Security startups to the rescue.
As we continue to ride out the pandemic, security experts are closely monitoring the surge of coronavirus-related cyber threats. Just this week, Google’s Threat Analysis Group, its elite threat hunting unit, says that while the overall number of threats remains largely the same, opportunistic hackers are retooling their efforts to piggyback on coronavirus.
Some startups are downsizing and laying off staff, but several cybersecurity startups are faring better, thanks to an uptick in demand for security protections. As the world continues to pivot toward working from home, it has blown up key cybersecurity verticals in ways we never expected. To wit, identity startups are needed more than ever to make sure only remote employees are getting access to corporate systems.
Can the startups take on the giants at their own game?
THE BIG PICTURE
Another payments processor drops the security ball
For the third time this year, a payments processor has admitted to a security lapse. First it was Cornerstone, then it was nCourt. This time it’s Paay, a New York-based card payment processor startup that left a database on the internet unprotected and without a password. Worse, the data was storing full, plaintext credit card numbers.
Anyone who knew where to look could have accessed the data. Luckily, a security researcher found it and reported it to TechCrunch. We alerted the company; it quickly took the data offline, but Paay denied that the data stored full credit card numbers. We even sent the co-founder a portion of the data showing card numbers stored in plaintext, but he did not respond to our follow-up.
Apple to fix Mail bug dating back to at least iOS 6
A cybersecurity startup found a serious security vulnerability in the software running on Apple iPhones. The bug discovered by ZecOps can be silently and remotely triggered on the most recent versions of iOS 13 but dates back to at least 2012.
ZecOps said the vulnerability is under active attack by at least one threat actor, likely a nation-state. So far, staff at a Fortune 500 company and a journalist in Europe have already fallen victim to the flaw, says ZecOps. It’s a win for the security startup on the side of vulnerability discovery and responsible disclosure. But it’s a loss for the “hackers for hire” startups that acquire and sell these exploits. Some of the most highly sought-after bugs go for as much as $1 million.
A spokesperson for Apple downplayed the report but said the company was working on a fix.
Zoom sets out a new security path
For all its security screw-ups and privacy flubs — and there have been a lot of them — props to Zoom for reversing course. It’s not enough for a company to say it takes your privacy and security seriously. It actually has to execute on that. Zoom did. In its latest major update out next week, Zoom 5.0 will improve accessibility to its security settings and improve video encryption. It’s not true end-to-end encryption, which the company initially claimed, but it’s far more resistant to tampering than it was.
The news couldn’t come soon enough. Now some 300 million people use Zoom daily, per its latest update, up from just 10 million daily users prior to the pandemic. It doesn’t make up for its mistakes, but it’s a start.
MOVERS AND SHAKERS
“We absolutely need help.”
Those are the four words that stood out when TechCrunch spoke to the Air Force’s acquisition chief, Will Roper, this week. Roper spoke about a new project that would see security researchers ethically hack into an orbiting satellite later this year at the DEF CON security conference.
It’s part of the Air Force’s effort to improve the security of the satellites it blasts into space. “We’re stuck in Cold War business practices,” he said, referring to a historical effort to keep systems secret as to not help the adversary. “But in today’s world, that’s not the best security posture. Just because you’re not telling the world about your vulnerabilities doesn’t mean you’re secure to go to war,” he said.
Working with the Defense Digital Service, which its director Brett Goldstein refers to as a “SWAT team of nerds that operates in the Pentagon,” the duo are inviting hackers and researchers to tackle a test satellite kit, which will help to weed out the right technical chops and skills needed for the final.
“Our plan was to use a satellite that had a camera and to see if the team would be able to turn the camera to face the Moon,” he said. “It would be a literal moonshot.”
$ECURITY $TARTUPS
ForgeRock nabbed $93.5 million in its Series E raise. The digital identity management service identifies and authenticates users, allowing them access to internal corporate apps, systems and networks. The identity space is crowded — Duo, Okta and Auth0 to name a few — and is worth about $16 billion as a sector. ForgeRock’s successful raise puts it in prime position for an IPO, said Fran Rosch, the startup’s chief executive.
Corsight AI, an Israeli real-time facial recognition platform, raised $5 million, led by Canadian venture fund Aws Ventures, a specialist in intelligence and security startups. That comes to $70 million to date. It claims its technology can even identify people through masks, which are more common than ever thanks to the COVID-19 pandemic.
And, Seattle-based ExtraHop, which helps companies detect and mitigate threats on their networks, laid off an undisclosed number of employees this week, citing the ongoing pandemic-related economic downturn. CEO Arif Kareem said it was an “extraordinarily difficult decision.” Last year, the company had more than 500 employees. It previously hinted at an IPO in 2020. Looks like that could be off the table for now.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.
