory CISOs at Duo Security, a Cisco company, and one of the most respected and trusted voices in the cybersecurity community as a regular speaker on a range of topics, from threat intelligence to risk analysis, incident response, data security and privacy issues.

Prior to her role at Duo, she was the research director at the Retail ISAC, and served as the research director of the Information Security Practice at independent analyst firm 451 Research.

She also led IT security for the EMEA region of the investment banking division of Swiss Bank Corporation — now UBS.

Nather also co-authored “The Cloud Security Rules,” and was listed as one of SC Magazine’s Women in IT Security “Power Players” in 2014.

We’re excited to have Nather discuss some of the challenges startups and enterprises face in security — threats from both inside and outside the firewall. Companies large and small face similar challenges, from keeping data in to keeping hackers out. How do companies navigate the litany of issues and threats without hampering growth?

Who else will we have onstage, you ask? Good question! We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Aaron Levie at Box and Andrew Ng at Landing AI and many, many more. See the whole agenda right here.

Early-bird tickets are on sale right now! For just $249 you can see Nather and these other awesome speakers live at TC Sessions: Enterprise. But hurry, early-bird sales end on August 9; after that, prices jump up by $100. Book here.

If you’re a student on a budget, don’t worry, we’ve got a super-reduced ticket for just $75 when you apply for a student ticket right here.

Enterprise-focused startups can bring the whole crew when you book a Startup Demo table for just $2,000. Each table gives you a primo location to be seen by attendees, investors and other sponsors, in addition to four tickets to enjoy the show. We only have a limited amount of demo tables and we will sell out. Book yours here.

Powered by WPeMatico

What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry would have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked from an angry botnet operator pummeling the domain with junk traffic to try to knock it offline and two of their servers were seized by police in France thinking they were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

Powered by WPeMatico

After account hacks, Twitch streamers take security into their own hands

Twitch has an account hacking problem.

After the breach of popular browser game Town of Salem in January, some 7.8 million stolen passwords quickly became the weakest link not only for the game but gamers’ other accounts. The passwords were stored using a long-deprecated scrambling algorithm, making them easily cracked.

It didn’t take long for security researcher and gamer Matthew Jakubowski to see the aftermath.

In the weeks following, the main subreddit for Amazon-owned game streaming site Twitch — of which Jakubowski is a moderator — was flooded with complaints about account hijacks. One after the other, users said their accounts had been hacked. Many of the hijacked accounts had used their Town of Salem password for their Twitch account.

Jakubowski blamed the attacks on automated account takeovers — bots that cycle through password lists stolen from breached sites, including Town of Salem.

“Twitch knows it’s a problem — but this has been going on for months and there’s no end in sight,” Jakubowski told TechCrunch.

Credential stuffing is a security problem that requires participation from both tech companies and their users. Hackers take lists of usernames and passwords from other breached sites and brute-force their way into other accounts. Customers of DoorDash and Chipotle have in recent months complained of account breaches, but have denied their systems have been hacked, offered little help to their users or shown any effort to bolster their security, and instead washed their hands of any responsibility.

Jakubowski, working with fellow security researcher Johnny Xmas, said Twitch no longer accepting email addresses to log in and incentivizing users to set up two-factor authentication would all but eliminate the problem.

The Russia connection

In new research out Tuesday, Jakubowski and Xmas said Russian hackers are a likely culprit.

The researchers found attackers would run massive lists of stolen credentials against Twitch’s login systems using widely available automation tools. With no discernible system to prevent automated logins, the attackers can hack into Twitch accounts at speed. Once logged in, the attackers then change the password to gain persistent access to the account. Even if they’re caught, some users are claiming a turnaround time of four weeks for Twitch support to get their accounts back.

On the accounts with a stored payment card — or an associated Amazon Prime membership — the attackers follow streaming channels they run or pay a small fee to access, of which Twitch takes a cut. Twitch also has its own virtual currency — bits — to help streamers solicit donations, which can be abused by the attackers to funnel funds into their coffers.

When the attacker’s streaming account hits the payout limit, the attacker cashes out.

The researchers said the attackers stream prerecorded gameplay footage on their own Twitch channels, often using Russian words and names.

“You’ll see these Russian accounts that will stream what appears to be old video game footage — you’ll never see a face or hear anybody talking but you’ll get tons of people subscribing and following in the channel,” said Xmas. “You’ll get people donating bits when nothing is going on in there — even when the channel isn’t streaming,” he said.

This activity helps cloak the attackers’ account takeover and pay-to-follow activity, said Xmas, but the attackers would keep the subscriber counts low enough to garner payouts from Twitch but not draw attention.

“If it’s something easy enough for [Jakubowski] to stumble across, it should be easy for Twitch to handle,” said Xmas. “But Twitch is staying silent and users are constantly being defrauded.”

Two-factor all the things

Twitch, unlike other sites and services with a credential stuffing problem, already lets its 15 million daily users set up two-factor authentication on their accounts, putting much of the onus to stay secure on the users themselves.

Twitch partners, like Jakubowski, and affiliates are required to set up two-factor on their accounts.

But the researchers say Twitch should do more to incentivize ordinary users — the primary target for account hijackers and fraudsters — to secure their accounts.

“I think [Twitch] doesn’t want that extra step between a valid user trying to pay for something and adding friction to that process,” said Jakubowski.

“The hackers have no idea how valuable an account is until they log in. They’re just going to try everyone — and take a shotgun approach.”
Matthew Jakubowski, security researcher and Twitch partner

“Two-factor is important — everyone knows it’s important but users still aren’t using it because it’s inconvenient,” said Xmas. “That’s the bottom line: Twitch doesn’t want to inconvenience people because that loses Twitch money,” he said.

Recognizing there was still a lack of awareness around password security and with no help from Twitch, Jakubowski and Xmas took matters into their own hands. The pair teamed up to write a comprehensive Twitch user security guide to explain why seemingly unremarkable accounts are a target for hackers, and hosted a Reddit “ask me anything” to let users to ask questions and get instant feedback.

Even during Jakubowski’s streaming sessions, he doesn’t waste a chance to warn his viewers about the security problem — often fielding other security-related questions from his fans.

“Every 10 minutes or so, I’ll remind people watching to set-up two factor,” he said.

“The hackers have no idea how valuable an account is until they log in,” said Jakubowski. “They’re just going to try everyone — and take a shotgun approach,” he said.

Xmas said users “don’t realize” how vulnerable they are. “They don’t understand why their account — which they don’t even use to stream — is desirable to hackers,” he said. “If you have a payment card associated with your account, that’s what they want.”

Carrot and the stick

Jakubowski said that convincing the users is the big challenge.

Twitch could encourage users with free perks — like badges or emotes — costing the company nothing, the researchers said. Twitch lets users collect badges to flair their accounts. World of Warcraft maker Blizzard offers perks for setting up two-factor, and Epic Games offers similar incentives to their gamers.

“Rewarding users for implementing two-factor would go a huge way,” said Xmas. “It’s incredible to see how effective that is.”

The two said the company could also integrate third-party leaked credential monitoring services, like Have I Been Pwned, to warn users if their passwords have been leaked or exposed. And, among other fixes, the researchers say removing two-factor by text message would reduce SIM swapping attacks. Xmas, who serves as director of field engineering at anti-bot startup Kasada — which TechCrunch profiled earlier this year — said Twitch could invest in systems that detect bot activity to prevent automated logins.

Twitch, when reached prior to publication, did not comment.

Jakubowski said until Twitch acts, streamers can do their part by encouraging their viewers to switch on the security feature. “Streamers are influencers — more users are likely to switch on two-factor if they hear it from a streamer,” he said.

“Getting more streamers to get on board with security will hopefully go a much longer way,” he said.

Read more:

Powered by WPeMatico

C2A raises $6.5M for its in-car cybersecurity platform

Cars are now essentially computers on wheels — and like every computer, they are susceptible to attacks. It’s no surprise then that there’s a growing number of startups that are working to protect a car’s internal systems from these hacks, especially given that the market for automotive cybersecurity could be worth mor $900 billion by 2026.

One of these companies is Israel’s C2A Security, which offers an end-to-end security platform for vehicles, which today announced that it has raised a $6.5 million Series A funding round.

The round was led by Maniv Mobility, which previously invested in companies like Hailo, drive.ai and Turo, and ICV, which has invested in companies like Freightos and Vayyar. OurCrowd’s Labs/02 also participated in this round.

Like most companies at the Series A stage, C2A plans to use the new funding to grow its team, especially on the R&D side, and help support its customer base. Sadly, C2A does not currently talk about who its customers are.

The promise of C2A is that it offers a full suite of solutions to detect and mitigate attacks. The team behind the company has an impressive security pedigree, with the company’s CMO Nat Meron being an alumn of Israel’s Unit 8200 intelligence unit, for example. C2A founder and CEO Michael Dick previously co-founded NDS, a content security solution, which Cisco acquired for around $5 billion in 2012 (and then recently sold on to Permira, also for $5 billion).

“We are extremely proud to receive the support of such outstanding investors, who will bring tremendous value to the company,” said Dick. “Maniv’s expertise in autotech and strong network across the industry coupled with ICV’s rich experience in cybersecurity brings the perfect combination of skills to the table.”

Powered by WPeMatico