Decrypted: Zoom’s security fallout, CrowdStrike’s new CTO, Bugcrowd raises $30M

Another week in quarantine.

As the world adjusts to working from home under mandatory stay-at-home orders, hackers are keeping busy. Microsoft said this week that coronavirus-related attacks are on the rise but still make up just a fraction of the overall malicious activity. Cybersecurity companies seem to be faring mostly well — in part thanks to the uptick of attacks, but also the challenges of securing the workforce as hundreds of millions work from home.

But as coronavirus dominates the headlines, the wheels of government keep turning. Lawmakers are trying to push through a controversial bill that critics say would undermine encryption, which keeps everything from your phone to your online banking accounts safe. One startup is bracing for a showdown. Signal, the end-to-end encrypted messaging app, sounded the alarm when it warned this week that it may exit the U.S. market if Congress passes the controversial EARN IT Act.

In a blog post this week, Signal engineer Joshua Lund wrote it would “not be possible for a small nonprofit like Signal to continue to operate within the United States.”

Will encryption become the latest casualty of this tumultuous year?


THE BIG PICTURE

Zoom slapped with more security woes, but calls in the cavalry

A growing number of companies and governments, from SpaceX and Google to Taiwan and Germany, have banned Zoom. Not even the U.S. Senate is taking any chances with the video-calling software, which has faced a steady stream of headlines critiquing its security practices and privacy policies. But Zoom’s popularity, undoubtedly sparked by the mass working from home to stem the spread of the coronavirus pandemic, seems to be weathering the storm.

CEO Eric Yuan offered his latest mea culpa this week by bringing on former Facebook chief security officer Alex Stamos as an advisor, and has set up a council of security experts. It’s a start — or rather, the start — given that a New York Times interview this week quoted Yuan as saying the company “never thought” about the security and privacy implications for its non-enterprise users until they happened.

Twitter’s terribly confusing, not at all alarming privacy policy change

If you, like millions of Twitter users, received a popup out of nowhere this week, it’s because Twitter decided — without asking you — that it would start sharing more private data with advertisers. The setting, which has now been removed from users’ dashboards, prevented Twitter from sharing information about the ads you saw and the advertising tracking code from your phone.

Now, that information will be shared and you don’t get to opt out — unless you’re a European, of course.

Naturally, few were thrilled at the prospect of having more data shared with advertisers without granting Twitter permission first. The EFF said the European exception was precisely why Americans also need strong privacy laws.

COVID-19 tracking efforts heat up as privacy experts urge caution

With the coronavirus death toll now over 100,000, governments are stepping up their efforts to track the spread of the disease across their populations. Several countries, including France and Iceland, are eyeing technology as a way forward.

But tracking the virus means tracking people, and even during times of global emergency, governments are cautiously aware of the risks of potentially infringing on their citizens’ civil liberties. It’s no surprise, then, that the European Union is calling for a unified, privacy-focused approach across the bloc.

Here in the U.S., where there are no strict privacy laws to reference, things look murkier. MIT researchers have developed a new proximity-based approach to tracing potentially infected people, inspired by Apple’s “Find My” feature, by using Bluetooth signals sent out from every user’s phone. Apple and Google also teamed up to offer a cross-platform coronavirus tracing app, which promises to be privacy-minded and collect as little data as possible.

Meanwhile, the ACLU has warned of the limits to contact tracking, and that any system may not be as reliable as governments think it may be.

Fingerprint tech isn’t as secure as you might think

New research this week showed that fingerprint sensors are not as secure as some might think.

Security researchers at Cisco’s Talos unit found they could spoof a fingerprint using a high-resolution 3D printer to unlock an iPhone 8 and a Samsung S10 nearly every time. That’s obviously a problem for any device that has a fingerprint reader — which is a good portion of mobile devices these days.

The good news is that fingerprint readers are still fine for the vast majority, whose threat model probably doesn’t make them a target for sophisticated nation-state attacks. But if you fall into the camp of being a nuclear scientist or a spy — or are just someone who’s very paranoid — you might want to rethink your security settings. And, given the shortcomings of existing fingerprint technology, the space is ripe for picking by startups ready to develop their own better-secured sensors.


MOVERS AND SHAKERS

This week, TechCrunch spoke to Michael Sentonas, who in February took over as CrowdStrike’s chief technology officer. The position was previously held by co-founder Dmitri Alperovitch, who left the post to launch a nonprofit policy accelerator.

CrowdStrike, a provider of cloud-based endpoint protection, went public last year. After a pop and a dip, the company is now back to its original opening IPO price. But with coronavirus causing uncertainty and concern, many businesses are struggling. Sentonas said the company is weathering the pandemic well.

“A lot of things haven’t changed for us,” he said, speaking to TechCrunch from his native Australia. “Pretty much our entire business is remote, but that hasn’t been the same for a lot of our customers.”

“The pressure on us right now has been more helping customers and then organizations that contact us during this time. It’s obviously no surprise to anyone that during an event like this, attackers see it as a business opportunity, but that’s the reality. So we’re getting a lot of calls from people that have had issues as a result,” said Sentonas.

Tune in to Extra Crunch next week to read the full interview.


$ECURITY $TARTUPS

Bugcrowd, the vulnerability disclosure and bug bounty platform, secured $30 million in its Series D, led by previous investor Rally Ventures. The company’s chief executive, Ashish Gupta, told TechCrunch he plans to use the funding to expand its platform across new and emerging markets, including Europe and Asia. “The fight against cybercriminals is never-ending and attack surfaces are constantly expanding,” said Gupta. With 65 industries served in 29 countries, Gupta said Bugcrowd wants to “continue that growth trajectory.”

Also, CyberMDX raised $20 million. The company works to secure hospital networks and devices from security threats. That’s never more important than right now, to ease the burdens on hospital staff. Like Bugcrowd, CyberMDX hopes to use the funding to roll out its threat-intelligence platform to new markets and geographies.

And, Investcorp has snapped up German security firm Avira. The financial terms were not disclosed, but Avira is said to be valued at $180 million following the acquisition. Avira is not a typical startup in that it was set up in 1986 and has been bootstrapped the entire time, so it has taken no outside funding.

In other startup news:

  • Accenture has acquired Revolutionary Security, reports ZDNet. The startup’s portfolio includes risk assessment and breach and attack simulation testing, and it has 90 staff across the U.S. It’s the latest grab by Accenture, which now has a growing number of cybersecurity startups under its corporate umbrella, including Redcore, FusionX and iDefense.
  • And, London-based Privitar has raised $80 million in its Series C round as investors show interest in cybersecurity during the coronavirus pandemic, which has left vast numbers of people working from home. PitchBook, which reported the news, said venture firms have invested close to $2 billion in cybersecurity startups in more than 100 deals since the start of this year.

Send tips securely over Signal and WhatsApp to +1 646-755-8849.