All posts in “Cyber Security”

GCHQ Cyber Accelerator doubles down for second intake


A cyber security accelerator with links to the UK’s GCHQ intelligence agency is doubling down for a second program that’s larger and longer than the inaugural bootcamp which kicked off in January.

The second cohort, announced today, will go through a nine month program vs three. There’s also more of them: Nine startups vs seven. And more cash on the table for selected teams, with £25,000 apiece vs the original £5k grant.

Startups in the first cohort were not required to give up any equity to participate, with neither GCHQ nor Wayra investing at that point. We’ve asked whether that situation has changed for the second batch of teams now that the program has been expanded and will update this story with any response. Update: No change, but see below for a quick Q&A with a spokesman for the accelerator.

The expanded program will offer selected teams access to technological and security expertise from GCHQ, the National Cyber Security Centre and Telefónica, which is the partner organization running the accelerator program (under its Wayra UK bootcamp banner), as well as the usual mix of mentoring, business services and office space.

The nine startups selected for the program play in a wide range of areas, from age verification online, to security skills, to blockchain cybercrime, to IoT (in)security.

They are:

  • Cybershield detects phishing and spear phishing, and alerts employees before they mistakenly act on deceptive emails 
  • Elliptic detects and investigates cybercrime involving crypto-currencies, enabling the company to identify illicit blockchain activity and provide intelligence to financial institutions and law enforcement agencies
  • ExactTrak supplies embedded technology that protects data and devices, giving the user visibility and control even when the devices are turned off
  • Intruder provides a proactive security monitoring platform for Internet-facing systems and businesses, detecting system weaknesses before hackers do
  • Ioetec provides a plug-and-play cloud service solution to connect Internet of Things devices with end-to-end authenticated, encrypted security
  • RazorSecure provides advanced intrusion and anomaly detection for aviation, rail and automotive sectors
  • Secure Code Warrior has built a hands-on, gamified Software-as-a-Service learning platform to help developers write secure code
  • Trust Elevate solves the problem of age verification and parental consent for young adults and children in online transactions
  • Warden helps businesses protect their users from hacks in real time by monitoring for suspicious activity 

For cyber security startups joining the program it’s proximity to the UK’s domestic spy agency and the chance to impress spooks — and potentially tap into a chunk of the £165 million ($250M) Defence and Cyber Innovation Fund announced by the government two years ago — that is surely the biggest draw here.

The government said the aim of the fund was to widen procurement for security technologies via investing in cyber security and defense startups. It has been said to be “loosely inspired” by In-Q-Tel — aka the CIA’s VC arm.

A parliamentary question to the UK secretary of state for defense last month, asking how much of the money had been allocated so far and for what purposes, suggests around £10M per year apiece is being made available for defense and cyber security related support — including investing in startups.

“£10 million out of the £155 million is available in this financial year to the Defence Innovation Fund, to support innovative procurement across Defence. The Fund is harnessing the best ideas from inside and outside of Defence through activities such as themed competitions and the Open Call for Innovation, delivered using the Defence and Security Accelerator,” said Harriett Baldwin, responding to the parliamentary question.

“The government also allocated £10 million to establish a Cyber Innovation Fund. This supports the UK’s national security requirements by providing innovative start-ups with financial and procurement support,” she added.

The GCHQ Cyber Accelerator is part of a wider £1.9 billion investment aimed at significantly transforming the UK’s cyber security capabilities via a national strategy.

Q&A

TC: It’s a big jump from three months to a nine month program. Was three months judged to be just too short?
Spokesman: After the successful first phase of the program, we believe we can develop the start-ups even further via a longer program, ensuring the companies gain maximum advantage of this opportunity.

TC: Where is the funding coming from? Is this all UK government money?
Spokesman: The Accelerator is funded through the National Cyber Security Program, delivered through the Department of Digital, Culture, Media and Sport and the NCSC. Wayra UK and Telefónica provide additional funding support and activities to further increase the benefit for the cohort.

TC: Where are the teams from? Presumably not all from the UK?
Spokesman: All of the companies are UK-registered companies. The founders include British, Spanish, Venezuelan and Irish nationals, and we received applications from all around the world.

One of the requirements is that they be UK-registered in order to grow the UK cyber ecosystem and support the NCSC’s mission to make the UK the safest place to live and work online.

TC: Can you also confirm whether Wayra (or GCHQ) is taking any equity in the teams this time around?
Spokesman: Neither GCHQ, the NCSC or DCMS will be taking equity in any of the companies. However, our accelerator partner (Wayra) and other companies supporting the start-ups are welcome to invest if they wish and the companies agree to this, but this is not a requirement for entry to the program.

Featured Image: GCHQ/Crown Copyright

Apple’s going to mandate 2-factor authentication, so you better get used to it now

Apple’s trying its hardest to protect the security of your account — whether you like it or not. 

In an email sent out in the early hours of June 6, the company confirmed that going forward it will mandate the use of 2-factor authentication (2FA) for many of its services. 

“If you install the iOS 11 or macOS High Sierra public betas this summer and meet the basic requirements, your Apple ID (xxxx@xxxx.com) will be automatically updated to use two-factor authentication,” reads the email. “This is our most advanced, easy-to-use account security, and it’s required to use some of the latest features of iOS, macOS, and iCloud.”

To be clear, this means that it’s not just early adopters downloading public betas of iOS 11 and High Sierra that will be required to use 2FA, but rather everyone that wants access to all the hot new features.   

And what is 2FA, you ask? Two-factor authentication is a basic security measure which requires two pieces of information for a user to access his or her account. Think of taking cash out of an ATM machine. You need your physical bank card (“something you have”), and your PIN (“something you know”). Only with both those keys can you get your cash. 

That High Sierra goodness.


Image: apple

With email, 2FA frequently manifests as your account password (“something you know”) and a random code sent to you either via SMS or an authenticator app (“something you have”). With these two elements required to gain access to an online account, it is much harder for hackers to gain unauthorized access. 

“Once updated, you’ll get the same extra layer of security you enjoy with two-step verification today, but with an even better user experience,” the email continues. “Verification codes will be displayed on your trusted devices automatically whenever you sign in, and you will no longer need to keep a printed recovery key to make sure you can reset a forgotten password.”

So, whose Apple IDs will be automatically updated to 2FA? We reached out to Apple to determine if it’s just people downloading the public betas, or if the same requirements will apply to everyone downloading iOS 11 and High Sierra later this year. Unfortunately, we received no response as of press time. 

Either way, with Apple stating that 2FA is required to use “the latest features of iOS, macOS, and iCloud,” it’s clear the company is making a hard push toward better account security. 

So go ahead and update those security settings now — before Apple does it for you. After all, medicine’s always easier to swallow when it’s not being shoved down your throat. 


Hackers just gave you another reason to hate vaping

It turns out vaping may be bad for more than just your look. 

With a few tweaks of the pen, a security researcher has demonstrated that vaporizers can be modified in such a way as to pass code to your computer. 

The problem, as with many things security related, comes down to the USB port. Used for both charging and data transfer, the port is a convenient place to plug in phones or other devices that need a battery boost—devices like vape pens. 

In a video demonstrating his work, the researcher, who goes by FourOctets, plugs an e-cigarette into a computer’s USB and the device immediately lights up as if to charge. A few seconds go by and the computer starts to react. 

“DO U EVEN VAPE BRO!!!!!,” reads a message that pops up on the screen. 

Essentially, the vaporizer issued a custom command to the computer, and the computer was all too happy to oblige. 

Take this as the weirdest example yet that you should never plug random devices into your USB ports.

While FourOctets has no ill intent, it is easy to imagine someone less scrupulous loading a computer with something not quite as funny. Like, say, a keylogger. Or ransomware.

So how did he make this happen? Thankfully for people worried about their e-cigs catching a virus, it required some hands-on work. 

“It started as more of a joke than anything,” FourOctets elaborated over Twitter direct message (he declined to give his real name). “This is done with extra hardware and a little bit of code.”

As to the point of the demonstration, other than the fact that it is legitimately hilarious? 

“Another goal usually when doing dumb stuff like this is that stuff is not always what it seems and that random stuff that can plug into a computer can be dangerous,” he explained. “A lot of folks aren’t aware that something like this is even possible whether it be with firmware or added hardware and a tiny bit of code found online.” 

So should you be worried that your vape pen is delivering malicious code to your laptop? 

“It’s probably pretty unlikely to ever get something like this from the factory that would do this,” FourOctets noted, “but the possibility is there and people need to be mindful of that.”

So, you know, something to maybe consider the next time you’re ripping that sweet cotton. 


Surprise! U.S. Senate email lacks the most basic of security features.

When it comes to United States Senate email accounts, you’d think the powers that be would enact a basic security feature that even Yahoo Mail and AOL have down.

Shocker: You would be wrong. 

As an April 20 open letter from Oregon Senator Ron Wyden makes clear, Senate email accounts lack the option to enable two-factor authentication. Like, senators can’t turn it on even if they want to. 

“As you know, the cybersecurity and foreign intelligence threats directed at Congress are significant,” wrote Wyden in the letter addressed to two Senate colleagues. “However, the Senate is far behind when it comes to implementing basic cybersecurity practices like two-factor authentication.”

What exactly is two-factor authentication (2FA), and why does this matter? Let’s let the experts over at the Electronic Frontier Foundation explain. 

“Login systems that require only a username and password risk being broken when someone else can obtain (or guess) those pieces of information,” notes the organization. “Services that offer two-factor authentication also require you to provide a separate confirmation that you are who you say you are. The second factor could be a one-off secret code, a number generated by a program running on a mobile device, or a device that you carry and that you can use to confirm who you are.”

An easy-to-grasp example of 2FA is your bank ATM card. In order to withdraw cash, you need the PIN (something you know) and the card itself (something you have). Those two factors combine to allow you, and hopefully only you, to access your hard-earned dollars.

Sen. Ron Wyden just can't believe this.


Image: Chip Somodevilla /Getty Images

With 2FA turned on, even if someone gains your email password (like maybe just possibly through a phishing attack) they still lack the necessary credentials to get into your inbox. This seems like something sitting members of the United States Senate and their staff would be interested in, right?

And yet.

“Today, the Senate neither requires nor offers two-factor authentication as an additional protection for desktop computers and email accounts,” writes Wyden. “The Senate Sergeant at Arms does require two-factor authentication for staff who wish to log in to Senate IT systems from home, using a Virtual Private Network. This is a good first step, but the Senate must go further and embrace two-factor authentication for the workplace, and not just for staff connecting from home.”

Offering 2FA is often viewed as one of several basic security litmus tests for online services. Gmail, Twitter, Facebook, AOL, and even the much-maligned Yahoo Mail make it easy to turn this on — meaning your grandmother’s email account is potentially more secure than your senator’s.

As that depressing little nugget of information sinks in, Wyden hits us with a jaw-dropping follow. The executive branch, you see, offers employees Personal Identity Verification (PIV) cards which contain smart chips. The chips work as part of a 2FA system for employees to log into computers. The Senate also offers PIV cards, Wyden tells us, but these don’t have smart chips.

What do they have instead?

“[In] contrast to the executive branch’s widespread adoption of PIV cards with a smart chip, most senate staff ID cards have a photo of a chip printed on them, rather than a real chip.”

That’s right, a photo of a chip printed on them.

So, to recap: Senate email accounts aren’t protected by 2FA, and most Senate staff ID cards have fake smart chips. 

Next on the agenda, we assume, is the revelation that the password to each and every senator’s personal voicemail account is just “0000.”


Hackers threaten to wipe out 200 million iCloud accounts

Hackers claim they've stolen a ton of iCloud accounts -- and they've demanded a ransom.

Image: mashable composite/shutterstock; apple

A group of hackers claims it has access to over 300 million Apple email accounts — and they say they’re ready and willing to wipe the user data from hundreds of millions of iCloud accounts if Apple won’t pay up by April 7.

The group, which is calling itself the Turkish Crime Family, demanded a $75,000 ransom in either Bitcoin or Ethereum, another form of online currency, to delete the data, reports Motherboard. The site broke the story Tuesday morning after corresponding with multiple people online claiming to represent the group, which will also settle for $100,000 worth of iTunes gift cards as payment.

Members of Turkish Crime Family provided Motherboard with a video, screenshots of emails and access to an email account allegedly used to correspond with Apple’s security team to prove their claims. Reps from Apple flatly denied the group’s request before threatening to forward the information to authorities, according to the report.     

The video shared in the email, which was uploaded to YouTube, reportedly shows the group scrolling through multiple stolen iCloud accounts. This was the only proof provided to Motherboard of the cache’s existence. 

A Twitter handle claiming to represent the group popped up shortly after Motherboard‘s report went live. As of this article’s publication, the account has been used to reiterate the group’s threats and retweet news coverage. 

A Twitter account claiming to represent the group is broadcasting its threats.


Image: screenshot/twitter

The group has since made itself available to the press via a direct email account, which was also shared with the world via tweet. 

Its story isn’t exactly consistent, though: one rep told Motherboard that its cache numbered around 300 million accounts, but another estimated they had access to 559 million emails. Meanwhile, the Turkish Crime Family Twitter handle is capping the number of iCloud accounts that will be affected in an attack at 200 million.

When reached by Mashable, Apple reps had no comment on the matter.

Cyber attacks on our personal data storage systems are no joke — and iCloud has experienced wide-scale breaches before, most notably in 2014 when multiple celebrity accounts were accessed and personal photos were shared online. In that instance, the security issue stemmed from the iCloud accounts’ weak personal safety settings rather than any flaw in Apple’s system.

The Turkish Crime Family hasn’t provided any insight into how it claims to have hijacked the accounts, so we’re cautious to accept their claims at face value — especially since the group doesn’t seem to have its story straight. Even though it provided Motherboard some alleged communications with Apple and a video, that doesn’t prove it has the ability to follow through on its threats. 

This may well be little more than an overblown stunt, unless the group comes forward with some more proof.