Chinese government admits collection of deleted WeChat messages

Chinese authorities revealed over the weekend that they have the capability of retrieving deleted messages from the almost universally used WeChat app. The admission doesn’t come as a surprise to many, but it’s rare for this type of questionable data collection tactic to be acknowledged publicly.

As noted by the South China Morning Post, an anti-corruption commission in Hefei province posted Saturday to social media that it has “retrieved a series of deleted WeChat conversations from a subject” as part of an investigation.

The post was deleted Sunday, but not before many had seen it and understood the ramifications. Tencent, which operates the WeChat service used by nearly a billion people (including myself), explained in a statement that “WeChat does not store any chat histories — they are only stored on users’ phones and computers.”

The technical details of this storage were not disclosed, but it seems clear

Microsoft built its own custom Linux kernel for its new IoT service

At a small press event in San Francisco, Microsoft today announced the launch of a secure end-to-end IoT product that focuses on microcontroller-based devices — the kind of devices that use tiny and relatively low-powered microcontrollers (MCUs) for basic control or connectivity features. Typically, these kinds of devices, which could be anything from a toy to a household gadget or an industrial application, don’t often get updated and hence, security often suffers. At the core of Azure Sphere is a new class of certified MCUs. As Microsoft president and chief legal officer Brad Smith stressed in today’s announcement, Microsoft will license these new Azure Sphere chips for free, in hopes of jump-starting the Azure Sphere ecosystem. Because it’s hard to secure a device you can’t update or get telemetry from, it’s no surprise that these devices will feature built-in connectivity. And with that connectivity, these devices can also connect to

Microsoft launches a phishing attack simulator and other security tools

Just in time for the annual RSA conference in San Francisco, Microsoft today announced a number of new security tools for its business users that range from new tools to prevent phishing attacks to a new service that only allows you to access certain online services if your device also has a clean bill of health. Attackers know that humans are typically the weakest link in any company’s security protocols and the rise of phishing attacks bears witness to that. Some larger companies have long run simulated phishing exercises that test their employees’ responses. Here at Oath, we all regularly get notices about speeding in the company parking lot, for example. Most small and medium businesses don’t have the resources to do this, but Microsoft is now making this easier with the launch of a new phishing attack simulator that allows IT to easily create a fake phishing email to

Windows 10 will soon get passwordless logins with Yubico’s Security Key

Last week, Yubico, the company behind the popular YubiKey USB authentication dongles, announced the launch of its $20 Security Key with support for the FIDO2/WebAuthn standard. With a bit of luck, FIDO2 may just herald the end of passwords and, as the company announced today, Microsoft is putting its weight behind this by announcing upcoming support for the Yubico Security Key for Windows 10 and Azure Active Directory users. This new feature is currently in limited preview and only available to Windows Technology Adoption Program users. Wider support for FIDO2 passwordless logins will roll out with the next Windows 10 update. When that’s coming remains a bit of a mystery, though. Once it does, you’ll be able to sign into a device that’s managed with Azure Active Directory without the need for entering a password. Microsoft’s FIDO2 implementation using the Security Key by Yubico is just the beginning

Diversity and inclusion, data privacy and security ops will be on everyone’s mind at RSA

This week, 50,000 security professionals will descend upon San Francisco for the 27th Annual RSA Security Conference, arguably the largest global security event of the year. And for the security community to win against “the bad guys,” we’re going to need at least 50,000 more people.

Yes, the well-established “security skills gap” will be a hot point of discussion at this year’s RSA Conference. But in a year fueled by industry controversy (including backlash against RSA Conference itself), the conversations on stage and in the Expo Hall are expected to be the most lively since 2014, when the debate around Edward Snowden came to the forefront on security’s biggest stage. Unlike RSA’s

The United States needs a Department of Cybersecurity

This week over 40,000 security professionals will attend RSA in San Francisco to see the latest cyber technologies on display and discuss key issues. No topic will be higher on the agenda than the Russian-sponsored hack of the American 2016 election, with debate about why the country has done so little to respond and what measures should be taken to deter future attempts at subverting our democracy. For good reason. There is now clear evidence of Russian interference in the election with Special Counsel Mueller’s 37-page indictment of 13

How to save your privacy from the Internet’s clutches

Another week, another massive privacy scandal. When it’s not Facebook admitting it allowed data on as many as 87 million users to be sucked out by a developer on its platform who sold it to a political consultancy working for the Trump campaign, or dating app Grindr ‘fessing up to sharing its users’ HIV status with third party A/B testers, some other ugly facet of the tech industry’s love affair with tracking everything its users do slides into view. Suddenly, Android users discover to their horror that Google’s mobile platform tells the company where they are all the time — thanks to baked-in location tracking bundled with Google services like Maps and Photos. Or Amazon Echo users realize Jeff Bezos’ ecommerce empire has amassed audio recordings of every single interaction they’ve had with their cute little smart speaker. The problem, as ever with the tech industry’s teeny-weeny greyscaled legalese,

Are hardware makers doing enough to keep Android phones secure?

For all the good of Android’s open-source approach, one of the clear and consistent downsides is that the onus to issue software updates falls on the manufacturer. That can mean frustration for those waiting for the latest and greatest feature updates — and in some cases, it can put your phone at risk with delayed or missed security updates.

A pair of researchers at Security Research Labs recently shared a study with Wired highlighting some of these risks. The team’s findings are the result of testing 1,200 Android handsets from all the major manufacturers over the course of two years, examining whether manufacturers had offered the security patches as advertised.

According to SRL, missed security patches were discovered on a wide range of different handsets across manufacturers. Sony and Samsung were both flagged as having missed some security patches — in some cases in spite of reporting that they were

Cloudflare launches Spectrum to protect the internet beyond the web

When it launched back in 2010, Cloudflare was all about speeding up websites and protecting them from hackers. Today, with the launch of Spectrum, it’s taking a major step to move beyond the web and into protecting — and potentially speeding up — other parts of the internet. While Cloudflare’s regular services work well for apps, APIs and websites, all of which tend to use regular web protocols, Spectrum is about all of the other traffic that moves across the internet. Or as the company puts it: Spectrum extends Cloudflare to 65,533 ports. To be clear, this is not a self-serve product like the majority of Cloudflare’s existing services. It’s also mostly about security, not performance (though somewhat incidentally, it does often speed up connections, too). This is very much a product for large enterprises that want to ensure their various services sit behind a secure connection. As Cloudflare

DroneShield is keeping hostile UAVs away from NASCAR events

If you were hoping to get some sweet drone footage of a NASCAR race in progress, you may find your quadcopter grounded unceremoniously by a mysterious force: DroneShield is bringing its anti-drone tech to NASCAR events at the Texas Motor Speedway. The company makes a handful of products, all aimed at detecting and safely intercepting drones that are flying where they shouldn’t. That’s a growing problem, of course, and not just at airports or Area 51. A stray drone at a major sporting event could fall and interrupt the game, or strike someone, or at a race it may even cause a major accident. Most recently it introduced a new version of its handheld “DroneGun,” which scrambles the UAV’s signal so that it has no choice but to safely put itself down, as these devices are generally programmed to do. You can’t buy one — technically, they’re illegal — but

Zuckerberg makes case for privacy regs with teeth — by failing to remember non-existent FTC fine

Chalk up a sharp political point in support of privacy legislation with actual teeth: In today’s testimony in front of the House Energy & Commerce committee, Facebook CEO Mark Zuckerberg was asked about the outcomes of a string of legal actions against the company — most of which he claimed not to be aware of. One which he at last said he could remember was Facebook’s 2011 FTC consent decree — when the company settled over deceptive privacy practices by agreeing to make product changes opt-in and pledging to gain express consent from users to any changes going forward. As part of that decree it also agreed to submit to privacy audits every two years for the next 20 years; bar access to content on deactivated accounts; and avoid misrepresenting the privacy or security of user data. But congresswoman Diana DeGette pressed the Facebook CEO on whether the company paid a financial penalty as

Here Technologies and Argus join our Tel Aviv lineup

Let’s share a bit more about our agenda for TechCrunch’s Tel Aviv event. This year, the event will focus on mobility and everything around it, from autonomous vehicles, to sensors, drones and security. That’s why I’m incredibly excited to announce two great speakers. Argus Cyber Security co-founder and CEO Ofer Ben Noon and Here Technologies Head of Mobility Liad Itzhak will join us on stage. By focusing on mobility, we have the opportunity to spend more time talking about the companies making the magic happen behind the scene. Here Technologies has been around for more than 30 years. But the company is currently going through a sort of renaissance. After flourishing as an independent company and getting acquired by Nokia, the company is now owned by Audi, BMW and Daimler. In many ways, mapping technology is the new oil. Car manufacturers need to control mapping data to develop self-driving technologies and services.

‘Tens of thousands’ of Facebook accounts may be related to Russian intelligence

Facebook has previously officially noted that 470 accounts associated with Russia’s Internet Research Agency have been banned related to the 2016 election, plus 270 more in Russia just last week. But in today’s testimony Mark Zuckerberg also mentioned a much higher estimate of “tens of thousands,” though the confidence in this number would also be much lower. “In the IRA specifically, the ones we’ve pegged back to the IRA, we can identify 470 in the American elections, and the 270 that we went after in Russia last week,” he began in response to Senator Feinstein (D-), who had asked about the numbers of accounts associated with this type of coordinated disinformation campaign. But then he continued: “There are many others that our systems catch which are more difficult to attribute specifically to Russian intelligence, but the number would be in the tens of thousands of fake accounts…” The tens

How Facebook has reacted since the data misuse scandal broke

Facebook founder Mark Zuckerberg will be questioned by US lawmakers today about the “use and abuse of data” — following weeks of breaking news about a data misuse scandal dating back to 2014.

The Guardian published its first story linking Cambridge Analytica and Facebook user data in December 2015. The newspaper reported that the Ted Cruz campaign had paid UK academics to gather psychological profiles about the US electorate using “a massive pool of mainly unwitting US Facebook users built with an online survey”. Post-publication, Facebook released just a few words to the newspaper — claiming it was “carefully investigating this situation”. Yet more than a year passed with Facebook seemingly doing nothing to limit third party access to user data nor to offer more transparent signposting on how its platform could be — and was being — used for political campaigns. Through 2015 Facebook

Security shop Carbon Black files to go public

Today Carbon Black filed to go public, publishing its S-1 document with a $100 million IPO figure as a placeholder. The security-focused firm based in Massachusetts raised more than $190 million during its life as a private company, including a $54.5 million Series F in 2015 and a more modest $14 million Series F extension in 2016. Today we’ll take a quick peek at the filing, which joins a number of other technology listings in an active IPO cycle. Carbon Black follows notable debuts such as Spotify and Dropbox, along with other, smaller debuts. Into the numbers!

The big picture

Carbon Black is a big SaaS shop, something it makes plain in the early sections of its S-1 by noting that its revenue mix has increasingly skewed toward subscriptions. Indeed, according to Carbon Black, the firm’s “[r]ecurring revenue represented 77%, 83% and 88% of our total revenue in

FIDO Alliance and W3C have a plan to kill the password

By now it’s crystal clear to just about everyone that the password is a weak and frankly meaningless form of authentication, yet most of us still live under the tyranny of the password. This, despite the fact it places a burden on the user, is easily stolen and mostly ineffective. Today, two standards bodies, FIDO and W3C, announced a better way, a new password-free protocol for the web called WebAuthn. The major browser makers including Google, Mozilla and Microsoft have all agreed to incorporate the final version of the protocol, which allows websites to bypass the pesky password in favor of an external authenticator such as a security key or your mobile phone. These devices will communicate directly with the website via Bluetooth, USB or NFC. The standards body has referred to this as ‘phishing-proof’. Yes, by switching to this method, not only will you eliminate the need for

A brief history of Facebook’s privacy hostility ahead of Zuckerberg’s testimony

The Facebook founder will be questioned by the Senate Judiciary and Senate Commerce Committees later today — in a session entitled “Facebook, Social Media Privacy, and the Use and Abuse of Data.” Mark Zuckerberg is also due to testify before Congress on Wednesday — to be asked about the company’s use and protection of user data. As we’ve pointed out already, his written testimony is pretty selective and self-serving in terms of what he does and doesn’t include in his version of events. Indeed, in the face of the snowballing Cambridge Analytica data misuse scandal, the company’s leadership (see also: Sheryl Sandberg) has been quick to try to spin an idea that it was simply too “idealistic and optimistic” — and that ‘bad actors’ exploited its surfeit of goodwill. This of course is pure fiction. Facebook’s long history of privacy hostility should make that plain to any thinking

Department of Energy hosts competition to train cyber defense warriors

From leaked passwords to identity theft, cybersecurity issues are constantly in the news. Few issues, though, are as important — or as under-reported by the media — as the security of America’s industrial control infrastructure. Oil rigs, power plants, water treatment facilities and other critical infrastructure are increasingly connecting to the internet, but often without the kinds of foolproof security systems in place to ensure bad actors can’t gain access or disrupt service delivery. This is a growing area of the economy with a wealth of jobs, but few students even realize that industrial and infrastructure cybersecurity is an interesting career path. So, over the past three years, the Department of Energy has hosted a Cyber Defense Competition to encourage university students to engage in the field. The latest incarnation of the competition was held this past weekend and hosted by Argonne, Pacific Northwest and Oak Ridge national laboratories. Lewis

Last march of the Penryns: Intel cuts Spectre fixes for some older chips

As part of its ongoing efforts to patch its systems against the Meltdown and Spectre chip flaws, Intel indicated last month that it would be issuing fixes as far back as 2005’s Yorkfield processors. But in a new guidance document the company announces that many of these older platforms will not receive fixes after all. Specifically, work has been stopped on Spectre Variant 2 mitigations for the chip generations known as Bloomfield, Clarksfield, Gulftown, Harpertown, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield. (You can find more specifics at this great list of Intel codenames on Wikipedia.) Variant 2 is the toughest of the chip flaws to block or work around, so the creation of fixes is nontrivial — Intel isn’t just copying and pasting stuff into a microcode update for each of these. In the guidance document (PDF), Intel cited several reasons for stopping development on the

Amazon introduces new private certificate feature

At the Amazon Summit in San Francisco today, the company announced a new cloud service that enables organizations to create and manage private certificates in the cloud. While the Summit wasn’t chock full of announcements like the annual re:Invent conference, it did offer some new services like the beefing up of the AWS Certificate Manager (ACM) with an all-new Private Certificate Authority (PCA). (Amazon does love its acronyms.) Private certificates let you limit exactly who has access, giving you more control and hence greater security over them. Private certificates are usually confined to a defined group like a company or organization, but up until now it has been rather complex to create them. As with any good cloud service, the Private Certificate Authority removes a layer of complexity involved in managing them. “ACM Private CA builds on ACM’s existing certificate capabilities to help you easily and securely manage the