Newly public CrowdStrike wants to become the Salesforce of cybersecurity

Like many good ideas, CrowdStrike, a seller of subscription-based software that protects companies from breaches, began as a few notes scribbled on a napkin in a hotel lobby.

The idea was to leverage new technology to create an endpoint protection platform powered by artificial intelligence that would blow incumbent solutions out of the water. McAfee, Palo Alto Networks and Symantec, long-time leaders in the space, had been too slow to embrace new technologies and companies were suffering, the CrowdStrike founding team surmised.

Co-founders George Kurtz and Dmitri Alperovitch, a pair of former McAfee executives, weren’t strangers to legacy cybersecurity tools. McAfee had for years been a dominant player in endpoint protection and antivirus. At least, until the emergence of cloud computing.

Since 2012, CrowdStrike’s Falcon Endpoint Protection platform has been pushing those incumbents into a new era of endpoint protection. By helping enterprises across the globe battle increasingly complex attack scenarios more efficiently, CrowdStrike, as well as other fast-growing cybersecurity upstarts, has redefined company security standards much like Salesforce redefined how companies communicate with customers.

“I think we had the foresight that [CrowdStrike] was going to be a foundational element for security,” CrowdStrike chief executive officer George Kurtz told TechCrunch this morning. The full conversation can be read further below.

CrowdStrike co-founder and CEO George Kurtz.

Have I Been Pwned is looking for a new owner

Troy Hunt has revealed he’s looking for an acquirer for the breach notification service he set up more than five years ago — aka: Have I Been Pwned.

In a blog post discussing the future of the service, Hunt details how traffic to the site has exploded since January when he uploaded a massive 773M record list of breached emails and passwords that could be used for automated unauthorized logins (aka credential stuffing).

“The extra attention HIBP started getting in Jan never returned to 2018 levels, it just kept growing and growing,” he writes, saying he realized he was getting close to burn out trying to manage the service solo. Hence his decision to seek an acquirer.

HIBP has ridden a wave of growing concern about data breaches and Internet security, with Hunt taking the decision to accept a commercial sponsorship via a partnership with password manager firm 1Password last year.

Its growing profile has also led to the service finding favor with governments wanting to monitor their own domains.

Sketching what he hopes to achieve with more resources behind HIBP, Troy writes: “Imagine a future where I’m able to source and process much more data, proactively reach out to impacted organisations, guide them through the process of handling the incident, ensure impacted individuals like you and me better understand our exposure (and what to do about it) and ultimately, reduce the impact of data breaches on organisations and consumers alike. And it goes much further than that too because there’s a lot more that can be done post-breach, especially to tackle attacks such as the huge rate of credential stuffing we’re seeing these days. I’m really happy with what HIBP has been able to do to date, but I’ve only scratched the surface of potential with it so far.”

At this stage Hunt says he’s met with KPMG’s M&A division to discuss the process of finding a new owner. Although he also says he intends to remain personally involved in the service.

“In meeting with the M&A folks, it quickly became apparent how much support I really needed,” he writes. “The most significant thing that comes to mind is that I’d never really taken the time just to step back and look at what HIBP actually does. That might sound odd, but as it’s grown organically over the years and I’ve built it out in response to a combination of what I think it should do and where the demand is, I’ve not taken the time to step back and look at the whole thing holistically. Nor have I taken enough time to look at what it could do… but there’s so much potential to do so much more and I really needed the support of people that specialise in finding the value in a business to help me see that.”

Hunt’s blog includes a list of “commitments for the future of HIBP” — including that he remains a part of it, and that “freely available consumer searches should remain freely available”. (Albeit ‘should’ is not the same as ‘will’.)

Other items on his wish list are more capabilities for the service; reaching a larger audience; playing a bigger role in changing consumer; greater support for organizations to use HIBP; and “more disclosure — and more data”.

“There’s a whole heap of organisations out there that don’t know they’ve been breached simply because I haven’t had the bandwidth to deal with it all,” he notes on the latter — a sentence that should send a chill up spines everywhere. 

There’s no named acquirer in the frame as yet, although Hunt sounds like he has a short-list — writing that there’s “a solid selection [of potential acquirer organizations] that are at the front of my mind” and “also a bunch that I have enormous respect for but are less well-equipped to help me achieve this”.

He also says he considered but dismissed taking VC to scale the service into a company himself — as it would inevitably amp up his responsibilities when he’s looking for a way to spread the load.

“As the process plays out, I’ll be working with KPMG to more clearly identify which organisations fit into the first category,” he goes on. “As I’m sure you can imagine, there are some very serious discussions to be had: where HIBP would fit into the organisation, how they’d help me achieve those bullet-pointed objectives above and frankly, whether it’s the right place for such a valuable service to go. There are also some major personal considerations for me including who I’d feel comfortable working with, the impact on travel and family and, of course, the financial side of the whole thing. I’ll be honest – it’s equal parts daunting and exciting.”

A couple of commenters on the blog post ask Hunt whether he’s considered/approached Mozilla as a potential owner — and in a reply to one he writes: “Being a party that’s already dependent on HIBP, I reached out to them in advance of this blog post and have spoken with them. I can’t go into more detail than that just now, but certainly their use of the service is enormously important to me.”

Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’

For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.

For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer, in an interview with TechCrunch from his San Francisco headquarters.

“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem.” And when humans make coding mistakes that turn into bugs or vulnerabilities that can be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.

Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers and security researchers to find and privately report security flaws that could damage systems or put user data at risk.

Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for a payout to the finder.

The greater the vulnerability, the higher the payout.

“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.

Three ‘new rules’ worth considering for the internet

In a recent commentary, Facebook’s Mark Zuckerberg argues for new internet regulation starting in four areas: harmful content, election integrity, privacy and data portability. He also advocates that government and regulators “need a more active role” in this process. This call to action should be welcome news as the importance of the internet to nearly all aspects of people’s daily lives seems indisputable. However, Zuckerberg’s new rules could be expanded, as part of the follow-on discussion he calls for, to include several other necessary areas: security-by-design, net worthiness and updated internet business models.

Security-by-design should be an equal priority with functionality for network connected devices, systems and services which comprise the Internet of Things (IoT). One estimate suggests that the number of connected devices will reach 125 billion by 2030, and will increase 50% annually in the next 15 years. Each component on the IoT represents a possible insecurity and point of entry into the system. The Department of Homeland Security has developed strategic principles for securing the IoT. The first principle is to “incorporate security at the design phase.” This seems highly prudent and very timely, given the anticipated growth of the internet.

Ensuring net worthiness — that is, that our internet systems meet appropriate and up-to-date standards — seems another essential issue, one that might be addressed under Zuckerberg’s call for enhanced privacy. Today’s internet is a hodge-podge of different generations of digital equipment, unclear standards for what constitutes internet privacy and growing awareness of the likely scenarios that could threaten networks and users’ personal information.

Recent cyber incidents and concerns have illustrated these shortfalls. One need only look at the Office of Personnel Management (OPM) hack that exposed the private information of more than 22 million government civilian employees to see how older methods for storing information, lack of network monitoring tools and insecure network credentials resulted in a massive data theft. Many networks, including some supporting government systems and hospitals, are still running Windows XP software from the early 2000s. One estimate is that 5.5% of the 1.5 billion devices running Microsoft Windows are running XP, which is now “well past its end-of-life.” In 2016, a distributed denial of service attack against the web security firm Dyn exposed critical vulnerabilities in the IoT that may also need to be addressed.

Updated business models may also be required to address internet vulnerabilities. The internet has its roots as an information-sharing platform. Over time, a vast array of information and services have been made available to internet users through companies such as Twitter, Google and Facebook. And these services have been made available for modest and, in some cases, no cost to the user.

This means that these companies are expending their own resources to collect data and make it available to users. To defray the costs and turn a profit, the companies have taken to selling advertisements and user information. In turn, this means that private information is being shared with third parties.

As the future of the internet unfolds, it might be worth considering what people would be willing to pay for access to traffic cameras to aid commutes, social media information concerning friends or upcoming events, streaming video entertainment and unlimited data on demand. In fact, the data that is available to users has likely been compiled using a mix of publicly available and private data. Failure to revise the current business model will likely only encourage more of the same concerns with internet security and privacy issues. Finding new business models — perhaps even a fee-for-service for some high-end services — that would support a vibrant internet, while allowing companies to be profitable, could be a worthy goal.

Finally, Zuckerberg’s call for government and regulators to have a more active role is imperative, but likely will continue to be a challenge. As seen in attempts at regulating technologies such as transportation safety, offshore oil drilling and drones, such regulation is necessary, but normally occurs only once potential for harm becomes apparent. The recent accidents involving the Boeing 737 Max 8 aircraft could be seen as one example of the importance of such government regulation and oversight.

Zuckerberg’s call to action suggests a pathway to move toward a new and improved internet. Of course, as Zuckerberg also highlights, his four areas would only be a start, and a broader discussion should be had as well. Incorporating security-by-design, net worthiness and updated business models could be part of this follow-on discussion.

Fastly, the content delivery network, files for an IPO

Fastly, the content delivery network that’s raised $219 million in financing from investors (according to Crunchbase), is ready for its close up in the public markets.

The eight-year-old company is one of several businesses that improve the download time and delivery of different websites to internet browsers and it has just filed for an IPO.

Media companies like The New York Times use Fastly to cache their homepages, media and articles on Fastly’s servers so that when somebody wants to browse the Times online, Fastly’s servers can send it directly to the browser. In some cases, Fastly serves up to 90 percent of browser requests.

E-commerce companies like Stripe and Ticketmaster are also big users of the service. They appreciate Fastly because its network of servers enables faster load times — sometimes as quick as 20 or 30 milliseconds, according to the company.

The company raised its last round of financing roughly nine months ago, a $40 million investment that Fastly said would be the last before a public offering.

True to its word, the company is hoping public markets have the appetite to feast on yet another “unicorn” business.

While Fastly lacks the sizzle of companies like Zoom, Pinterest or Lyft, its technology enables a huge portion of the activities in which consumers engage online, and it could be a bellwether for competitors like Cloudflare, which recently raised $150 million and was also exploring a public listing.

The company’s public filing has a placeholder amount of $100 million, but given the amount of funding the company has received, it’s far more likely to seek closer to $1 billion when it finally prices its shares.

Fastly reported revenue of roughly $145 million in 2018, compared to $105 million in 2017, and its losses declined year on year to $29 million, down from $31 million in the year-ago period. So its losses are shrinking, its revenue is growing (albeit slowly) and its cost of revenues is rising from $46 million to around $65 million over the same period.

That’s not a great number for the company, but it’s offset by the amount of money that the company’s getting from its customers. Fastly breaks out that number in its dollar-based net expansion rate figure, which grew 132 percent in 2018.

It’s an encouraging number, but as the company notes in its prospectus, it’s got an increasing number of challenges from new and legacy vendors in the content delivery network space.

The market for cloud computing platforms, particularly enterprise-grade products, “is highly fragmented, competitive and constantly evolving,” the company said in its prospectus. “With the introduction of new technologies and market entrants, we expect that the competitive environment in which we compete will remain intense going forward. Legacy CDNs, such as Akamai, Limelight, EdgeCast (part of Verizon Digital Media), Level3, and Imperva, and small business-focused CDNs, such as Cloudflare, InStart, StackPath, and Section.io, offer products that compete with ours. We also compete with cloud providers who are starting to offer compute functionality at the edge like Amazon’s CloudFront, AWS Lambda, and Google Cloud Platform.”

A new state-backed hacker group is hijacking government domains at a phenomenal pace

A few months ago, researchers at Cisco’s Talos cybersecurity unit sounded the alarm after discovering a previously unknown hacker group targeting a core part of the internet’s infrastructure.

Their alarm was heard: FireEye quickly came out with new intelligence warning of a “global” domain name hijacking campaign targeting websites of predominantly Arab governments. The campaign, dubbed “DNSpionage,” rerouted users from a legitimate web address to a malicious server to steal passwords. Homeland Security warned the U.S. government had been targeted, and ICANN, the non-profit charged with keeping the internet’s address book, said the domain name system (DNS) was under an “ongoing and significant” attack and urged domain owners to take action.

Now, Talos researchers say they have found another highly advanced hacker group, likely backed by a nation-state, which they say has targeted 40 government and intelligence agencies, telecom firms and internet giants in 13 countries for more than two years.

“We assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage,” said the Talos report out Wednesday, seen by TechCrunch.

The group, which Talos calls “Sea Turtle” — an internal codename that ended up sticking — similarly targets companies by hijacking their DNS. That allows the hackers to point a target’s domain name to a malicious server of their choosing. This clever site-spoofing technique exploits long-known flaws in DNS that can be used to trick unsuspecting corporate victims into turning over their credentials on fake login pages, which the hackers can use for further compromise.

“This is a new group that is operating in a relatively unique way that we have not seen before, using new tactics, techniques, and procedures,” Craig Williams, director, outreach at Cisco Talos, told TechCrunch.

The hackers first compromise an intended target using spearphishing to get a foothold on the network, then use known exploits to target servers and routers to move laterally and obtain and exfiltrate network-specific passwords. The hackers then use those credentials to target the organization’s DNS registrar by updating its records so that the domain name points away from the IP address of the target’s server to a server controlled by the hackers.

Once the target’s domain is pointing to the malicious server, the hackers can run a man-in-the-middle operation to impersonate login pages and scrape the usernames and passwords of the staff as a way of getting deeper access into the network. The hackers also used their own HTTPS certificate for the target’s domain from another provider to make the malicious server look like the real thing.

With the credentials for greater network access in hand, the hackers aim to obtain the target’s SSL certificates used across the corporate network, granting greater visibility into the organization’s operations. The attackers also stole the SSL certificates used in security appliances, like virtual private networks (VPN), which were used to steal credentials to gain access to the organization’s network from outside its walls.

Using this same technique, Talos said that the hacker group compromised Netnod, a DNS provider in Sweden and one of the 13 root servers that powers the global DNS infrastructure. In February, Netnod confirmed its infrastructure was hijacked. The successful attack allowed the hackers to steal the passwords of administrators who manage Saudi Arabia’s top-level domain — .sa — suggesting other Saudi-based companies could be in the hacker group’s crosshairs.

Williams said Talos can “conclusively” link the Sea Turtle hackers to the Netnod attack.

In another case, the hackers gained access to the registrar that manages Armenia’s top-level domains, allowing the group to potentially target any .am domain name.

Talos wouldn’t name the targets of the attacks nor name the registrars at risk, citing the risk of further or copycat attacks — and the researchers wouldn’t name the state likely behind the group, instead deferring to the authorities to attribute. But the researchers said Armenia, along with Egypt, Turkey, Sweden, Jordan and the United Arab Emirates, were among the countries where it found victims.

Given the eventual targets included internet and telecom infrastructure companies, foreign ministries, and intelligence agencies in the Middle East and Africa, Williams said the group’s primary motivations are to conduct espionage.

Sea Turtle is said to be “highly capable,” according to the researchers’ findings, and the hackers are able to maintain long-term access by using the stolen credentials.

The researchers urged companies to begin using DNSSEC, a cryptographically more secure domain name system that’s far tougher to spoof, and to employ two-factor authentication on an organization’s DNS records.
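A defender-side monitor for the traces the attack chain described above leaves behind (delegation moved to other nameservers, the name resolving elsewhere, a certificate reissued by a different CA, DNSSEC validation lost), added here as an example that is neither Talos’ nor the article’s code. It compares a fresh snapshot of a domain against a trusted baseline; the domain names, addresses and CA names in it are constructed, and the `snapshot_live` helper fills in only A records and the served certificate from Python’s standard library (NS and DNSSEC data must come from a resolver library or `dig`).

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Snapshot:
    """What the monitor records about one domain at one point in time."""
    domain: str
    a_records: Set[str] = field(default_factory=set)
    ns_records: Set[str] = field(default_factory=set)
    cert_sha256: Optional[str] = None        # SHA-256 of the DER leaf certificate
    cert_issuer: Optional[str] = None        # issuing CA's organizationName
    dnssec_validated: Optional[bool] = None  # None means "not checked"


@dataclass
class Finding:
    severity: str
    indicator: str
    detail: str


def compare(baseline: Snapshot, observed: Snapshot) -> List[Finding]:
    """Return hijack indicators in `observed` relative to a trusted `baseline`.
    Fields not collected in `observed` (empty or None) are skipped."""
    findings: List[Finding] = []

    # Registrar-level hijack: delegation moved to nameservers we never configured.
    new_ns = observed.ns_records - baseline.ns_records
    if new_ns:
        findings.append(Finding("CRITICAL", "ns_delegation_changed",
                                f"unexpected nameservers: {sorted(new_ns)}"))

    # Zone-level hijack: the name now resolves to a host outside the baseline.
    new_a = observed.a_records - baseline.a_records
    if new_a:
        findings.append(Finding("HIGH", "a_record_unknown",
                                f"resolves to unknown address(es): {sorted(new_a)}"))

    # A new leaf certificate from a different CA is how the impostor server was
    # made to look genuine; a rotation under the same CA is probably planned.
    if baseline.cert_sha256 and observed.cert_sha256 \
            and baseline.cert_sha256 != observed.cert_sha256:
        if observed.cert_issuer and observed.cert_issuer != baseline.cert_issuer:
            findings.append(Finding("HIGH", "cert_reissued_other_ca",
                                    f"issuer changed from {baseline.cert_issuer!r} "
                                    f"to {observed.cert_issuer!r}"))
        else:
            findings.append(Finding("MEDIUM", "cert_rotated",
                                    "fingerprint changed under the same CA; confirm it was planned"))

    # A signed zone that stops validating means records are being served that
    # the zone's DNSSEC keys never signed.
    if baseline.dnssec_validated and observed.dnssec_validated is False:
        findings.append(Finding("HIGH", "dnssec_validation_lost",
                                "zone validated at baseline but does not now"))
    return findings


def snapshot_live(domain: str, port: int = 443, timeout: float = 5.0) -> Snapshot:
    """Collect A records and the served TLS certificate using only the stdlib.
    NS records and DNSSEC status need a resolver library or `dig +dnssec`;
    fill those fields in from such a source before calling compare()."""
    snap = Snapshot(domain)
    for info in socket.getaddrinfo(domain, port, socket.AF_INET, socket.SOCK_STREAM):
        snap.a_records.add(info[4][0])
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            snap.cert_sha256 = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
            issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
            snap.cert_issuer = issuer.get("organizationName")
    return snap


# Constructed sample data (RFC 5737 documentation addresses, made-up names): a
# baseline taken when the domain was known-good and a later snapshot showing the
# pattern described in the article.
BASELINE = Snapshot(
    domain="ministry.example", a_records={"203.0.113.10"},
    ns_records={"ns1.registrar.example", "ns2.registrar.example"},
    cert_sha256="a" * 64, cert_issuer="Baseline CA Ltd", dnssec_validated=True,
)
HIJACKED = Snapshot(
    domain="ministry.example", a_records={"198.51.100.7"},
    ns_records={"ns1.registrar.example", "ns9.unrelated-host.example"},
    cert_sha256="b" * 64, cert_issuer="Other CA Inc", dnssec_validated=False,
)

if __name__ == "__main__":
    for f in compare(BASELINE, HIJACKED):
        print(f"[{f.severity}] {f.indicator}: {f.detail}")
```

Running the constructed pair yields one CRITICAL and three HIGH findings; a baseline compared against itself yields none.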

“While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,” the researchers said.

Security flaw in EA’s Origin client exposed gamers to hackers

Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer into remotely running malicious code on their computer.

The bug affected Windows users with the Origin app installed. Tens of millions of gamers use the Origin app to buy, access and download games. To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.

But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.

“An attacker could’ve run anything they wanted,” Bee told TechCrunch.

‘Popping calc’ to demonstrate a remote code execution bug in Origin. (Image: supplied)

The researchers gave TechCrunch proof-of-concept code to test the bug for ourselves. The code allowed any app to run at the same level of privileges as the logged-in user. In this case, the researchers popped open the Windows calculator — the go-to app for hackers to show they can run code remotely on an affected computer.

But worse, a hacker could send malicious PowerShell commands, an in-built app often used by attackers to download additional malicious components and install ransomware.

Bee said a malicious link could be sent as an email or listed on a webpage, but could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

It was also possible to steal a user’s account access token using a single line of code, allowing a hacker to gain access to a user’s account without needing their password.

Origin’s macOS client wasn’t affected by the bug.

EA spokesperson John Reseburg confirmed a fix was rolled out Monday. TechCrunch confirmed the code no longer worked following the update.

Cloudflare expands its government warrant canaries

When the government comes for your data, tech companies can’t always tell you. But thanks to a legal loophole, companies can say if they haven’t had a visit yet.

That’s opened up an interesting clause that allows companies to silently warn customers when the government turns up to secretly raid their stash of customer data, without violating a gag order. Under U.S. freedom of speech laws, companies can publicly say that “the government has not been here” when there has been no demand for data, but they are allowed to remove the statement when a warrant comes in, as a warning shot to anyone who pays attention.

These so-called “warrant canaries” — named for the poor canary down the mine, who dies when there’s gas that the human can’t see — are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes.

Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend.

The networking and content delivery network giant said in a blog post this week that it’s expanding the transparency reports to include more canaries.

To date, the company:

  • has never turned over our SSL keys or our customers’ SSL keys to anyone;
  • has never installed any law enforcement software or equipment anywhere on our network;
  • has never terminated a customer or taken down content due to political pressure;
  • has never provided any law enforcement organization a feed of our customers’ content transiting our network.

Those key points are critical to the company’s business. A government demand for SSL keys and installing intercept equipment on its network would allow investigators unprecedented access to a customer’s communications and data, and undermine the company’s security. A similar demand led to Ladar Levison shutting down his email service Lavabit when the government sought the keys to obtain information on whistleblower Edward Snowden, who used the service.

Now Cloudflare’s warrant canaries will include:

  • Cloudflare has never modified customer content at the request of law enforcement or another third party.
  • Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
  • Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

It’s also expanded and replaced its first canary to confirm that the company “has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.”

Cloudflare said that if it were ever asked to do any of the above, the company would “exhaust all legal remedies” to protect customer data, and remove the statements from its site.

The networking and content delivery network is one of a handful of major companies that have used warrant canaries over the years. Following reports that the National Security Agency was vacuuming up the call records from the major telecom giants in bulk, Apple included a statement in its most recent transparency reports noting that the company has to date “not received any orders for bulk data.” Reddit removed its warrant canary in 2015, indicating that it had received a national security order it wasn’t permitted to disclose.

Cloudflare’s expanded canaries were included in the company’s latest transparency report, out this week.

According to its latest figures covering the second half of 2018, Cloudflare responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. The company also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains.

The company received between 0 and 249 national security requests for the duration, and said that it didn’t process any wiretap or foreign government requests for the duration.

Uber fixes bug that exposed third-party app secrets

Uber has fixed a bug that allowed access to the secret developer tokens of any app that integrated with the ride-sharing service, according to the security researchers who discovered the flaw.

In a blog post, Anand Prakash and Manisha Sangwan explained that a vulnerable developer endpoint on Uber’s back-end systems — since locked down — was mistakenly spitting back client secrets and server tokens for apps authorized by the Uber account owner.

Client secrets and server tokens are considered highly sensitive bits of information for developers as they allow apps to communicate with Uber’s servers. For its part, Uber warns developers to “never share” the keys with anyone.

Prakash, founder of Bangalore-based AppSecure, told TechCrunch that the bug was “very easy” to exploit, and could have allowed an attacker to obtain trip receipts and invoices. But he didn’t test how far the access could have taken him, as he immediately reported the bug to Uber.

Uber took a month to fix the bug, according to the disclosure timeline, and the issue was considered serious enough to email developers last week warning of the possible exposure.

“At this time, we have no indication that the issue was exploited, but suggest reviewing your application’s practices out of an abundance of caution,” Uber’s email to developers said. “We have mitigated the issue by restricting the information returned to the name and id of the authorized applications.”

Uber did not respond to a request for comment. If that changes, we’ll update.

Prakash was paid $5,000 in Uber’s bug bounty for reporting the bug, and currently ranks in the top five submitters on Uber’s bug bounty.

The security researcher is no stranger to Uber’s bug bounty. Two years ago, he found and successfully exploited a bug that allowed him to receive free trips in both the U.S. and his native India.

Google’s cyber unit Jigsaw introduces Intra, a new security app dedicated to busting censorship

Jigsaw, the division owned by Google parent Alphabet, has revealed Intra, a new app aimed at protecting users from state-sponsored censorship.

Intra is a new app that aims to prevent DNS manipulation attacks. Whenever you visit a website, the easy-to-remember web address is converted to a less-than-memorable IP address — often over an unsecured connection. That makes it easy for oppressive governments — like Turkey, which has used this technique before — to intercept web address requests and either kill them in their tracks to stop sites from loading, or redirect them to a fake site.

By passing all your browsing queries and app traffic through an encrypted connection to a trusted Domain Name Server, Intra says it ensures you can use your app without meddling or get to the right site without interference.

“Intra is dead simple to use. Just download the app and turn it on,” Jigsaw said. “That’s it.”

Jigsaw has already seen some successes in parts of the world where internet access is restricted or monitored. The government in Venezuela reportedly used DNS manipulation to prevent citizens from accessing news sites and social networks.

The app uses Google’s own trusted DNS server by default, but users can also funnel their browsing requests through Cloudflare, which also hosts its own publicly accessible secure DNS server, or any other secure DNS server.

Admittedly, that requires a bit of trust for Google and Cloudflare — or any third party. A Jigsaw spokesperson told TechCrunch that Intra’s use of Google’s DNS is covered by its privacy policy, and Cloudflare also has its own.

Jigsaw said it will bake the app into Android Pie, which already allows encrypted DNS connections. But Jigsaw is also making the app available for users in parts of the world with weaker economies that make upgrading from older devices near-impossible, so they can benefit from the security features.

It’s the latest piece in the security and privacy puzzle that Jigsaw is trying to solve.

The little-known Alphabet division is focused on preventing censorship, threats of online harassment and countering violent extremism. The incubator focuses on empowering free speech and expression by providing tools and services that make being online safer for higher-risk targets.

Jigsaw has also invested its time on several other anti-censorship apps, including Project Shield, which protects sites against distributed denial-of-service attacks, as well as Outline, which gives reporters and activists a virtual private network that funnels data through a secure channel.