Decrypted: With more SolarWinds fallout, Biden picks his cybersecurity team

All change in the capital as the Biden administration takes charge, and thankfully without a hitch (or violence) after the attempted insurrection two weeks earlier.

In this week’s Decrypted, we look at the ongoing fallout from the SolarWinds breach and who the incoming president wants to lead the path to recovery. Plus, the news in brief.


THE BIG PICTURE

Google says SolarWinds exposure “limited,” more breaches confirmed

The cyberattack against SolarWinds, an ongoing espionage campaign already blamed on Russia, claimed the U.S. Bureau of Labor Statistics as another federal victim this week. The attack also hit cybersecurity company Malwarebytes, the company’s chief executive confirmed. Marcin Kleczynski said in a blog post that attackers gained access to a “limited” number of internal company emails. It was the same attackers as SolarWinds but using a different intrusion route. It’s now the third security company known to have been targeted by the same Russian hackers after a successful intrusion at FireEye and an unsuccessful attempt at CrowdStrike.

App stores saw record 218 billion downloads in 2020, consumer spend of $143 billion

Mobile adoption continued to grow in 2020, in part due to the market forces of the COVID-19 pandemic. According to App Annie’s annual “State of Mobile” industry report, mobile app downloads grew by 7% year-over-year to a record 218 billion in 2020. Meanwhile, consumer spending grew by 20% to also hit a new milestone of $143 billion, led by markets that included China, the United States, Japan, South Korea and the United Kingdom.

Consumers also spent 3.5 trillion minutes using apps on Android devices alone, the report found.

In another shift, app usage in the U.S. surged ahead of the time spent watching live TV. Currently, the average American watches 3.7 hours of live TV per day, but now spends four hours on their mobile device.

The increase in time spent is a trend that’s not unique to the U.S., but can be seen across several other countries, including both developing mobile markets like Indonesia, Brazil and India, as well as places like China, Japan, South Korea, the U.K., Germany, France and others.

The trend isn’t isolated to any one demographic, either, but is seen across age groups. In the U.S., for example, Gen Z, millennials and Gen X/Baby Boomers spent 16%, 18% and 30% more time in their most-used apps year-over-year, respectively. However, what those favorite apps looked like was very different.

For Gen Z in the U.S., top apps on Android phones included Snapchat, Twitch, TikTok, Roblox and Spotify.

Millennials favored Discord, LinkedIn, PayPal, Pandora and Amazon Music.

And Gen X/Baby Boomers used Ring, Nextdoor, The Weather Channel, Kindle and ColorNote Notepad Notes.

The pandemic didn’t necessarily change how consumers were using apps in 2020, but rather accelerated mobile adoption by two to three years’ time, the report found.

Investors were also eager to fuel mobile businesses as a result, pouring $73 billion in capital into mobile companies — a figure that’s up 27% year-over-year. According to Crunchbase data, 26% of total global funding dollars in 2020 went to businesses that included a mobile solution.

From 2016 to 2020, global funding to mobile technology companies more than doubled compared with the previous five years, and was led by financial services, transportation, commerce and shopping.

Mobile gaming adoption also continued to grow in 2020. Casual games dominated the market in terms of downloads (78%), but Core games accounted for 66% of games’ consumer spend and 55% of the time spent.

With many stuck inside due to COVID-19 lockdowns and quarantines, mobile games that offered social interaction boomed. Among Us, for example, became a breakout game in several markets in 2020, including the U.S.

Other app categories saw sizable increases over the past year, as well.

Time spent in Finance apps in 2020 was up 45% worldwide, outside of China, and participation in the stock market grew 55% on mobile, thanks to apps like Robinhood in the U.S. and others worldwide that democratized investing and trading.

TikTok had a big year, too.

The app saw incredible 325% year-over-year growth, despite a ban in India, and ranked in the top five apps by time spent. The average monthly time spent per user also grew faster than nearly every other app analyzed, including 65% in the U.S. and 80% in the U.K., surpassing Facebook. TikTok is now on track to hit 1.2 billion active users in 2021, App Annie forecasts.

Other video services boomed in 2020, thanks to a combination of new market entrants and a lot of time spent at home. Consumers spent 40% more hours streaming on mobile devices, with time spent in streaming apps peaking in the second quarter in the west as the pandemic forced people inside.

YouTube benefitted from this trend, as it became the No. 1 streaming app by time spent among all markets analyzed except China. The time spent in YouTube, at 38 hours per month, is up to 6x that of the next closest app.

Of course, another big story for 2020 was the rise of e-commerce amid the pandemic. This made the past year the biggest ever for mobile shopping, with an over 30% increase in time spent in Shopping apps, as measured on Android phones outside of China.

Mobile commerce, however, looked less traditional in 2020.

Social shopping was a big trend, with global downloads of Pinterest and Instagram growing 50% and 20% year-over-year, respectively.

Livestreaming shopping grew, too, led by China. Downloads of live shopping TaoBao Live in China, Grip in South Korea and NTWRK in the U.S. grew 100%, 245% and 85%, respectively. NTWRK doubled in size last year, and now others are entering the space as well — including TikTok, to some extent.

The pandemic also prompted increased usage of mobile ordering apps. In the U.S., Argentina, the U.K., Indonesia and Russia, usage of these apps grew by 60%, 65%, 70%, 80% and 105%, respectively, in Q4.

Business apps, like Zoom and Google Meet among others, grew 275% in Q4, for example, as remote work, and sometimes school, continued.

The analysis additionally included lists of the top apps by downloads, spending and monthly active users (MAUs).

Although TikTok had been topping year-end charts, Facebook continued to beat it in terms of MAUs. Facebook-owned apps controlled the top charts by MAUs, with Facebook at No. 1 followed by WhatsApp, Messenger and Instagram.

TikTok, however, had more downloads than Facebook and ranked No. 2 by consumer spending, behind Tinder.

The full report is available only as an online interactive experience this year, not a download. The report largely uses data from both the iOS App Store and Google Play, except where otherwise noted.

Chris Krebs and Alex Stamos have started a cyber consulting firm

Former U.S. cybersecurity official Chris Krebs and former Facebook chief security officer Alex Stamos have founded a new cybersecurity consultancy firm, which already has its first client: SolarWinds.

The two have been hired as consultants to help the Texas-based software maker recover from a devastating breach by suspected Russian hackers, who used the company’s software to plant backdoors in thousands of organizations and to infiltrate at least 10 U.S. federal agencies and several Fortune 500 businesses.

At least the Treasury, State and the Department of Energy have been confirmed breached, in what has been described as likely the most significant espionage campaign against the U.S. government in years. And while the U.S. government has already pinned the blame on Russia, the scale of the intrusions is not likely to be known for some time.

Krebs was one of the most senior cybersecurity officials in the U.S. government, most recently serving from 2018 as the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), until he was fired by President Trump for his efforts to debunk false election claims — many of which came from the president himself. Stamos, meanwhile, joined the Stanford Internet Observatory after holding senior cybersecurity positions at Facebook and Yahoo. He also consulted for Zoom amid a spate of security problems.

In an interview with the Financial Times, which broke the story, Krebs said it could take years before the hackers are ejected from infiltrated systems.

SolarWinds chief executive Sudhakar Ramakrishna acknowledged in a blog post that it had brought on the consultants to help the embattled company to be “transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements.”

After the FireEye and SolarWinds breaches, what’s your failsafe?

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend to turn a compromise into a meaningful breach. We’ve heard FireEye put effort and execution into the protection of sensitive tools and accesses, forcing the Russians to put stunning effort into a breach.

More evidence of FireEye’s dedication to security can be seen in the speed with which it moved to publish countermeasure tools. While the SolarWinds breach has had stunning immediate fallout, I’ll reserve opining about SolarWinds until we learn the details of the whole event, because while a breach that traverses the supply chain should be exceedingly rare, such breaches will never be stopped entirely.

All this is to say, this news isn’t surprising to me. Security organizations are a top adversarial target, and I would expect a nation-state like Russia to go to great lengths to impede FireEye’s ability to protect its customers. FireEye has trusted relationships with many enterprise organizations, which makes it a juicy target for espionage activities. SolarWinds, with its lengthy list of government and large enterprise customers, is a desirable target for an adversary looking to maximize its efforts.

SolarWinds' hackers gained access to multiple federal agencies.

Image Credits: David Wolpoff

Hack SolarWinds once, and Russia gains access to many of its prized customers. This isn’t the first time a nation-state adversary has gone through the supply chain. Nor is it likely to be the last.

For security leaders, this is a good opportunity to reflect on their reliance and trust in technology solutions. These breaches are reminders of unseen risk debt: Organizations have a huge amount of potential harm built up through their providers that typically isn’t adequately hedged against.

People need to ask the question, “What happens when my MSSP, security vendor or any tech vendor is compromised?” Don’t look at the SolarWinds hack in isolation. Look at every one of your vendors that can push updates into your environment.

No single tool can be relied on to never fail.

You need to expect that FireEye, SolarWinds and every other vendor in your environment will eventually get compromised. When failures occur, you need to know: “Will the remainder of my plans be sufficient, and will my organization be resilient?”

What’s your backup plan when this fails? Will you even know?

If your security program is critically dependent on FireEye (Read: It’s the primary security platform), then your security program is dependent on FireEye implementing, executing and auditing its own program, and you and your management need to be okay with that.

Often, organizations purchase a single security solution to cover multiple functions, like their VPN, firewall, monitoring solution and network segmentation device. But then you have a single point of failure. If the box stops working (or is hacked), everything fails.

From a structural standpoint, it’s hard to have something like SolarWinds be a point of compromise and not have wide-reaching effects. But if you trusted SolarWinds’ Orion platform to talk to and integrate with everything in your environment, then you accepted the risk that a breach like this could happen. When I think about utilizing any tool (or service), one question I always ask is, “When this thing fails, or is hacked, how will I know and what will I do?”

Sometimes the answer might be as simple as, “That’s an insurance-level event,” but more often I’m thinking about other ways to get some signal to the defenders. In this case, when SolarWinds is the vector, will something else in my stack still give me an indication that my network is spewing traffic to Russia?

Architecting a resilient security program isn’t easy; in fact, it’s a really hard problem to solve. No product or vendor is perfect; that’s been proven time and again. You need to have controls layered on top of each other. Run through “what happens” scenarios. Organizations focusing on defense in depth, and defending forward, will be in a more resilient position. How many failures does it take for a hacker to get to the goods? It should take more than one mishap for critical data to end up in Russia’s hands.

It’s critical to think in terms of probability and likelihood and put controls in place to prevent accidental changes to baseline security. Least privilege should be the default, and lots of segmenting should prevent rapid lateral motion. Monitoring and alerting should trigger responses, and if any wild deviations occur, the fail safes should activate. Run a red-team security program, see how well you stack up and learn from your mistakes.
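As an added illustration of the question the passage raises (example code, not the author’s), the check below reviews constructed flow-log lines from a hypothetical network-monitoring server (“mgmt-nms-01”) against a per-host baseline of approved external destinations, so that a compromised management platform still produces a signal from a control it does not own. Host names, addresses, log lines and the baseline are all constructed.

```python
"""Independent egress check for high-trust management hosts.

Added example, not from the original article. A separate control (flow-log
review) keeps a per-host baseline of approved external destinations for
hosts that are trusted to talk to everything internally, and flags any
deviation. All host names, IP addresses and log lines are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: "<timestamp> <src_host> <dst_ip> <dst_port> <bytes_out>".
# "mgmt-nms-01" stands for a hypothetical monitoring server that should reach
# only internal ranges plus its vendor's update endpoint.
SAMPLE_FLOWS = """\
2020-12-13T02:10:01Z mgmt-nms-01 10.20.0.15 161 1200
2020-12-13T02:10:04Z mgmt-nms-01 10.20.0.16 161 1180
2020-12-13T02:11:30Z mgmt-nms-01 203.0.113.10 443 9100
2020-12-13T02:12:02Z mgmt-nms-01 198.51.100.77 443 418000
2020-12-13T02:12:40Z web-proxy-01 198.51.100.77 443 2200
2020-12-13T02:13:05Z mgmt-nms-01 192.0.2.200 443 2300
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Approved external destinations per high-trust host (constructed).
# 203.0.113.10 stands in for the vendor's documented update endpoint.
EGRESS_BASELINE = {
    "mgmt-nms-01": {"203.0.113.10"},
}


@dataclass(frozen=True)
class Alert:
    host: str
    dst_ip: str
    dst_port: int
    bytes_out: int
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[tuple[str, str, str, int, int]]:
    """Parse the whitespace-separated flow format used in SAMPLE_FLOWS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        rows.append((ts, host, dst, int(port), int(nbytes)))
    return rows


def check_egress(flows, baseline, large_transfer_bytes: int = 100_000) -> list[Alert]:
    """Flag baseline-listed hosts reaching external destinations not in their baseline.

    Only hosts present in `baseline` are checked; other hosts (a web proxy,
    say) are expected to talk to the internet and are ignored here.
    """
    alerts = []
    for _ts, host, dst, port, nbytes in flows:
        if host not in baseline or is_internal(dst):
            continue
        if dst in baseline[host]:
            continue
        reason = "external destination not in baseline"
        if nbytes >= large_transfer_bytes:
            reason += "; large outbound transfer"
        alerts.append(Alert(host, dst, port, nbytes, reason))
    return alerts


def summarize(alerts) -> dict[str, int]:
    """Alert count per host: which trusted host is deviating from its baseline."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert.host] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in check_egress(parse_flows(SAMPLE_FLOWS), EGRESS_BASELINE):
        print(f"ALERT {a.host} -> {a.dst_ip}:{a.dst_port} ({a.bytes_out} B): {a.reason}")
```

The baseline is the control here: it is maintained outside the monitored platform, so the platform being compromised does not silence it.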

Much was made of the security impacts of the FireEye breach. In reality, Russia already has tools commensurate to those taken from FireEye. So while pundits might like to make a big story out of the tools themselves, this is not likely to be reminiscent of other leaks, such as those of NSA tools in 2017.

The exploits released from the NSA were remarkable and immediately useful to adversaries, and those exploits were responsible for the temporarily increased risk the industry experienced after the Shadow Brokers hack — it wasn’t the rootkits and malware (which are what was stolen from FireEye). In the FireEye case, since it appears that no zero-days or exploits were taken, I don’t expect that breach to cause significant shockwaves.

Breaches of this magnitude are going to happen. If they’re something your organization needs to be resilient against, then it’s best to be prepared for them.

Dozens of journalists’ iPhones hacked with NSO ‘zero-click’ spyware, says Citizen Lab

Citizen Lab researchers say they have found evidence that dozens of journalists had their iPhones silently compromised with spyware known to be used by nation states.

For more than a year, London-based reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability in Apple’s iMessage. The attack invisibly compromised the devices without having to trick the victims into opening a malicious link.

Citizen Lab, the internet watchdog at the University of Toronto, was asked to investigate earlier this year after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected that his phone may have been hacked.

In a technical report out Sunday and shared with TechCrunch, the researchers say they believe the journalists’ iPhones were infected with the Pegasus spyware, developed by Israel-based NSO Group.

The researchers analyzed Almisshal’s iPhone and found that between July and August it had connected to servers known to be used by NSO for delivering the Pegasus spyware. The device revealed a burst of network activity that suggests the spyware may have been delivered silently over iMessage.

Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone’s camera, access the victim’s passwords, and track the phone’s location.

Citizen Lab analyzed the network logs of two hacked iPhones and found it could record ambient calls, take photos using the camera, and track the device’s location without the victim knowing. (Image: Citizen Lab)

Citizen Lab said the bulk of the hacks were likely carried out by at least four NSO customers, including the governments of Saudi Arabia and the United Arab Emirates, citing evidence it found in similar attacks involving Pegasus.

The researchers found evidence that two other NSO customers hacked into one and three Al Jazeera phones respectively, but that they could not attribute the attacks to a specific government.

A spokesperson for Al Jazeera, which just broadcast its reporting of the hacks, did not immediately comment.

NSO sells governments and nation states access to its Pegasus spyware as a prepackaged service, providing the infrastructure and the exploits needed to launch the spyware against the customer’s targets. But the spyware maker has repeatedly distanced itself from what its customers do and has said it does not know who its customers target. Some of NSO’s known customers include authoritarian regimes like China and Russia. Saudi Arabia allegedly used the surveillance technology to spy on the communications of columnist Jamal Khashoggi shortly before his murder, which U.S. intelligence concluded was likely ordered by the kingdom’s de facto ruler, Crown Prince Mohammed bin Salman.

Citizen Lab said it also found evidence that Dridi, a journalist at Arabic television station Al Araby in London, had fallen victim to a zero-click attack. The researchers said Dridi was likely targeted by the UAE government.

In a phone call, Dridi told TechCrunch that her phone may have been targeted because of her close association to a person of interest to the UAE.

Dridi’s phone, an iPhone XS Max, was targeted for a longer period, likely between October 2019 and July 2020. The researchers found evidence that she was targeted on two separate occasions with a zero-day attack — the name for an exploit that has not been previously disclosed and for which a patch is not yet available — because her phone was running the latest version of iOS both times.

“My life is not normal anymore. I don’t feel like I have a private life again,” said Dridi. “To be a journalist is not a crime,” she said.

Citizen Lab said its latest findings reveal an “accelerating trend of espionage” against journalists and news organizations, and that the growing use of zero-click exploits makes it increasingly difficult — though evidently not impossible — to detect because of the more sophisticated techniques used to infect victims’ devices while covering their tracks.

When reached on Saturday, NSO said it was unable to comment on the allegations as it had not seen the report, and declined to say, when asked, whether Saudi Arabia or the UAE were customers or to describe what processes — if any — it puts in place to prevent customers from targeting journalists.

“This is the first we are hearing of these assertions. As we have repeatedly stated, we do not have access to any information related to the identities of individuals upon whom our system is alleged to have been used to conduct surveillance. However, when we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations,” said a spokesperson.

“We are unable to comment on a report we have not yet seen. We do know that CitizenLab regularly publishes reports based on inaccurate assumptions and without a full command of the facts, and this report will likely follow that theme. NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, but as stated in the past, we do not operate them. Nevertheless, we are committed to ensuring our policies are adhered to, and any evidence of a breach will be taken seriously and investigated.”

Citizen Lab said it stood by its findings.

Spokespeople for the Saudi and UAE governments in New York did not respond to an email requesting comment.

The attacks not only put a renewed focus on the shadowy world of surveillance spyware, but also on the companies having to defend against it. Apple rests much of its public image on advocating privacy for its users and building secure devices, like iPhones, designed to be hardened against the bulk of attacks. But no technology is impervious to security bugs. In 2016, Reuters reported that UAE-based cybersecurity firm DarkMatter bought a zero-click exploit to target iMessage, which they referred to as “Karma.” The exploit worked even if the user did not actively use the messaging app.

Apple told TechCrunch that it had not independently verified Citizen Lab’s findings but that the vulnerabilities used to target the reporters were fixed in iOS 14, released in September.

“At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation-states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data,” said an Apple spokesperson.

NSO is currently embroiled in a legal battle with Facebook, which last year blamed the Israeli spyware maker for using a similar, previously undisclosed zero-click exploit in WhatsApp to infect some 1,400 devices with the Pegasus spyware.

Facebook discovered and patched the vulnerability, stopping the attack in its tracks, but said that more than 100 human rights defenders, journalists and “other members of civil society” had fallen victim.

U.S. charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack

Six Russian intelligence officers accused of launching some of the “world’s most destructive malware” — including an attack that took down the Ukraine power grid in December 2015 and the NotPetya global ransomware attack in 2017 — have been charged by the U.S. Justice Department.

Prosecutors said the group of hackers, who work for the Russian GRU, are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group.”

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, U.S. assistant attorney general for national security. “Today the Department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

The six accused Russian intelligence officers. (Image: FBI/supplied)

In charges laid out Monday, the hackers are accused of developing and launching attacks using the KillDisk and Industroyer (also known as Crash Override) malware to target and disrupt the power supply in Ukraine, which left hundreds of thousands of customers without electricity two days before Christmas. The prosecutors also said the hackers were behind the NotPetya attack, a ransomware attack that spread across the world in 2017, causing billions of dollars in damages.

The hackers are also said to have used Olympic Destroyer, designed to knock out internet connections during the opening ceremony of the 2018 PyeongChang Winter Olympics in South Korea.

Prosecutors also blamed the six hackers for trying to disrupt the 2017 French elections by launching a “hack and leak” operation to discredit the then-presidential frontrunner, Emmanuel Macron, as well as launching targeted spearphishing attacks against the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory, tasked with investigating the use of the Russian nerve agent Novichok in Salisbury, U.K. in 2018, and attacks against targets in Georgia, the former Soviet state.

The alleged hackers — Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32 — are all charged with seven counts of conspiracy to hack, commit wire fraud, and causing computer damage.

The accused are believed to be in Russia. But the indictment serves as a “name and shame” effort, frequently employed by Justice Department prosecutors in recent years where arrests or extraditions are not likely or possible.

Russian surveillance tech startup NtechLab nets $13M from sovereign wealth funds

NtechLab, a startup that helps analyze footage captured by Moscow’s 100,000 surveillance cameras, just closed an investment of more than RUB 1 billion ($13 million) to further global expansion.

The five-year-old company sells software that recognizes faces, silhouettes and actions in videos. It can do so at vast scale in real time, allowing clients to react promptly to situations. That is a key “differentiator” for the company, co-founder Artem Kukharenko told TechCrunch.

“There could be systems which can process, for example, 100 cameras. When there are a lot of cameras in a city, [these systems] connect 100 cameras from one part of the city, then disconnect them and connect another hundred cameras in another part of the city, so it’s not so interesting,” he suggested.

The latest round, financed by Russia’s sovereign wealth fund, the Russian Direct Investment Fund, and an undisclosed sovereign wealth fund from the Middle East, certainly carries more strategic than financial importance. The company broke even last year with revenue reaching $8 million, three times the figure from the previous year, and expects to finish 2020 at a similar growth pace.

Nonetheless, the new round will enable the startup to develop new capabilities such as automatic detection of aggressive behavior and vehicle recognition as it seeks new customers in its key markets of the Middle East, Southeast Asia and Latin America. City contracts have been a major revenue driver for the firm, but it plans to woo non-government clients, such as those in the entertainment industry, finance, trade and hospitality.

The company currently boasts clients in 30 cities across 15 countries in the Commonwealth of Independent States (CIS) bloc, Middle East, Latin America, Southeast Asia and Europe.

These customers may procure from a variety of hardware vendors featuring different graphic processing units (GPUs) to carry out computer vision tasks. As such, NtechLab needs to ensure it’s constantly in tune with different GPU suppliers. Ten years ago, Nvidia was the go-to solution, recalled Kukharenko, but rivals such as Intel and Huawei have cropped up in recent times.

The Moscow-based startup began life as consumer software that allowed users to find someone’s online profile by uploading a photo of the person. It later pivoted to video and has since attracted government clients keen to deploy facial recognition in law enforcement. For instance, during the COVID-19 pandemic, the Russian government has used NtechLab’s system to monitor large gatherings and implement access control.

Around the world, authorities have rushed to implement similar forms of public health monitoring and tracking for virus control. While these projects are usually well-meaning, they inspire a much-needed debate around privacy, discrimination, and other consequences brought by the scramble for large-scale data solutions. NtechLab’s view is that when used properly, video surveillance generally does more good than harm.

“If you can monitor people quite [effectively], you don’t need to close all people in the city… The problem is people who don’t respect the laws. When you can monitor these people and [impose] a penalty on them, you can control the situation better,” argued Alexander Kabakov, the other co-founder of the company.

As it expands globally, NtechLab inevitably comes across customers who misuse or abuse its algorithms. While it claimed to keep all customer data private and have no control over how its software is used, the company strives to “create a process that can be in compliance with local laws,” said Kukharenko.

“We vet our partners so we can trust them, and we know that they will not use our technology for bad purposes.”

A bug in Joe Biden’s campaign app gave anyone access to millions of voter files

A privacy bug in Democratic presidential candidate Joe Biden’s official campaign app allowed anyone to look up sensitive voter information on millions of Americans, a security researcher has found.

The campaign app, Vote Joe, allows Biden supporters to encourage friends and family members to vote in the upcoming U.S. presidential election by uploading their phone’s contact lists to see if their friends and family members are registered to vote. The app uploads and matches the user’s contacts with voter data supplied from TargetSmart, a political marketing firm that claims to have files on more than 191 million Americans.

When a match is found, the app displays the voter’s name, age and birthday, and which recent election they voted in. This, the app says, helps users “find people you know and encourage them to get involved.”

While much of this data can already be public, the bug made it easy for anyone to access any voter’s information by using the app.

The App Analyst, a mobile expert who detailed his findings on his eponymous blog, found that he could trick the app into pulling in anyone’s information by creating a contact on his phone with the voter’s name.

Worse, he told TechCrunch, the app pulls in a lot more data than it actually displays. By intercepting the data that flows in and out of the device, he saw far more detailed and private information, including the voter’s home address, date of birth, gender, ethnicity and political party affiliation, such as Republican or Democrat.

The Biden campaign fixed the bug and pushed out an app update on Friday.
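The over-fetching described above, as an added example rather than the Vote Joe app’s actual code: a name-match handler that returns the full enriched record (the failure mode the researcher observed when intercepting traffic) beside one that projects the response onto the fields the screen displays. Voter records, field names and function names are constructed.

```python
"""Over-fetching in a contact-match API: vulnerable vs. hardened response.

Added example, not the campaign app's code. The server answering a name
match with the whole voter record, while the client merely hides the extra
fields, means anyone intercepting the response sees address, gender,
ethnicity and party. The hardened handler applies an allowlist before the
data leaves the server. All records and field names are constructed.
"""
from __future__ import annotations

from typing import Any

# Constructed voter-file rows standing in for the enriched commercial data.
VOTER_FILE = [
    {"voter_id": "V-1001", "name": "Alex Example", "age": 41, "birthday": "1979-05-02",
     "recent_elections": ["2016-general", "2018-midterm"],
     "home_address": "12 Sample St, Scranton, PA", "gender": "F",
     "ethnicity": "(constructed)", "party": "Democrat"},
    {"voter_id": "V-1002", "name": "Sam Sample", "age": 63, "birthday": "1957-11-20",
     "recent_elections": ["2018-midterm"],
     "home_address": "9 Placeholder Ave, Scranton, PA", "gender": "M",
     "ethnicity": "(constructed)", "party": "Republican"},
]

# What the app screen shows, per the article: name, age, birthday and which
# recent elections the person voted in. Everything else is over-fetch.
DISPLAYED_FIELDS = ("name", "age", "birthday", "recent_elections")


def lookup_by_name(name: str) -> dict[str, Any] | None:
    """Case-insensitive exact match on the contact's display name."""
    key = name.strip().casefold()
    for row in VOTER_FILE:
        if row["name"].casefold() == key:
            return row
    return None


def match_contact_vulnerable(contact_name: str) -> dict[str, Any] | None:
    """Before: the whole enriched record is serialized; the client hides the rest.

    Creating a contact with a target's name and capturing the response
    exposes every field, displayed or not.
    """
    return lookup_by_name(contact_name)


def match_contact_hardened(contact_name: str) -> dict[str, Any] | None:
    """After: project onto an explicit allowlist server-side.

    Fields the client never renders are never transmitted, so an intercepted
    response carries no more than the screen does.
    """
    row = lookup_by_name(contact_name)
    if row is None:
        return None
    return {field: row[field] for field in DISPLAYED_FIELDS}


def leaked_fields(response: dict[str, Any] | None) -> set[str]:
    """Fields in a response beyond the displayed set.

    A reviewer can run this over captured API responses: any non-empty
    result is data the UI does not need and the server should not send.
    """
    if response is None:
        return set()
    return set(response) - set(DISPLAYED_FIELDS)
```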

A screenshot of Joe Biden’s official campaign app, which uploads and matches a user’s contacts with their existing voter file. But a bug allowed anyone to pull in any voter’s information. (Image: TechCrunch)

“We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed,” Matt Hill, a spokesperson for the Biden campaign, told TechCrunch. “We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters and will always work with our vendors to do so.”

After publication, Hill disputed the researcher’s findings and denied that the app returned gender, ethnicities or home addresses.

A spokesperson for TargetSmart said a “limited amount of publicly or commercially available data” was accessible to other users.

It’s not uncommon for political campaigns to trade and share large amounts of voter information, called voter files, which includes basic information like a voter’s name, often their home address and contact information and which political parties they are registered with. Voter files can differ wildly state to state.

Though a lot of this data can be publicly available, political firms also try to enrich their databases with additional data from other sources to help political campaigns identify and target key swing voters.

But several security lapses involving these vast banks of data have questioned whether political firms can keep this data safe.

It’s not the first time TargetSmart has been embroiled in a data leak. In 2017, a voter file compiled by TargetSmart on close to 600,000 voters in Alaska was left on an exposed server without a password. And in 2018, TechCrunch reported that close to 15 million records on Texas voters were found on an exposed and unsecured server, just months ahead of the U.S. midterm elections.

Last week Microsoft warned that hackers backed by Russia, China and Iran are targeting not only the 2020 presidential campaigns but also their political advisers. Reuters reported that one of those firms, Washington, DC-based SKDKnickerbocker, a political consultant to the Biden campaign, was targeted by Russian intelligence but that there was “no breach.”

Updated with Hill remarks.

CarbonChain is using AI to determine the emissions profile of the world’s biggest polluters

It was the Australian bush fire that finally did it.

For 12 years Adam Hearne had worked at companies that represented some of the world’s largest sources of greenhouse gas emissions. First at Rio Tinto, one of the largest industrial miners, and then at Amazon, where he handled inbound delivery operations across the EU, Hearne was involved in ensuring that things flowed smoothly for companies whose operations spew millions of tons of carbon dioxide into the environment.

Amazon’s business alone was responsible for emitting 51.17 million metric tons of carbon dioxide last year — the equivalent of 13 coal-burning power plants, according to a report from the company.

Then, Hearne’s home country burned.

In 2019 wildfires erupted that engulfed more than 46 million acres of land, destroyed over 9,000 buildings, and killed over 400 people and untold numbers of animals — driving some species to the brink of extinction.

Hearne, along with an old friend from his business school rugby days (Roheet Shah) and computer science and machine learning experts from Imperial College of London (Yuri Oparin and Jeremiah Smith), launched CarbonChain that year. The company, now poised to graduate from the latest Y Combinator cohort, is pitching a service that can accurately account for emissions from the commodities industry — which is responsible for 50% of the world’s greenhouse gas emissions.

The company’s services are coming at the right time. Countries around the globe are poised to adopt much more stringent regulations around carbon dioxide and greenhouse gas emissions. The European Union is slowly working toward passage of sweeping new regulations on climate change that are mirrored in the region’s local economies. Even petrostates like Russia are poised to enact new climate regulations (at least according to Russian officials).

What’s missing in all of this are ways for companies to accurately track their emissions and technologies that can adequately monitor how well emissions offsets are working.

CarbonChain tackles this problem by going to the sectors that are responsible for the largest percentage of greenhouse gas emissions, Hearne said.

“The world needs hard accounting and hard numbers of what commodities companies are producing,” said Hearne in a July interview.

To ensure that emissions reductions and regulations are working, regulators need to go after oil and gas and commodities and minerals producers, according to Hearne. “Those sectors are uniform and carbon intensive and that’s how you quantify them,” he said.

CarbonChain has built models for every single asset in the supply chain for these industries, according to Hearne. The company has created digital twins of every piece of equipment used in heavy industry. If CarbonChain can’t get the information about the equipment from the companies that use it, they go to the engineering firms that built the equipment or facility for the company.

“In order to get a number that doesn’t get laughed out of the room we have to go down to the aluminum smelter that has a power station right next to it,” said Hearne. “Ninety percent of its footprint is its electrical usage.”

According to Hearne, CarbonChain’s system is so precise that it can tell users how much carbon emissions are embedded in a cup of coffee or a glass of wine (which is two pounds of carbon dioxide for imported wine, by the way).

CarbonChain is already selling its services to commodities producers and carbon traders who are operating in existing carbon trading schemes.

So far, the company has received roughly $500,000 from the U.K. government and an investment from one of its (undisclosed) commodities customers.

But CarbonChain’s technology seems to have the most rigorous methodology of any of the companies that are purporting to do emissions monitoring. Other startups purporting to provide carbon emissions data for companies include Persefoni, which raised $3.5 million for its solution, and another Y Combinator graduate, SINAI Technologies.

If the company can actually measure the embedded emissions of materials down to a single piece of rebar, it could have huge consequences for industry broadly.

The company also slots nicely into the trend of entrepreneurs with deep industry experience building vertical solutions based on the collection of massive data sets using machine learning.

Decrypted: Hackers show off their exploits as Black Hat goes virtual

Every year hackers descend on Las Vegas in the sweltering August heat to break ground on security research and the most innovative hacks. This year was no different, even if it was virtual.

To name a few: Hackers tricked an ATM into spitting out cash. A duo of security researchers figured out a way to detect the latest cell site simulators. Car researchers successfully hacked into a Mercedes-Benz. A Windows bug some two decades old can be used to plant malware. Cryptocurrency exchanges were extremely vulnerable to hackers for a time. Internet satellites are more insecure than we thought, and their data streams can contain sensitive, unencrypted data. Two security researchers lived to tell the tale after they were arrested for an entirely legal physical penetration test. And a former NSA hacker revealed how to plant malware on a Mac using a booby-trapped Word document.

But with less than three months until millions of Americans go to the polls, Black Hat sharpened its focus on election security and integrity more so than any previous year.

Here’s more from the week.


THE BIG PICTURE

A major voting machine maker is finally opening up to hackers

The relationship between hackers and election machine manufacturers has been nothing short of fraught. No company wants to see their products torn apart for weaknesses that could be exploited by foreign spies. But one company, once resistant to the security community, has started to show signs of compromise.

Election equipment maker ES&S is opening up its voting machines to hackers — willingly — under a new vulnerability disclosure program. That will see the company embrace hackers for the first time, recognizing that hackers have knowledge, insight and experience — rather than pushing them away and ignoring the problems altogether. Or, as the company’s security chief told Wired: “Hackers gonna hack, researchers gonna research.”