
Decrypted: Post-coronavirus, Auth0’s close call, North Korea warning, Awake’s Series C


Welcome to a look back at the past week in security and what it means for you. Each week we’ll look at the big news of the week and why it matters.

What will the world look like after the coronavirus pandemic subsides?

Some of us are now in our fifth week of sheltering in place, but there’s no fixed end-date in sight. We’ve gone from a period of confusion and concern to testing and mitigation. Now we’re starting to look ahead at the world post-coronavirus. Things still have to get done. But how do we regain a semblance of normality in the middle of a pandemic?

Tech can be the answer but it’s not a panacea. Apple and Google have explained more about their contact tracing efforts to help better understand the spread of the virus, and those efforts seem promising. But worries about privacy and that the system could be abused have raised justified concerns. On the other hand, with a U.S. presidential election slated for later this year, many experts want tech out of the picture in favor of a secure solution that uses paper ballots.

Will tech save the day, or will it kick us while we’re down? Let’s dive in.


THE BIG PICTURE

Voting by mail should be having its moment. Will it?

This year’s U.S. presidential election will still go ahead — it’s in the constitution as an immutable fact — but a pandemic throws a wrench in the works.

But security experts say electronic voting isn’t secure or resilient enough to protect from foreign interference. Even the more established mobile voting offerings have been shown to be deeply flawed.

The obvious answer is to embrace what five states already do: vote-by-mail. It’s low-tech but reliable, more secure, and accessible to the vast majority. But political resistance threatens to get in the way. TechCrunch’s Taylor Hatmaker reports on the vote-by-mail effort. Much of the holdup is a matter of politics: Democrats say mailed ballots will protect public health, while Republicans who prefer in-person voting have hit back with unfounded claims of voter fraud.

“You have to put this in context of where we are,” said Sen. Ron Wyden, speaking to Hatmaker. “At this point in the middle of a pandemic, I don’t think this is a partisan issue.”

Security lapse exposed Clearview AI source code

Surveillance startup Clearview AI has faced a barrage of headlines since it exploded onto the startup scene in January after an exposé in The New York Times.

It’s already faced investigations from authorities in New Jersey and San Diego, and several tech companies — including Facebook and Twitter — have demanded that the company stop scraping user photos from their sites to fill up its massive facial recognition database. It’s also had to deal with a data breach that saw its customer list stolen. That was a problem for a company that claims it serves only law enforcement clients because its customer list said otherwise.

Now it’s had another security lapse: a backend server that stored Clearview AI source code, internal files, and apps — as well as secret keys and credentials — was left exposed. A security researcher found the exposed system and reported it to the company. Clearview AI has since changed the keys.

North Korea hacking sparks U.S. government warning

For years, the U.S. government has indicted dozens of North Korea-backed hackers, who have been at the forefront of some of the most grandiose and damaging cyberattacks in history: the WannaCry ransomware attack, the Sony Pictures breach and a major bank heist in Bangladesh, to name a few.

These financially-focused cyberattacks are said to be core to funding North Korea’s nuclear weapons program.

But playing the blame game isn’t working. North Korea retains some of the most powerful and skilled hackers in the world, and the rogue nation has shown no signs of slowing down. And with no diplomatic way to extradite the hackers, they’re likely to keep on hacking.

Now the U.S. government has put some (but likely not all) of its cards on the table, accusing North Korea of having “the capability to conduct disruptive or destructive cyber activities affecting U.S. critical infrastructure.” That same warning, published this week, is intended to “raise awareness” among private businesses about the threat from the hermit nation, per a statement from the State Department.


MOVERS AND SHAKERS

Auth0 escaped what could’ve been a pretty nasty security incident.

“On July 31st 2019, at 5:11am, we received an email from Insomnia reporting a service vulnerability. By 11:00pm the same day, we had fixed the issue in production,” wrote Auth0’s chief security officer Joan Pepin in a blog post. Insomnia Security found and reported the bug. In its own blog post, Insomnia researcher Ben Knight said the bug could’ve been exploited to bypass two-factor authentication. That’s a pretty big deal for a company whose core offering is two-factor security.

Auth0 is one of the underdogs in the identity management and security space. Now a unicorn, the company rivals Okta, OneLogin and Duo. Thankfully for Auth0, responsible disclosure prevailed: the bug was fixed and a disclosure was put out, helping Auth0 and others to understand what could’ve gone wrong.

It also prompted Auth0 to launch its own bug bounty, something we discussed last week on Extra Crunch.


$ECURITY $TARTUPS

Onfido this week scored more than $100 million in its latest fundraise led by TPG Ventures. The London-based startup uses artificial intelligence to “read” a person’s identity documents and uses biometrics to confirm who they say they are, providing a method of authentication for online services, like banks, governments and other businesses. The company didn’t disclose its valuation but it’s now taken in $200 million to date.

Awake Security, a network traffic analysis startup, raised $36 million, the company announced this week. The Series C round was led by Evolution Equity Partners. The startup also leverages artificial intelligence and a mix of human expertise to spot attack behavior and malicious traffic. Awake has now raised $80 million to date.

Q-CTRL also secured an investment from In-Q-Tel, the CIA’s non-profit venture arm. Terms of the investment were not disclosed. The Los Angeles-based startup builds software to reduce noise and errors on quantum computers. The funding from In-Q-Tel will help the startup develop quantum technologies for use in protecting national security. Last year the company raised $15 million.


Send tips securely over Signal and WhatsApp to +1 646-755–8849.
