All posts in “Security”

Twitter still keeps archives of your DMs years after you deleted them

Uh-oh, this doesn’t look good.

You know how when you delete a Twitter DM and you’re expecting it to, like, be erased and non-retrievable ever again? Turns out Twitter’s still keeping archives of deleted DMs according to a security researcher who shared his discovery with TechCrunch.

Security researcher Karan Saini told TechCrunch he was able to retrieve old Twitter DMs he had deleted years ago.

Saini says he found his old deleted Twitter messages from recipient archive folders belonging to Twitter accounts that were deleted. Twitter lets senders delete their DM messages, but the messages are only deleted from their end and not the recipient’s (and vice versa).

“DMs are never ‘deleted’—rather only withheld from appearing in the UI,” Saini said on Twitter after TechCrunch published the story. “The archive feature lets you view these DMs, as well as any others with now suspended, or deactivated users.”

He was also able to use a now-deprecated Twitter API to recover old direct messages from both the sender and recipient.

Saini’s discovery flies in the face of Twitter’s privacy policy, which says data is only stored for “up to 30 days after deactivation” to allow users to restore their accounts.

Twitter's privacy policy says data should be deleted after 30 days of deactivating an account.

After 30 days, if a user hasn’t restored their account, the data should be gone… for good. Except Saini and TechCrunch’s findings show this isn’t the case. TechCrunch reporters said they were able to “recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts.” In one example, they were able to retrieve deleted messages from 2016.

Mashable has reached out to Twitter for clarification on why the company is still keeping archives of DMs that were deleted years ago, and we’ll update this story if we receive a response.

As it stands, this discovery is another reason to be mindful of the amount of data social media services collect. Social media platforms like Twitter make it easier than ever to share and communicate with others instantly, but the extent of their reach is now being contested. Can you really trust a company that doesn’t delete your data when you think you’ve deleted it?

Even years later, Twitter doesn’t delete your direct messages

When does “delete” really mean delete? Not always, or even at all, if you’re Twitter.

Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini.

Saini found years-old messages in a file from an archive of his data obtained through the website, sent to and from accounts that were no longer on Twitter. He also filed a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted by both the sender and the recipient — though that bug wasn’t able to retrieve messages from suspended accounts.

Saini told TechCrunch that he had “concerns” that the data was retained by Twitter for so long.

Direct messages once let users “unsend” messages from someone else’s inbox, simply by deleting them from their own. Twitter changed this years ago, and now only allows a user to delete messages from their own account. “Others in the conversation will still be able to see direct messages or conversations that you have deleted,” Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account “deactivated and then deleted.” After a 30-day grace period, the account disappears along with its data.

But, in our tests, we could recover direct messages from years ago — including old messages that had since been lost to suspended or deleted accounts. Requesting your account’s data archive returns all of the data Twitter stores on you.

A conversation, dated March 2016, with a suspended Twitter account was still retrievable today. (Image: TechCrunch)

Saini says this is a “functional bug” rather than a security flaw, but argued that the bug allows anyone a “clear bypass” of Twitter’s mechanisms to prevent access to suspended or deactivated accounts.

But it’s also a privacy matter, and a reminder that “delete” doesn’t mean delete — especially with your direct messages. That can expose users, particularly high-risk accounts like journalists and activists, to government data demands that call for data from years earlier.

That’s despite Twitter’s claim that once an account has been deactivated, there is “a very brief period in which we may be able to access account information, including tweets,” to law enforcement.

A Twitter spokesperson said the company was “looking into this further to ensure we have considered the entire scope of the issue.”

Retaining direct messages for years may put the company in a legal grey area amid Europe’s new data protection laws, which allow users to demand that a company delete their data.

Neil Brown, a telecoms, tech and internet lawyer at U.K. law firm Decoded Legal, said there’s “no formality at all” to how a user can ask for their data to be deleted. Any request from a user to delete their data that’s directly communicated to the company “is a valid exercise” of a user’s rights, he said.

Companies can be fined up to four percent of their annual turnover for violating GDPR rules.

“A delete button is perhaps a different matter, as it is not obvious that ‘delete’ means the same as ‘exercise my right of erasure’,” said Brown. Given that there’s no case law yet under the new General Data Protection Regulation regime, it will be up to the courts to decide, he said.

When asked if Twitter thinks that consent to retain direct messages is withdrawn when a message or account is deleted, Twitter’s spokesperson had “nothing further” to add.

Elevate Security announces $8M Series A to alter employee security behavior

It’s well understood that many network breaches begin with phishing emails designed to trick users into giving hackers their credentials. The attackers don’t even have to work to find a vulnerability; they can just waltz in the front door. Elevate Security, a San Francisco startup, wants to change that by helping employees understand phishing attacks better using behavioral techniques. Today, the company announced an $8 million Series A round to build on this idea.

The investment was led by Defy Partners. Existing investor Costanoa Ventures also participated. Today’s round brings the total raised to $10 million, according to the company.

What has the company created to warrant this investment? “We have a solution that motivates, measures and rewards employees to change their security habits, while at the same time giving security teams unprecedented visibility into the security habits and actions of their employees,” co-founder Masha Sedova told TechCrunch.

Specifically, the company has built a Security Behavior platform. “Our platform pulls in data sets that allow employees or security teams to see where the strengths and weaknesses of their organization lie, and then apply a suite of solutions that are rooted in behavioral science that helps them change behavior,” she explained.

Sedova and co-founder Robert Fly started working on this problem when both were part of the Salesforce security team. They began working with the idea of gamifying security to teach employees and customers how to be more security aware.

Elevate Security dashboard

When Fly’s team at Salesforce dug into the root of security problems, it found that it was often simply human error. He said it wasn’t malicious on the employee’s part, but they had jobs to do, and expected the security team to handle these issues. He realized that shifting employees to become more security aware was as much a behavioral psychology problem as a technology one and the roots of Elevate began to take shape.

The first product they built on top of the platform is called Hacker’s Mind, a tool designed to help employees understand how hackers think and operate.

The company launched in 2017 and currently has 15 employees, half of whom are women. It also boasts an entirely female board of directors, and the startup plans to continue this trend as it staffs up with the new funding. Its headquarters are in San Francisco, but it just opened an engineering office in Montreal. Current customers include AutoDesk, Exxon and Illumio.

C2A raises $6.5M for its in-car cybersecurity platform

Cars are now essentially computers on wheels — and like every computer, they are susceptible to attacks. It’s no surprise then that there’s a growing number of startups that are working to protect a car’s internal systems from these hacks, especially given that the market for automotive cybersecurity could be worth over $900 billion by 2026.

One of these companies is Israel’s C2A Security, which offers an end-to-end security platform for vehicles and today announced that it has raised a $6.5 million Series A funding round.

The round was led by Maniv Mobility, which previously invested in companies like Hailo, drive.ai and Turo, and ICV, which has invested in companies like Freightos and Vayyar. OurCrowd’s Labs/02 also participated in this round.

Like most companies at the Series A stage, C2A plans to use the new funding to grow its team, especially on the R&D side, and help support its customer base. Sadly, C2A does not currently talk about who its customers are.

The promise of C2A is that it offers a full suite of solutions to detect and mitigate attacks. The team behind the company has an impressive security pedigree; the company’s CMO Nat Meron, for example, is an alumnus of Israel’s Unit 8200 intelligence unit. C2A founder and CEO Michael Dick previously co-founded NDS, a content security company, which Cisco acquired for around $5 billion in 2012 (and then recently sold on to Permira, also for $5 billion).

“We are extremely proud to receive the support of such outstanding investors, who will bring tremendous value to the company,” said Dick. “Maniv’s expertise in autotech and strong network across the industry coupled with ICV’s rich experience in cybersecurity brings the perfect combination of skills to the table.”

PerimeterX secures $43M to protect web apps from bot attacks

We know by now that modern website attacks are typically automated, as armies of bots knock on doors until they inevitably find vulnerabilities and take advantage. PerimeterX, a San Francisco startup, wants to protect sites from these automated assaults. Today, it announced a $43 million Series C.

The round was led by Scale Venture Partners. New investor Adams Street Partners joined existing investors Canaan Partners, Vertex Ventures and Data Collective in the round. Ariel Tseitlin, a partner at Scale, will be joining the company’s board under the terms of the deal. Today’s investment brings the total raised to over $77 million, according to Crunchbase data.

Omri Iluz, co-founder and CEO at PerimeterX, says bots have become the preferred way for hackers to attack websites and mobile apps, and his company has developed a way to defend against that kind of attack. It uses a technique called behavioral fingerprinting to blunt these automated assaults.

“Once we gain visibility into the behavior of the user, we are able to discern between normal behavior and an anomalous behavior that looks like it’s coming from an automated tool,” he said. The solution looks at attributes like mouse movements and swipes. It also analyzes the hardware to understand the graphics driver and audio driver of whatever device the bot is purporting to be.

Achieving this kind of identification requires massive amounts of data, and PerimeterX uses machine learning to help model normal behavior and shut down anomalous behavior in an automated fashion.

The company was founded in 2014 and currently has 140 employees. Ariel Tseitlin from Scale Venture Partners, who is leading the round, says that as companies reach this level of maturity, the Series C money tends to go into sales and marketing to push the revenue pedal and scale the company.

“While there is a lot of opportunity in R&D, generally at this stage most of the dollars are going for sales and marketing, so hiring more salespeople, hiring more marketers, more sales ops. That’s where a big part of the expansion comes from, and that tends to be pretty closely correlated to revenue growth, and pretty closely correlated to just greater growth in general,” he explained.

We wrote about Signal Sciences’ funding last week, a company that also works to protect web apps using a firewall approach. Iluz says that the two companies often work together at the same customers, rather than competing, because they attack the problem differently.