All posts in “Cyber Security”

Proofpoint acquires Cloudmark for $100M in cybersecurity consolidation play


As malicious groups continue to become more sophisticated in their hacking techniques, cybersecurity efforts are attempting to expand in their reach, and that is leading to some consolidation in the field. Today, cybersecurity firm Proofpoint — which provides SaaS products to protect businesses’ email, social media and other services — announced that it would pay $100 million to acquire Cloudmark, another firm that provides security protection for messaging services, focusing specifically on serving the ISP and mobile carrier markets.

“We are excited to welcome Cloudmark’s ISP and mobile carrier customers to Proofpoint,” said Gary Steele, Chief Executive Officer of Proofpoint. “By combining the threat intelligence from Cloudmark with the Proofpoint Nexus platform, we can better protect all of our customers – both enterprises and ISPs – from today’s rapidly evolving threats.”

As we have said before, these days big data is the name of the game, and this deal is as much an acquisition to expand products and customer reach as it is to expand data sources to be able to analyse and combat malicious attacks more effectively. Cloudmark’s Global Threat Network sources telemetry data from billions of emails and messages each day to help identify attacks, and as part of the deal, it will be rolled into Proofpoint’s primary product, the Nexus platform.

Cloudmark is an old stalwart in the security space, founded in 2001. It had raised $39 million in funding from investors that included Nokia Growth Partners, Ignition Partners, FTVentures and Summit Partners. Proofpoint has been public since 2012 and currently has a market cap of over $4 billion. It said that the deal will increase its full-year revenue range by $20 million to $25 million to between $664 million and $673 million.

Getting its start originally in scanning email and helping block spam, Cloudmark later moved into other areas like identifying and blocking malicious SMS messages. The rising popularity of messaging applications (both native and downloaded apps) has made them a recurring target for malware and dodgy links, a trend that looks like it is not disappearing, and analysts estimate that there will be $5.5 billion spent by enterprises on messaging security products alone (apart from other security solutions) by 2022.

“Messaging has been the number one threat vector for years, but with ransomware and BEC, it’s never been a more urgent issue,” said Jason Donahue, Chief Executive Officer of Cloudmark, in a statement. “We’re thrilled to be continuing our work to fight advanced threats in messaging as part of Proofpoint.”

The transaction is expected to close in Q4 2017, pending regulatory approval, the companies said.


GCHQ Cyber Accelerator doubles down for second intake


A cyber security accelerator with links to the UK’s GCHQ intelligence agency is doubling down for a second program that’s larger and longer than the inaugural bootcamp which kicked off in January.

The second cohort, announced today, will go through a nine month program vs three. There’s also more of them: Nine startups vs seven. And more cash on the table for selected teams, with £25,000 apiece vs the original £5k grant.

Startups in the first cohort were not required to give up any equity to participate, with neither GCHQ nor Wayra investing at that point. We’ve asked whether that situation has changed for the second batch of teams now that the program has been expanded and will update this story with any response. Update: No change, but see below for a quick Q&A with a spokesman for the accelerator.

The expanded program will offer selected teams access to technological and security expertise from GCHQ, the National Cyber Security Centre and Telefónica, which is the partner organization running the accelerator program (under its Wayra UK bootcamp banner), as well as the usual mix of mentoring, business services and office space.

The nine startups selected for the program play in a wide range of areas, from age verification online, to security skills, to blockchain cybercrime to IoT (in)security.

They are:

  • Cybershield detects phishing and spear phishing, and alerts employees before they mistakenly act on deceptive emails 
  • Elliptic detects and investigates cybercrime involving crypto-currencies, enabling the company to identify illicit blockchain activity and provide intelligence to financial institutions and law enforcement agencies
  • ExactTrak supplies embedded technology that protects data and devices, giving the user visibility and control even when the devices are turned off
  • Intruder provides a proactive security monitoring platform for Internet-facing systems and businesses, detecting system weaknesses before hackers do
  • Ioetec provides a plug-and-play cloud service solution to connect Internet of Things devices with end-to-end authenticated, encrypted security
  • RazorSecure provides advanced intrusion and anomaly detection for aviation, rail and automotive sectors
  • Secure Code Warrior has built a hands-on, gamified Software-as-a-Service learning platform to help developers write secure code
  • Trust Elevate solves the problem of age verification and parental consent for young adults and children in online transactions
  • Warden helps businesses protect their users from hacks in real time by monitoring for suspicious activity 

For cyber security startups joining the program it’s proximity to the UK’s domestic spy agency and the chance to impress spooks — and potentially tap into a chunk of the £165 million ($250M) Defence and Cyber Innovation Fund announced by the government two years ago — that is surely the biggest draw here.

The government said the aim of the fund was to widen procurement for security technologies via investing in cyber security and defense startups. It has been said to be “loosely inspired” by In-Q-Tel — aka the CIA’s VC arm.

A parliamentary question to the UK secretary of state for defense last month, asking how much of the money had been allocated so far and for what purposes, suggests around £10M per year apiece is being made available for defense and cyber security related support — including investing in startups.

“£10 million out of the £155 million is available in this financial year to the Defence Innovation Fund, to support innovative procurement across Defence. The Fund is harnessing the best ideas from inside and outside of Defence through activities such as themed competitions and the Open Call for Innovation, delivered using the Defence and Security Accelerator,” said Harriett Baldwin, responding to the parliamentary question.

“The government also allocated £10 million to establish a Cyber Innovation Fund. This supports the UK’s national security requirements by providing innovative start-ups with financial and procurement support,” she added.

The GCHQ Cyber Accelerator is part of a wider £1.9 billion investment aimed at significantly transforming the UK’s cyber security capabilities via a national strategy.

Q&A

TC: It’s a big jump from three months to a nine month program. Was three months judged to be just too short?
Spokesman: After the successful first phase of the program, we believe we can develop the start-ups even further via a longer program, ensuring the companies gain maximum advantage of this opportunity.

TC: Where is the funding coming from? Is this all UK government money?
Spokesman: The Accelerator is funded through the National Cyber Security Program, delivered through the Department of Digital, Culture, Media and Sport and the NCSC. Wayra UK and Telefónica provide additional funding support and activities to further increase the benefit for the cohort.

TC: Where are the teams from? Presumably not all from the UK?
Spokesman: All of the companies are UK-registered companies. The founders include British, Spanish, Venezuelan and Irish nationals, and we received applications from all around the world.

One of the requirements is that they be UK-registered in order to grow the UK cyber ecosystem and support the NCSC’s mission to make the UK the safest place to live and work online.

TC: Can you also confirm whether Wayra (or GCHQ) is taking any equity in the teams this time around?
Spokesman: Neither GCHQ, the NCSC or DCMS will be taking equity in any of the companies. However, our accelerator partner (Wayra) and other companies supporting the start-ups are welcome to invest if they wish and the companies agree to this, but this is not a requirement for entry to the program.


Apple’s going to mandate 2-factor authentication, so you better get used to it now

Apple’s trying its hardest to protect the security of your account — whether you like it or not. 

In an email sent out in the early hours of June 6, the company confirmed that going forward it will mandate the use of 2-factor authentication (2FA) for many of its services. 

“If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID (xxxx@xxxx.com) will be automatically updated to use two-factor authentication,” reads the email. “This is our most advanced, easy-to-use account security, and it’s required to use some of the latest features of iOS, macOS, and iCloud.”

To be clear, this means that it’s not just early adopters downloading public betas of iOS 11 and High Sierra that will be required to use 2FA, but rather everyone that wants access to all the hot new features.   

And what is 2FA, you ask? Two-factor authentication is a basic security measure which requires two pieces of information for a user to access his or her account. Think of taking cash out of an ATM machine. You need your physical bank card (“something you have”), and your PIN (“something you know”). Only with both those keys can you get your cash. 


With email, 2FA frequently manifests as your account password (“something you know”) and a random code sent to you either via SMS or an authenticator app (“something you have”). With these two elements required to gain access to an online account, it is much harder for hackers to gain unauthorized access. 

“Once updated, you’ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience,” the email continues. “Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.”

So, whose Apple IDs will be automatically updated to 2FA? We reached out to Apple to determine if it’s just people downloading the public betas, or if the same requirements will apply to everyone downloading iOS 11 and High Sierra later this year. Unfortunately, we received no response as of press time. 

Either way, with Apple stating that 2FA is required to use “the latest features of iOS, macOS, and iCloud,” it’s clear the company is making a hard push toward better account security. 

So go ahead and update those security settings now — before Apple does it for you. After all, medicine’s always easier to swallow when it’s not being shoved down your throat. 


Hackers just gave you another reason to hate vaping

It turns out vaping may be bad for more than just your look. 

With a few tweaks of the pen, a security researcher has demonstrated that vaporizers can be modified in such a way as to pass code to your computer. 

The problem, as with many things security related, comes down to the USB port. Used for both charging and data transfer, the port is a convenient place to plug in phones or other devices that need a battery boost—devices like vape pens. 

In a video demonstrating his work, the researcher, who goes by FourOctets, plugs an e-cigarette into a computer’s USB and the device immediately lights up as if to charge. A few seconds go by and the computer starts to react. 

“DO U EVEN VAPE BRO!!!!!,” reads a message that pops up on the screen. 

Essentially, the vaporizer issued a custom command to the computer, and the computer was all too happy to oblige. 

Take this as the weirdest example yet that you should never plug random devices into your USB ports.

While FourOctets has no ill intent, it is easy to imagine someone less scrupulous loading a computer with something not quite as funny. Like, say, a keylogger. Or ransomware.

So how did he make this happen? Thankfully for people worried about their e-cigs catching a virus, it required some hands-on work. 

“It started as more of a joke than anything,” FourOctets elaborated over Twitter direct message (he declined to give his real name). “This is done with extra hardware and a little bit of code.”

As to the point of the demonstration, other than the fact that it is legitimately hilarious? 

“Another goal usually when doing dumb stuff like this is that stuff is not always what it seems and that random stuff that can plug into a computer can be dangerous,” he explained. “A lot of folks aren’t aware that something like this is even possible whether it be with firmware or added hardware and a tiny bit of code found online.” 

So should you be worried that your vape pen is delivering malicious code to your laptop? 

“It’s probably pretty unlikely to ever get something like this from the factory that would do this,” FourOctets noted, “but the possibility is there and people need to be mindful of that.”

So, you know, something to maybe consider the next time you’re ripping that sweet cotton. 


Surprise! U.S. Senate email lacks the most basic of security features.

When it comes to United States Senate email accounts, you’d think the powers that be would enact a basic security feature that even Yahoo Mail and AOL have down.

Shocker: You would be wrong. 

As an April 20 open letter from Oregon Senator Ron Wyden makes clear, Senate email accounts lack the option to enable two-factor authentication. Like, senators can’t turn it on even if they want to. 

“As you know, the cybersecurity and foreign intelligence threats directed at Congress are significant,” wrote Wyden in the letter addressed to two Senate colleagues. “However, the Senate is far behind when it comes to implementing basic cybersecurity practices like two-factor authentication.”

What exactly is two-factor authentication (2FA), and why does this matter? Let’s let the experts over at the Electronic Frontier Foundation explain. 

“Login systems that require only a username and password risk being broken when someone else can obtain (or guess) those pieces of information,” notes the organization. “Services that offer two-factor authentication also require you to provide a separate confirmation that you are who you say you are. The second factor could be a one-off secret code, a number generated by a program running on a mobile device, or a device that you carry and that you can use to confirm who you are.”

An easy-to-grasp example of 2FA is your bank ATM card. In order to withdraw cash, you need the PIN (something you know) and the card itself (something you have). Those two factors combine to allow you, and hopefully only you, to access your hard-earned dollars.


With 2FA turned on, even if someone gains your email password (like maybe just possibly through a phishing attack) they still lack the necessary credentials to get into your inbox. This seems like something sitting members of the United States Senate and their staff would be interested in, right?

And yet.

“Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and email accounts,” writes Wyden. “The Senate Sergeant at Arms does require two-factor authentication for staff who wish to log in to Senate IT systems from home, using a Virtual Private Network. This is a good first step, but the Senate must go further and embrace two-factor authentication for the workplace, and not just for staff connecting from home.”

Offering 2FA is often viewed as one of several basic security litmus tests for online services. Gmail, Twitter, Facebook, AOL, and even the much-maligned Yahoo Mail make it easy to turn this on — meaning your grandmother’s email account is potentially more secure than your senator’s.

As that depressing little nugget of information sinks in, Wyden hits us with a jaw-dropping follow. The executive branch, you see, offers employees Personal Identity Verification (PIV) cards which contain smart chips. The chips work as part of a 2FA system for employees to log into computers. The Senate also offers PIV cards, Wyden tells us, but these don’t have smart chips.

What do they have instead?

“[In] contrast to the executive branch’s widespread adoption of PIV cards with a smart chip, most senate staff ID cards have a photo of a chip printed on them, rather than a real chip.”

That’s right, a photo of a chip printed on them.

So, to recap: Senate email accounts aren’t protected by 2FA, and most Senate staff ID cards have fake smart chips. 

Next on the agenda, we assume, is the revelation that the password to each and every senator’s personal voicemail account is just “0000.”
