Security

A vacuum vulnerability could mean your Roomba knockoff is hoovering up surveillance

Yet again we are reminded that the mild conveniences of the smart home are all well and good, right up until someone decides to turn one of those wifi-connected things you invited in against you. But you probably didn’t think it was going to be the vacuum, did you? Two researchers with enterprise security company Positive Technologies discovered vulnerabilities affecting the Dongguan Diqee 360 line of robotic vacuum cleaners and have shared details of the security flaw. The vacuum cleaners, manufactured by Chinese smart home manufacturer Diqee, are equipped with wifi and a 360 degree camera for a mode known as “dynamic monitoring” that turns the machine into a home surveillance device. The camera is probably what you need to be worried about. The remote code vulnerability, known as CVE-201...

PureSec exits stealth to secure serverless code

PureSec, a startup out of Israel, emerged from stealth today to provide a way to make serverless computing more secure. Serverless computing reduces programming to writing functions, so that when a certain event happens, it triggers an automated action. The cloud vendor takes care of the underlying infrastructure and developers just write the code. It may sound like Shangri-La for tech, but in reality there are still security concerns. You might think that a process that lasts only milliseconds wouldn’t be subject to conventional kinds of attacks, but the fact is serverless functions are designed to take human checks and balances out of the equation, says company co-founder Ory Segal, and if you don’t set up the functions correctly you could be vulnerable. As with any type of cloud security...

3D printed guns are now legal… What’s next?

On Tuesday, July 10, the DOJ announced a landmark settlement with Austin-based Defense Distributed, a controversial startup led by a young, charismatic anarchist whom Wired once named one of the 15 most dangerous people in the world. Hyper-loquacious and media-savvy, Cody Wilson is fond of telling any reporter who’ll listen that Defense Distributed’s main product, a gun fabricator called the Ghost Gunner, represents the endgame for gun control, not just in the US but everywhere in the world. With nothing but the Ghost Gunner, an internet connection, and some raw materials, anyone, anywhere can make an unmarked, untraceable gun in t...

Netskope nabs Sift Security to enhance infrastructure cloud security

Netskope, a company that focuses on security in the cloud, announced today it has acquired Sift Security, a startup launched in 2014 to help secure cloud infrastructure services like Amazon, Microsoft and Google using machine learning. The company did not share terms of the deal, but Sift’s 10 technical employees will become part of Netskope’s 500+ person team and Sift CEO Neil King will lead the Netskope IaaS product management team moving forward. While Netskope provides comprehensive cloud and website security from a single interface, Sift uses machine learning to provide breach detection and automated response for Infrastructure as a Service environments, even across multiple clouds. Netskope founder and CEO Sanjay Beri says together the two companies can offer more security visibility...

RIP “crypto”

RIP “crypto”. You had a good run. This week veteran cryptographer Matt Blaze finally gave in — to what must have been a near-constant, low-level drone of ‘CAn Buy Crypto.com???$$$$!’ spam — and sold the pithy domain name he registered in 1993, in the midst of the PC-era crypto wars, to use as an encryption policy resource, to Monaco, a Zug, Switzerland-based payments and cryptocurrency platform startup whose self-styled mission is “accelerating the world’s transition to cryptocurrency”, positioning itself at the nexus of the current crypto craze. So crypto.com now points to cryptocurrencies. Which seems a fitting moment to say RIP “crypto” as shorthand terminology for an entire domain of cryptographic work that underpins so many more things than just Bitcoin or Ether or Ripple or Litecoin...

Tinder bolsters its security to ward off hacks and blackmail

This week, Tinder responded to a letter from Oregon Senator Ron Wyden calling for the company to seal up security loopholes in its app that could lead to blackmail and other privacy incursions. In a letter to Sen. Wyden, Match Group General Counsel Jared Sine describes recent changes to the app, noting that as of June 19, “swipe data has been padded such that all actions are now the same size.” Sine added that images on the mobile app are fully encrypted as of February 6, while images on the web version of Tinder were already encrypted. The Tinder issues were first called out in a report by a research team at Checkmarx describing the app’s “disturbing vulnerabilities” and their propensity for blackmail: The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacke...

Hackers took over the Gentoo Linux GitHub repository

Popular Linux distribution Gentoo has been “totally pwned” according to researchers at Sophos, and none of the current code can be trusted. The team immediately posted an update and noted that none of the real code has been compromised. However, they have pulled the GitHub repository until they can upload a fresh copy of the unadulterated code. “Today 28 June at approximately 20:20 UTC unknown individuals have gained control of the Github Gentoo organization, and modified the content of repositories as well as pages there. We are still working to determine the exact extent and to regain control of the organization and its repositories. All Gentoo code hosted on github should for the moment be considered compromised,” wrote Gentoo administrators. “This does NOT affect any code hos...

ProtonMail suffers DDoS attack that takes its email service down for minutes

It’s been an unexpectedly slack day for digital comms services. It’s not just workplace IM tool Slack suffering outages but end-to-end encrypted email service ProtonMail too. In the latter case, the company has blamed several hours’ worth of sporadic outages on a major DDoS attack. “Our network has been under sustained attack this morning. We are working with our upstream providers to mitigate the attack. Emails are delayed but will not be lost. Thank you for your patience.” — ProtonMail (@ProtonMail) June 27, 2018. In a statement on Reddit the company says the attack is “unlike the more ‘generic’ DDoS attacks that we deal with on a daily basis” — which in turn meant its upstream DDoS protection service (Radware) needed more time than usual to mitigate the attack. The longest outage has been ...

Balbix raises $20M for a predictive approach to enterprise cybersecurity

Security breaches are a disaster for corporate companies, but good news if you’re someone who offers preventative solutions. Today in 2018, wide-ranging attacks on the likes of Equifax, Sony Pictures and Target have only added value to those charged with safeguarding companies. Balbix, one such solutions provider, has pulled in a $20 million Series B to grow its business and try to prevent high-profile cybersecurity disasters using a predictive model of measuring and assessing threats. The round is led by Singtel Innov8, the corporate fund of Singapore telco Singtel which owns Trustwave and is active in the security space, and Mubadala Ventures, the Abu Dhabi firm that’s well known for backing SoftBank’s $100 billion Vision Fund. Existing Balbix investor Mayfield Fund also took part alongs...

Social SafeGuard scores $11M to sell alerts for brand-damaging fakes

Social SafeGuard, a 2014-founded U.S. startup which sells security services to enterprises aimed at mitigating a range of digital risks that lie outside the corporate firewall, has closed an $11 million Series B funding round, from AllegisCyber and NightDragon Security. It’s hoping to ride the surge in awareness around social media fakery — putting the new funding towards sales and marketing, plus some product dev. “As one of the few dedicated cybersecurity venture firms, we know how big this challenge has become for today’s security executives,” said Spencer Tall, MD of AllegisCyber, in a supporting statement. Tall is joining the Social SafeGuard board. “This is no longer a fringe need that can be ignored or deferred. Digital risk protection should be on the shortlist of corporate securit...

BigID scores $30 million Series B months after closing A round

BigID announced a big $30 million Series B round today, which comes on the heels of closing their $14M Series A investment in January. It’s been a whirlwind year for the NYC data security startup as GDPR kicked in and companies came calling for their products. The round was led by Scale Venture Partners with participation from previous investors ClearSky Security, Comcast Ventures, Boldstart Ventures, Information Venture Partners and SAP.io. BigID has a product that helps companies inventory their data, even extremely large data stores, and identify the most sensitive information, a convenient feature at a time when GDPR data privacy rules, which went into effect at the end of May, require that companies doing business in the EU have a grip on their customer data. That’s certainly something that...

Purdue’s PHADE technology lets cameras ‘talk’ to you

It’s become almost second nature to accept that cameras everywhere — from streets, to museums and shops — are watching you, but now they may be able to communicate with you, as well. New technology from Purdue University computer science researchers has made this dystopian prospect a reality in a new paper published today. But, they argue, it’s safer than you might think. The system is called PHADE, which allows for something called “private human addressing,” where camera systems and individual cell phones can communicate without transmitting any personal data, like an IP or MAC address. Instead of using an IP or MAC address, the technology relies on motion patterns for the address code. That way, even if a hacker intercepts it, they won’t be able to access the person’s physical location....