We want to sit down at the table with you and, in a candid conversation, find out which challenges and questions you are facing, so that together we can arrive at the best solution. In other words: how can technology support you, instead of you having to support the technology.

HPE announced today that it has acquired Scytale, a cloud native security startup that is built on the open source Secure Production Identity Framework for Everyone (SPIFFE) protocol. The companies did not share the acquisition price.

Specifically, Scytale looks at application-to-application identity and access management, something that is increasingly important as more transactions take place between applications without any human intervention. It’s imperative that the application knows it’s OK to share information with the other application.

This is an area that HPE wants to expand into, Dave Husak, HPE fellow and GM of cloudless initiative wrote in a blog post announcing the acquisition. “As HPE progresses into this next chapter, delivering on our differentiated, edge to cloud platform as-a-service strategy, security will continue to play a fundamental role. We recognize that every organization that operates in a hybrid, multi-cloud environment requires 100% secure, zero trust systems, that can dynamically identify and authenticate data and applications in real-time,” Husak wrote.

He was also careful to stress that HPE would continue to be good stewards of the SPIFFE and SPIRE (the SPIFFE Runtime Environment) projects, both of which are under the auspices of the Cloud Native Computing Foundation.

Scytale co-founder Sunil James, writing in a blog post about the deal, indicated that it was important to the founders that HPE respect the startup’s open source roots. “Scytale’s DNA is security, distributed systems, and open-source. Under HPE, Scytale will continue to help steward SPIFFE. Our ever-growing and vocal community will lead us. We’ll toil to maintain this transparent and vendor-neutral project, which will be fundamental in HPE’s plans to deliver a dynamic, open, and secure edge-to-cloud platform,” he wrote.

Scytale was founded in 2017 and has raised $8 million to date, according to PitchBook data. The bulk of that was in a $5 million Series A last March led by Bessemer.


TechCrunch

Think you’ve found a glaring security hole in Xbox Live? Microsoft is interested.

The company announced a new bug bounty program today, focused specifically on its Xbox Live network and services. Depending on how serious the exploit is and how complete your report is, they’re paying up to $20,000.

Like most bug bounty programs, Microsoft is looking for pretty specific/serious security flaws here. Found a way to execute unauthorized code on Microsoft’s servers? They’ll pay for that. Keep getting disconnected from Live when you play as a certain legend in Apex? Not quite the kind of bug they’re looking for.

Microsoft also specifically rules out a few types of vulnerabilities as out-of-scope, including DDoS attacks, anything that involves phishing Microsoft employees or Xbox customers, or getting servers to cough up basic info like server name or internal IP. You can find the full breakdown here.

This is by no means Microsoft’s first foray into bounty programs; they’ve got similar programs for the Microsoft Edge browser, their “Windows Insider” preview builds, Office 365, and plenty of other categories. The biggest bounties they offer are on their cloud computing service, Azure, where the bounty for a super specific bug (gaining admin access to an Azure Security Lab account, which are closely controlled) can net up to $300,000.


TechCrunch

Mass surveillance regimes in the UK, Belgium and France which require bulk collection of digital data for a national security purpose may be at least partially in breach of fundamental privacy rights of European Union citizens, per the opinion of an influential advisor to Europe’s top court issued today.

Advocate general Campos Sánchez-Bordona’s (non-legally binding) opinion, which pertains to four references to the Court of Justice of the European Union (CJEU), takes the view that EU law covering the privacy of electronic communications applies in principle when providers of digital services are required by national laws to retain subscriber data for national security purposes.

A number of cases related to EU states’ surveillance powers and citizens’ privacy rights are dealt with in the opinion, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers enshrined in the UK’s Investigatory Powers Act; and a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services.

At stake is a now familiar argument: Privacy groups contend that states’ bulk data collection and retention regimes have overreached the law, becoming so indiscriminately intrusive as to breach fundamental EU privacy rights — while states counter-claim they must collect and retain citizens’ data in bulk in order to fight national security threats such as terrorism.

Hence, in recent years, we’ve seen attempts by certain EU Member States to create national frameworks which effectively rubberstamp swingeing surveillance powers — that then, in turn, invite legal challenge under EU law.

The AG opinion holds with previous case law from the CJEU — specifically the Tele2 Sverige and Watson judgments — that “general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate”, as the press release puts it.

Instead the recommendation is for “limited and discriminate retention” — with also “limited access to that data”.

“The Advocate General maintains that the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence,” runs the PR in a particularly elegant passage summarizing the opinion.

The French legislation is deemed to fail on a number of fronts, including for imposing “general and indiscriminate” data retention obligations, and for failing to include provisions to notify data subjects that their information is being processed by a state authority where such notifications are possible without jeopardizing its action.

Belgian legislation also falls foul of EU law, per the opinion, for imposing a “general and indiscriminate” obligation on digital service providers to retain data — with the AG also flagging that its objectives are problematically broad (“not only the fight against terrorism and serious crime, but also defence of the territory, public security, the investigation, detection and prosecution of less serious offences”).

The UK’s bulk surveillance regime is similarly seen by the AG to fail the core “general and indiscriminate collection” test.

There’s a slight carve out for national legislation that’s incompatible with EU law being, in Sánchez-Bordona’s view, permitted to maintain its effects “on an exceptional and temporary basis”. But only if such a situation is justified by what is described as “overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law”.

If the court follows the opinion it’s possible states might seek to interpret such an exceptional provision as a degree of wiggle room to keep unlawful regimes running further past their legal sell-by-date.

Similarly, there could be questions over what exactly constitutes “limited” and “discriminate” data collection and retention — which could encourage states to push a ‘maximal’ interpretation of where the legal line lies.

Nonetheless, privacy advocates are viewing the opinion as a positive sign for the defence of fundamental rights.

In a statement welcoming the opinion, Privacy International dubbed it “a win for privacy”. “We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” said legal director, Caroline Wilson Palow. “If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.”

The CJEU will issue its ruling at a later date — typically between three to six months after an AG opinion.

The opinion comes at a key time given European Commission lawmakers are set to rethink a plan to update the ePrivacy Directive, which deals with the privacy of electronic communications, after Member States failed to reach agreement last year over an earlier proposal for an ePrivacy Regulation — so the AG’s view will likely feed into that process.

The opinion may also have an impact on other legislative processes — such as the talks on the EU e-evidence package and negotiations on various international agreements on cross-border access to e-evidence — according to Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo.

“It is worth noting that, under Article 4(2) of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Yet, the advocate general’s opinion suggests that this provision does not exclude that EU data protection rules may have direct implications for national security,” Tosoni also pointed out. 

“Should the Court decide to follow the opinion… ‘metadata’ such as traffic and location data will remain subject to a high level of protection in the European Union, even when they are accessed for national security purposes. This would require several Member States — including Belgium, France, the UK and others — to amend their domestic legislation.”


TechCrunch

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all. What are developers talking about? What do app publishers and marketers need to know? How are politics impacting the App Store and app businesses? And which apps are everyone using?

This week we look at how the Black Friday weekend played out on mobile (including which non-shopping category saw a boost in revenue!), as well as a few security-related stories, TikTok’s latest bad press, plus Apple and Google’s best and most downloaded apps of 2019, and more.

Headlines

80% of Android apps are encrypting traffic by default

Google gave an update on Android security this week, noting that 80% of Android applications were encrypting traffic by default, and that percentage was higher for apps targeting Android 9 or higher, with 90% of them encrypting traffic by default. Android protects the traffic entering or leaving the devices with TLS (Transport Layer Security). Its new statistics are related to Android 7’s introduction of the Network Security Configuration in 2016, which allows app developers to configure the network security policy for their app through a declarative configuration file. Apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain. And since Nov. 1, 2019, all apps (including app updates) must target at least Android 9, Google says. That means the percentages will improve as more apps roll out their next updates.
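The declarative file the article refers to is the Network Security Configuration resource. The following is an added example (not code from the article or from Google) showing a hardened policy: it refuses cleartext traffic for every domain, trusts only the system CA store, and carves out a single narrow exception rather than disabling the protection globally. The weak counterpart is simply `cleartextTrafficPermitted="true"` on `<base-config>`, which is the setting that re-opens plaintext HTTP app-wide. The hostname `legacy-metrics.example.com` is a constructed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (constructed example).
     Wire it up in AndroidManifest.xml with:
       <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Apps targeting API level 28 (Android 9) or higher already get
     cleartextTrafficPermitted="false" as the platform default; stating it
     explicitly keeps the policy in force if targetSdkVersion is ever lowered. -->
<network-security-config>
    <!-- Hardened default for every domain not listed below:
         no plaintext HTTP, and only the system trust store is honoured
         (user-added CAs are not trusted for release traffic). -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- Narrow, reviewable exception instead of a global opt-out:
         one legacy host (hypothetical) that cannot yet serve TLS.
         includeSubdomains="false" keeps the exception from spreading. -->
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="false">legacy-metrics.example.com</domain>
    </domain-config>
</network-security-config>
```

A useful review check is to grep an app’s `res/xml/` for `cleartextTrafficPermitted="true"`: on a `<base-config>` it undoes the Android 9 default for the whole app, whereas on a `<domain-config>` it is scoped to the listed hosts and can be justified host by host.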

Black Friday boosted mobile game revenue to a record $70M

U.S. sales holiday Black Friday wasn’t just good for online shoppers, who spent a record $7.4 billion in sales, $2.9 billion from smartphones. It also boosted iOS and Android mobile game revenue to a single-day record of $69.7 million in the U.S., according to Sensor Tower. This was the most revenue ever generated in a single day for the category, and it represents a 25% increase over 2018. Marvel Contest of Champions from Kabam led the day with approximately $2.7 million in player spending. Two titles from Playrix — Gardenscapes and Homescapes — also won big, with $1 million and $969,000 in revenue, respectively.

These increases indicate that consumers are looking for all kinds of deals on Black Friday, not just those related to holiday gift-giving. They’re also happy to spend on themselves in games. Mobile publishers caught on to this trend and offered special in-game deals on Black Friday which really paid off.

Did Walmart beat Amazon’s app on Black Friday?

Sensor Tower and Apptopia said it did. App Annie also said it did, but then later took it back (see update). In any event, it must have been a close race. According to Sensor Tower, Walmart’s app reached No. 1 on the U.S. App Store on Black Friday with 113,000 new downloads, a year-over-year increase of 23%. Amazon had 102,000 downloads, making it No. 2.

Arguably, many Amazon shoppers already have the app installed, so this is more about Walmart’s e-commerce growth than some ding on Amazon.

In fact, Apptopia said that Amazon still had 162% more mobile sessions over the full holiday weekend — meaning Amazon was more shopped than Walmart.

More broadly, mobile shopping is still huge on Black Friday. The top 10 shopping apps grew their new installs by 11% over last year on Black Friday, to reach a combined 527,000 installs.

Report: Android Advanced Protection Program could prevent sideloading

Google’s Advanced Protection Program protects the accounts of those at risk of targeted attacks — like journalists, activists, business leaders, and political campaign teams. This week, 9to5Google found the program may get a new protection feature with the ability to block sideloading of apps, according to an APK breakdown. What’s not yet clear is whether program members will have the option to disable the protection, but there are some indications that may be the case. Another feature the report uncovered appears to show that Play Protect will automatically scan all apps, including those from outside the Play Store. This won’t affect the majority of Android users, of course, but it is an indication of where Google believes security risks may be found: sideloaded apps.

Bug hunter suggests Security.plist standard for apps


TechCrunch

A massive database storing tens of millions of SMS text messages, most of which were sent by businesses to potential customers, has been found online.

The database is run by TrueDialog, a business SMS provider for businesses and higher education providers, which lets companies, colleges, and universities send bulk text messages to their customers and students. The Austin, Texas-based company says one of the advantages to its service is that recipients can also text back, allowing them to have two-way conversations with brands or businesses.

The database stored years of sent and received text messages from its customers, processed by TrueDialog. But the database was left unprotected on the internet without a password, none of the data was encrypted, and anyone could look inside.

Security researchers Noam Rotem and Ran Locar found the exposed database earlier this month as part of their internet scanning efforts.

TechCrunch examined a portion of the data, which contained detailed logs of messages sent by customers who used TrueDialog’s system, including phone numbers and SMS message contents. The database contained information about university finance applications, marketing messages from businesses with discount codes, and job alerts, among other things.

But the data also contained sensitive text messages, such as two-factor codes and other security messages, which may have allowed anyone viewing the data to gain access to a person’s online accounts. Many of the messages we reviewed contained codes to access online medical services, as well as password reset and login codes for sites including Facebook and Google accounts.

The data also contained usernames and passwords of TrueDialog’s customers, which could have been used to access and impersonate their accounts.

Because some of the two-way message conversations contained a unique conversation code, it’s possible to read entire chains of conversations. One table alone had tens of millions of messages, many of which were message recipients trying to opt-out of receiving text messages.

TechCrunch contacted TrueDialog about the exposure, which promptly pulled the database offline. Despite reaching out several times, TrueDialog’s chief executive John Wright would not acknowledge the breach nor return several requests for comment. Wright also did not answer any of our questions — including whether the company would inform customers of the security lapse and if he plans to inform regulators, such as state attorneys general, per state data breach notification laws.

The company is just one of many SMS providers that have in recent months left systems — and sensitive text messages — on the internet for anyone to access. Not only that, but it’s another example of why SMS text messages may be convenient but are not a secure way to communicate — particularly for sensitive data, like two-factor codes.



TechCrunch

If you’ve ever bought an Android phone, there’s a good chance you booted it up to find it pre-loaded with junk you definitely didn’t ask for.

These pre-installed apps can be clunky, annoying to remove, rarely updated… and, it turns out, full of security holes.

Security firm Kryptowire built a tool to automatically scan a large number of Android devices for signs of security shortcomings and, in a study funded by the U.S. Department of Homeland Security, ran it on phones from 29 different vendors. Now, the majority of these vendors are ones most people have never heard of — but a few big names like Asus, Samsung and Sony make appearances.

Kryptowire says they found vulnerabilities of all different varieties, from apps that can be forced to install other apps, to tools that can be tricked into recording audio, to those that can silently mess with your system settings. Some of the vulnerabilities can only be triggered by other apps that come pre-installed (thus limiting the attack vector to those along the supply chain); others, meanwhile, can seemingly be triggered by any app the user might install down the road.

Kryptowire has a full list of observed vulnerabilities here, broken down by type and manufacturer. The firm says it found 146 vulnerabilities in all.

As Wired points out, Google is well aware of this potential attack route. In 2018 it launched a program called the Build Test Suite (or BTS) that all partner OEMs must pass. BTS scans a device’s firmware for any known security issues hiding amongst its pre-installed apps, flagging these bad apps as Potentially Harmful Applications (or PHAs). As Google puts it in its 2018 Android security report:

OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users.

During its first calendar year, BTS prevented 242 builds with PHAs from entering the ecosystem.

Anytime BTS detects an issue we work with our OEM partners to remediate and understand how the application was included in the build. This teamwork has allowed us to identify and mitigate systemic threats to the ecosystem.

Alas, one automated system can’t catch everything — and when an issue does sneak by, there’s no certainty that a patch or fix will ever arrive (especially on lower-end devices, where long-term support tends to be limited).

We reached out to Google for comment on the report, but have yet to hear back.

Update — Google’s response:

We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these.


TechCrunch

Zamna — which uses a blockchain to securely share and verify data between airlines and travel authorities to check passenger identities — has raised a $5m seed funding round led by VC firms LocalGlobe and Oxford Capital, alongside Seedcamp, the London Co-Investment Fund (LCIF), Telefonica, and a number of angel investors.

Participation has also come from existing investor IAG (International Airlines Group), which is now its first commercial client. The company has also changed its name from VChain Technology to Zamna.

When VChain-now-Zamna first appeared, I must admit I was confused. Using blockchain to verify passenger data seemed like a hammer to crack a nut. But it turns out to have some surprisingly useful applications.

The idea is to use it to verify and connect the passenger data sets which are currently siloed between airlines, governments and security agencies. By doing this, says Zamna, you can reduce the need for manual or other checks by up to 90 percent. If that’s the case, then it’s quite a leap in efficiency.

In theory, as more passenger identities are verified digitally over time and shared securely between parties, using a blockchain in the middle to maintain data security and passenger privacy, the airport security process could become virtually seamless and allow passengers to sail through airports without needing physical documentation or repeated ID checks. Sounds good to me.

Zamna says its proprietary Advance Passenger Information (API) validation platform for biographic and biometric data is already being deployed by some airlines and immigration authorities. It recently started working with Emirates Airline and the UAE’s General Directorate of Residency and Foreigners (GDRFA) to deliver check-in and transit checks.

Here’s how it works: Zamna’s platform is built on algorithms that check the accuracy of Advance Passenger Information or biometric data without having to share any of that data with third parties, because it attaches an anonymous token to the already verified data. Airlines, airports and governments can then access that secure, immutable and distributed network of validated tokens without actually needing to ‘see’ the data an agency, or competing airline, holds. Zamna’s technology can then be used by any of these parties to validate passengers’ biographic and biometric data, using cryptography to check you are who you say you are.

So, what was wrong with the previous security measures in airports for airlines and border control that Zamna might be fixing?

Speaking to TechCrunch, Irra Ariella Khi, co-founder and CEO of Zamna, says: “There is a preconception that when you arrive at the airport somehow – as if by magic – the airline knows who you are, the security agencies know who you are, and the governments of departure and destination both know that you are flying between their countries and have established that it is both legitimate and secure for you to do so. You may even assume that the respective security authorities have exchanged some intelligence about you as a passenger, to establish that both you and your fellow passengers are safe to board the same plane.”

“However,” she says, “the reality is far from this. There is no easy and secure way for airlines and government agencies to share or cross-reference your data – which remains siloed (for valid data protection reasons). They must, therefore, repeat manual one-off data checks each time you travel. Even if you have provided your identity data and checked in advance, and if you travel from the same airport on the same airline many times over, you will find that you are still subject to the same one-off passenger processing (which you have probably already experienced many times before). Importantly, there is an ‘identity verification event’, whereby the airline must check both the document of identity which you carry, as well as establish that it belongs to your physical identity.”

There are three main trends in this space. First, governments are demanding more accurate passenger data from airlines (for both departure and destination) – and increasing the regulatory fines imposed for incorrect data provided to them by the airlines. Secondly, airlines also have to manage the repatriation of passengers and luggage if they are refused entry by a government due to incorrect data, which is costly. And thirdly, ETAs (electronic transit authorizations, such as eVisas) are on the rise, and governments and airlines will need to satisfy themselves that a passenger’s data matches exactly that of their relevant ETA in order to establish that they have the correct status to travel. This is the case with ESTAs for all US-bound travelers. Many other countries have similar requirements. Critically for UK travelers – this will also be the case for all passengers traveling into Europe under the incoming ETIAS regulations.

The upshot is that airlines are imposing increased document and identity checks at the airports – regardless of whether the passenger has been a regular flier, and irrespective of whether they have checked in in advance.

Zamna’s data verification platform pulls together multiple stakeholders (airlines, governments, security agencies) with a way to validate and revalidate passenger identity and data (both biographic and biometric), and to securely establish data ownership – before passengers arrive at the airport.

It doesn’t require any new infrastructure at the airport, and none of these entities have to share data, because the ‘sharing without sharing’ is performed by Zamna’s blockchain platform in the middle of all the data sources.

Remus Brett, Partner at LocalGlobe, says: “With passenger numbers expected to double in the next 20 years, new technology-driven solutions are the only way airlines, airports and governments will be able to cope. We’re delighted to be working with the Zamna team and believe they can play a key role in addressing these challenges.” Dupsy Abiola, Global Head of Innovation at International Airlines Group, adds: “Zamna is working with IAG on a digital transformation project involving British Airways and the other IAG carriers. It’s very exciting.”

Zamna is a strategic partner to the International Air Transport Association (IATA) and an active member of IATA’s “One ID” working group.


TechCrunch
