All posts in “Security”

How do you build a secure startup? Find out at TechCrunch Disrupt SF

Security is everything — more so than ever in startup land. But with the constant pressures to launch and scale, how do you build a secure startup from the ground up without slowing growth?

Whether you’re starting out small or you’re a multinational unicorn, your customers and their data will be your greatest asset. We’re excited to announce three cybersecurity industry experts who know better than anyone how to keep their organizations safe from everything from phishing emails to nation-state attackers, and everything in between.

We’ll be joined by Google’s Heather Adkins, IOActive’s Jennifer Sunshine Steffens, and Duo’s Dug Song, who will discuss those startup security questions at TechCrunch Disrupt SF.

Adkins, a 16-year Google veteran, runs Google’s information security shop. As an early employee, Adkins built a global team responsible for maintaining the safety and security of Google’s networks, systems and applications as the company has ballooned in size. Her extensive background in network and systems administration has led her to work to build and secure some of the world’s largest infrastructure.

Steffens, who has spent over a decade at penetration testing and ethical hacking company IOActive, knows all too well how to build a security company. Her team goes into enterprises large and small and finds the weak spots in their security in an effort to fix the flaws before bad actors exploit them. Having worked during the early stages at several successful startups, Steffens brings a world of corporate and security knowledge to the table.

And Song, who co-founded security giant Duo, led one of the most successful exits in Silicon Valley security startup history following the company’s $2.35 billion acquisition by Cisco last year. Song is a leading voice in the security community with broad experience in developing security solutions for enterprises.

How do these cybersecurity leaders keep ahead of the bad guys — and the insider threats? Join us on the Extra Crunch stage to find out. Tickets to the show, which runs October 2 to October 4, are available here.

Did you know Extra Crunch annual members get 20% off all TechCrunch event tickets? Head over here to get your annual pass, and then email extracrunch@techcrunch.com to get your 20% off discount. Please note that it can take up to 24 hours to issue the discount code.

T-Mobile customers report outage, can’t make calls or send text messages

T-Mobile customers across the U.S. say they can’t make calls or send text messages following an apparent outage — although mobile data appears to be unaffected.

We tested with a T-Mobile phone in the office. Both calls to and from the T-Mobile phone failed. When we tried to send a text message, it said the message could not be sent. The outage began around 3pm PT (6pm ET).

Users took to social media to complain about the outage. It’s not clear how many customers are affected, but users across the U.S. have said they are affected.

A spokesperson for T-Mobile did not immediately comment, but a T-Mobile support account said the cell giant has “engaged our engineers and are working on a resolution.”

T-Mobile is the third largest cell carrier after Verizon (which owns TechCrunch) and AT&T. The company had its proposed $26.5 billion merger with Sprint approved by the Federal Communications Commission, despite a stream of state attorneys general lining up to block the deal.

MoviePass exposed thousands of unencrypted customer card numbers

Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit card numbers because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were ordinary computer-generated logging messages used to keep the service running, but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema.

We reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance, and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

We also found records containing customers’ personal credit card numbers and their expiry dates, alongside billing information including names and postal addresses. Among the records we reviewed, we found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

The database also contained email addresses and some password data related to failed login attempts. We found hundreds of records containing the user’s email address and a presumably mistyped password, which was logged in plaintext in the database. We verified this by attempting to log into the app with an email address and password that didn’t exist and that only we knew. Our dummy email address and password appeared in the database almost immediately.

None of the records in the database were encrypted.
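As an added example that is not MoviePass’s code or anything from SpiderSilk, the following Python shows the two controls whose absence the findings above describe: a redaction step that masks Luhn-valid card numbers down to their last four digits and drops password fields before a log record is stored, and a detection pass over already-stored records that counts how many still carry a full card number. The record shape, field names, sample records and the logging hook are constructed assumptions for illustration.

```python
"""Scrubbing card numbers and passwords from log records before they are stored.

Added example, not MoviePass's code. The field names, the sample records and
the logging hook are constructed for illustration.
"""
import json
import logging
import re
from typing import Any

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Keys whose values must never be logged, not even on a failed login attempt.
SECRET_KEYS = {"password", "passwd", "pwd", "secret", "cvv", "cvc"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, which weeds out order IDs and other numeric noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text: str) -> str:
    """Replace every Luhn-valid card number in free text, keeping the last four."""
    def repl(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # a numeric ID, not a card: leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(repl, text)


def redact_record(record: Any) -> Any:
    """Recursively scrub a structured log record (dict/list/str) before storage."""
    if isinstance(record, dict):
        return {
            k: "[REDACTED]" if str(k).lower() in SECRET_KEYS else redact_record(v)
            for k, v in record.items()
        }
    if isinstance(record, list):
        return [redact_record(v) for v in record]
    if isinstance(record, str):
        return mask_pan(record)
    return record


class RedactingFilter(logging.Filter):
    """Attach to a handler so a secret passed by any caller is masked before the sink."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_record(record.msg)
        if isinstance(record.args, dict):
            record.args = redact_record(record.args)
        elif record.args:
            record.args = tuple(redact_record(a) for a in record.args)
        return True


def redact_log_message(msg: str, *args) -> str:
    """Run one message through the filter and return what the sink would see."""
    rec = logging.LogRecord("demo", logging.INFO, "", 0, msg, args, None)
    RedactingFilter().filter(rec)
    return rec.getMessage()


def find_unmasked_pans(records) -> int:
    """Detection side: count stored records that still carry a full card number."""
    hits = 0
    for rec in records:
        flat = json.dumps(rec, default=str)
        if mask_pan(flat) != flat:
            hits += 1
    return hits


# Constructed sample records in the shape of the three leak types described above.
SAMPLE_RECORDS = [
    {"event": "card.activate", "card_number": "4111 1111 1111 1111",
     "expiry": "03/21", "balance": "15.00"},
    {"event": "login.failed", "email": "user@example.com", "password": "hunter2"},
    {"event": "purchase", "msg": "charged 5555555555554444 order 1234567890123"},
]

if __name__ == "__main__":
    print("records leaking a PAN:", find_unmasked_pans(SAMPLE_RECORDS))  # 2
    clean = [redact_record(r) for r in SAMPLE_RECORDS]
    print("after redaction:", find_unmasked_pans(clean))  # 0
    for rec in clean:
        print(rec)
    print(redact_log_message("card %s failed activation", "4111111111111111"))
```

The Luhn check is what keeps the masker from mangling ordinary numeric identifiers: the constructed order ID above survives while both test card numbers are masked. Hooking the filter on the handler rather than relying on each call site is the point of the `RedactingFilter`: a mistyped password or a full card number reaches the sink only if every caller remembers to strip it, so the handler is the place to enforce it.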

Hussein contacted MoviePass chief executive Mitch Lowe by email, which TechCrunch has seen, over the weekend but did not hear back. It was only after TechCrunch reached out on Tuesday that MoviePass took the database offline.

It’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.

We asked MoviePass several questions — including why the initial email disclosing the security lapse was ignored, for how long the server was exposed, and its plans to disclose the incident to customers and state regulators. When reached, a spokesperson did not comment by our deadline.

MoviePass has been on a rollercoaster since it hit mainstream audiences last year. The company quickly grew its customer base from 1.5 million to 2 million customers in less than a month. But MoviePass took a tumble after critics said it grew too fast, and the company briefly ceased operating after it ran out of money. The company later said it was profitable, but then suspended service, supposedly to work on its mobile app. It now says it has “restored [service] to a substantial number of our current subscribers.”

Leaked internal data from April said its customer numbers went from three million subscribers to about 225,000. And just this month MoviePass reportedly changed user passwords to hobble access for customers who use the service extensively.

Hussein said the company was negligent in leaving data unencrypted in an exposed, publicly accessible database.

“We keep on seeing companies of all sizes using dangerous methods to maintain and process private user data,” Hussein told TechCrunch. “In the case of MoviePass, we are questioning the reason why would internal technical teams ever be allowed to see such critical data in plaintext — let alone the fact that the dataset was exposed for public access by anyone,” he said.

The security researcher said he found the exposed database using his company-built web mapping tools, which peek into non-password-protected databases connected to the internet and identify their owners. The findings are privately disclosed to the companies, often in exchange for a bug bounty.

Hussein has a history of finding exposed databases. In recent months he found one of Samsung’s development labs exposed on the internet. He also found an exposed backend database belonging to Blind, an anonymity-driven workplace social network, that exposed private user data.


Yubico launches its dual USB-C and Lightning two-factor security key

Almost two months after it was first announced, Yubico has launched the YubiKey 5Ci, a security key with both a Lightning connector for iPhones and iPads and a USB-C connector for Macs and other USB-C compatible devices.

The YubiKey 5Ci is the latest iteration of Yubico’s security key, built to support Apple’s iPhone, iPad and MacBooks from a single device. Announced in June, the company said the key would cater to cross-platform users, particularly Apple device owners.

These security keys may be small enough to sit on a keyring, but they hold the keys to your online life. Your Gmail, Twitter and Facebook accounts all support these plug-in devices as a second factor of authentication after your username and password, a far stronger mechanism than a simple code sent to your phone.

Security keys offer a phishing-resistant second factor: the key only completes a login for the site it was registered with, so a look-alike site cannot replay the response the way it can a texted code. That protects against a variety of threats, including nation-state attackers, although a key does not guard the account against a compromised device or an unsecured recovery path.

Jerrod Chong, Yubico’s chief solutions officer, said the new key would fill a “critical gap in the mobile authentication ecosystem,” particularly given how users are increasingly spending their time across a multitude of mobile devices.

The new key works with a range of apps that support security key authentication, including password managers like 1Password and LastPass and web browsers like Brave.

Traces AI is building a less invasive alternative to facial recognition tracking

With all of the progress we’ve seen in deep learning in the past few years, it seems inevitable that security cameras will become smarter and more capable at tracking people, but there are more options than we might think in how that tracking is done.

Traces AI is a new computer vision startup, in Y Combinator’s latest batch of bets, that’s focused on helping cameras track people without relying on facial recognition data, something the founders believe is too invasive of the public’s privacy. The startup’s technology actually blurs out all human faces in frame, only relying on the other physical attributes of a person.

“It’s a combination of different parameters from the visuals. We can use your hair style, whether you have a backpack, your type of shoes and the combination of your clothing,” co-founder Veronica Yurchuk tells TechCrunch.

Tech like this obviously doesn’t scale well for a multi-day, city-wide manhunt, and it leaves room for a Jason Bourne-esque criminal to turn their jacket inside out and toss on a baseball cap to evade detection. As a potential customer, why forgo a sophisticated technology just to stave off dystopia? Well, Traces AI isn’t convinced that facial recognition is always the best solution; the founders believe that facial tracking isn’t something every customer wants or needs, and that there should be more variety in the solutions on offer.

“The biggest concern [detractors] have is, ‘Okay, you want to ban the technology that is actually protecting people today, and will be protecting this country tomorrow?’ And, that’s hard to argue with, but what we are actually trying to do is propose an alternative that will be very effective but less invasive of privacy,” co-founder Kostya Shysh tells me.

Earlier this year, San Francisco banned government agencies from the use of facial recognition software, and it’s unlikely that they will be the only city to make that choice. In our conversation, Shysh also highlighted some of the backlash to Detroit’s Project Green Light which brought facial recognition surveillance tech city-wide.

Traces AI’s solution can also be a better option for closed venues that have limited data on the people on their premises in the first place. One use case Shysh highlighted was being able to find a lost child in an amusement park with just a little data.

“You can actually give them a verbal description, So if you say, it’s a missing 10-year-old boy, and he had blue shorts and a white t shirt, that will be enough information for us to start a search,” Shysh says.

In addition to being a better way to promote privacy, Shysh also sees the technology as a more effective way to reduce the racial bias of computer vision systems, which have proven less adept at distinguishing non-white faces and are thus more prone to false positives on them.

“The way our technology works, we actually blur faces of the people before sending it to the cloud. We’re doing it intentionally as one of the safety mechanisms to protect from racial and gender biases as well,” Shysh says.

The co-founders say that the U.S. and Great Britain are likely to be their biggest markets because of the high density of CCTV cameras, but they’re also pursuing customers in Asian countries like Japan and Singapore, where face-obscuring masks are often worn and can make facial tracking software much less effective.