All posts in “Security”

Facebook now says its password leak affected ‘millions’ of Instagram users

Facebook has confirmed its password-related security incident last month now affects “millions” of Instagram users, not “tens of thousands” as first thought.

The social media giant confirmed the new information in its updated blog post, first published on March 21.

“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”

“Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” the updated post said, but the company still has not said how it made that determination.

The social media giant did not say how many millions were affected, however.

Last month, Facebook admitted it had inadvertently stored “hundreds of millions” of user account passwords in plaintext for years, said to have dated as far back as 2012. The company said the unencrypted passwords were stored in logs accessible to some 2,000 engineers and developers. The data was not leaked outside of the company, however. Facebook still hasn’t explained how the bug occurred.

Facebook posted the update at 10am ET — an hour before the Special Counsel’s report into Russian election interference was set to be published.

When reached, spokesperson Liz Bourgeois said Facebook does not have “a precise number” yet to share, and declined to say exactly when the additional discovery was made.

Alsid raises $14.7 million to secure your Active Directory installation

French startup Alsid has raised a $14.7 million funding round (€13 million). The company is working on a security solution that protects your Microsoft Active Directory installation by finding the misconfigurations an attacker would use to gain access to your systems.

Idinvest Partners is leading today’s round. Existing investors 360 Capital Partners and Axeleo Capital are also participating.

If you have a corporate laptop or if you access files on your corporate network, chances are your company uses Active Directory. Most companies use this directory service to manage users and their access rights. Whenever you enter your login and password on your corporate laptop, macOS or Windows checks with Active Directory to see whether you have the right to use that laptop and the various corporate services.

Big companies have a hard time managing this directory. They acquire other companies, merge directories and don’t realize that some users end up with very generous access rights. Hackers take advantage of that.

There are some solutions that scan your directory and fix vulnerabilities, but they require admin access. A scanner holding domain admin credentials is itself a high-value target, so they create as much risk as they remove. Alsid has a completely different approach.

“We operate like an employee working remotely. Our system asks a lot of questions to the directory and detects issues,” co-founder and CEO Emmanuel Gras told me in 2017. The company creates an ordinary user account, connects to your corporate network over a VPN and uses Microsoft’s standard directory APIs to probe your own Active Directory the way an attacker holding a low-privilege account would.
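The “generous access rights” problem from the previous paragraphs is usually nested group membership: a group inherited from an acquisition ends up a member of a group that is a member of Domain Admins, and nobody notices. The following is an added example, not Alsid’s code, of the check an unprivileged account can run over the data it is allowed to read. It works on a constructed, simplified snapshot of a hypothetical domain (corp.example) holding each group’s `member` attribute, which by default any authenticated domain user can read over LDAP; a real run would fetch that attribute with an LDAP search for `(objectClass=group)`.

```python
"""Effective membership of a privileged AD group, resolved through nested groups.

Added example (not Alsid's code). GROUPS is a constructed snapshot of the
'member' attribute of every group in a hypothetical domain corp.example;
in practice it would be populated from an LDAP search as a normal user.
"""
from collections import deque

# Constructed snapshot: group DN -> direct members (as in the 'member' attribute).
GROUPS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        "CN=Alice,OU=IT,DC=corp,DC=example",
        "CN=Infra Ops,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Infra Ops,OU=Groups,DC=corp,DC=example": [
        "CN=Bob,OU=IT,DC=corp,DC=example",
        "CN=Acme Legacy Admins,OU=Acquired,DC=corp,DC=example",
    ],
    # Inherited from an acquisition; nobody remembers it is nested under Infra Ops.
    "CN=Acme Legacy Admins,OU=Acquired,DC=corp,DC=example": [
        "CN=Carol,OU=Acquired,DC=corp,DC=example",
        "CN=svc-backup,OU=Acquired,DC=corp,DC=example",
        # Circular nesting is legal in AD and must not send the walk into a loop.
        "CN=Infra Ops,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Help Desk,OU=Groups,DC=corp,DC=example": [
        "CN=Dave,OU=Support,DC=corp,DC=example",
    ],
}

DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=corp,DC=example"


def cn(dn):
    """Common name of a DN, for readable reports."""
    return dn.split(",")[0].split("=", 1)[1]


def effective_members(group_dn, groups=GROUPS):
    """Return {member_dn: path} for every non-group object that ends up in group_dn.

    path is the chain of group DNs through which the membership is inherited,
    starting with group_dn itself.  Breadth-first, so the recorded path is the
    shortest one, and a 'seen' set makes circular nesting terminate.
    """
    found = {}
    seen = {group_dn}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, path = queue.popleft()
        for member in groups.get(current, []):
            if member in groups:                 # nested group: walk into it once
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:            # user, computer or service account
                found[member] = path
    return found


def indirect_members(group_dn, groups=GROUPS):
    """Objects that hold the group's rights only through nesting (path longer than 1)."""
    return {dn: path for dn, path in effective_members(group_dn, groups).items()
            if len(path) > 1}


def report(group_dn, groups=GROUPS):
    """One line per effective member, showing how the privilege was inherited."""
    lines = []
    for dn, path in sorted(effective_members(group_dn, groups).items()):
        via = " -> ".join(cn(g) for g in path)
        lines.append(f"{cn(dn)}: {via}")
    return lines


if __name__ == "__main__":
    for line in report(DOMAIN_ADMINS):
        print(line)
```

On the sample data, Alice is the only direct Domain Admin; Bob, Carol and the svc-backup service account all inherit the role through Infra Ops and the forgotten Acme group. One caveat for a real run: membership also flows through a user’s `primaryGroupID`, which does not appear in any group’s `member` attribute, so a complete audit must merge that in as well.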

Alsid then generates reports with detailed steps to harden the directory and monitors it continuously for regressions. You can deploy Alsid locally or in the cloud.

The company uses a software-as-a-service approach and currently monitors 3 million Active Directory users. Many big companies already use the service, such as Groupe Accor, Orange, Sanofi and Unibail-Rodamco-Westfield.

Spy on your smart home with this open source research tool

Researchers at Princeton University have built a web app that lets you (and them) spy on your smart home devices to see what they’re up to.

The open source tool, called IoT Inspector, is available to download from the project’s site. (Currently it’s macOS only, with a wait list for Windows or Linux.)

In a blog post about the effort the researchers write that their aim is to offer a simple tool for consumers to analyze the network traffic of their Internet-connected gizmos. The basic idea is to help people see whether devices such as smart speakers or Wi-Fi enabled robot vacuum cleaners are sharing their data with third parties. (Or indeed how much snitching their gadgets are doing.)

Testing the IoT Inspector tool in their lab the researchers say they found a Chromecast device constantly contacting Google’s servers even when not in active use.

A Geeni smart bulb was also found to be constantly communicating with the cloud, sending and receiving traffic to a domain (tuyaus.com) operated by a China-based company whose platform controls IoT devices.

There are other ways to watch devices like this, such as setting up a wireless hotspot and sniffing the IoT traffic with a packet analyzer like Wireshark. But the level of technical expertise required puts them out of reach for plenty of consumers.

The researchers say their web app doesn’t require any special hardware or complicated set-up, so it should be easier than packet sniffing your devices yourself. (Gizmodo, which got an early look at the tool, describes it as “incredibly easy to install and use”.)

One wrinkle: the web app doesn’t work with Safari; it requires Firefox or Google Chrome (or another Chromium-based browser).

The main caveat is that the team at Princeton do want to use the gathered data to feed IoT research — so users of the tool will be contributing to efforts to study smart home devices.

The title of their research project is Identifying Privacy, Security, and Performance Risks of Consumer IoT Devices. The listed principal investigators are professor Nick Feamster and PhD student Danny Yuxing Huang at the university’s Computer Science department.

The Princeton team says it intends to study the privacy, security and network performance risks of IoT devices. But they also note they may share the full dataset with other non-Princeton researchers after a standard research ethics approval process. So users of IoT Inspector will be participating in at least one research project. (Though the tool also lets you delete any collected data, per device or per account.)

“With IoT Inspector, we are the first in the research community to produce an open-source, anonymized dataset of actual IoT network traffic, where the identity of each device is labelled,” the researchers write. “We hope to invite any academic researchers to collaborate with us — e.g., to analyze the data or to improve the data collection — and advance our knowledge on IoT security, privacy, and other related fields (e.g., network performance).”

They have produced an extensive FAQ which anyone thinking about running the tool should definitely read before getting involved with a piece of software that’s explicitly designed to spy on your network traffic. (tl;dr: the tool uses ARP spoofing to redirect your devices’ traffic through the computer running it, a technique they warn may slow your network, in addition to the risk of their software being buggy.)
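ARP spoofing works by answering ARP requests on behalf of other hosts, so the poisoning that IoT Inspector performs on purpose leaves the same trace on the LAN as a hostile man-in-the-middle: an IP address whose MAC binding suddenly changes, and one MAC address claiming to be several IPs at once (the gateway and the victim, for full-duplex interception). The following is an added example, not the Princeton tool’s code, of a passive detector for exactly that trace. It replays a constructed list of ARP replies (sender IP, sender MAC), the fields a sniffer would hand you; a live version would feed it from a packet capture.

```python
"""Passive detector for ARP-based interception on a LAN.

Added example (not IoT Inspector's code).  SAMPLE_REPLIES is a constructed
sequence of ARP 'is-at' replies, the kind a sniffer would hand you; in a real
deployment observe() would be fed from a packet capture.
"""
from collections import defaultdict

# Constructed ARP replies: (sender_ip, sender_mac), in the order seen on the wire.
SAMPLE_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # smart bulb
    ("192.168.1.50", "aa:bb:cc:00:00:50"),   # laptop running the inspector
    ("192.168.1.1",  "aa:bb:cc:00:00:50"),   # laptop now claims to be the gateway
    ("192.168.1.20", "aa:bb:cc:00:00:50"),   # ...and the bulb: full-duplex MITM
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway's genuine reply (binding flaps)
]


class ArpMonitor:
    """Tracks IP->MAC bindings and raises alerts on the two ARP-poisoning signatures."""

    def __init__(self, known=None, multi_ip_ok=()):
        # known: trusted static bindings (e.g. the gateway), learned from a clean state.
        # multi_ip_ok: MACs allowed to own several IPs (a router with aliases, a VM host).
        self.ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.multi_ip_ok = {m.lower() for m in multi_ip_ok}
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; returns the alerts it produced (also kept in self.alerts)."""
        mac = mac.lower()
        new_alerts = []
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # Signature 1: a host's MAC "changed".  Legitimate only on hardware swap or DHCP churn.
            new_alerts.append(("binding_changed", ip, prev, mac))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1 and mac not in self.multi_ip_ok:
            # Signature 2: one MAC answering for several IPs, the classic poisoning pattern.
            new_alerts.append(("mac_claims_multiple_ips", mac, tuple(sorted(self.mac_to_ips[mac]))))
        self.alerts.extend(new_alerts)
        return new_alerts


def analyze(replies, known=None, multi_ip_ok=()):
    """Replay a list of (ip, mac) replies and return every alert raised."""
    monitor = ArpMonitor(known, multi_ip_ok)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


def suspected_spoofers(alerts):
    """MACs that claimed more than one IP address."""
    return sorted({a[1] for a in alerts if a[0] == "mac_claims_multiple_ips"})


if __name__ == "__main__":
    for alert in analyze(SAMPLE_REPLIES):
        print(alert)
    print("suspected spoofers:", suspected_spoofers(SAMPLE_REPLIES and analyze(SAMPLE_REPLIES)))
```

On the sample replies the laptop’s MAC (aa:bb:cc:00:00:50) is flagged as soon as it answers for the gateway, and again when it also answers for the bulb; the gateway’s own reply afterwards shows up as a third binding change, the flapping that the FAQ’s warning about slowed networks comes from. Seeding `known` with bindings captured while the network is clean is what makes the first spoofed reply detectable at all.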

The dataset being harvested by the traffic analyzer tool is anonymized, and the researchers specify they’re not gathering any public-facing IP addresses or locations. But there are still some privacy risks, such as if you have smart home devices you’ve named using your real name. So, again, do read the FAQ carefully if you want to participate.

For each IoT device on a network the tool collects multiple data-points and sends them back to servers at Princeton University — including DNS requests and responses; destination IP addresses and ports; hashed MAC addresses; aggregated traffic statistics; TLS client handshakes; and device manufacturers.

The tool has been designed not to track computers, tablets and smartphones by default, given the study focus on smart home gizmos. Users can also manually exclude individual smart devices from being tracked if they’re able to power them down during set up or by specifying their MAC address.

Up to 50 smart devices can be tracked on the network where IoT Inspector is running. Anyone with more than 50 devices is asked to contact the researchers to ask for an increase to that limit.

The project team has produced a video showing how to install the app on Mac:

Password manager Dashlane closes on $30M, adds former Spotify CMO to board

Dashlane, a popular password manager and all-round identity management solution, has raised another $30 million in funding, the company announced today. The funding – this time a round of debt financing from Hercules Capital – follows prior investment from FirstMark Capital, Rho Ventures, Bessemer Venture Partners, TransUnion and Silicon Valley Bank.

The company is also expanding its board with the addition of Seth Farbman, a former CMO for Spotify and Gap.

Farbman spent nearly four years at Spotify as its Chief Marketing Officer, exiting that position in January 2019. During his time there, Spotify grew to over 200 million monthly actives. He now joins Dashlane as the password management app has topped over 10 million users – a milestone it hit last June. The service is now available in 11 languages and used today in 180 countries worldwide.

Dashlane has also been expanding its product to include new features like Dark Web monitoring, which alerts users if their information is being passed around by hackers on the far reaches of the internet; and has added a VPN and identity theft protection. The goal with these features is to make Dashlane more than just a password management app, and to better differentiate itself from rivals like 1Password or LogMeIn’s LastPass.

“I am excited to join the board of Dashlane, a company with the right vision for the internet at the right time,” said Seth Farbman, in a statement. “I see many of the same attributes in Dashlane, as I did in Spotify, when I first joined—a best-in-class product that its customers love, a diverse and capable team focused on growth and innovation and powerful macro trends that put the wind at the company’s back. Technology is meant to empower people and make their lives easier, and that is at the very core of what Dashlane does,” he said.

Password managers like Dashlane are today less of a “nice to have” option, and more of a “must” as data breaches and additional security measures, like complex passwords combined with 2FA, have become routine. It’s a lot for the average web user to keep up with, and native solutions like Apple’s Keychain aren’t always enough. That’s why it’s useful to have a program that helps to automate password changes, track compromised accounts, identify weak passwords, and more.

People, broadly, are also more aware of their online privacy these days. That’s thanks, in part, to news coverage of Facebook’s privacy gaffes, security breaches, as well as the changes to the way sites collect and use personal data, as required by Europe’s GDPR.

“When we look back 10 years from now, 2018 will be remembered as the year of GDPR, Facebook revelations, and the year that regulators, the press – and most importantly, public opinion – really started to look at the entire issue of digital privacy and identity differently,” said Emmanuel Schalit, CEO of Dashlane.

Dashlane doesn’t share all its metrics, but claims 90 percent revenue growth year-over-year.

To date, Dashlane has raised over $100 million in venture funding. However, with 10M+ users, it’s still behind some competitors. LastPass, for instance, announced 16.8 million users in 2018. 1Password’s website, meanwhile, claims “millions” of individual users and 40,000 businesses, a number that implies it reaches a large number of employees thanks to its B2B deals. And of course it still has to convince people who use the built-in password features of today’s browsers that it’s worth having a more complete solution, rather than just a tool to remember passwords.