We want to sit down with you and, in a frank conversation, find out which challenges and questions you are facing, so that together we can arrive at the best solution. In other words: how can technology support you, instead of you having to support the technology?

Alex Stamos rose to fame as the former chief security officer for Yahoo and then Facebook. But today he’s the director of Stanford’s Internet Observatory, where he’s immersed in teaching and researching safe tech — and understands better than most the threats that the U.S. is facing, particularly as we sail toward the next U.S. presidential election.

Last night, at a StrictlyVC event in San Francisco, he talked with New York Times cybersecurity correspondent Sheera Frenkel about a small number of these massively impactful issues, first by revisiting what happened during the 2016 presidential election, then catching up the audience on whether the country’s defenses have evolved since. (The short version: they haven’t. If there’s any good news at all, it’s that the federal and state governments are at least aware now there’s an issue, whereas they appeared largely blindsided by it the last time around.)

What worries Stamos most are “direct attacks on our election infrastructure” because there’s been so little to bolster it. In fact, a big theme of the interview was the growing inability of the public sector to protect Americans or U.S. democracy against actors who would do the country harm.

As it relates to election infrastructure specifically, Stamos used a hyperlocal example to underscore what the U.S. is dealing with right now. As he told Frenkel, “I live in San Mateo County. I’ve met the CIO of San Mateo County. Really nice guy. I’m sure he has a staff of very hard-working people. The idea that the CIO of San Mateo County has to stand up and protect himself against the [Russian military intelligence agency known as the] GRU or China’s Ministry of State Security or Iran’s Islamic Revolutionary Guard Corps or the Lazarus Group of North Korea . . . that’s frickin’ ridiculous. Like, we don’t ask the San Mateo County Sheriff’s department to get ready to repel an invasion by the People’s Liberation Army, but we ask for the cyber equivalent in the United States.”

Put into perspective, San Mateo County is one of about 10,000 local governments in the United States that are involved in elections, said Stamos. “Nobody else in the world runs their elections this way.”

In fact, in nearly every conceivable way, “responsibilities that were once clearly public sector responsibilities are now private sector responsibilities,” he told Frenkel during a later part of their discussion. He would know, having seen it first-hand.

“When I was the chief security officer at Facebook,” he told the audience, “I had a child safety team. We probably put more bad guys away than almost any law enforcement agency outside of the FBI or [Homeland Security Investigations unit] in the child safety realm. Like, there’s no local police department in the United States that put away more child predators than the Facebook child safety team. That is a crazy stat.”

Facebook also has a counter terrorism team — which not everyone realizes — and which has become in many ways the country’s first responder, he suggested. Indeed, Stamos said that “there are several terrorist attacks that you’ve never heard of because they didn’t happen because we caught them. Now, there’s some local law enforcement agency took credit for it, but it was actually our team that found it and turned it over to them with a bow on it.”

Americans might shrug off this continuing shift in who is tackling what, but they do it at their peril, suggested Stamos — who managed to keep the crowd laughing, even as he painted a bleak picture. As he noted, the big tech “companies are exercising this power without any kind of democratic oversight.” Consider, he said, that “[Facebook’s] authorization is the terms of service that people click through and never read when they join Facebook or Instagram. That’s a bizarre set of rules to be bound by when you have such incredible power.”

Another huge blind spot, said Stamos, is the apparent inability — as well as the collective lack of determination required — of the public and the increasingly powerful private sector to coordinate their work. Here, he offered another broad example to make it accessible. “Say you had an organized group in the United States that’s running a bunch of Facebook ads, but their money is coming from bitcoin from St. Petersburg,” said Stamos. “That is completely invisible to Facebook. That is perhaps visible to FBI . . . but they don’t have access to that actual content [on FB]. And figuring out a way for these two groups to work with each other without massively violating the privacy of everybody on the platform turns out to be super hard.”

Yet it’s worse than even that sounds, he continued. The reason: there’s no decision-tree in part because the issue has grown so unmanageable that no one wants to own what goes awry. “There’s effectively nobody in charge of this right now, which is one of the scariest things we’re facing as a country. Almost nobody is in defense of cyber, and certainly nobody is in charge of the big picture, [meaning] how do we defend against election [interference] both from a cybersecurity perspective and a disinformation perspective.”

Stamos even jokingly referred to “pockets of people in the U.S. government who are effectively hiding from the White House and trying very, very hard” to escape its attention, given the daunting job they’d be tasked with figuring out. Except, all kidding aside, with no one at the helm and “no real cross-agency process, there’s really nobody in charge,” said Stamos.

That means the “tech companies are effectively the coordinating body for this. And that’s actually really screwed up.”


TechCrunch

There’s not a week that goes by where cybersecurity doesn’t dominate the headlines. This week was no different. Struggling to keep up? We’ve collected some of the biggest cybersecurity stories from the week to keep you in the know and up to speed.

Malicious websites were used to secretly hack into iPhones for years, says Google

TechCrunch: This was the biggest iPhone security story of the year. Google researchers found a number of websites that were stealthily hacking into thousands of iPhones every week. The operation was carried out by China to target Uyghur Muslims, according to sources, and also targeted Android and Windows users. Google said it was an “indiscriminate” attack through the use of previously undisclosed so-called “zero-day” vulnerabilities.

Hackers could steal a Tesla Model S by cloning its key fob — again

Wired: For the second time in two years, researchers found a serious flaw in the key fobs used to unlock Tesla’s Model S cars and successfully cracked the fob’s encryption. Turns out the encryption key was doubled in size from the first time it was cracked. Using twice the resources, the researchers cracked the key again. The good news is that a software update can fix the issue.

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

TechCrunch: Microsoft could be back in hot water with the Europeans after the Dutch data protection authority asked its Irish counterpart, which oversees the software giant, to investigate Windows 10 for allegedly breaking EU data protection rules. A chief complaint is that Windows 10 collects too much telemetry from its users. Microsoft made some changes after the issue was brought up for the first time in 2017, but the Irish regulator is looking at whether these changes go far enough — and whether users are adequately informed. Microsoft could be fined up to 4% of its global annual revenue if found to have flouted the law. Based on 2018’s figures, Microsoft could see fines as high as $4.4 billion.

U.S. cyberattack hurt Iran’s ability to target oil tankers, officials say

The New York Times: A secret cyberattack against Iran, carried out in June but only reported this week, significantly degraded Tehran’s ability to track and target oil tankers in the region. It’s one of several offensive operations against a foreign target by the U.S. government in recent months. Iran’s military seized a British tanker in July in retaliation over a U.S. operation that downed an Iranian drone. According to a senior official, the strike “diminished Iran’s ability to conduct covert attacks” against tankers, but sparked concern that Iran may be able to quickly get back on its feet by fixing the vulnerability used by the Americans to shut down Iran’s operation in the first place.

Apple is turning Siri audio clip review off by default and bringing it in house

TechCrunch: After Apple was caught paying contractors to review Siri queries without user permission, the technology giant said this week it will turn off human review of Siri audio by default and bring any opt-in review in-house. That means users actively have to allow Apple staff to “grade” audio snippets made through Siri. Apple began audio grading to improve the Siri voice assistant. Amazon, Facebook, Google, and Microsoft have all been caught out using contractors to review user-generated audio.

Hackers are actively trying to steal passwords from two widely used VPNs

Ars Technica: Hackers are targeting and exploiting vulnerabilities in two popular corporate virtual private network (VPN) services. Fortigate and Pulse Secure let remote employees tunnel into their corporate networks from outside the firewall. But these VPN services contain flaws which, if exploited, could let a skilled attacker tunnel into a corporate network without needing an employee’s username or password. That means they can get access to all of the internal resources on that network — potentially leading to a major data breach. News of the attacks came a month after the vulnerabilities in widely used corporate VPNs were first revealed. Thousands of vulnerable endpoints exist — months after the bugs were fixed.

Grand jury indicts alleged Capital One hacker over cryptojacking claims

TechCrunch: And finally, just when you thought the Capital One breach couldn’t get any worse, it does. A federal grand jury said the accused hacker, Paige Thompson, should be indicted on new charges. The alleged hacker is said to have created a tool to detect cloud instances hosted by Amazon Web Services with misconfigured web firewalls. Using that tool, she is accused of breaking into those cloud instances and installing cryptocurrency mining software. This is known as “cryptojacking,” and relies on using computer resources to mine cryptocurrency.


TechCrunch

The pace of malicious hacks and security breaches is showing no signs of slowing down, and spend among enterprises to guard against that is set to reach $124 billion this year. That’s also having a knock-on effect on the most innovative cybersecurity startups, which continue to raise big money to grow and meet that demand.

In the latest development, a New York startup called BlueVoyant — which provides managed security, professional services and most recently threat intelligence — has picked up $82.5 million in a Series B round of funding at a valuation in excess of $430 million.

The funding is coming from a range of new and existing investors that includes Fiserv, the fintech giant that’s acquiring First Data for $22 billion. (The startup is not disclosing any other names at this time, it said.) It has raised $207.5 million to date.

BlueVoyant has a notable pedigree that goes some way also to explaining how the idea for the startup first germinated.

Co-founder and CEO Jim Rosenthal met his co-founder Tom Glocer (the former CEO of Thomson Reuters) when Rosenthal was COO of Morgan Stanley and Glocer was a director at the financial services giant (Glocer is still on the board). Glocer said that in 2012 and 2013, a fair amount of Rosenthal’s work involved cyber defense, and he came into close contact there with Glocer, who was chairing the operations and technology committee at the time.

“Here was an incredibly strategic, smart fellow in charge of operations,” he said of Rosenthal. “When it came time for him to retire, he told me he wanted to do one more big thing, but in a more entrepreneurial fashion. I suggested to him that the next step could be to work on [cybersecurity], which we were focusing on at Morgan Stanley.”

Glocer noted that the bank was spending some $300 million annually on cybersecurity at the time. It effectively had all the resources of the world at its disposal to invest in tackling the risks, but the two were all too aware of how even that could prove not to be enough — and of course for any company with fewer resources, or that wasn’t built as a tech company or with technology as part of its DNA.

BlueVoyant was built with those kinds of challenges in mind.

The startup has amassed talent from the world of private enterprise, but also a number of government organizations such as the NSA, FBI, GCHQ and Unit 8200 — which are alternately renowned and somewhat notorious for their work in cybersecurity and hacking. Its offices span a multitude of geographies that speaks to the customers that it has picked up in its quiet growth to date (which also gives some color to its valuation). In addition to the US, it has operations in Israel, the United Kingdom, Spain and the Philippines.

Tapping that talent pool, the company focuses on three areas of service for its customers: threat intelligence, managed security and professional services (with the latter focused specifically on those related to security implementations and operations).

Within these, Rosenthal said in an interview that it both builds its own IP, and also brings in software from a range of trusted partners (which include many of the biggest security software companies around today). Key to the proposition, though, is also the implementation of that technology. The theory is that technology will only get a company so far: you need a multi-level strategy when it comes to cybersecurity, and part of that will involve people able to identify vulnerabilities and figuring out how to fix or defend around them.

BlueVoyant believes the opportunity for it is twofold: targeting small and medium enterprises — the pitch being that it can provide the same kind of software and level of services that large enterprises enjoy; and targeting larger enterprises that may already have large IT budgets and teams tasked with cybersecurity, but could still use supplementary work from a world-class team of experts that would be a challenge to amass directly.

“My view is that for firms with very good cyber defenses, external cyber intelligence is important because you can’t defend everything equally,” Rosenthal said. “Having good actionable defense makes it better.

“Then for firms that are unable to afford an excellent cyber defense instructed by themselves and may not be able to attract the talent necessary, a managed security service is the right and important answer,” he continued. “That kind of managed security now needs to be available to companies of all sizes, not just the big ones but small and medium organizations, too. We have created a tech stack and level of talent capable of providing those.”

The formula appears to be working. Since launching the first tranche of its offering, managed services, in 2018, BlueVoyant has picked up some 150 customers in verticals like financial services, manufacturing, municipal government and education.

Working with partners is one way that BlueVoyant plans to expand that customer base over time. Fiserv is backing the startup as a strategic investment and the two will collaborate on providing respective services to each other’s clients. Specifically, Glocer noted that many of the banks that Fiserv currently works with are typical targets: businesses that have a lot to lose in a breach, but may lack the size to ever adequately secure its infrastructure and other assets.

“The strategic alliance between Fiserv and BlueVoyant brings advanced cyber defense capabilities to banks and credit unions of all sizes,” said Byron Vielehr, Chief Administrative Officer of Fiserv. “Our continued investment in BlueVoyant underscores the value these capabilities can bring to our clients.”

BlueVoyant is not the only big security startup to raise at a high valuation in recent times. Auth0 raised $103 million at a $1 billion valuation last week. In April, Bitglass closed a $70 million round. 2018 had seen a high water mark for security funding, with startups raking in a record $5.3 billion in the year: it will be worth watching to see whether the ongoing march of breaches will see those figures rise again this year.


TechCrunch
