Work Life Ventures raises $5M for debut enterprise SaaS seed fund

Brianne Kimmel had no trouble transitioning from angel investor to general partner.

Initially setting out to garner $3 million in capital commitments, Kimmel, in just two weeks’ time, closed on $5 million for her debut venture capital fund Work Life Ventures. The enterprise SaaS-focused vehicle boasts an impressive roster of limited partners, too, including the likes of Zoom chief executive officer Eric Yuan, InVision CEO Clark Valberg, Twitch co-founder Kevin Lin, Cameo CEO Steven Galanis, Andreessen Horowitz general partners Marc Andreessen and Chris Dixon, Initialized Capital GP Garry Tan and fund-of-funds Slow Ventures, Felicis Ventures and NFX.

At the helm of the new fund, Kimmel joins a small group of solo female general partners: Dream Machine’s Alexia Bonatsos is targeting $25 million for her first fund; Day One Ventures’ Masha Drokova raised an undisclosed amount for her debut effort last year; and Sarah Cone launched Social Impact Capital, a fund specializing in impact investing, in 2016, among others.

Meanwhile, venture capital fundraising is poised to reach all-time highs in 2019. In the first half of the year, a total of $20.6 billion in new capital was introduced to the startup market across more than 100 funds.

For most, the process of raising a successful venture fund can be daunting and difficult. For well-connected and established investors in the Bay Area, like Kimmel, raising a fund can be relatively seamless. Given the speed and ease of fund one in Kimmel’s case, she plans to raise her second fund with a $25 million target in as little as 12 months.

“The desire for the fund is to take a step back and imagine how do we build great consumer experiences in the workplace,” Kimmel tells TechCrunch.

Kimmel has been an active angel investor for years, sourcing top enterprise deals via SaaS School, an invite-only workshop she created to educate early-stage SaaS founders on SaaS growth, monetization, sales and customer success. Prior to launching SaaS School, which will continue to run twice a year, Kimmel led go-to-market strategy at Zendesk, where she built the Zendesk for Startups program.

“You start by advising, then you start with very small angel checks,” Kimmel explains. “I reached this inflection point and it felt like a great moment to raise my own fund. I had friends like Ryan Hoover, who started Weekend Fund focused on consumer, and Alexia is one of my friends as well and I saw what she was doing with Dream Machine, which is also consumer. It felt like it was the right time to come out with a SaaS-focused fund.”

Emerging from stealth today, Work Life Ventures will invest up to $150,000 per company. To date, Kimmel has backed three companies with capital from the fund: Tandem, Dover and Command E. The first, Tandem, was amongst the most coveted deals in Y Combinator’s latest batch of companies. The startup graduated from the accelerator with millions from Andreessen Horowitz at a valuation north of $30 million.

Dover, another recent YC alum, provides recruitment software and is said to be backed by Founders Fund in addition to Work Life. Command E, currently in beta, is a tool that facilitates search across multiple desktop applications. Kimmel is also an angel investor in Webflow, Girlboss, TechCrunch Disrupt 2018 Startup Battlefield winner Forethought, Voyage and others.

Work Life is betting on the consumerization of the enterprise, or the idea that the next best companies for modern workers will be consumer-friendly tools. In her pitch deck to LPs, Kimmel cites the success of Superhuman and Notion, a well-designed email tool and a note-taking app, respectively, as examples of the heightened demand for digestible, easy-to-use B2B products.

“The next generation of applications for the workplace sees people spinning out of Uber, Coinbase and Airbnb,” Kimmel said. “They’ve faced these challenges inside their highly efficient tech company so we are seeing more consumer product builders deeply passionate about the enterprise space.”

But Kimmel doesn’t want to bury her thesis in jargon, she says, so you won’t find any B2B lingo on Work Life’s website or Instagram.

She’s focusing her efforts on a more important issue that is often absent from conversations surrounding investment in the future of work: diversity & inclusion.

Kimmel meets with every new female hire of her portfolio companies. Though it’s “increasingly non-scalable,” she admits, it’s part of a greater effort to ensure her companies are thoughtful about D&I from the beginning: “Because I have a very focused fund, it’s about maintaining this community and ensuring that people feel like their voices are heard,” she said.

“I want to be mindful that I am a female GP and I feel [proud] to have that title.”

Payments giant Stripe debuts a credit card in its latest step into the financing fray

Last week, when the popular payments startup Stripe made some waves with its first move into money lending through the launch of Stripe Capital, we reported that the company was also soon going to be launching a credit card. Now, that news is official. Today, the company is doubling down on financing with the launch of corporate cards for business customers.

Announced officially today to coincide with the company’s developer event Stripe Sessions, the Stripe Corporate Card — as the product is officially called — is a Visa that will be open to businesses that are incorporated in the U.S., although they can operate elsewhere.

Notably, users are expected to pay their balance in full each month, so for now there is no interest rate, or fee, to use the card, with Stripe making its money by way of the interchange fee that comes with every transaction using the card.

“We’re not freezing cards based on late or no payments,” Cristina Cordova, the business lead overseeing the launch, said in an interview. “A pretty common reason for non-payment is that a person switched bank accounts and forgot to update the information. But we think we’ll have fewer problems because we have banking information for accepting revenue, by way of our payments business.”

The move is another major step ahead for Stripe as it continues to diversify its business and bring on more financial products to become a one-stop shop for e-commerce and other companies for all the transactions they might need to make in the course of their lives. It is a little ironic that it’s taken years for credit cards to get added into the mix, considering Stripe’s earliest homepages and marketing efforts were built around the design of a credit card (a reference to taking payments online, not issuing credit, of course).

In any case, the list of products now offered by Stripe is long — longer, you might say, than it takes to incorporate a Stripe service into a developer workflow. In addition to its API-based flagship payments product — which is available as a direct service or, via Stripe Connect, for third parties via marketplaces and other platforms — it offers billing and invoicing, in-person payment services (via Terminal), business analytics, fraud prevention on transactions (Radar), company incorporation (Atlas) and a range of content around business strategy.

Some of these Stripe products are free to use, and some come at a price: The main point for offering them together is to build more engagement and loyalty from customers to keep them from migrating to other services. In that regard, credit cards are a cornerstone of how businesses operate, to handle day-to-day expenses in a more accountable way, and this is an area that is already well-served by others, including startups like Brex but also a plethora of challenger and traditional banks. So as much as anything else, this is a clear move to help stave off competition.

At the same time, it underscores how Stripe is leveraging the huge amount of data that it has amassed about its users and payments on the platform: It’s not just about enabling single services, but about using the byproducts of those services — data — to put fuel into new products.

Today, to underscore its global ambitions in that regard, Stripe is adding some expansions to several of its existing products. For example, it will now allow businesses to make payouts in local currencies in 45 countries (an important detail, for example, for marketplaces and network-based companies like ridesharing businesses).

The credit card product will follow a model similar to that of Stripe Capital. As with the lending product, there is a single bank issuing the credit and the card. Amber Feng, head of financial infrastructure for Stripe, confirmed to me that it is actually the same bank that’s providing the cash behind Stripe Capital. Stripe is still declining to name the bank itself, but hints that we may hear more about it soon, which leads me to wonder what news might be coming next.

(Funding perhaps would make sense? The company has raised a whopping $785 million to date and has a valuation of $22.5 billion at the moment. Given that Stripe has made indications that a public listing is not on the cards soon, that might imply, with the launch of these new financing products, that more capital might be raised soon.)

Also similar to Stripe Capital, the underwriting of the card is based on Stripe data. That is to say, business users are verified and approved based on turnover (revenues) as measured by the Stripe payments platform itself; and in cases where applicants are “pre-revenue,” they can be evaluated based on other data sources. For example, if they have used Stripe Atlas to incorporate their businesses, the paperwork supplied for that is used by Stripe to vet the customer’s suitability for a credit card.

Notably, the cards will be delivered in the spirit of instant gratification: If you are applying and get approved, you can within minutes download a virtual card to your Apple Wallet as you await the physical card to arrive in the post.

Stripe is big on data in its own business, and it’s bringing some of that into this product with spending controls that can be set by person and by category; real-time expense reporting by way of texts; rewards of 2% back on spending in the business’s most-used categories; and integration with financial software like QuickBooks and Expensify.

HashiCorp expands Terraform free version, adds paid tier for SMBs

HashiCorp has had a free tier for its Terraform product in the past, but it was basically for a single user. Today, the company announced it was expanding that free tier to allow up to five users, while also increasing the range of functions that are available before you have to pay.

“We’re announcing a pretty large expansion of the Terraform Cloud free tier. So many of the capabilities that used to be exclusively in our Terraform enterprise product, we’re now bringing down into the Terraform free tier. It allows you to do central actual execution of Terraform and apply the full lifecycle as part of the free tier,” HashiCorp co-founder and CTO Armon Dadgar explained.

In addition, the company announced a middle tier aimed at SMBs. Dadgar says the new pricing tier helped address some obvious gaps in the pricing catalog for a large set of users who had outgrown the free product yet weren’t ready for the enterprise version.

“We were seeing a lot of friction with our SMB customers trying to figure out how to go from one-user Terraform to a team of five people or a team of 20 people. And I think the challenge was that we had the enterprise product, which in terms of deployment and pricing, is really geared toward Global 2000 kinds of companies,” Dadgar told TechCrunch.

He said this left a huge gap for smaller teams of between five and 100 users, which forced those teams to kludge together solutions to fit their requirements. The company thought it would make more sense to have a paid tier specifically geared for this group that would create a logical path for all users on the platform, while solving a known problem.

“It’s a logical path, but it also just answers the constant questions on forums and mailing lists regarding how to collaborate [with smaller teams]. Before, we didn’t have a prescriptive answer, and so there was a lot of DIY, and this is our attempt at a prescriptive answer of how you should do this,” he said.

Terraform is the company’s tool for defining, deploying and managing infrastructure as code. There is an open-source product, an on-prem version and a SaaS version.

HashiCorp announces fully managed service mesh on Azure

Service mesh is just beginning to take hold in the cloud native world, and as it does, vendors are looking for ways to help customers understand it. One way to simplify the complexity of dealing with the growing number of service mesh products out there is to package it as a service. Today, HashiCorp announced a new service on Azure to address that need, building it into the Consul product.

HashiCorp co-founder and CTO Armon Dadgar says it’s a fully managed service. “We’ve partnered closely with Microsoft to offer a native Consul [service mesh] service. At the highest level, the goal here is, how do we make it basically push button,” Dadgar told TechCrunch.

He adds that there is extremely tight integration in terms of billing and permissions, as well as other management functions, as you would expect with a managed service in the public cloud. Brendan Burns, one of the original Kubernetes developers, who is now a distinguished engineer at Microsoft, says the HashiCorp solution really strips away a lot of the complexity associated with running a service mesh.

“In this case, HashiCorp is using some integration into the Azure control plane to run Consul for you. So you just consume the service mesh. You don’t have to worry about the operations of the service mesh,” Burns said. He added, “This is really turning it into a service instead of a do-it-yourself exercise.”

Service meshes are tools used in conjunction with containers and Kubernetes in a dynamic cloud native environment to help microservices communicate and interoperate with one another. There is a growing number of them, including Istio, Envoy and Linkerd, jockeying for position right now.

Burns makes it clear that while Microsoft is working closely with HashiCorp on this project, it’s also working with other vendors, as well. “Our goal with the service mesh interface specification was really to let a lot of partners be successful on the platform. You know, there’s a bunch of different service meshes. It’s a place where we feel like there’s a lot of evolution and experimentation happening, so we want to make sure that our customers can find the right solution for them,” Burns explained.

The HashiCorp Consul service is currently in private beta.

Threat Actor Basics: Understanding the 5 Main Threat Types

Protecting the business in today’s cybersecurity climate is all about staying up-to-date. Up-to-date with your security technology, up-to-date with security patches and up-to-date with the tools, techniques and procedures of different threat actors. In this post, we take a look at the five main threat types, how these adversaries operate and how you can defend against them.


1. Organized Crime – Making Money from Cyber

The number one threat for most organizations at present comes from criminals seeking to make money. Whether it’s theft and subsequent sale of your data, flat out ransomware or stealthy, low-risk/low-return cryptojacking, criminals have been quick to adapt themselves to the opportunities for illicit moneymaking via the online world. There are digital equivalents of pretty much any ‘analog’ financial crime you care to think of, from kidnapping to bank robbery, and there’s a double pay-off for the criminally-inclined: digital crime offers far greater rewards and much lower risks.

The low-risk factor is due both to the ability of criminals to hide their activity online and to the ease of money laundering thanks to the rise of digital currencies. There are apparently over 17,000 “Bitcoin millionaires” – addresses that hold more than $1 million worth of bitcoin – according to one report. As the value of bitcoin is currently on the rise again, expect to see some of those starting to cash out.

In the first 6 months of 2019, ransomware attacks have nearly doubled and business email compromises are up over 50% from the previous six months. It’s not just the multinationals and famous names that are under attack either. Organizations from local governments to SMEs all represent soft targets for an increasingly experienced and well-equipped cybercrime underworld. Malware and ransomware kits are widely traded on the dark net and the impact is being felt. In the UK, 24% of SMEs reported an attack or cyber incident last year, amounting to a combined loss of over $10m.

How To Protect Against Criminals

To protect yourself from external threats like criminals, it is essential that your network and endpoints are protected by a modern, multi-layered intrusion detection and response solution. As proven by the number of successful attacks that hit the media on a weekly basis, the AV suites of the past are simply antiquated and not up to the job of defeating well-funded cyber criminals armed with sophisticated tools. A modern solution should be able to detect anomalous behavior both pre-execution and on-execution, and should have simple remediation and rollback capabilities to deal with ransomware and other threats.

Along with that, it’s important that you patch vulnerabilities in a timely fashion. Criminals will soon jump on flaws like BlueKeep and although solutions like SentinelOne can detect exploitation of known vulnerabilities, timely patching is one more layer of defense that may persuade an attacker to look for an easier target.

An incident response plan is also a vital part of your security posture. Be sure that appropriate staff know what to do and who to contact in the event of a breach.

2. APT – Industrial Spies, Political Manipulation, IP Theft & More

Advanced persistent threat groups have become increasingly active as an estimated 30 nations wage cyber warfare operations on each other’s political, economic, military and commercial infrastructure.

APT groups have proliferated in recent years, and tracking them is complicated. Groups may have common members and toolsets making attribution difficult, and often impossible. Added to that is the fact that security vendors do not use a common classification scheme, leading to a snowball of different labels for each group. Ever heard of Longhorn, Housefly or Tilded Team? Probably not, but they are all names for what is more commonly known as the USA’s ‘Equation Group’. A useful public document is maintained that tries to make sense of these different actors, their classifications and their activities.

image of apt group doc

Although APTs are primarily engaged in activities that benefit the interests of one country or countries over another, businesses can easily get caught in the crossfire, too. Whether it’s a nation-state that wants your IP for their own use, cyber weapons like Stuxnet that escape into the wild or weaponized zero-day vulnerabilities like EternalBlue, APT activity can have a dramatic impact on a business.

APTs aren’t shy about straight-up financial theft either. North Korean APT groups like Lazarus (aka ‘Hidden Cobra’) have been engaged in SWIFT-related bank heists as well as targeting bitcoin exchanges.

Middle East actor ‘Syrian Electronic Army’ was widely held responsible for causing a $200 billion loss on the Dow Jones stock exchange after an attack on the Twitter account of the Associated Press. The hackers caused the stock market panic after using the hijacked account to tweet about a fake bomb attack at the White House, stating “Breaking: Two explosions in the White House and Barack Obama is injured”.

How To Protect Against APTs

Defending against targeted attacks from APT groups requires similar defensive strategies to those mentioned above, but on top of that, ensure that your security risk assessment includes consideration of what assets your company may possess that would be attractive to nation states. Look at the TTPs of groups that might have an interest in your organization and devise suitable strategies around those.

For all external threat actors, be sure that employees are following safe password procedures and are aware of phishing techniques.

3. Insider Threats – Malicious Intent, Incompetence, Negligence

When valued employees go ‘off the reservation’, the impact on an organization can be devastating, and potentially far more catastrophic than the relentless attempts of external threat actors. It’s common to think of insider threats as being a risk due to malicious intent, but as we’ve pointed out recently, negligence and unintentional errors can be as much, if not more, of a factor. Financial institutions like HSBC and Wells Fargo have both suffered embarrassing and costly data breaches due to unintentional errors.

At the other end of the scale, intentional insider threats are on the rise according to recent industry reports. These can be difficult to detect because employees may well have valid credentials and knowledge of the company’s security procedures. Moreover, an increasing number of businesses are moving their data to the cloud where monitoring of user behavior and file access may be less rigorous or not yet in place. Staff being able to use personal mobile devices on the corporate network is also an area where organizations need to be increasingly vigilant.

How To Protect Against Insider Threats

For internal threats, aside from the advice given above for external actors, it is also important that anomalous user behaviour is tracked and acted on, and for that you need visibility across your network. File access should be locked down according to the maxim of ‘least privilege’, and all devices on the network should have proper firewall and media control, as well as protection against compromise from Bluetooth and other peripherals. Employee wellness programs led by HR or Personnel Management can help to identify disgruntled employees. Be sure that employees receive appropriate and regular training on cyber security awareness to minimize the possibility of unintentional errors.

4. Hacktivists – Rebels With a Cause, Or Maybe Just a Gripe

Like APTs, hacktivists like to pool their resources, but stealth is rarely on their agenda. Hacktivist groups aim to bring attention to an issue, person or organization that they want to positively promote or negatively disclose information about. Although less in the spotlight in recent years, groups like Anonymous and LulzSec have caused significant problems for businesses and organizations. The CIA, Sony Pictures and even governments such as the Philippines and Thailand have been targeted in the past.

Hacktivists’ tactics of choice include DDoS attacks on web services through botnets, defacing corporate websites, and taking over the Twitter and other social media accounts of high-profile individuals and businesses.

image of hacktivist tweet

How To Protect Against Hacktivists

As we have seen, hacktivist campaigns will tend to target web services and applications, so it’s important that as well as a modern security solution you have 2FA and MFA on all social media accounts, strong web application firewalls and a DDoS mitigation strategy that can analyse network traffic and identify anomalous requests. Be sure that your incident response plan includes mitigation strategies for reputational damage that could be caused by hacktivists.

5. Script Kiddies, Lone Wolves & Other Malcontents

Aside from the threats described above, there are also the dangers of individuals with no clear motives other than to break into other people’s computers. These actors are sometimes labelled ‘script kiddies’, meaning teenagers who have acquired powerful tools written by others and deploy them against targets for fun or experimentation. However, that ‘script kiddie’ designation is not entirely accurate and also risks downplaying the seriousness of the threat from these kinds of actors.

A good example is the recent case of expert programmer and webstack engineer Paige A. Thompson. For seemingly no reason, or at least not a reason that fits into the categories discussed above, Thompson allegedly hacked Capital One and other corporations, causing data breaches that could cost the affected parties millions of dollars in FTC fines – such, at least, was the fate of Equifax – even though the data was not actually sold or distributed.

A different kind of case that would fall into this category would be a ‘lone wolf’ such as Phillip Durachinsky, the alleged developer of Fruitfly, malware targeting macOS that was used to infiltrate systems belonging to companies, schools, police departments as well as state and federal governments. Durachinsky’s motives remain unknown.

How To Protect Against Script Kiddies et al

This threat actor type can be either internal or external. A good EDR solution should protect against non-targeted attacks like these. Anti-phishing strategies should also be in place here as phishing kits are as popular among script kiddies looking to see what they can ‘catch’ as they are among other threat actor types.

Conclusion

In this post we’ve looked at the five main threat actor groups and some strategies that you should have in place to present an effective, multi-layered security posture. The modern cyber world has changed markedly from just a few years ago, with tools and techniques proliferating to the advantage of different kinds of attackers, from script kiddies to nation-state actors. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.


Spendesk raises $38.4 million for its corporate card and expense service

French startup Spendesk has raised another $38.4 million Series B round with existing investor Index Ventures leading the round. The company has raised $49.4 million (€45 million) over the years.

Spendesk is an all-in-one corporate expense and spend management service. It lets you track expenses across your company, empower your employees with a clear approval process and simplify your bookkeeping.

The service essentially works like Revolut or N26, but for corporate needs. After you sign up, you get your own Spendesk account with an IBAN. You can top up that account and define different sets of policies.

For instance, you can set payment limits depending on everyone’s job and define who’s in charge of approving expensive payments. After that, everyone can generate virtual cards for online payments and get a physical card for business travel.

When you’re on the road, you can pay directly using Spendesk just like any corporate card. If you have to pay in cash or with another card, you can take a photo of the receipt from the Spendesk mobile app and get your money back.

Many Spendesk users also leverage the service for other use cases. For instance, you can define a marketing budget and let the marketing team spend it on Facebook or Google ads using a virtual card.

You can also track all your online subscriptions from the Spendesk interface to make sure that you don’t pay for similar tools. If you hire freelancers, you can also upload all your invoices to the platform, export an XML with your outstanding invoices and import it to your banking portal.

Spendesk tries to be smarter than legacy expense solutions. For instance, the company tries to leverage optical character recognition (OCR) to match receipts with payments, autofill the VAT rate, etc.

With today’s funding round, the company plans to open offices in Berlin and London, add more currencies and develop new features. Over the past year, the company went from 20 employees to 120 employees. There are now 1,500 companies using Spendesk in Europe.

Secret Service Investigates Breach at U.S. Govt IT Contractor

The U.S. Secret Service is investigating a breach at a Virginia-based government technology contractor that saw access to several of its systems put up for sale in the cybercrime underground, KrebsOnSecurity has learned. The contractor claims the access being auctioned off was to old test systems that do not have direct connections to its government partner networks.

In mid-August, a member of a popular Russian-language cybercrime forum offered to sell access to the internal network of a U.S. government IT contractor that does business with more than 20 federal agencies, including several branches of the military. The seller bragged that he had access to email correspondence and credentials needed to view databases of the client agencies, and set the opening price at six bitcoins (~USD $60,000).

A review of the screenshots posted to the cybercrime forum as evidence of the unauthorized access revealed several Internet addresses tied to systems at the U.S. Department of Transportation, the National Institutes of Health (NIH), and U.S. Citizenship and Immigration Services (USCIS), a component of the U.S. Department of Homeland Security that manages the nation’s naturalization and immigration system.

Other domains and Internet addresses included in those screenshots pointed to Miracle Systems LLC, an Arlington, Va.-based IT contractor that states on its site that it serves 20+ federal agencies as a prime contractor, including the aforementioned agencies.

In an interview with KrebsOnSecurity, Miracle Systems CEO Sandesh Sharda confirmed that the auction concerned credentials and databases managed by his company, and that an investigating agent from the Secret Service was in his firm’s offices at that very moment looking into the matter.

But he maintained that the purloined data shown in the screenshots was years-old and mapped only to internal test systems that were never connected to its government agency clients.

“The Secret Service came to us and said they’re looking into the issue,” Sharda said. “But it was all old stuff [that was] in our own internal test environment, and it is no longer valid.”

Still, Sharda did acknowledge information shared by Wisconsin-based security firm Hold Security, which alerted KrebsOnSecurity to this incident, indicating that at least eight of its internal systems had been compromised on three separate occasions between November 2018 and July 2019 by Emotet, a malware strain usually distributed via malware-laced email attachments that typically is used to deploy other malicious software.

The Department of Homeland Security did not respond to requests for comment, nor did the Department of Transportation. A spokesperson for the NIH said the agency had investigated the activity and found it was not compromised by the incident.

“As is the case for all agencies of the Federal Government, the NIH is constantly under threat of cyber-attack,” NIH spokesperson Julius Patterson said. “The NIH has a comprehensive security program that is continuously monitoring and responding to security events, and cyber-related incidents are reported to the Department of Homeland Security through the HHS Computer Security Incident Response Center.”

One of several screenshots offered by the dark web seller as proof of access to a federal IT contractor later identified as Arlington, Va.-based Miracle Systems. Image: Hold Security.

The dust-up involving Miracle Systems comes amid much hand-wringing among U.S. federal agencies about how best to beef up and ensure security at a slew of private companies that manage federal IT contracts and handle government data.

For years, federal agencies had few options to hold private contractors to the same security standards to which they must adhere — beyond perhaps restricting how federal dollars are spent. But recent updates to federal acquisition regulations allow agencies to extend those same rules to vendors, enforce specific security requirements, and even kill contracts that are found to be in violation of specific security clauses.

In July, DHS’s Customs and Border Protection (CBP) suspended all federal contracts with Perceptics, a contractor which sells license-plate scanners and other border control equipment, after data collected by the company was made available for download on the dark web. CBP later said the breach was the result of a federal contractor copying data onto its corporate network, which was subsequently compromised.

For its part, the Department of Defense recently issued long-awaited cybersecurity standards for contractors who work with the Pentagon’s sensitive data.

“This problem is not necessarily a tier-one supply level,” DOD Chief Information Officer Dana Deasy told the Senate Armed Services Committee earlier this year. “It’s down when you get to the tier-three and the tier-four” subcontractors.

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good

The hero of the day is the city of New Bedford, Massachusetts. After (another) typical ransomware attack on a US city (this time using the Ryuk ransomware) and a ransom demand of $5.3 million, the city negotiated it down to $400k, then moved on to rebuild its server infrastructure without paying anything to the extortionists. Every paid ransom guarantees another attack. Criminals won’t give up on easy sources of money, and until organizations have proper defenses in place and refuse to give in, the attacks will keep coming. So well done, New Bedford! Authorities in Flagstaff have also held out against a ransomware attack so far and temporarily closed schools on Thursday while responding to the incident.

The Bad

Last week it was iOS, this week it’s Android’s turn. Around 50% of all Android smartphones in use (those from vendors Huawei, LG, Samsung and Sony) allow attackers to easily trick users into changing their phone settings to route internet traffic through a man-in-the-middle proxy. Attackers are able to send over-the-air (OTA) provisioning profiles through phishing messages that can appear to come from the user’s network provider. The provisioning profiles, once installed, allow attackers to change settings for the device’s MMS message server, proxy address, email server and browser homepage, among other things. While Huawei, LG and Samsung have either addressed the issue or plan to, the researchers reported that Sony has refused to acknowledge the vulnerability.

The Ugly

There is nothing worse for a security product than to pave the way for malicious actors to gain entry into enterprise networks. That has happened in the past: back in 2013, Bit9 (later to become Carbon Black) had its code-signing certificate stolen, and it ended up signing malware used to bypass Bit9’s own whitelisting product. This week, it was revealed that Fortinet and Pulse Secure have been targeted by the Chinese threat group APT5, which is seeking to exploit vulnerabilities found in both companies’ products. A Black Hat presentation last month detailed bugs in their SSL VPN implementations. Despite the vendors having patched the vulnerabilities with urgency back in May and issuing a further reminder since the Black Hat conference, some of the 500,000+ organizations affected have left themselves open to attack by failing to keep up and patch in time.


Battlefield winner Forethought adds tool to automate support ticket routing

Last year at this time, Forethought won the TechCrunch Disrupt Battlefield competition. A $9 million Series A investment followed last December. Today at TechCrunch Sessions: Enterprise in San Francisco, the company introduced the latest addition to its platform, called Agatha Predictions.

Forethought CEO and co-founder Deon Nicholas said that after launching its original product, Agatha Answers (to provide suggested answers to customer queries), customers were asking for help with the routing part of the process, as well. “We learned that there’s a whole front end of that problem before the ticket even gets to the agent,” he said. Forethought developed Agatha Predictions to help sort the tickets and get them to the most qualified agent to solve the problem.

“It’s effectively an entire tool that helps triage and route tickets. So when a ticket is coming in, it can predict whether it’s a high-priority or low-priority ticket and which agent is best qualified to handle this question. And this all happens before the agent even touches the ticket. This really helps drive efficiencies across the organization by helping to reduce triage time,” Nicholas explained.

The original product (Agatha Answers) is designed to help agents get answers more quickly and reduce the amount of time it takes to resolve an issue. “It’s a tool that integrates into your Help Desk software, indexes your past support tickets, knowledge base articles and other [related content]. Then we give agents suggested answers to help them close questions with reduced handle time,” Nicholas said.

He says that Agatha Predictions is based on the same underlying AI engine as Agatha Answers. Both use Natural Language Understanding (NLU) developed by the company. “We’ve been building out our product, and the Natural Language Understanding engine, the engine behind the system, works in a very similar manner [across our products]. So as a ticket comes in the AI reads it, understands what the customer is asking about, and understands the semantics, the words being used,” he explained. This enables them to automate the routing and supply a likely answer for the issue involved.

Nicholas maintains that winning Battlefield gave his company a jump start and a certain legitimacy it lacked as an early-stage startup. Lots of customers came knocking after the event, as did investors. The company has grown from five employees when it launched last year at TechCrunch Disrupt to 20 today.

Newly renamed Superside raises $3.5M for its outsourced design platform

Superside, a startup aiming to create a premium alternative to the existing crowdsourced design platforms, is announcing that it has raised $3.5 million in new funding.

It’s also adding new features like the ability to work on user interfaces, interaction design and motion graphics. Co-founder and CEO Fredrik Thomassen said this allows the company to offer “a full-service design solution.”

You may have heard about Superside under its old name, Konsus. In a blog post, Thomassen explained the recent change in name and branding, writing, “We changed our name and look to align with what we had become: The world’s top team of international designers and creatives.”

He told me Superside was created to address his own frustrations after trying to use marketplaces like 99designs and Fiverr. He argued that there’s a problem with “adverse selection on those platforms.” In other words, “The best people … don’t remain, because they don’t have a career path — they’re fighting with other freelancers to get the jobs.”

Superside, on the other hand, is picky about the designers it works with — it claims to select 100 designers from the more than 50,000 applications it receives each year. But if they are accepted, they’re guaranteed full-time work.

Thomassen said the platform is built for large enterprises that have their own design and marketing teams but still need additional support. Customers include Uber, LinkedIn, L’Oréal, Cisco, Santander, Amazon, Walmart, Tiffany & Co., Hewlett Packard and Airbus.

In addition to choosing good designers, Superside also built a broader project management platform.

“We’re basically automating everything: Finding people, screening people, on-boarding, on-the-job learning, invoicing of customers, project management, all of the nitty gritty,” Thomassen said. “The only thing not automated is design — that’s where the human element and the creativity come in.”

Plus, Thomassen said Superside can turn around a standard piece of artwork in 12 hours: “Nobody else can do what we’re doing in terms of speed.”

The new funding comes from Freestyle Capital, with participation from High Alpha Ventures, Y Combinator and Alliance Ventures.

“We’re very much a mission-driven company,” Thomassen added. “For me, the reason to go to work in the morning is to help build an online labor market and create equal economic opportunity for everyone in the world.”