Some sage security advice after Radiohead’s unreleased music hack

Bad news: Radiohead was hacked.

Last week, a hacker stole lead singer Thom Yorke’s private minidisc archive from the sessions for the band’s third album, “OK Computer,” which went on to become a major worldwide hit. The hacker demanded $150,000 or they’d release the recordings to the public.

Stuck between a ransom and a hard place, Radiohead released the tapes themselves.

The recordings were “never intended for public consumption” and “only tangentially interesting,” the band said in a post on Facebook. But “instead of complaining – much – or ignoring it, we’re releasing all 18 hours on Bandcamp” in aid of Extinction Rebellion, a climate change group.

Until the end of the month, the stolen recordings will be available for £18 ($23).

There is, though, a lesson to be learned. Holding files for ransom is more common today than ever thanks to ransomware, and the Radiohead episode isn’t too dissimilar from a ransomware attack: pay the ransom or lose your files, or worse, have them spread all over the internet. That’s a business’ worst nightmare. We’ve seen ransomware cripple the computer networks of some of the largest companies around the world, like Arizona Beverages, Norsk Hydro and shipping giant Maersk. Ransomware is now a multibillion-dollar business, and it’s growing.

In any ransom-type situation, the FBI has long told victims of ransomware to never pay. Security experts agree. Simply put, you run the risk of losing your files even if you pay the demand.

ProPublica recently found that even some of the largest ransomware recovery companies are quietly paying the ransom — and passing on the costs to the victim — with mixed results. In many cases, paying the demand failed to recover the files.

If there’s one takeaway from the Radiohead hack, it’s never pay the ransom. Better yet, plan for the worst and keep backups that are stored offline and tested regularly, so an attacker never holds the only copy of anything you can’t restore yourself.


By Zack Whittaker

Liberty’s challenge to UK state surveillance powers reveals shocking failures

A legal challenge to the UK’s controversial mass surveillance regime has revealed shocking failures by the main state intelligence agency, which has broad powers to hack computers and phones and intercept digital communications, in handling people’s information.

The challenge, by rights group Liberty, led last month to an initial finding that MI5 had systematically breached safeguards in the UK’s Investigatory Powers Act (IPA) — breaches the Home Secretary, Sajid Javid, euphemistically couched as “compliance risks” in a carefully worded written statement that was quietly released to parliament.

Today Liberty has put more meat on the bones of the finding of serious legal breaches in how MI5 handles personal data, culled from newly released (but redacted) documents that it says describe the “undoubtedly unlawful” conduct of the UK’s main security service which has been retaining innocent people’s data for years.

The series of 10 documents and letters from MI5 and the Investigatory Powers Commissioner’s Office (IPCO), the body charged with overseeing the intelligence agencies’ use of surveillance powers, show that the spy agency has failed to meet its legal duties for as long as the IPA has been law, according to Liberty.

The controversial surveillance legislation passed into UK law in November 2016 — enshrining a system of mass surveillance of digital communications which includes a provision that logs of all Internet users’ browsing activity be retained for a full year, accessible to a wide range of government agencies (not just law enforcement and/or spy agencies).

The law also allows the intelligence agencies to maintain large databases of personal information on UK citizens, even if they are not under suspicion of any crime. It also sanctions state hacking of devices, networks and services, including bulk hacking on foreign soil, and gives UK authorities the power to require a company to remove encryption, or limit the rollout of end-to-end encryption on a future service.

The IPA has faced a series of legal challenges since making it onto the statute books, and the government has been forced to amend certain aspects of it on court order — including beefing up restrictions on access to web activity data. Other challenges to the controversial surveillance regime, including Liberty’s, remain ongoing.

The newly released court documents include damning comments on MI5’s handling of data by the IPCO — which writes that: “Without seeking to be emotive, I consider that MI5’s use of warranted data… is currently, in effect, in ‘special measures’ and the historical lack of compliance… is of such gravity that IPCO will need to be satisfied to a greater degree than usual that it is ‘fit for purpose’.”

Liberty also says MI5 knew for three years of failures to maintain key safeguards — such as the timely destruction of material, and the protection of legally privileged material — before informing the IPCO.

Yet a key government sales pitch for passing the legislation was the claim of a ‘world class’ double-lock authorization and oversight regime to enforce the claimed safeguards on the intelligence agencies’ powers to intercept and retain data.

So the latest revelations stemming from Liberty’s legal challenge represent a major embarrassment for the government.

“It is of course paramount that UK intelligence agencies demonstrate full compliance with the law,” the home secretary wrote in the statement last month, before adding his own political spin: “In that context, the interchange between the Commissioner and MI5 on this issue demonstrates that the world leading system of oversight established by the Act is working as it should.”

Liberty comes to the opposite conclusion on that point — emphasizing that warrants for bulk surveillance were issued by senior judges “on the understanding that MI5’s data handling obligations under the IPA were being met — when they were not”.

“The Commissioner has pointed out that warrants would not have been issued if breaches were known,” it goes on. “The Commissioner states that ‘it is impossible to sensibly reconcile the explanation of the handling of arrangements the Judicial Commissioners [senior judges] were given in briefings…with what MI5 knew over a protracted period of time was happening.’”

So, basically, it’s saying that MI5 — having at best misled judges, whose sole job it is to oversee its legal access to data, about its systematic failures to lawfully handle data — has rather made a sham of the entire ‘world class’ oversight regime.

Liberty also flags what it calls “a remarkable admission to the Commissioner” — made by MI5’s deputy director general — who it says acknowledges that personal data collected by MI5 is being stored in “ungoverned spaces”. It adds that the MI5 legal team claims there is “a high likelihood [of material] being discovered when it should have been deleted, in a disclosure exercise leading to substantial legal or oversight failure”.

“Ungoverned spaces” is not a phrase that made it into Javid’s statement last month on MI5’s “compliance risks”.

But the home secretary did acknowledge: “A report of the Investigatory Powers Commissioner’s Office suggests that MI5 may not have had sufficient assurance of compliance with these safeguards within one of its technology environments.”

Javid also said he had set up “an independent review to consider and report back to me on what lessons can be learned for the future”. Though it’s unclear whether that report will be made public. 

We reached out to the Home Office for comment on the latest revelations from Liberty’s litigation. But a spokesman just pointed us to Javid’s prior statement. 

In a statement, Liberty’s lawyer, Megan Goulding, said: “These shocking revelations expose how MI5 has been illegally mishandling our data for years, storing it when they have no legal basis to do so. This could include our most deeply sensitive information – our calls and messages, our location data, our web browsing history.

“It is unacceptable that the public is only learning now about these serious breaches after the Government has been forced into revealing them in the course of Liberty’s legal challenge. In addition to showing a flagrant disregard for our rights, MI5 has attempted to hide its mistakes by providing misinformation to the Investigatory Powers Commissioner, who oversees the Government’s surveillance regime.

“And, despite a light being shone on this deplorable violation of our rights, the Government is still trying to keep us in the dark over further examples of MI5 seriously breaching the law.”


By Natasha Lomas

Vectra lands $100M Series E investment for AI-driven network security

Vectra, a seven-year-old company that helps customers detect intrusions at the network level, whether in the cloud or on premises, announced a $100 million Series E funding round today led by TCV. Existing investors including Khosla Ventures and Accel also participated in the round, which brings the total raised to over $200 million, according to the company.

As company CEO Hitesh Sheth explained, there are two primary types of intrusion detection. The first is endpoint detection; the second is his company’s area of coverage, network detection and response, or NDR. He says that adding a layer of artificial intelligence on top of the network data improves the overall results.

“One of the keys to our success has been applying AI to network traffic, the networking side of NDR, to look for the signal in the noise. And we can do this across the entire infrastructure, from the data center to the cloud all the way into end user traffic including IoT,” he explained.

He said that as companies move their data to the cloud, they are looking for ways to ensure the security of their most valuable data assets, and he says his company’s NDR solution can provide that. In fact, securing the cloud side of the equation is one of the primary investment focuses for this round.

Tim McAdam from lead investor TCV says that the AI piece is a real differentiator for Vectra and one that attracted his firm to invest in the company. He said that while he realized that AI is an overused term these days, after talking to 30 customers he heard over and over again that Vectra’s AI-driven solution was a differentiator over competing products. “All of them have decided to standardize on the Vectra Cognito because to a person, they spoke of the efficacy and the reduction of their threat vectors as a result of standardizing on Vectra,” McAdam told TechCrunch.

The company was founded in 2012 and currently has 240 employees. That number is expected to double in the next 12 to 18 months with this funding.


By Ron Miller

FireEye snags security effectiveness testing startup Verodin for $250M

When FireEye reported its earnings last month, the outlook was a little light, so the security vendor decided to be proactive and make a big purchase. Today, the company announced it has acquired Verodin for $250 million. The deal closed today.

The startup had raised over $33 million since it opened its doors five years ago, according to Crunchbase data, and would appear to have given investors a decent return. With Verodin, FireEye gets a security validation vendor: a company whose platform runs simulated attacks against an organization’s existing security controls to measure whether they actually detect and block them, and to find gaps in coverage.

That would seem to be a handy kind of tool to have in your security arsenal, and could possibly explain the price tag. Perhaps, it could also help set FireEye apart from the broader market, or fill in a gap in its own platform.

FireEye CEO Kevin Mandia certainly sees the potential of his latest purchase. “Verodin gives us the ability to automate security effectiveness testing using the sophisticated attacks we spend hundreds of thousands of hours responding to, and provides a systematic, quantifiable, and continuous approach to security program validation,” he said in a statement.

Chris Key, Verodin co-founder and chief executive officer, sees the purchase through the standard acquisition lens. “By joining FireEye, Verodin extends its ability to help customers take a proactive approach to understanding and mitigating the unique risks, inefficiencies and vulnerabilities in their environments,” he said in a statement. In other words, as part of a bigger company, we’ll do more faster.

While FireEye plans to incorporate Verodin into its on-prem and managed services, it will continue to sell the solution as a stand-alone product, as well.


By Ron Miller

Google says some G Suite user passwords were stored in plaintext since 2005

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext.

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are normally run through a one-way hashing function before they are stored, so that what sits in the database cannot be turned back into the password even by someone with full access to it. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext. A recovery feature that can hand an administrator the existing password only works if the password is kept in a recoverable form, which is precisely what hashing is meant to rule out.
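The contrast the paragraph above draws, between a recoverable copy of the password and a one-way hash, is easiest to see in code. The following is an added example, not Google’s code: a hypothetical in-memory user store that keeps only a salted PBKDF2-HMAC-SHA256 hash, verifies logins in constant time, and whose only administrator “recovery” is issuing a fresh temporary password, because the old one was never stored. The iteration count, record format and class names are this example’s own choices.

```python
# Added example, not Google's code: how a password store should look so that
# neither an administrator nor an attacker reading the database can recover
# the original password. Standard library only; the user table is in memory.
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # deliberately slow; raise it as hardware speeds up
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

class UserStore:
    """Minimal user table (hypothetical). Only the hash string is ever kept."""

    def __init__(self) -> None:
        self._records = {}

    def set_password(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def check_login(self, username: str, password: str) -> bool:
        stored = self._records.get(username)
        if stored is None:
            # Burn the same work for unknown users so timing does not reveal
            # which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, stored)

    def admin_reset(self, username: str) -> str:
        """The only 'recovery' an administrator gets: a new temporary password.
        Handing back the old one is impossible because it was never stored."""
        temporary = secrets.token_urlsafe(12)
        self.set_password(username, temporary)
        return temporary

    def stored_record(self, username: str) -> str:
        return self._records[username]

if __name__ == "__main__":
    store = UserStore()
    store.set_password("alice", "correct horse battery staple")
    print(store.stored_record("alice"))          # hash string, no password in it
    print(store.check_login("alice", "correct horse battery staple"))  # True
    print(store.admin_reset("alice"))            # a fresh temporary password
```

The point of the design is that `admin_reset` is the only administrative path: an onboarding flow that needs to hand a new employee a credential gets a freshly generated one, and nothing in the record lets anyone, insider or intruder, read the original back.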

Google has since removed the feature.

No consumer Gmail accounts were affected by the security lapse, said Frey.

“To be clear, these passwords remained in our secure encrypted infrastructure,” said Frey. “This issue has been fixed and we have seen no evidence of improper access to or misuse of the affected passwords.”

Google has more than 5 million enterprise customers using G Suite.

Google said it also discovered a second security lapse earlier this month while troubleshooting new G Suite customer sign-ups. Since January, the company said, it had been improperly storing “a subset” of unhashed G Suite passwords on its internal systems for up to two weeks. Those systems, Google said, were only accessible to a limited number of authorized Google staff.

“This issue has been fixed and, again, we have seen no evidence of improper access to or misuse of the affected passwords,” said Frey.

Google said it’s notified G Suite administrators to warn of the password security lapse, and will reset account passwords for those who have yet to change them.

A spokesperson confirmed Google has informed data protection regulators of the exposure.

Google becomes the latest company to have admitted storing sensitive data in plaintext in the past year. Facebook said in March that “hundreds of millions” of Facebook and Instagram passwords were stored in plaintext. Twitter and GitHub also admitted similar security lapses last year.


By Zack Whittaker

Egnyte brings native G Suite file support to its platform

Egnyte announced today that customers can now store G Suite files inside its storage, security and governance platform. This builds on the support the company previously had for Office 365 documents.

Egnyte CEO and co-founder Vineet Jain says that while many enterprise customers have seen the value of a collaborative office suite like G Suite, they might have stayed away because of compliance concerns (whether that was warranted or not).

He said that Google has been working on an API for some time that allows companies like Egnyte to decouple G Suite documents from Google Drive. Previously, if you wanted to use G Suite, you had no choice but to store the documents in Google Drive.

Jain acknowledges that the actual integration is pretty much the same as his competitors because Google determined the features. In fact, Box and Dropbox announced similar capabilities over the last year, but he believes his company has some differentiating features on its platform.

“I honestly would be hard pressed to tell you this is different than what Box or Dropbox is doing, but when you look at the overall context of what we’re doing…I think our advanced governance features are a game changer,” Jain told TechCrunch.

What that means is that G Suite customers can open a document and get the same editing experience as they would get were they inside Google Drive, while getting all the compliance capabilities built into Egnyte via Egnyte Protect. What’s more, they can store the files wherever they like, whether that’s in Egnyte itself, an on-premises file store or any cloud storage option that Egnyte supports, for that matter.

G Suite documents stored on the Egnyte platform.

Long before it was commonplace, Egnyte tried to differentiate itself from a crowded market by being a hybrid play where files can live on-premises or in the cloud. It’s a common way of looking at cloud strategy now, but it wasn’t always the case.

Jain has always emphasized a disciplined approach to growing the company, and it has grown to 15,000 customers and 600 employees over 11 years in business. He won’t share exact revenue, but says the company is generating “multi-millions in revenue” each month.

He has been talking about an IPO for some time, and that remains a goal for the company. In a recent letter to employees that Egnyte shared with TechCrunch, Jain put it this way. “Our leadership team, including our board members, have always looked forward to an IPO as an interim milestone — and that has not changed. However, we now believe this company has the ability to not only be a unicorn but to be a multi-billion dollar company in the long-term. This is a mindset that we all need to have moving forward,” he wrote.

Egnyte was founded in 2007 and has raised over $137 million, according to Crunchbase data.


By Ron Miller

Takeaways from F8 and Facebook’s next phase

Extra Crunch offers members the opportunity to tune into conference calls led and moderated by the TechCrunch writers you read every day. This week, TechCrunch’s Josh Constine and Frederic Lardinois discuss major announcements that came out of Facebook’s F8 conference and dig into how Facebook is trying to redefine itself for the future.

Though touted as a developer-focused conference, Facebook spent much of F8 discussing privacy upgrades, how the company is improving its social impact, and a series of new initiatives on the consumer and enterprise side. Josh and Frederic discuss which announcements seem to make the most strategic sense, and which may create attractive (or unattractive) opportunities for new startups and investment.

“This F8 was aspirational for Facebook. Instead of being about what Facebook is, and accelerating the growth of it, this F8 was about Facebook, and what Facebook wants to be in the future.

That’s not the newsfeed, that’s not pages, that’s not profiles. That’s marketplace, that’s Watch, that’s Groups. With that change, Facebook is finally going to start to decouple itself from the products that have dragged down its brand over the last few years through a series of nonstop scandals.”


Josh and Frederic dive deeper into Facebook’s plans around its redesign, Messenger, Dating, Marketplace, WhatsApp, VR, smart home hardware and more. The two also dig into the biggest news, or lack thereof, on the developer side, including Facebook’s Ax and BoTorch initiatives.

For access to the full transcription and the call audio, and for the opportunity to participate in future conference calls, become a member of Extra Crunch. Learn more and try it for free. 


By Arman Tabatabai

VDOO secures $32M for a platform that uses AI to detect and fix vulnerabilities on IoT devices

Our universe of connected things is expanding by the day: the number of objects with embedded processors now exceeds the number of smartphones globally and is projected to reach some 18 billion devices by 2022. But just as that number is growing, so are the opportunities for malicious hackers to use these embedded devices to crack into networks, disrupting how these objects work and stealing information, a problem that analysts estimate will cost $18.3 billion to address by 2023. Now, an Israeli startup called VDOO has raised $32 million to address this, with a platform that identifies and fixes security vulnerabilities in IoT devices, and then tests to make sure that the fixes work.

The funding is being led by WRVI Capital and GGV Capital and also includes strategic investments from NTT DOCOMO (which works with VDOO), MS&AD Ventures (the venture arm of the global cyber insurance firm), and Avigdor Willenz (who founded both Galileo Technologies and Annapurna Labs, respectively acquired by Marvell and Amazon). 83North, Dell Technology Capital and David Strohm, who backed VDOO in its previous round of $13 million in January 2018, also participated, bringing the total raised by VDOO now to $45 million.

VDOO — a reference to the Hebrew word that sounds like “vee-doo” and means “making sure” — was cofounded by Netanel Davidi (co-CEO), Uri Alter (also co-CEO) and Asaf Karas (CTO). Davidi and Alter previously co-founded Cyvera, a pioneer in endpoint security that was acquired by Palo Alto Networks and became the basis for its own endpoint security product; Karas meanwhile has extensive experience coming to VDOO of working, among other places, for the Israeli Defense Forces.

In an interview, Davidi noted that the company was created out of one of the biggest shortfalls of IoT.

“Many embedded systems have a low threshold for security because they were not created with security in mind,” he said, noting that this is partly due to concerns of how typical security fixes might impact performance, and the fact that this has typically not been a core competency for hardware makers, but something that is considered after devices are in the market. At the same time, a lot of security solutions today in the IoT space have focused on monitoring, but not fixing, he added. “Most companies have good solutions for the visibility of their systems, and are able to identify vulnerabilities on the network, but are not sufficient at protecting devices themselves.”

The sheer number of devices on the market and their spread across a range of deployments from manufacturing and other industrial scenarios, through to in-home systems that can be vulnerable even when not connected to the internet, also makes for a complicated and uneven landscape.

VDOO’s approach was to conceive of a very lightweight implementation that sits on a small group of devices — “small” is relative here: the set was 16,000 objects — applying machine learning to “learn” how different security vulnerabilities might behave to discover adjacent hacks that hadn’t yet been identified.

“For any kind of vulnerability, using deep binary analysis capabilities, we try to understand the broader idea, to figure out how a similar vulnerability can emerge,” he said.

Part of the approach is to pare down security requirements and solutions to those pertinent to the device in question, and providing clear guidance to vendors for how to best avoid problems in the first place at the development stage. VDOO then also generates specific “tailor-made on-device micro-agents” to continue the detection and repair process. (Davidi likened it to a modern approach to some cancer care: preventive measures such as periodic monitoring checks; followed by a “tailored immunotherapy” based on prior analysis of DNA.)

It currently supports Linux- and Android-based operating systems as well as FreeRTOS, with support for more systems coming soon, Davidi said. It sells its services primarily to device makers, who can push over-the-air updates to devices that have already been purchased and deployed, to keep them up to date with the latest fixes. Typical devices currently secured with VDOO tech include safety and security devices such as surveillance cameras, NVRs & DVRs, fire alarm systems, access controls, routers, switches and access points, Davidi said.

It’s the focus on providing security services for hardware makers, in fact, that helps VDOO stand out from the others in the field.

“Among all startups for embedded systems, VDOO is the first to introduce a unique, holistic approach focusing on the device vendors which are the focal enabler in truly securing devices,” said Lip-Bu Tan, founding partner of WRVI Capital. “We are delighted to back VDOO’s technology, and the exceptional team that has created advanced tools to allow vendors to secure devices as much as possible without in-house security know-how. For the first time in many decades, I see a clear demand for security being raised constantly in many meetings with leading OEMs worldwide, as well as software giants.”

Over the last 18 months, as VDOO has continued to expand its own reach, it has picked up customers along the way after identifying vulnerabilities in their devices. Its dataset covers some 70 million embedded systems’ binaries and more than 16,000 versions of embedded systems, and it has worked with customers to identify and address 150 zero-day vulnerabilities and 100,000 security issues that would have potentially impacted 1.5 billion devices.

Interestingly, while VDOO is building its own IP, it is also working with a number of vendors to provide many of the fixes. Davidi says that VDOO and those vendors go through fairly rigorous screening processes before integrating, and the hope is that down the line there will be more automation brought in for the “fixing” element using third-party solutions.

“VDOO brings a unique end-to-end security platform, answering the global connectivity trend and the emerging threats targeting embedded devices, to provide security as an essential enabler of extensive connected devices adoption. With its differentiated capabilities, VDOO has succeeded in acquiring global customers, including many top-tier brands. Moreover, VDOO’s ability to uncover and mitigate weaknesses created by external suppliers fits perfectly into our Supply Chain Security investment strategy,” said Glenn Solomon, managing partner at GGV Capital, in a statement. “This funding, together with the company’s great technology, skilled entrepreneurs and one of the best teams we have seen, will allow VDOO to maintain its leadership position in IoT security and expand geographies while continuing to develop its state-of-the-art technology.”

Valuation is currently not being disclosed.


By Ingrid Lunden

Homeland Security warns of security flaws in enterprise VPN apps

Several enterprise virtual private networking apps are vulnerable to a security bug that can allow an attacker to remotely break into a company’s internal network, according to a warning issued by Homeland Security’s cybersecurity division.

An alert was published Friday by the government’s Cybersecurity and Infrastructure Security Agency following a public disclosure by CERT/CC, the vulnerability disclosure center at Carnegie Mellon University.

The VPN apps built by four vendors — Cisco, Palo Alto Networks, Pulse Secure, and F5 Networks — improperly store authentication tokens and session cookies on a user’s computer. These aren’t your traditional consumer VPN apps used to protect your privacy, but enterprise VPN apps that are typically rolled out by a company’s IT staff to allow remote workers to access resources on a company’s network.

The apps generate an authentication token once a user has logged in and store it on the computer so the user doesn’t have to reenter their password every time. But if stolen, that token can allow access to the user’s account without needing their password.

With access to a user’s computer, such as through malware, an attacker could steal those tokens and use them to gain access to a company’s network with the same level of access as the user. That includes company apps, systems and data.

So far, only Palo Alto Networks has confirmed its GlobalProtect app was vulnerable. The company issued a patch for both its Windows and Mac clients.

Neither Cisco nor Pulse Secure have patched their apps. F5 Networks is said to have known about the insecure token storage since at least 2013 but advised users to roll out two-factor authentication instead of releasing a patch. That mitigation has a limit: two-factor authentication protects the login, not a session token that has already been issued and copied off the machine, which can be replayed until it expires or is revoked.

CERT warned that hundreds of other apps could be affected — but more testing was required.


By Zack Whittaker

Armis nabs $65M Series C as IoT security biz grows in leaps and bounds

Armis is helping companies protect IoT devices on the network without using an agent, and it’s apparently a problem that is resonating with the market, as the startup reports 700 percent growth in the last year. That caught the attention of investors, who rewarded them with a $65 million Series C investment to help keep accelerating that growth.

Sequoia Capital led the round with help from new investors Insight Venture Partners and Intermountain Ventures. Returning investors Bain Capital Ventures, Red Dot Capital Partners and Tenaya Capital also participated. Today’s investment brings the total raised to $112 million, according to the company.

The company is solving a hard problem around device management on a network. If you have devices where you cannot install an agent to track them, how do you manage them? Nadir Izrael, company co-founder and CTO, says you have to do it very carefully, because even an active port scan can be too much for older devices and knock them offline. Instead, he says that Armis takes a passive approach to security, watching and learning and understanding what normal device behavior looks like: a kind of behavioral fingerprinting.

“We observe what devices do on the network. We look at their behavior, and we figure out from that everything we need to know,” Izrael told TechCrunch. He adds, “Armis in a nutshell is a giant device behavior crowdsourcing engine. Basically, every client of Armis is constantly learning how devices behave. And those statistical models, those machine learning models, they get merged into master models.”
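To make the passive, agentless approach described above concrete, here is an added example that is not Armis’s code and does not reflect its models. It learns a per-device baseline of (destination port, protocol) pairs from flows already seen on the wire, merges the baselines of every device of the same type into a shared model in the spirit of the “crowdsourcing” Izrael describes, and then grades new flows against both, without ever sending a packet to the device. The device names, types and flow records are constructed for illustration.

```python
# Added example, not Armis's code: passive behavioural fingerprinting of
# agentless devices. Nothing is sent to the devices; a profile is learned from
# flows already observed on the network, and later flows are judged against it.
from collections import defaultdict

# Constructed flow records for illustration, not real traffic:
# (device_id, device_type, destination_port, protocol)
TRAINING_FLOWS = [
    ("cam-01", "ip-camera", 554, "tcp"),    # RTSP video to the NVR
    ("cam-01", "ip-camera", 123, "udp"),    # NTP
    ("cam-01", "ip-camera", 53, "udp"),     # DNS
    ("cam-02", "ip-camera", 554, "tcp"),
    ("cam-02", "ip-camera", 123, "udp"),
    ("printer-01", "printer", 631, "tcp"),  # IPP
    ("printer-01", "printer", 53, "udp"),
]

def learn_profiles(flows):
    """Per-device baseline: the set of (port, protocol) pairs it was seen using."""
    profiles = defaultdict(set)
    for device, _dtype, port, proto in flows:
        profiles[device].add((port, proto))
    return dict(profiles)

def merge_by_type(flows):
    """'Crowdsourced' model: union of behaviour across every device of a type,
    so that a camera doing something its peers already do is not a surprise."""
    by_type = defaultdict(set)
    for _device, dtype, port, proto in flows:
        by_type[dtype].add((port, proto))
    return dict(by_type)

def classify_flow(flow, device_profiles, type_models):
    device, dtype, port, proto = flow
    key = (port, proto)
    if key in device_profiles.get(device, set()):
        return "known"
    if key in type_models.get(dtype, set()):
        return "new-for-device"   # peers do this; low priority, extend the profile
    return "anomalous"            # no device of this type has ever done this

def detect(observed_flows, device_profiles, type_models):
    """Return (device, port, proto, verdict) for every flow that is not 'known'."""
    alerts = []
    for flow in observed_flows:
        verdict = classify_flow(flow, device_profiles, type_models)
        if verdict != "known":
            device, _dtype, port, proto = flow
            alerts.append((device, port, proto, verdict))
    return alerts

if __name__ == "__main__":
    profiles = learn_profiles(TRAINING_FLOWS)
    models = merge_by_type(TRAINING_FLOWS)
    observed = [
        ("cam-01", "ip-camera", 554, "tcp"),   # normal
        ("cam-02", "ip-camera", 53, "udp"),    # first DNS from cam-02, but cam-01 does it
        ("cam-01", "ip-camera", 445, "tcp"),   # a camera speaking SMB: investigate
    ]
    for alert in detect(observed, profiles, models):
        print(alert)
```

The two-tier verdict is the useful part: a camera doing what other cameras already do is a profile update, while a camera opening SMB to something is the kind of outlier that a port scan would never have surfaced and that an agent could never have been installed to catch.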

Whatever they are doing, they seem to have hit upon a security pain point. They announced a $30 million Series B almost exactly a year ago, and they went back for more because they were growing quickly and needed the capital to hire people to keep up.

That kind of growth is a challenge for any startup. The company expects to double its 125-person workforce before the end of the year, but the company is working to put systems in place to incorporate those new people and service all of those new customers.

The company plans to hire more people in sales and marketing, of course, but they will concentrate on customer support and building out partnership programs to get some help from systems integrators, ISVs and MSPs, who can do some of the customer hand-holding for them.


By Ron Miller

The right way to do AI in security

Artificial intelligence applied to information security can engender images of a benevolent Skynet, sagely analyzing more data than imaginable and making decisions at lightspeed, saving organizations from devastating attacks. In such a world, humans are barely needed to run security programs, their jobs largely automated out of existence, relegating them to a role as the button-pusher on particularly critical changes proposed by the otherwise omnipotent AI.

Such a vision is still in the realm of science fiction. AI in information security is more like an eager, callow puppy attempting to learn new tricks – minus the disappointment written on their faces when they consistently fail. No one’s job is in danger of being replaced by security AI; if anything, a larger staff is required to ensure security AI stays firmly leashed.

Arguably, AI’s highest use case currently is to add futuristic sheen to traditional security tools, rebranding timeworn approaches as trailblazing sorcery that will revolutionize enterprise cybersecurity as we know it. The current hype cycle for AI appears to be the roaring, ferocious crest at the end of a decade that began with bubbly excitement around the promise of “big data” in information security.

But what lies beneath the marketing gloss and quixotic lust for an AI revolution in security? How did AI ascend to supplant the lustrous zest around machine learning (“ML”) that dominated headlines in recent years? Where is there true potential to enrich information security strategy for the better – and where is it simply an entrancing distraction from more useful goals? And, naturally, how will attackers plot to circumvent security AI to continue their nefarious schemes?

How did AI grow out of this stony rubbish?

The year AI debuted as the “It Girl” in information security was 2017. The year prior, MIT completed its study showing that “human-in-the-loop” AI out-performed both AI and humans individually in attack detection. Likewise, DARPA conducted the Cyber Grand Challenge, a battle testing AI systems’ offensive and defensive capabilities. Until this point, security AI was imprisoned in the contrived halls of academia and government. Yet the history of two vendors exhibits how enthusiasm surrounding security AI was driven more by growth marketing than by user needs.


By Arman Tabatabai

Google extends its BeyondCorp security model to G Suite

BeyondCorp is Google’s model for securing networks not just through VPNs and other endpoint security techniques, but through context-aware access policies that take into account the user’s identity, the hardware the request comes from and the context of the request itself. That has been Google’s internal security policy for a while now, and over the last few months it started bringing it to its own customers, too, starting with its Cloud Identity-Aware Proxy, which is now generally available, and its VPC Service Controls.

Today, the company is extending these context-aware access capabilities to its Cloud Identity user and device management service, as well as G Suite, its productivity suite. So while earlier implementations centered around protecting a company’s technical cloud infrastructure, this release focuses on devices and cloud-based apps like Gmail, Drive, Docs, Sheets and Calendar.

In this context, some devices, for example, may be more highly trusted because they have been enrolled in the Cloud Identity service and because a number of security policies are in place for them. That’s a different security posture from a system that simply trusts users because they arrive through a specific VPN: the network a request comes from becomes one signal among several, rather than the whole decision.
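As an added illustration (example code, not Google’s own access engine or policy language), here is a toy context-aware evaluator that makes the kind of decision described above from identity, device posture and request context, placed beside the VPN-only check it replaces. The device fields, the per-app policy table, the group names and the 10.0.0.0/8 corporate range are all assumptions made for this example.

```python
"""Toy context-aware access evaluator in the BeyondCorp style.

Added example, not Google's code: device fields, policy table, group
names and the corporate IP range are all invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool            # known to the (assumed) device inventory
    disk_encrypted: bool
    os_patch_age_days: int


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device: Device
    source_ip: str
    app: str
    mfa_passed: bool


TIER_RANK = {"untrusted": 0, "low": 1, "high": 2}
CORP_NETWORK = ip_network("10.0.0.0/8")  # assumed corporate/VPN range

# Constructed policy table: per-app minimum device tier, MFA, required group.
POLICY: Dict[str, dict] = {
    "gmail":          {"min_tier": "low",  "mfa": False, "groups": None},
    "drive":          {"min_tier": "high", "mfa": True,  "groups": None},
    "finance-sheets": {"min_tier": "high", "mfa": True,  "groups": {"finance"}},
}


def trust_tier(device: Device) -> str:
    """Derive a trust tier from posture; unenrolled devices never earn trust."""
    if not device.enrolled:
        return "untrusted"
    if device.disk_encrypted and device.os_patch_age_days <= 30:
        return "high"
    return "low"


def vpn_only_check(req: Request) -> bool:
    """Legacy perimeter model: anyone arriving from the corp range is trusted."""
    return ip_address(req.source_ip) in CORP_NETWORK


def evaluate(req: Request) -> Tuple[bool, str]:
    """Context-aware decision from identity, device posture and request context."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown app: default deny"
    tier = trust_tier(req.device)
    if TIER_RANK[tier] < TIER_RANK[rule["min_tier"]]:
        return False, f"device tier {tier!r} below required {rule['min_tier']!r}"
    if rule["mfa"] and not req.mfa_passed:
        return False, "MFA required for this app"
    required: Optional[Set[str]] = rule["groups"]
    if required and not (required & req.groups):
        return False, f"user {req.user} not in required group"
    # Network location is recorded as context but is never sufficient on its own.
    return True, f"allowed (tier={tier}, from_corp_network={vpn_only_check(req)})"


def sample_requests() -> Dict[str, Request]:
    """Constructed sample traffic for the demo and tests."""
    byod = Device("byod-1", enrolled=False, disk_encrypted=True, os_patch_age_days=0)
    managed = Device("corp-7", enrolled=True, disk_encrypted=True, os_patch_age_days=3)
    eng = frozenset({"eng"})
    return {
        "unenrolled_on_corp": Request("alice", eng, byod, "10.1.2.3", "drive", True),
        "managed_remote_mfa": Request("alice", eng, managed, "203.0.113.5", "drive", True),
        "managed_remote_no_mfa": Request("alice", eng, managed, "203.0.113.5", "drive", False),
        "managed_wrong_group": Request("alice", eng, managed, "203.0.113.5", "finance-sheets", True),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:24} vpn_only={vpn_only_check(req)!s:5} "
              f"context_aware={evaluate(req)}")
```

The first sample request is the one that separates the two models: an unenrolled laptop sitting on the corporate network passes the VPN-only check and is refused by the context-aware one, while a managed, patched device off-site with MFA is allowed in.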

Context-aware access for G Suite apps is now in beta, but only for customers who subscribe to Cloud Identity Premium, G Suite Enterprise and G Suite Enterprise for Education.

With today’s release, Google also announced the BeyondCorp Alliance, which brings together a number of security and management partners. These include Check Point, Lookout, Palo Alto Networks, Symantec and VMware. According to Google, these companies are all working to bring device posture data to Google’s context-aware access engine.


By Frederic Lardinois

Google launches new security tools for G Suite users

Google today launched a number of security updates to G Suite, its online productivity and collaboration platform. The focus of these updates is on protecting a company’s data inside G Suite, both through controlling who can access it and through providing new tools for preventing phishing and malware attacks.

Among these, Google is announcing the beta launch of its advanced phishing and malware protection, meant to help admins protect users from malicious attachments and inbound email spoofing, among other things.

The most interesting feature here, though, is the new security sandbox, another beta feature for G Suite Enterprise users. The sandbox allows admins to add an extra layer of protection on top of the standard attachment scans for known viruses and malware. Those existing, signature-based scans can’t fully protect you against zero-day ransomware or sophisticated malware that has never been seen before. So instead of just letting you open the attachment, this tool executes it in a sandbox environment first and checks whether it does anything suspicious.

Also with today’s launch, Google is announcing the beta of its new security and alert center for admins. These tools are meant to create a single service that features best-practice recommendations, a unified notifications center and tools to triage and take action against threats, all with a focus on collaboration among admins. Also new is a security investigation tool that mostly focuses on allowing admins to create automated workflows for sending notifications or assigning ownership of security investigations.


By Frederic Lardinois

Okta unveils $50M in-house venture capital fund

Identity management software provider Okta, which went public two years ago in what was one of the first pure-cloud subscription-based company IPOs, wants to fund the next generation of identity, security and privacy startups.

At its big customer conference Oktane, where the company has also announced a new level of identity protection at the server level, chief operating officer Frederic Kerrest (pictured above, right, with chief executive officer Todd McKinnon) will unveil a $50 million investment fund meant to back early-stage startups leveraging artificial intelligence, machine learning and blockchain technology.

“We view this as a natural extension of what we are doing today,” Okta senior vice president Monty Gray told TechCrunch. Gray was hired last year to oversee corporate development, i.e. beef up Okta’s M&A strategy.

Gray and Kerrest tell TechCrunch that Okta Ventures will invest capital in existing Okta partners, as well as other companies in the burgeoning identity management ecosystem. The team managing the fund will look to Okta’s former backers, Sequoia, Andreessen Horowitz and Greylock, for support in the deal sourcing process.

Okta Ventures will write checks sized between $250,000 and $2 million to eight to 10 early-stage businesses per year.

“It’s just a way of making sure we are aligning all our work and support with the right companies who have the right vision and values because there’s a lot of noise around identity, ML and AI,” Kerrest said. “It’s about formalizing the support strategy we’ve had for years and making sure people are clear of the fact we are helping these organizations build because it’s helpful to our customers.”

Okta Ventures’ first bet is Trusted Key, a blockchain-based digital identity platform that previously raised $3 million from Founders Co-Op. Okta’s investment in the startup, founded by former Microsoft, Oracle and Symantec executives, represents its expanding interest in the blockchain.

“Blockchain as a backdrop for identity is cutting edge if not bleeding edge,” Gray said.

Okta, founded in 2009, had raised precisely $231 million from Sequoia, Andreessen Horowitz, Greylock, Khosla Ventures, Floodgate and others prior to its exit. The company’s stock has fared well since its IPO, debuting at $17 per share in 2017 and climbing to more than $85 apiece with a market cap of $9.6 billion as of Tuesday closing.


By Kate Clark

Onfido, which verifies IDs using AI, nabs $50M from SoftBank, Salesforce, Microsoft and more

Security breaches, in which malicious hackers obtain snippets of personal information that are then used to impersonate individuals and gain access to their, and their employers’, sensitive financial and other private data, have become par for the course in the world of digital services. More than 2.7 billion records were breached in a single incident this year in the US, and overall the damage from incidents like these potentially runs into the trillions of dollars globally.

Today, a startup called Onfido, which uses AI techniques combined with human verifiers to efficiently verify that people are who they say they are when using digital services, is announcing $50 million in funding to help address that ongoing, and growing, problem.

The funding comes on the heels of some very strong growth for the startup, which was founded in London but now operates most of its business out of San Francisco. In an interview, co-founder and CEO Husayn Kassai said that more than half of its customers, and most of its new growth, is coming out of the US.

Onfido uses computer vision and a number of other AI-based technologies to verify against some 4,500 different types of identity documents, using techniques like “facial liveness testing” to see patterns invisible to the human eye. It now has 1,500 businesses as customers, primarily in categories like marketplaces and communities, gaming and financial services, including companies like Remitly, Zipcar and Europcar, and in the last year it had sales growth of 342 percent. Kassai said that it has to date verified “tens of millions” of IDs.

The money — a Series C2, technically — is coming from a group that includes top strategic tech investors. The round is being co-led by SoftBank Investment (SBI) and Salesforce Ventures, with M12Capital (the new name for Microsoft Ventures), FinVC and other unnamed new and previous investors also participating. That’s a signal not just of how the biggest companies in that sector today are grappling with this problem, but also of what approach they are using to solve it.

For SoftBank, the investment is separate from the Vision fund, founder and CEO Husayn Kassai noted, but it’s notable that a lot of the businesses that have been backed out of that fund — companies like Didi, Uber, Oyo, Lemonade, and others — fundamentally rely on people trusting that they are handling personal details securely while also carefully vetting suppliers on the platform (meaning, they need and use services like Onfido’s).

Meanwhile, both Microsoft and Salesforce have extensive enterprise businesses that could see multiple benefits from working with an identity verification provider, not just for their own purposes, but as a service that is sold on to its customers as part of a larger identity management and security offering.

The company is not revealing its valuation but has raised around $100 million to date and Kassai confirmed that it was an upround, with “a lot of happy investors.”

“We have strong metrics, and we have a long way to go in our growth,” he added.

There are a lot of companies today offering services to authenticate users, for example to help them log on to their work accounts or to access their online banking. Onfido’s business focuses on the first step in all of this, customer onboarding, specifically for services geared towards consumers.

The opportunity that has opened up for it has been the result of more than just a rise in breaches. There’s also been a growing realization that a lot of the existing services that had been used for verification are simply not fit for purpose: either they too have been breached — as in the case of some of the bigger credit agencies like Equifax — or are not realistically efficient enough for how many online services run today, such as in the case of in-person verifications. (Onfido claims that its system can make a verification in as little as 15 seconds.)

Or they are part of the new guard that has shifted its approach to the business of ID verification, either by choice or by force. One would-be competitor from the past, Checkr, is now a partner of Onfido’s, Kassai noted. Others like Jumio — which is still grappling with the fallout from major illegal missteps by previous management — seem to still be trying to find their feet as standalone businesses.

“Fraud is rising and not going anywhere,” Kassai — who co-founded the company with Ruhul Amin and Eamon Jubbawy — said. “And the problem is that there are a dozen other companies that have not done a good enough job to detect it so far.” While no service is perfect — Onfido says that its “risk exposure” is 0.195 percent — he says that the advantage of building its service on top of AI means that the algorithms use every experience to continue honing its accuracy. “What we learn from one client gets applied everywhere,” he notes.

“There has never been a more important time for companies to build trust with their customers by showing they are one step ahead of fraudsters,” said Frank van Veenendaal, the ex-vice chairman of Salesforce, who is joining the board with this round. “I believe Onfido has the unique opportunity to transform the digital identity market and deliver robust and scalable authentication-as-a-service, similar to how Salesforce transformed customer relationship management.”


By Ingrid Lunden