The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.
United Nations experts are calling for an investigation after a forensic report said Saudi officials “most likely” used a mobile hacking tool built by the NSO Group to hack into the phone of Amazon founder Jeff Bezos.
The report, carried out by FTI Consulting, said it was “highly probable” that the phone hack was triggered by a malicious video sent over WhatsApp to Bezos’ phone. Within hours, large amounts of data on Bezos’ phone had been exfiltrated.
Netflix addressed the competitive landscape in its Q4 earnings report, arguing that there’s “ample room for many services to grow as linear TV wanes,” noting that during the quarter, “our viewing per membership grew both globally and in the U.S. on a year over year basis, consistent with recent quarters.”
Tencent is cementing its position as one of the world’s biggest video and online gaming companies by revenue. Funcom, meanwhile, is traded publicly on the Oslo Stock Exchange, and the board has already recommended accepting the offer — which is being made at around 27% higher than Tuesday’s closing share price.
The new apps include a Screen Stopwatch for tracking screen time, another that lets you visualize your phone usage as bubbles and a third that lets you put your phone in an envelope. And no, that last one’s not a joke — the envelope would still allow you to make and receive calls, and to use the camera to take photos.
If you own a Zone Player, Connect, first-generation Play:5, CR200, Bridge or pre-2015 Connect:Amp, FYI: Sonos is going to stop shipping updates to those devices. And if Spotify and Apple Music update their application programming interface in the future, your devices could stop working with those services altogether.
GM subsidiary Cruise now employs more than 1,700 people, a considerable chunk of whom are software engineers. Less well-known is the company’s strategy of building out a hardware team, which will eventually take over Cruise’s 140,000-square-foot building on San Francisco’s Bryant Street.
Faida tells us that the company is trying to thread a fine line between conflicting interests and string together a critical mass of internet users who want to get rid of unwelcome distractions; along with digital publishers and ad purveyors who want to maximize eyeballs on their stuff — and are likely especially keen to reach a tech-savvy, ad-blocking demographic. (Extra Crunch membership required.)
Reuters reported yesterday, citing six sources familiar with the matter, that the FBI pressured Apple into dropping a feature that would allow users to encrypt iPhone backups stored in Apple’s cloud.
The decision to abandon plans to end-to-end encrypt iCloud-stored backups was reportedly made about two years ago. The feature, if rolled out, would have locked out anyone other than the device owner — including Apple — from accessing a user’s data. In doing so, it would have made it more difficult for law enforcement and federal investigators, warrant in hand, to access a user’s device data stored on Apple’s servers.
Reuters said it “could not determine exactly” why the decision to drop the feature was made, but one source said “legal killed it,” referring to the company’s lawyers. One of the reasons that Apple’s lawyers gave, per the report, was a fear that the government would use the move as “an excuse for new legislation against encryption.”
It’s the latest in a back and forth between Apple and the FBI since a high-profile legal battle four years ago, which saw the FBI use a little-known 200-year-old law to demand the company create a backdoor to access the iPhone belonging to the San Bernardino shooter. The FBI’s case against Apple never made it to court, after the bureau found hackers who were able to break into the device, leaving the question of whether the government can compel a company to backdoor their own products in legal limbo.
The case has prompted debate — again — over whether or not companies should build technologies that lock out law enforcement from data, even when they have a warrant.
TechCrunch managing editor Danny Crichton says companies shouldn’t make it impossible for law enforcement to access their customers’ data with a warrant. Security editor Zack Whittaker disagrees, and says it’s entirely within their right to protect customer data.
Zack: Tech companies are within their rights — both legally and morally — to protect their customers’ data from any and all adversaries, using any legal methods at their disposal.
Apple is a great example of a company that doesn’t just sell products or services, but one that tries to sell you trust — trust in a device’s ability to keep your data private. Without that trust, companies cannot profit. Companies have found end-to-end encryption is one of the best, most efficient, and most practical ways of ensuring that their customers’ data is secured from anyone, including the tech companies themselves, so that nobody other than the owner can access it. That means even if hackers break into Apple’s servers and steal a user’s data, all they have is an indecipherable cache of data that cannot be read.
But the leaks from last decade which revealed the government’s vast surveillance access to their customers’ data prompted the tech companies to start seeing the government as an adversary — one that will use any and all means to acquire the data it wants. Companies are taking the utilitarian approach of giving their customers as much security as they can. That is how you build trust — by putting that trust directly in the hands of the customer.
Danny: Zack is right that trust is critical between technology companies and users — certainly the plight of Facebook the past few years bears that out. But there also has to be two-way trust between people and their government, a goal thwarted by end-to-end encryption.
No one wants the government poking their heads into our private data willy-nilly, scanning our interior lives seeking out future crimes à la Minority Report. But as citizens, we also want to empower our government with certain tools to make us safer — including mechanisms such as the use of search warrants to legally violate a citizen’s privacy with the authorization of the judiciary to investigate and prosecute suspected crimes.
In the past, the physical nature of most data made such checks-and-balances easy to enforce. You could store your private written notebooks in a physical safe, and if a warrant was issued by an appropriate judge, the police could track down that safe, and drill it open if necessary to access the contents inside. Police had no way to scan all the private safes in the country, and so users had privacy with their data, while the police had reasonable access to seize that data when certain circumstances authorized them to do so.
Today, end-to-end encryption completely undermines this necessary judicial process. A warrant may be issued for data stored on let’s say iCloud, but without a suspect’s cooperation, the police and authorities may have no recourse to seize data they legally are allowed to acquire as part of their investigation. And it’s not just law enforcement — the evidential discovery process at the start of any trial could similarly be undermined. A judiciary without access to evidence will be neither fair nor just.
I don’t like the sound or idea of a backdoor any more than Zack does, not least because the technical mechanisms of a backdoor seem apt for hacking and other nefarious activities. However, completely closing off legitimate access to law enforcement could make entire forms of crime almost impossible to prosecute. We have to find a way to get the best of both worlds.
Zack: Yes, I want the government to be able to find, investigate and prosecute criminals. But not at the expense of our privacy or by violating our rights.
The burden to prosecute an individual is on the government, and the Fourth Amendment is clear. Police need a warrant, based on probable cause, to search and seize your property. But a warrant is only an authority to access and obtain information pursuant to a crime. It’s not a golden key that says the data has to be in a readable format.
If it’s really as difficult for the feds to gain access to encrypted phones as they say it is, it needs to show us evidence that stands up to scrutiny. So far the government has shown it can’t act in good faith on this issue, nor can it be trusted. The government has for years vastly artificially inflated the number of encrypted devices it said it can’t access. It’s also claimed it needs the device makers, like Apple, to help unlock devices when the government has long already had the means and the technologies capable of breaking into encrypted devices. And the government has refused to say how many investigations are actively harmed by encrypted devices that can’t be unlocked, effectively giving watchdogs no tangible way to adequately measure how big of a problem the feds claim it is.
But above all else, the government has repeatedly failed to rebut a core criticism from security engineers and cryptography experts that a “backdoor” designed only for law enforcement to access would not inadvertently get misused, lost, or stolen and exploited by nefarious actors, like hackers.
Encryption is already out there, there’s no way the encryption genie will ever float its way back into the bottle. If the government doesn’t like the law, it has to come up with a convincing argument to change the law.
Danny: I go back to both of our comments around trust — ultimately, we want to design systems built on that foundation. That means knowing that our data is not being used for ulterior, pecuniary interests by tech companies, that our data isn’t being ingested into a massive government tracking database for broad-based population surveillance, and that we ultimately have reasonable control over our own privacy.
I agree with you that a warrant simply says that the authorities have access to what’s “there.” In my physical safe example, if a suspect has written their notes in a coded language and stored them in the safe and the police drill it open and extract the papers, they are no more likely to read those notes than they are the encrypted binary files coming out of an end-to-end encrypted iCloud.
That said, technology does allow scaling up that “coded language” to everyone, all the time. Few people consistently encoded their notes thirty years ago, but now your phone could potentially do that on your behalf, every single time. Every single investigation — again, with a reasonable search warrant — could potentially be a multi-step process just to get basic information that we otherwise would want law enforcement to know in the normal and expected course of their duties.
What I’m calling for then is a deeper and more pragmatic conversation about how to protect the core of our system of justice. How do we ensure privacy from unlawful search and seizure, while also allowing police access to data (and the meaning of that data, i.e. unencrypted data) stored on servers with a legal warrant? Without a literal encoded backdoor prone to malicious hacking, are there technological solutions that might be possible to balance these two competing interests? In my mind, we can’t have and ultimately don’t want a system where fair justice is impossible to acquire.
Now as an aside on the comments about data: the reality is that all justice-related data is complicated. I agree these data points would be nice to have and would help make the argument, but at the same time, the U.S. has a decentralized justice system with thousands of overlapping jurisdictions. This is a country that can barely count the number of murders, let alone other crimes, let alone the evidentiary standards related to smartphones related to crimes. We are just never going to have this data, and so in my view, an opinion of waiting until we have it is unfair.
Zack: The view from the security side is that there’s no flexibility. These technological solutions you think of have been considered for decades — even longer. The idea that the government can dip into your data when it wants to is no different from a backdoor. Even key escrow, where a third-party holds onto the encryption keys for safe keeping, is also no different from a backdoor. There is no such thing as a secure backdoor. Something has to give. Either the government stands down, or ordinary privacy-minded folk give up their rights.
The government says it needs to catch pedophiles and serious criminals, like terrorists and murderers. But there’s no evidence to show that pedophiles, criminals, and terrorists use encryption any more than the average person.
We have as much right to be safe in our own homes, towns and cities as we do to privacy. But it’s not a trade-off. Everyone shouldn’t have to give up privacy because of a few bad people.
Encryption is vital to our individual security, or collective national security. Encryption can’t be banned or outlawed. Like the many who have debated these same points before us, we may just have to agree to disagree.
A new United Nations report says a mobile hacking tool built by mobile spyware maker, the NSO Group, was “most likely” used to hack into the Amazon founder Jeff Bezos’ phone.
The report, published by U.N. human rights experts on Wednesday, said the Israeli-based spyware maker likely used its Pegasus mobile spyware to exfiltrate gigabytes of data from Bezos’ phone in May 2018, about six months after the Saudi government first obtained the spyware.
It comes a day after reports emerged, citing a forensics report commissioned by the Amazon founder, that the malware was delivered from a number belonging to Saudi crown prince Mohammed bin Salman. The report said it was “highly probable” that the phone hack was triggered by a malicious video sent over WhatsApp to Bezos’ phone.
Within hours, large amounts of data on Bezos’ phone had been exfiltrated.
NSO Group said in a statement that its technology “was not used in this instance,” saying its technology “cannot be used on U.S. phone numbers.” The company said any suggestion otherwise was “defamatory” and threatened legal action.
But the report left open the possibility that technology developed by another mobile spyware maker may have been used.
U.N. experts Agnes Callamard and David Kaye, who authored the report, said the breach of Bezos’ phone was part of “a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities.”
Forensics experts are said to have begun looking at Bezos’ phone after he accused the National Enquirer of blackmail last year. In a tell-all Medium post, Bezos described how he was targeted by the tabloid, which obtained and published private text messages and photos from his phone, prompting an investigation into the leak. The subsequent forensic report, which TechCrunch has not yet seen, claims the initial breach began after Bezos and the Saudi crown prince exchanged phone numbers in April 2018, a month before the hack.
The report said several other prominent figures, including Saudi dissidents and political activists, also had their phones infected with the same mobile malware around the time of the Bezos phone breach. Those whose phones were infected include people close to Jamal Khashoggi, a prominent Saudi critic and columnist for the Washington Post — which Bezos owns — who was murdered five months later.
“The information we have received suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post’s reporting on Saudi Arabia,” the U.N. experts said.
U.S. intelligence concluded that bin Salman ordered Khashoggi’s death.
The U.N. experts said the Saudis purchased the Pegasus malware, and used WhatsApp as a way to deliver the malware to Bezos’ phone.
WhatsApp, which is owned by Facebook, filed a lawsuit against the NSO Group for creating and using the Pegasus malware, which exploits a since-fixed vulnerability in the messaging platform. Once exploited, sometimes silently and without the target knowing, the operators can download data from the user’s device. Facebook said at the time that the malware was delivered on more than 1,400 targeted devices.
The U.N. experts said they will continue to investigate the “growing role of the surveillance industry” used for targeting journalists, human rights defenders, and owners of media outlets.
Amazon did not immediately comment.
Octarine, a startup that helps automate security of Kubernetes workloads, released an open source scanning tool today. The tool, which is called KubeScan, is designed to help developers understand the level of security risk in their Kubernetes clusters.
The company is also open sourcing a second tool called KCSS, which is the underlying configuration framework used in KubeScan.
As Octarine’s head of product Julien Sobrier points out, there are 30 security settings in Kubernetes and KubeScan can help you see where you might be vulnerable on any one of them, measured on a scale of 0-10, with 10 being extremely vulnerable.
“Kubernetes gives a lot of flexibility and a lot of power to developers. There are over 30 security settings, and understanding how they interact with each other, which settings make security worse, which one make it better, and the impact of each selection is not something that’s easy to measure or explain,” Sobrier told TechCrunch.
Octarine wants to help with these two open source tools. It started by building KCSS, a vulnerability model based on the industry standard Common Vulnerability Scoring System (CVSS), to provide a risk assessment framework for KubeScan.
“We’ve taken this model of CVSS and applied into Kubernetes. This helps explain to users, what are the security settings that are causing risk? What is the danger to the workload in terms of availability of the cluster, integrity of the cluster and confidentiality of the cluster,” Sobrier explained. This gives developers and operations a common system for understanding the security posture of the cluster, and makes it easier for them to decide whether the risk is acceptable or not.
They have then taken the KCSS framework and built KubeScan. This takes the settings as defined in KCSS and applies a score, which measures the level of risk for each setting in the Kubernetes cluster you run it on. “KubeScan is basically an implementation of the KCSS framework. So it’s software, a container, that will run on your cluster and show you the risk of all the [settings] on a scale from zero, not risky to 10, highly risky, and then give you all the details about what the grade is and the possible remediation that you can put in place,” he said.
While it obviously could work hand-in-glove with Octarine’s own security tools, Rafael Feitelberg, VP of commercialization, says the project has been more about helping companies see their Kubernetes cluster risk level, and giving them information to fix the problems it finds. “A lot of these things can be remediated by adjusting the Kubernetes configuration, and you can explicitly see how you can remediate [the problem] in KubeScan,” he said.
Feitelberg says that Octarine is something separate, designed to help you automate your security settings. “Our commercial product is more about the automation of the process, of doing this continuously, so it’s part of your CI/CD [pipeline] and your DevOps process,” he said.
Both of the open source tools are available today on GitHub.
Thundra, an early stage serverless tooling startup, announced a $4 million Series A today led by Battery Ventures. The company spun out from OpsGenie after it was sold to Atlassian for $295 million in 2018.
York IE, Scale X Ventures and Opsgenie founder Berkay Mollamustafaoglu also participated in the round. Battery’s Neeraj Agarwal is joining the company’s board under the terms of the agreement.
The startup also announced that it had recently hired Ken Cheney as CEO with technical founder Serkan Ozal becoming CTO.
Originally, Thundra helped run the serverless platform at OpsGenie. As a commercial company, it helps monitor, debug and secure serverless workloads on AWS Lambda. These three tasks could easily be separate tools, but Cheney says it makes sense to include them all because they are all related in some way.
“We bring all that together and provide an end-to-end view of what’s happening inside the application, and this is what really makes Thundra unique. We can actually provide a high-level distributed view of that constantly-changing application that shows all of the components of that application, and how they are interrelated and how they’re performing. It can also troubleshoot down to the local service, as well as go down into the runtime code to see where the problems are occurring and let you know very quickly,” Cheney explained.
He says that this enables developers to get this very detailed view of their serverless application that otherwise wouldn’t be possible, helping them concentrate less on the nuts and bolts of the infrastructure, the reason they went serverless in the first place, and more on writing code.
Thundra is able to do all of this in a serverless world, where there isn’t a fixed server and resources are ephemeral, making it difficult to identify and fix problems. It does this by installing an agent at the Lambda (AWS’ serverless offering) level on AWS, or at runtime on the container at the library level,” he said.
Battery’s Neeraj Agarwal says having invested in OpsGenie, he knew the engineering team and was confident in the team’s ability to take it from internal tool to more broadly applicable product.
“I think it has to do with the quality of the engineering team that built OpsGenie. These guys are very microservices oriented, very product oriented, so they’re very quick at iterating and developing products. Even though this was an internal tool I think of it as very much productized, and their ability to now sell it to the broader market is very exciting,” he said.
The company offers a free version, then tiered pricing based on usage, storage and data retention. The current product is a cloud service, but it plans to add an on prem version in the near future.
As the total cost of cybercrime reaches into trillions of dollars and continues to rise, a firm called Intezer — which has built a way to analyse, identify and eradicate malware by way of an ordering system similar to what’s used when mapping out DNA — has raised $15 million to double down on growth.
The funding, a Series B, is being led by OpenView Partners, the VC with a focus on expansion rounds for enterprise software companies, with participation from previous investors Intel Capital (which led the Series A in 2017), Magma, Samsung NEXT, USAA, and Alon Cohen, the founder and former CEO of CyberArk, who is also a co-founder of Intezer. The company is not disclosing its funding; it has raised a relatively modest $25 million to date.
Itai Tevet, Intezer’s other co-founder and CEO who had previously run the Cyber Incident Response Team (CERT) in Israel’s IDF, notes that the startup’s customers include “Fortune 500 companies, late stage startups, and elite government agencies” (it doesn’t disclose any specific names). In an interview, he said Intezer will be using the funding both to expand that list — through two products it currently offers, Intezer Protect and Intezer Analyze (which comes without remediation) — and also to explore how to apply its model to other areas under threat from malicious cyberattacks not traditionally associated with malware.
“Because our technology deals with binary code in general, it’s applicable in many different ways,” he said. “Since any digital device runs binary code (even drones, medical devices, smart phones, …), our technology has the potential to create a big impact in numerous aspects of cyber security to provide visibility, control and protection from any unauthorized and malicious code.”
Intezer describes its technique as “genetic malware analysis”, and the basic premise is that “all software, whether legitimate or malicious, is comprised of previously written code,” Tevet said. (He said he first came up with this revelation at the IDF, where he was “dealing with the best cyber attackers in the world,” later working with Cohen and a third co-founder Roy Halevi, to perfect the idea.)
Intezer therefore has built software that can “map” out different malware, making connections by detecting code reuse and code similarities, which in turn can help it identify new threats, and help put a stop to them.
There is a reason why cybercriminals reuse code, and it has to do with economies of scale: they can reuse and work faster. Conversely, it also becomes “exponentially harder for them to launch a new attack campaign since they would need to start completely from scratch,” Tevet notes.
While there are literally hundreds of startups now on the market building ways to identify, mitigate and remediate the effects of malware on systems, Intezer claims to stand apart from the pack.
“The vast majority of security systems in the market today detect threats by looking for anomalies and other indicators of compromise,” usually using machine learning and AI, but Tevet adds that this “can be evaded by ‘blending in’ as normal activity.” One consequence of that is that these methods also drown security teams with vague and false-positive alerts, he added. “On the other hand, Intezer doesn’t look for the symptoms of the attack, but can actually uncover the origins of the root cause of nearly all cyber attacks — the code itself.”
The startup’s proof is in the pudding so to speak: it has scored some notable successes to date through its use. Intezer was the first to identify that WannaCry came out of North Korea; it built a code map that helped provide the links between the Democratic National Committee breach and Russian hackers; and most recently it identified a new malware family called “HiddenWasp” linked specifically to Linux systems.
Itai Tevet, the co-founder and CEO, says that “hands down,” Linux-focused threats are the biggest issue of the moment.
“Everybody’s talking about cloud security but it is rarely discussed that Linux malware is a thing,” he said in an interview. “Since the dawn of cloud and IoT, Linux has become the most common operating system and, in turn, the biggest prize for hackers.” He added that in the more traditional enterprise landscape, “banking trojans such as Emotet and Trickbot remain the most common malware families seen in the wild.”
“Itai, Roy and the team at Intezer possess a rare expertise in incident response, malware analysis, and reverse engineering having mitigated many nation-state sponsored threats in the past,” said Scott Maxwell, founder and managing partner of OpenView, in a statement. “The Genetic Malware Analysis technology they’ve developed represents the next-generation of cyber threat detection, classification, and remediation. We’re excited to support them as they build a category-defining company.”
Snyk, the company that wants to help developers secure their code as part of the development process, announced a $150 million investment today. The company indicated the investment brings its valuation to over $1 billion (although it did not share the exact figure).
Today’s round was led by Stripes, a New York City investment firm with help from Coatue, Tiger Global, BoldStart, Trend Forward, Amity and Salesforce Ventures. The company reports it has now raised over $250 million.
The idea behind Snyk is to fit security firmly in the development process. Rather than offloading it to a separate team, something that can slow down a continuous development environment, Snyk builds in security as part of the code commit.
The company offers an open source tool that helps developers find open source vulnerabilities when they commit their code to GitHub, Bitbucket, GitLab or any CI/CD tool. It has built up a community of over 400,000 developers with this approach.
Snyk makes money with a container security product, and by making the underlying vulnerability database they use in the open source product available to companies as a commercial product.
CEO Peter McKay, who came on board last year as the company was making a move to expand into the enterprise, says the open source product drives the revenue-producing products and helped attract this kind of investment. “Getting to [today’s] funding round was the momentum in the open source model from the community to freemium to [land] and expand — and that’s where we are today,” he told TechCrunch.
He said that the company wasn’t looking for this money, but investors came knocking and gave them a good offer, based on Snyk’s growing market momentum. “Investors said we want to take advantage of the market, and we want to make sure you can invest the way you want to invest and take advantage of what we all believe is this very large opportunity,” McKay said.
In fact, the company has been raising money at a rapid clip since it came out of the gate in 2016 with a $3 million seed round. A $7 million Series A and $22 million Series B followed in 2018 with a $70 million Series C last fall.
The company reports over 4X revenue growth in 2019 (without giving exact revenue figures), and some major customer wins including the likes of Google, Intuit, Nordstrom and Salesforce. It’s worth noting that Salesforce thought enough of the company that it also invested in this round through its Salesforce Ventures investment arm.
As the global cybersecurity market becomes increasingly crowded, the Start Up Nation remains a bulwark of innovation and opportunity generation for investors and global cyber companies alike. It achieved this chiefly in 2019 by adapting to the industry’s competitive developments and pushing forward its most accomplished entrepreneurs in larger numbers to meet them.
New data illustrates how Israeli entrepreneurs have seized on the country’s reputation for building radically cutting-edge technologies as the number of new Israeli cybersecurity startups addressing nascent sectors eclipses its more traditional counterparts. Moreover, related findings highlight how cybersecurity companies looking to expand beyond their traditional offerings are entering Israel’s cybersecurity ecosystem in larger numbers through highly strategic acquisitions.
Broadly, new findings also reveal the Israeli cybersecurity market’s overall coming of age, seasoned entrepreneurial dominance and greater appetite for longer-term visions and strategies — the latter of which received record-breaking investor backing in 2019.
Breaking records
Facebook spying on teens, Twitter accounts hijacked by terrorists, and sexual abuse imagery found on Bing and Giphy were amongst the ugly truths revealed by TechCrunch’s investigative reporting in 2019. The tech industry needs more watchdogs than ever as its size enlarges the impact of safety failures and the abuse of power. Whether through malice, naivety, or greed, there was plenty of wrongdoing to sniff out.
Led by our security expert Zack Whittaker, TechCrunch undertook more long-form investigations this year to tackle these growing issues. Our coverage of fundraises, product launches, and glamorous exits only tells half the story. As perhaps the biggest and longest running news outlet dedicated to startups (and the giants they become), we’re responsible for keeping these companies honest and pushing for a more ethical and transparent approach to technology.
If you have a tip potentially worthy of an investigation, contact TechCrunch at email@example.com or by using our anonymous tip line’s form.
Here are our top 10 investigations from 2019, and their impact:
Facebook pays teens to spy on their data
Josh Constine’s landmark investigation discovered that Facebook was paying teens and adults $20 in gift cards per month to install a VPN that sent Facebook all their sensitive mobile data for market research purposes. The laundry list of problems with Facebook Research included not informing 187,000 users the data would go to Facebook until they signed up for “Project Atlas”, not receiving proper parental consent for over 4300 minors, and threatening legal action if a user spoke publicly about the program. The program also abused Apple’s enterprise certificate program designed only for distribution of employee-only apps within companies to avoid the App Store review process.
The fallout was enormous. Lawmakers wrote angry letters to Facebook. TechCrunch soon discovered a similar market research program from Google called Screenwise Meter that the company promptly shut down. Apple punished both Google and Facebook by shutting down all their employee-only apps for a day, causing office disruptions since Facebookers couldn’t access their shuttle schedule or lunch menu. Facebook tried to claim the program was above board, but finally succumbed to the backlash and shut down Facebook Research and all paid data collection programs for users under 18. Most importantly, the investigation led Facebook to shut down its Onavo app, which offered a VPN but in reality sucked in tons of mobile usage data to figure out which competitors to copy. Onavo helped Facebook realize it should acquire messaging rival WhatsApp for $19 billion, and it’s now at the center of anti-trust investigations into the company. TechCrunch’s reporting weakened Facebook’s exploitative market surveillance, pitted tech’s giants against each other, and raised the bar for transparency and ethics in data collection.
Protecting The WannaCry Kill Switch
Zack Whittaker’s profile of the heroes who helped save the internet from the fast-spreading WannaCry ransomware reveals the precarious nature of cybersecurity. The gripping tale documenting Marcus Hutchins’ benevolent work establishing the WannaCry kill switch may have contributed to a judge’s decision to sentence him to just one year of supervised release instead of 10 years in prison for an unrelated charge of creating malware as a teenager.
The dangers of Elon Musk’s tunnel
TechCrunch contributor Mark Harris’ investigation discovered inadequate emergency exits and more problems with Elon Musk’s plan for his Boring Company to build a Washington D.C.-to-Baltimore tunnel. Consulting fire safety and tunnel engineering experts, Harris built a strong case for why state and local governments should be suspicious of technology disrupters cutting corners in public infrastructure.
Bing image search is full of child abuse
Josh Constine’s investigation exposed how Bing’s image search results both showed child sexual abuse imagery and suggested search terms to innocent users that would surface this illegal material. A tip led Constine to commission a report by anti-abuse startup AntiToxin (now L1ght), forcing Microsoft to commit to UK regulators that it would make significant changes to stop this from happening. However, a follow-up investigation by the New York Times citing TechCrunch’s report revealed Bing had made little progress.
Expelled despite exculpatory data
Zack Whittaker’s investigation surfaced contradictory evidence in a case of alleged grade tampering by Tufts student Tiffany Filler who was questionably expelled. The article casts significant doubt on the accusations, and that could help the student get a fair shot at future academic or professional endeavors.
Burned by an educational laptop
Natasha Lomas chronicled the troubles at educational computer hardware startup pi-top, including a device malfunction that injured a U.S. student. An internal email revealed the student had suffered “a very nasty finger burn” from a pi-top 3 laptop designed to be disassembled. Reliability issues swelled and layoffs ensued. The report highlights how startups operating in the physical world, especially around sensitive populations like students, must make safety a top priority.
Giphy fails to block child abuse imagery
Sarah Perez and Zack Whittaker teamed up with child protection startup L1ght to expose Giphy’s negligence in blocking sexual abuse imagery. The report revealed how criminals used the site to share illegal imagery, which was then accidentally indexed by search engines. TechCrunch’s investigation demonstrated that it’s not just public tech giants who need to be more vigilant about their content.
Airbnb’s weakness on anti-discrimination
Megan Rose Dickey explored a botched case of discrimination policy enforcement by Airbnb when a blind and deaf traveler’s reservation was cancelled because they have a guide dog. Airbnb tried to just “educate” the host who was accused of discrimination instead of levying any real punishment until Dickey’s reporting pushed it to suspend them for a month. The investigation reveals the lengths Airbnb goes to in order to protect its money-generating hosts, and how policy problems could mar its IPO.
Expired emails let terrorists tweet propaganda
Zack Whittaker discovered that Islamic State propaganda was being spread through hijacked Twitter accounts. His investigation revealed that if the email address associated with a Twitter account expired, attackers could re-register it to gain access and then receive password resets sent from Twitter. The article revealed the savvy but not necessarily sophisticated ways terrorist groups are exploiting big tech’s security shortcomings, and identified a dangerous loophole for all sites to close.
Porn & gambling apps slip past Apple
Josh Constine found dozens of pornography and real-money gambling apps had broken Apple’s rules but avoided App Store review by abusing its enterprise certificate program — many based in China. The report revealed the weak and easily defrauded requirements to receive an enterprise certificate. Seven months later, Apple revealed a spike in porn and gambling app takedown requests from China. The investigation could push Apple to tighten its enterprise certificate policies, and proved the company has plenty of its own problems to handle despite CEO Tim Cook’s frequent jabs at the policies of other tech giants.
Bonus: HQ Trivia employees fired for trying to remove CEO
This Game Of Thrones-worthy tale was too intriguing to leave out, even if the impact was more of a warning to all startup executives. Josh Constine’s look inside gaming startup HQ Trivia revealed a saga of employee revolt in response to its CEO’s ineptitude and inaction as the company nose-dived. Employees who organized a petition to the board to remove the CEO were fired, leading to further talent departures and stagnation. The investigation served to remind startup executives that they are responsible to their employees, who can exert power through collective action or their exodus.
If you have a tip for Josh Constine, you can reach him via encrypted Signal or text at (585)750-5674, joshc at TechCrunch dot com, or through Twitter DMs
Microsoft has confirmed a security flaw affecting Internet Explorer is currently being used by hackers, but said it has no immediate plans to fix it.
In a late-evening tweet, US-CERT, the division of Homeland Security tasked with reporting on major security flaws, linked to a security advisory detailing the bug, describing it as “being exploited in the wild.”
Microsoft said all supported versions of Windows are affected by the flaw, including Windows 7, which after this week no longer receives security updates.
The vulnerability was found in how Internet Explorer handles memory. An attacker could use the flaw to remotely run malicious code on an affected computer, such as tricking a user into opening a malicious website from a search query or a link sent by email.
It’s believed to be similar to a vulnerability disclosed by Mozilla, the maker of the Firefox browser, earlier this week. Both Microsoft and Mozilla credited Qihoo 360, a China-based security research team, with finding flaws under active attack. Earlier in the week, Qihoo 360 reportedly deleted a tweet referencing a similar flaw in Internet Explorer.
Neither Qihoo, Microsoft, nor Mozilla said how attackers were exploiting the bug, who the attackers were, or who was being targeted. The U.S. government’s cybersecurity advisory unit also issued a warning about current exploitation.
Microsoft told TechCrunch that it was “aware of limited targeted attacks” and was “working on a fix,” but that it was unlikely to release a patch until its next round of monthly security fixes — scheduled for February 11.
Microsoft assigned the bug a common vulnerability identifier, CVE-2020-0674, but specific details of the bug have yet to be released.
When reached, a Microsoft spokesperson did not comment.
Cyral, an early-stage startup that helps protect data stored in cloud repositories, announced an $11 million Series A today. The company also revealed a previously undisclosed $4.1 million angel investment, making the total $15.1 million.
The Series A was led by Redpoint Ventures. A.Capital Ventures, Costanoa VC, Firebolt, SV Angel and Trifecta Capital also participated in the round.
Cyral co-founder and CEO Manav Mital says the company’s product acts as a security layer on top of cloud data repositories — whether databases, data lakes, data warehouses or other data repositories — helping identify issues like faulty configurations or anomalous activity.
Mital says that unlike most security data products of this ilk, Cyral doesn’t use an agent or watch points to try to detect signals that indicate something is happening to the data. Instead, he says that Cyral is a security layer attached directly to the data.
“The core innovation of Cyral is to put a layer of visibility attached right to the data endpoint, right to the interface where application services and users talk to the data endpoint, and in real time see the communication,” Mital explained.
As an example, he says that Cyral could detect that someone has suddenly started scanning rows of credit card data, or that someone was trying to connect to a database on an unencrypted connection. In each of these cases, Cyral would detect the problem, and depending on the configuration, send an alert to the customer’s security team to deal with the problem, or automatically shut down access to the database before informing the security team.
It’s still early days for Cyral with 15 employees and a handful of early access customers. Mital says for this round he’s working on building a product to market that’s well designed and easy to use.
He says that people get the problem he’s trying to solve. “We could walk into any company and they are all worried about this problem. So for us getting people interested has not been an issue. We just want to make sure we build an amazing product,” he said.
In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S. sailors in an attack on a Florida base in December.
It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.
The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.
Presidential candidate Pete Buttigieg has lost his campaign’s chief information security officer, who cited “differences” with the campaign over its security practices.
Mick Baccio, who served under the former South Bend mayor’s campaign for the White House, left his position earlier this month.
The Wall Street Journal first reported the news. TechCrunch also confirmed the resignation of Baccio, who left less than a year after joining the Buttigieg campaign. It remains unclear exactly what specific issues Baccio had with the campaign’s cybersecurity program.
“We thank him for the work he did to protect our campaign against attacks,” said Buttigieg spokesperson Chris Meagher. The spokesperson said that the campaign had retained a new security firm, but would not say which company.
Baccio was the only known staffer to oversee cybersecurity out of all the presidential campaigns. News of his departure comes with just months to go before millions of Americans are set to vote in the 2020 presidential campaign.
But concerns have been raised about the overall security posture of the candidates’ campaigns, as well as voting and election infrastructure across the United States, ahead of the vote.
A report from a government watchdog last March said Homeland Security “does not have dedicated staff” focused on election infrastructure. Since then, security researchers found many of the largest voting districts are vulnerable to simple cyberattacks, such as sending malicious emails designed to look like a legitimate message, a type of tactic used by Russian operatives during the 2016 presidential election.
In October, Iran-backed hackers unsuccessfully targeted President Trump’s re-election campaign.
More than half a year after Google said Android phones could be used as a security key, the feature is coming to iPhones.
Google said it’ll bring the feature to iPhones in an effort to give at-risk users, like journalists and politicians, access to additional account and security safeguards, effectively removing the need to use a physical security key like a Yubico or a Google Titan key.
Two-factor authentication remains one of the best ways to protect online accounts. Typically it works by getting a code or a notification sent to your phone. By acting as an additional layer of security, it makes it far more difficult for even the most sophisticated and resource-backed attackers to break in. Hardware keys are even stronger. Google’s own data shows that security keys are the gold standard for two-factor authentication compared with other options, like a text message sent to your phone.
Google said it was bringing the technology to iPhones as part of an effort to give at-risk groups greater access to tools that secure their accounts, particularly in the run-up to the 2020 presidential election, where foreign interference remains a concern.
Network security giant Cloudflare said it will provide its security tools and services to U.S. political campaigns for free, as part of its efforts to secure upcoming elections against cyberattacks and election interference.
The company said its new Cloudflare for Campaigns offering will include distributed denial-of-service attack mitigation, load balancing for campaign websites, a website firewall, and anti-bot protections.
It’s an expansion of the company’s security offering for journalists, civil rights activists and humanitarian groups under its Project Galileo, which aims to protect against disruptive cyberattacks. The project later expanded to smaller state and local government sites in 2018, with an aim of protecting servers containing voter registration data and other election infrastructure from attacks.
Cloudflare’s co-founder and chief executive Matthew Prince said there was a “clear need” to help campaigns secure not only their public facing websites but also their internal data security.
The company said it’s working with the non-partisan, non-profit organization Defending Digital Campaigns to provide its services to campaigns. Last year the Federal Election Commission changed the rules to allow political campaigns to receive discounted cybersecurity assistance, which was previously a campaign finance violation.
Not the city, the $57 million-funded cryptocurrency custodian startup. When someone wants to keep tens or hundreds of millions of dollars in Bitcoin, Ethereum, or other coins safe, they put them in Anchorage’s vault. And now they can trade straight from custody so they never have to worry about getting robbed mid-transaction.
With backing from Visa, Andreessen Horowitz, and Blockchain Capital, Anchorage has emerged as the darling of the cryptocurrency security startup scene. Today it’s flexing its muscle and war chest by announcing the acquisition of crypto risk modeling company Merkle Data.
Anchorage has already integrated Merkle’s technology and team to power today’s launch of its new trading feature. It eliminates the need for big crypto owners to manually move assets in and out of custody to buy or sell, or to set up their own in-house trading. Instead of grabbing some undisclosed spread between the spot price and the price Anchorage quotes its clients, it charges a transparent per transaction fee of a tenth of a percent.
It’s stressful enough trading around digital fortunes. Anchorage gives institutions and token moguls peace of mind throughout the process while letting them stake and vote while their riches are in custody. Anchorage CEO Nathan McCauley tells me “Our clients want to be able to fund a bank account with USD and have it seamlessly converted into crypto, securely held in their custody accounts. Shockingly, that’s not yet the norm–but we’re changing that.”
Buy and sell safely
Founded in 2017 by leaders behind Docker and Square, Anchorage’s core business is its omnimetric security system that takes passwords that can be lost or stolen out of the equation. Instead, it uses humans and AI to review scans of your biometrics, nearby networks, and other data for identity confirmation. Then it requires consensus approval for transactions from a set of trusted managers you’ve whitelisted.
With Anchorage Trading, the startup promises efficient order routing, transparent pricing, and multi-venue liquidity from OTC desks, exchanges, and market makers. “Because trading and custody are directly integrated, we’re able to buy and sell crypto from custody, without having to make risky external transfers or deal with multiple accounts from different providers” says Bart Stephens, founder and managing partner of Blockchain Capital.
Trading isn’t Anchorage’s primary business, so it doesn’t have to squeeze clients on their transactions and can instead try to keep them happy for the long-term. That also sets up Anchorage to be a foundational part of the cryptocurrency stack. It wouldn’t disclose the terms of the Merkle Data acquisition, but the Pantera Capital-backed company brings quantitative analysts to Anchorage to keep its trading safe and smart.
“Unlike most traditional financial assets, crypto assets are bearer assets: in order to do anything with them, you need to hold the underlying private keys. This means crypto custodians like Anchorage must play a much larger role than custodians do in traditional finance” says McCauley. “Services like trading, settlement, posting collateral, lending, and all other financial activities surrounding the assets rely on the custodian’s involvement, and in our view are best performed by the custodian directly.”
Anchorage will be competing with Coinbase, which offers integrated custody and institutional brokerage through its agency-only OTC desk. Fidelity Digital Assets combines trading and brokerage, but for Bitcoin only. BitGo offers brokerage from custody through a partnership with Genesis Global Trading. But Anchorage hopes its experience handling huge sums, clear pricing, and credentials like membership in Facebook’s Libra Association will win it clients.
McCauley says the biggest threat to Anchorage isn’t competitors, though, but hazy regulation. Anchorage is building a core piece of the blockchain economy’s infrastructure. But for the biggest financial institutions to be comfortable getting involved, lawmakers need to make it clear what’s legal.
Microsoft has released a security patch for a dangerous vulnerability affecting hundreds of millions of computers running Windows 10.
The vulnerability is found in a decades-old Windows cryptographic component, known as CryptoAPI. The component has a range of functions, one of which allows developers to digitally sign their software, proving that the software has not been tampered with. But the bug may allow attackers to spoof legitimate software, potentially making it easier to run malicious software — like ransomware — on a vulnerable computer.
“The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider,” Microsoft said.
CERT-CC, the vulnerability disclosure center at Carnegie Mellon University, said in its advisory that the bug can also be used to intercept and modify HTTPS (or TLS) communications.
Microsoft said it found no evidence to show that the bug has been actively exploited by attackers, and classified the bug as “important.”
Independent security journalist Brian Krebs first reported details of the bug.
The National Security Agency confirmed in a call with reporters that it found the vulnerability and turned over the details to Microsoft, allowing the company to build and ready a fix.
Only two years ago the spy agency was criticized for finding and using a Windows vulnerability to conduct surveillance instead of alerting Microsoft to the flaw. The agency used the vulnerability to create an exploit, known as EternalBlue, as a way to secretly backdoor vulnerable computers. But the exploit was later leaked and was used to infect thousands of computers with the WannaCry ransomware, causing millions of dollars’ worth of damage.
Anne Neuberger, NSA’s director of cybersecurity, told TechCrunch that once the vulnerability was discovered, it went through the vulnerabilities equities process, a decision-making process used by the government to determine if it should retain control of the flaw for use in offensive security operations or if it should be disclosed to the vendor. It’s not known if the NSA used the bug for offensive operations before it was reported to Microsoft.
“It’s encouraging to see such a critical vulnerability turned over to vendors rather than weaponized.”
Neuberger confirmed Microsoft’s findings that NSA had not seen attackers actively exploiting the bug.
Jake Williams, a former NSA hacker and founder of Rendition Infosec, told TechCrunch that it was “encouraging” that the flaw was turned over “rather than weaponized.”
“This one is a bug that would likely be easier for governments to use than the common hacker,” he said. “This would have been an ideal exploit to couple with man in the middle network access.”
Microsoft is said to have released patches for Windows 10 and Windows Server 2016, which is also affected, to the U.S. government, military and other high-profile companies ahead of Tuesday’s release to the wider public, amid fears that the bug would be abused and vulnerable computers could come under active attack.
The software giant kept a tight circle around the details of the vulnerabilities, with few at the company fully aware of their existence, sources told TechCrunch. Only a few outside the company and the NSA — such as the government’s cybersecurity advisory unit Cybersecurity and Infrastructure Security Agency — were briefed.
CISA also issued a directive, compelling federal agencies to patch the vulnerabilities.
Williams told TechCrunch this now-patched flaw is like “a skeleton key for bypassing any number of endpoint security controls.”
Skilled attackers have long tried to pass off their malware as legitimate software, in some cases by obtaining and stealing certificates. Last year, attackers stole a certificate belonging to computer maker Asus to sign a backdoored version of its software update tool. After the tool was pushed to the company’s own servers, “hundreds of thousands” of Asus customers were compromised as a result.
When certificates are lost or stolen, they can be used to impersonate the app maker, allowing attackers to sign malicious software and make it look like it came from the original developer.
Dmitri Alperovitch, co-founder and chief technology officer at security firm CrowdStrike, said in a tweet that the NSA-discovered bug was a “critical issue.”
“Everyone should patch. Do not wait,” he said.
Instagram will finally let you chat from your web browser, but the launch contradicts Facebook’s plan for end-to-end encryption in all its messaging apps. Today Instagram began testing Direct Messages on the web for a small percentage of users around the globe, a year after TechCrunch reported it was testing web DMs.
When fully rolled out, Instagram tells us its website users will be able to see when they’ve received new DMs, view their whole inbox, start new message threads or group chats, send photos (but not capture them), double click to Like, and share posts from your feed via Direct so you can gossip or blast friends with memes. You won’t be able to send videos but can view non-disappearing ones. Instagram’s CEO Adam Mosseri tweeted that he hopes to “bring this to everyone soon” once the kinks are worked out.
Web DMs could help office workers, students, and others stuck on a full-size computer all day or who don’t have room on their phone for another app to spend more time and stay better connected on Instagram. Direct is crucial to Instagram’s efforts to stay ahead of Snapchat, which has seen its Stories product mercilessly copied by Facebook but is still growing thanks to its rapid fire visual messaging feature that’s popular with teens.
But as Facebook’s former Chief Security Officer Alex Stamos tweeted, “This is fascinating, as it cuts directly against the announced goal of E2E encrypted compatibility between FB/IG/WA. Nobody has ever built a trustworthy web-based E2EE messenger, and I was expecting them to drop web support in FB Messenger. Right hand versus left?”
A year ago Facebook announced it planned to eventually unify Facebook Messenger, WhatsApp, and Instagram Direct so users could chat with each other across apps. It also said it would extend end-to-end encryption from WhatsApp to include Instagram Direct and all of Facebook Messenger, though it could take years to complete. That security protocol means that only the sender and recipient would be able to view the contents of a message, while Facebook, governments, and hackers wouldn’t know what was being shared.
“Fixing this problem is extremely hard and would require fundamental changes to how the WWW [world wide web] works” says Stamos. At least we know Instagram has been preparing for today’s launch since at least February when mobile researcher Jane Manchun Wong. We’ve asked Instagram for more details on how it plans to cover web DMs with end-to-end encryption or whether they’ll be exempt from the plan. [Update: An Instagram spokesperson tells me that as with Instagram Direct on mobile, messages currently are not encrypted. The company is working on making its messaging products end-to-end encrypted, and it continues to consider ways to accomplish this.]
On encryption, on background, as with Instagram Direct on mobile, messages on web are not encrypted. We are working on making our messaging products end-to-end encrypted, and continue to consider and think through ways to do this.
Critics have called the messaging unification a blatant attempt to stifle regulators and prevent Facebook, Instagram, and WhatsApp from being broken up. Yet Facebook has stayed the course on the plan while weathering a $5 billion fine plus a slew of privacy and transparency changes mandated by an FTC settlement for its past offenses.
Personally I’m excited because it will make DMing sources via Instagram easier, and mean I spend less time opening my phone and potentially being distracted by other apps while working. Almost 10 years after Instagram’s launch and 6 years since adding Direct, the app seems to finally be embracing its position as a utility, not just entertainment.
Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.
Today we’re continuing our series on companies that have reached the $100 million annual recurring revenue (ARR) threshold, or are about to. ExtraHop is the company of the day, a Seattle-based firm that deals with cloud analytics and a portion of the security world called “network detection and response.”
ExtraHop is interesting because of its scale, its IPO plans and its history of capital efficiency. Regular readers will recall that we’ve praised Braze and Egnyte in this series, noting that, compared to some unicorns and other members of the $100 million ARR club, they had raised modest sums. Both have raised a multiple of ExtraHop’s own known capital tally.
In conjunction with its ARR and IPO notes that we’ll deal with shortly, ExtraHop announced a number of financial metrics this morning, including: more than $150 million in bookings in 2019, up from over $100 million in 2018; and, revenue growth of “more than” 40% in 2019, a threshold it also cleared in 2018.
Amazon has fired a number of employees after they shared customer email addresses and phone numbers with a third party “in violation of our policies.”
The email to customers sent Friday afternoon, seen by TechCrunch, said an employee was “terminated” for sharing the data, and that the company is supporting law enforcement in their prosecution.
Amazon confirmed the incident in an email to TechCrunch. A spokesperson said a number of employees were fired. But little else is known about the employees, when the information was shared and with whom, and how many customers are affected.
“No other information related to your account was shared. This is not a result of anything you have done, and there is no need for you to take any action,” the email to customers read.
It’s not the first time it has happened. Amazon was just as vague about a similar breach of email addresses last year, about which Amazon declined to comment further.
In a separate incident, Amazon said this week that it fired four employees at Ring, one of the retail giant’s smart camera and doorbell subsidiaries. Ring said it fired the employees for improperly viewing video footage from customer cameras.
Updated headline to clarify that an unknown number of employees were fired.