Customer data platform ActionIQ raises $32M

ActionIQ co-founder and CEO Tasso Argyros knows that there are plenty of companies promising to help businesses use their customer data to deliver personalized experiences — as he put it, “The space has gotten very, very hot over the last couple of years.”

But in the face of growing competition, ActionIQ (founded in 2014 and headquartered in New York) has attracted some impressive customers like The New York Times, Conde Nast, American Eagle Outfitters, Vera Bradley and Pandora Media, as well as high-profile investors like Sequoia Capital and Andreessen Horowitz.

Today, it’s announcing that it has raised $32 million in Series C funding.

“At this point, we believe we are four to five years ahead of the market,” Argyros told me. “[Customer data platforms are] very hot, you see people really jumping into it, but nobody really has a product.”

He attributed the rise of these platforms to the growth in customer acquisition costs: “Everybody’s switched their focus from ‘How do we acquire more customers?’ to ‘How do you grow lifetime value?’”

The key, Argyros said, is “delivering personalized experiences at scale.” So if you’re a business trying to understand which customers need to be convinced to stick around, which customers are ready to upgrade to a paid subscription and so on, you need a platform like ActionIQ: “What’s common about all these questions is that they’re all data questions.”

He described ActionIQ’s approach as “product-first,” creating self-serve tools for enterprises rather than relying on consulting or IT services, and he said the product is designed to “drive intelligent actions activated through any channel.”

Argyros contrasted this approach with the large marketing clouds, where he said that stitching together products from various acquisitions has led to “a huge data gap between what marketing clouds promise and what they can actually deliver.” And he said other customer data platforms are limited to bringing the data together — but “just putting customer data in one place, that doesn’t mean business can use the customer data to drive value.”

March Capital Partners led the round, with participation from Cisco Ventures, as well as previous investors Sequoia, Andreessen and FirstMark Capital. Meredith Finn, a partner at March, is joining ActionIQ’s board of directors.

“From my professional experience at Salesforce and Twitter, when it comes to building a relationship with your customers, data is everything,” Finn said in a statement. “ActionIQ took a data-first approach from day one in contrast to many vendors that are now scrambling to address their data gaps by duct taping data infrastructure to their existing point solutions. … The potential of such a platform is limitless, and spans well beyond traditional marketing channels to other areas of customer interactions including web and mobile app experiences, customer support, and sales.”

ActionIQ has now raised a total of $75 million in funding. And while the Series C isn’t significantly larger than the $30 million that ActionIQ raised in 2017, Argyros said the company didn’t need to raise a huge round this time around, because it’s already built out the core product.

“A lot of dollars were invested heavily in the product way before the demand was there,” he said. “The Series B was pretty significant because there was so much upfront product investment. … Most of these funds are going towards expanding the business in sales and marketing.”

Former Docker CEO Steve Singh joins Madrona

Madrona Venture Group announced today that it has hired former Docker CEO Steve Singh as a managing director at the firm.

Singh stepped down as CEO of Docker last May, and Seattle-based Madrona seems like a logical landing spot. He is a long-time resident of Seattle, and has been working behind the scenes with Madrona for many years as a strategic director and angel investor, according to the firm.

Singh says that while there are a number of areas he’s interested in, he wants to concentrate on intelligent applications in the enterprise. “While there are a number of broad themes we are excited about, I am particularly passionate about the potential of intelligent applications to transform business and our lives. Next generation, cloud-native application companies such as Clari, HighSpot, and Amperity, have incredible opportunities to solve large scale business challenges and become multi-billion-dollar businesses,” he said in a statement.

He certainly has broad enterprise experience. Beyond Docker, he was chairman and CEO at Concur for more than 20 years, and oversaw the company’s sale to SAP in 2014 for a hefty $8.3 billion. In addition, he sits on a variety of boards including Clari, Talend, DocuSign and others.

Holger Mueller, an analyst with Constellation Research, says it was clear Singh wouldn’t stay on the sidelines for long with “Retired” on his LinkedIn profile. “Given Singh’s experience and connections, we expect him to be a force to be reckoned with in the VC space,” he told TechCrunch.

Singh joins S. Somasegar, a former corporate vice president at Microsoft, and Hope Cochran, a long-time CFO who helped take a couple of companies public, as managing directors added at the firm in recent years.

Madrona is celebrating its 25th anniversary in business this year, and can boast that one of its earliest investments was a Series A for a little Seattle startup called Amazon.

Kadena fulfills hybrid blockchain vision with launch of public chain

For the last few years, blockchain startup Kadena has been working on a vision of bringing blockchain to the enterprise. Today it announced the final piece of that vision with the launch of the Kadena public blockchain.

In earlier releases, the company offered the ability to build private blockchains on AWS or Azure. Company co-founder and CEO Will Martino says the public network brings together public and private chains in a hybrid vision for the first time.

“The big exciting thing is that the public chain is out, smart contracts are about to turn on, and that allows us to then go and hit the market with what we’re calling these hybrid applications. These are applications that run both on a private blockchain, but have public smart contracts that allow people on the public side to interact with the private chain,” Martino explained.

The smart contracts are a set of rules that must be met and validated for the private and public chains to interact. Only valid actors and actions as defined in the smart contract will be allowed to move between the two chains.

Overcoming scaling issues

One of the major challenges with building a chain like this has been scaling it to meet the needs of enterprise users. Martino says that his company has solved this problem and can scale from the 10 chains today to 10,000 or more in the future as the company grows. He further claims that his company is the only one with a tractable roadmap capable of achieving this.

Martino says this could help push companies who have been dabbling in blockchain technology in the last couple of years to take a bigger leap. “This is a watershed moment for enterprises. Up until now, they’ve never had a platform that they could go and use on a public blockchain platform and know that it’s going to have the throughput they need if the product they deployed on that blockchain has legs and starts to take off.” Martino says this blockchain has that.

Kadena public blockchain in action.

Kadena has also developed an open source smart contract language called Pact that Martino says allows a lawyer with Excel-level programming understanding to write these contracts and place them on the chain.

“There are a lot of lawyers who are good with Excel, so you can actually hand the smart contracts to a lawyer and have them review them for compliance. And that’s a crazy idea but we think it’s fundamental because when you’re representing core business workflows that are sensitive, you need to be absolutely certain they are compliant.”

Show me the money

The company is making all of the basic pieces available for free. That includes the private chain development tools on AWS and Azure, the public chain released today along with the Pact smart contract language.

Martino says that there are a couple of ways for the business to make money. For starters, it’s building partnerships in which it helps companies in various sectors, from financial services to insurance and healthcare, build viable hybrid applications on the Kadena blockchain. When they make money, so will Kadena.

Secondly, they control a bushel of tokens on their public network, which have value, and if the vision comes to fruition, will have much more over time. They will be able to sell some of these tokens on the public market and make money. Right now he says the tokens have a value of between 20 cents and a dollar, but he expects that to increase as the network becomes more viable.

The blockchain has lost some of its luster as it has moved through the enterprise hype cycle in recent years, but if Kadena can succeed in building a fully decentralized, scalable blockchain, it could help push the technology deeper into the enterprise.

Patch Tuesday, January 2020 Edition

Microsoft today released updates to plug 50 security holes in various flavors of Windows and related software. The patch batch includes a fix for a flaw in Windows 10 and server equivalents of this operating system that prompted an unprecedented public warning from the U.S. National Security Agency. This month also marks the end of mainstream support for Windows 7, a still broadly used operating system that will no longer be supplied with security updates.

As first reported Monday by KrebsOnSecurity, Microsoft addressed a severe bug (CVE-2020-0601) in Windows 10 and Windows Server 2016/19 reported by the NSA that allows an attacker to spoof the digital signature tied to a specific piece of software. Such a weakness could be abused by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

An advisory (PDF) released today by the NSA says the flaw may have far more wide-ranging security implications, noting that the “exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities.”

“NSA assesses the vulnerability to be severe and that sophisticated cyber actors will understand the underlying flaw very quickly and, if exploited, would render the previously mentioned platforms as fundamentally vulnerable,” the advisory continues. “The consequences of not patching the vulnerability are severe and widespread.”

Matthew Green, an associate professor in the computer science department at Johns Hopkins University, said the flaw involves an apparent implementation weakness in a component of recent Windows versions responsible for validating the legitimacy of authentication requests for a panoply of security functions in the operating system.

Green said attackers can use this weakness to impersonate everything from trusted Web sites to the source of software updates for Windows and other programs.

“Imagine if I wanted to pick the lock in your front door,” Green analogized. “It might be hard for me to come up with a key that will open your door, but what if I could tamper with or present both the key and the lock at the same time?”

Kenneth White, security principal at the software company MongoDB, equated the vulnerability to a phone call that gets routed to a party you didn’t intend to reach.

“You pick up the phone, dial a number and assume you’re talking to your bank or Microsoft or whomever, but the part of the software that confirms who you’re talking to is flawed,” White said. “That’s pretty bad, especially when your system is saying download this piece of software or patch automatically and it’s being done in the background.”

Both Green and White said it likely will be a matter of hours or days before security researchers and/or bad guys work out ways to exploit this bug, given the stakes involved. Indeed, already this evening KrebsOnSecurity has seen indications that people are teasing out such methods, which will likely be posted publicly online soon.

According to security vendor Qualys, only eight of the 50 flaws fixed in today’s patch roundup from Microsoft earned the company’s most dire “critical” rating, a designation reserved for bugs that can be exploited remotely by malware or miscreants to seize complete control over the target computer without any help from users.

Once again, some of those critical flaws include security weaknesses in the way Windows implements Remote Desktop connections, a feature that allows systems to be accessed, viewed and controlled as if the user was seated directly in front of the remote computer. Other critical patches include updates for the Web browsers and Web scripting engines built into Windows, as well as fixes for ASP.NET and the .NET Framework.

The security fix for the CVE-2020-0601 bug and others detailed in this post will be offered to Windows users as part of a bundle of patches released today by Microsoft. To see whether any updates are available for your Windows computer, go to the Start menu and type “Windows Update,” then let the system scan for any available patches.

Keep in mind that while staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re not losing your mind when the odd buggy patch causes problems booting the system. So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Today also marks the last month in which Microsoft will ship security updates for Windows 7 home/personal users. I count myself among some 30 percent of Windows users who still like and (ab)use this operating system in one form or another, and am sad that this day has come to pass. But if you rely on this OS for day-to-day use, it’s probably time to think about upgrading to something newer.

That might be a computer with Windows 10. Or maybe you have always wanted that shiny MacOS computer. If cost is a primary motivator and the user you have in mind doesn’t do much with the system other than browsing the Web, perhaps a Chromebook or an older machine with a recent version of Linux is the answer. Whichever system you choose, it’s important to pick one that fits the owner’s needs and provides security updates on an ongoing basis.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Google brings IBM Power Systems to its cloud

As Google Cloud looks to convince more enterprises to move to its platform, it needs to be able to give businesses an onramp for their existing legacy infrastructure and workloads that they can’t easily replace or move to the cloud. A lot of those workloads run on IBM Power Systems with their Power processors, and, until now, IBM was essentially the only vendor that offered cloud-based Power systems. Now, however, Google is also getting into this game by partnering with IBM to launch IBM Power Systems on Google Cloud.

“Enterprises looking to the cloud to modernize their existing infrastructure and streamline their business processes have many options,” writes Kevin Ichhpurani, Google Cloud’s corporate VP for its global ecosystem, in today’s announcement. “At one end of the spectrum, some organizations are re-platforming entire legacy systems to adopt the cloud. Many others, however, want to continue leveraging their existing infrastructure while still benefiting from the cloud’s flexible consumption model, scalability, and new advancements in areas like artificial intelligence, machine learning, and analytics.”

Power Systems support obviously fits in well here, given that many companies use them for mission-critical workloads based on SAP and Oracle applications and databases. With this, they can take those workloads and slowly move them to the cloud, without having to re-engineer their applications and infrastructure. Power Systems on Google Cloud is obviously integrated with Google’s services and billing tools.

This is very much an enterprise offering, without a published pricing sheet. Chances are, given the cost of a Power-based server, you’re not looking at a bargain per-minute price here.

Because IBM has its own cloud offering, it’s a bit odd to see it work with Google to bring its servers to a competing cloud — though it surely wants to sell more Power servers. The move makes perfect sense for Google Cloud, though, which is on a mission to bring more enterprise workloads to its platform. Any roadblock the company can remove works in its favor, and, as enterprises get comfortable with its platform, they’ll likely bring other workloads to it over time.

Enterprise Security | What Precautions Should You Take Against the Threat of Iranian APTs?

Following the recent U.S. air strike on Iranian IRGC-Quds Force commander Qassem Soleimani and retaliatory missile strikes by the IRGC on two U.S. and coalition air bases in Iraq, there is widespread concern that organizations may face heightened cyber security threats at this time.

Although there is no current information indicating a specific, credible threat to U.S. organizations in the wake of the recent hostilities, there is no doubt that Iran-backed APTs have the intent and capability to conduct operations in the United States. Iran maintains a robust cyber warfare program that can execute attacks capable, at the minimum, of temporary disruptive effects against U.S. businesses and critical U.S. infrastructure.

In light of the current situation, Sentinel Labs has published an Iran Cyber-Response Bulletin. Here’s a summary of the main things to be aware of to keep your business safe.


What Do We Know About Iran’s Cyber Capabilities?

Previous cyber attacks attributed to Iran range from older commodity malware like DarkComet to highly evasive and destructive wipers and tools such as Shamoon and the more recent ZeroCleare malware. Here’s a short chronology of attacks seen over the last six to seven years.

Iran and Distributed Denial of Service Attacks

Between 2011 and 2013, Distributed Denial of Service attacks were used against websites belonging to 46 U.S. banks, preventing customers from accessing or servicing their accounts online. The fallout from this attack cost these banks millions of dollars. The US Department of Justice indicted seven Iranian nationals in March 2016 for conducting the attacks on behalf of the IRGC.

An Attack on US Infrastructure

In the fall of 2013, an individual accessed supervisory control and data acquisition (SCADA) systems at the Bowman Avenue Dam in Westchester County, obtaining sensitive information critical to the operation of the dam. The US DoJ indicted an Iranian national for illegally accessing the dam and the data. The attack was believed to be connected to the DDoS attacks conducted against US banks.

All Bets Are Off in Iranian Attack on Las Vegas Casino

In 2014, an attack on the Sands Las Vegas Corporation first exfiltrated data, including credit card numbers, driver’s license numbers and Social Security numbers, before wiping the corporation’s computer systems. The U.S. Director of National Intelligence attributed the attack to Iran.

Iranian Nationals Accused of IP and Credential Theft

Spanning a three-year period from 2013 to 2017, hundreds of U.S. and foreign academic institutions, as well as a large number of private sector companies, were targeted in thefts of email credentials and intellectual property. Nine Iranian nationals, believed to be part of an APT known as ‘Cobalt Dickens’ and ‘Secret Librarian’, were indicted by the US DoJ in March 2018 for the attacks.

Iranian APT Attacks in 2019

The Deadwood family of wiper malware was used against specific targets in Saudi Arabia during mid-2019. Microsoft analysts attributed the attack to Iran’s highly active APT33. In December 2019, the ZeroCleare wiper malware was found to have been used in multiple attacks against targets including Middle Eastern energy companies and firms in the industrial sector. IBM researchers attributed the attack to Iranian group APT34. The same group responsible for attacks on academic institutions in 2017 and earlier is also thought to have been active in 2019.

What Extra Precautions Can You Take?

Current SentinelOne Endpoint Protection users are protected against TTPs associated with known Iranian-based threat actors. Full detection and prevention is available in the current agents for known malware and tools associated with the campaigns and groups noted above. Behavioral AI engines provide an additional layer of protection against “fileless”, living-off-the-land (LOTL) and other behavior-based events.

In addition, given the current climate, it’s an apt time to fortify defenses, and organizations should consider the following supplementary recommendations:

Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that must stay open, monitor them for suspicious, ‘command & control’-like activity.

Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’. Learn more from Microsoft.

Set policies to alert on new hosts joining the network. To reduce the possibility of ‘rogue’ devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.

Back up now, and test your recovery process for business continuity. It is easy to let backup policies slide, or to fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and/or cold sites.

Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures.

Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks.
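As an added illustration of the PowerShell logging recommendation above (this script is not part of the SentinelOne bulletin), the following code reports the policy registry values that correspond to ‘Script Block Logging’ and module logging, sets them when run with administrative rights, switches the machine-wide execution policy to require signed scripts, and pulls recent script block events (event ID 4104) from the PowerShell Operational log. The function names are this example’s own; the registry paths, value names and event ID are the ones Group Policy and the PowerShell engine actually use.

```powershell
# Added example, not from the SentinelOne bulletin.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, run elevated.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# The two policy values Group Policy writes for "Turn on PowerShell Script Block
# Logging" and "Turn on Module Logging".
$settings = @(
    @{ Key = "$policyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 }
    @{ Key = "$policyRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 }
)

# Report whether each logging policy is currently enabled on this host.
function Get-PowerShellLoggingState {
    foreach ($s in $settings) {
        $current = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{
            Setting = $s.Name
            Enabled = ($current -eq $s.Value)
            Path    = $s.Key
        }
    }
}

# Enable both policies. Supports -WhatIf so the change can be previewed first.
function Enable-PowerShellLogging {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($s in $settings) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        if ($PSCmdlet.ShouldProcess($s.Key, "Set $($s.Name)=$($s.Value)")) {
            Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
        }
    }
    # Module logging also needs the list of modules to log; '*' means all of them.
    $moduleNames = "$policyRoot\ModuleLogging\ModuleNames"
    if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($moduleNames, 'Set ModuleNames=*')) {
        New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null
    }
}

# Require signed scripts machine-wide (the "code signing" part of the recommendation).
function Enable-SignedScriptsOnly {
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

# Once script block logging is on, each executed block is recorded as event 4104;
# the script text is the third property of the event.
function Get-RecentScriptBlockEvents {
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Properties[2].Value } }
}

Get-PowerShellLoggingState | Format-Table -AutoSize
# Enable-PowerShellLogging -WhatIf   # preview; run without -WhatIf to apply
# Enable-SignedScriptsOnly
# Get-RecentScriptBlockEvents -Count 10
```

Two practical notes: the execution policy is a safety feature rather than a security boundary, so the value of AllSigned is in forcing your own tooling to be signed and in making unsigned scripts stand out in the 4104 events, not in blocking a determined attacker; and 4104 events are only as useful as the place they are forwarded to, so ship the Operational log to your SIEM rather than leaving it on the endpoint.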

Conclusion

Cybersecurity plays a mission-critical role in your organization and in society at large. High-profile attacks believed to be orchestrated by Iran have in the past targeted the energy industry, financial services and government facilities. Defense, communications, healthcare and manufacturing have also been targeted by threat actor groups with links to Iran, and this was all before the current increased tensions. Whether we will see a “proxy war” fought out in cyberspace as a result of the current political climate remains to be seen, but it makes good sense for organizations to adopt what preventative measures they can sooner rather than later.


Atrium lays off lawyers, explains pivot to legal tech

Seventy-five-million-dollar-funded legal services startup Atrium doesn’t want to be the next company to implode as the tech industry tightens its belt and businesses chase margins instead of growth via unsustainable economics. That’s why Atrium is laying off most of its in-house lawyers.

Now, Atrium will focus on its software for startups navigating fundraising, hiring and collaborating with lawyers. Atrium plans to ramp up its startup advising services. And it’s also doubling down on its year-old network of professional service providers that help clients navigate day-to-day legal work. Atrium’s laid-off attorneys will be offered spots as preferred providers in that network if they start their own firm or join another.

“It’s a natural evolution for us to create a sustainable model,” Atrium co-founder and CEO Justin Kan tells TechCrunch. “We’ve made the tough decision to restructure the company to accommodate growth into new business services through our existing professional services network,” Kan wrote on Atrium’s blog. He wouldn’t give exact figures, but confirmed that more than 10 but fewer than 50 staffers are impacted by the change, with Atrium having a headcount of 150 as of June.

The change could make Atrium more efficient by keeping fewer expensive lawyers on staff. However, it could weaken its $500 per month Atrium membership, which included some services from its in-house lawyers that might be more complicated for clients to get through its professional network. Atrium will also now have to prove that its client-lawyer collaboration software can survive in the market with firms paying for it, rather than it being bundled with its in-house lawyers’ services.

“We’re making these changes to move Atrium to a sustainable model that provides high-quality services to our clients. We’re doing it proactively because we see the writing on the wall that it’s important to have a sustainable business,” Kan says. “That’s what we’re doing now. We don’t anticipate any disruption of services to clients. We’re still here.”

Justin Kan (Atrium) at TechCrunch Disrupt SF 2017

Founded in 2017, Atrium promised to merge software with human lawyers to provide quicker and cheaper legal services. Its technology can help automatically generate fundraising contracts, hiring offers and cap tables for startups while using machine learning to recommend procedures and clauses based on anonymized data from its clients. It also serves like a Dropbox for legal, organizing all of a startup’s documents to ensure everything’s properly signed and teams are working off the latest versions without digging through email.

The $500 per month Atrium membership offered this technology plus limited access to an in-house startup lawyer for consultation, plus access to guide books and events. Clients could pay extra if they needed special help such as with finalizing an acquisition deal, or access to its Fundraising Concierge service for aid with developing a pitch and lining up investor meetings.

Kan tells me Atrium still has some in-house lawyers on staff, which will help it honor all its existing membership contracts and power its new emphasis on advising services. He wouldn’t say if Atrium is paid any equity for advising, or just cash. The membership plan may change for future clients, so lawyer services are provided through its professional network instead.

“What we noticed was that Atrium has done a really good job of building a brand with startups. Often what they wanted from attorneys was…advice on ‘how to set my company up,’ ‘how to set my sales and marketing team up,’ ‘how to get great terms in my fundraising process,’ ” so Atrium is pursuing advising, Kan tells me. “As we sat down to look at what’s working and what’s not working, our focus has been to help founders with their super-hero story, connect them with the right providers and advisors, and then helping quarterback everything you need with our in-house specialists.”

LawSites first reported Saturday that Atrium was laying off in-house lawyers. A source tells TechCrunch that Atrium’s lawyers only found out a week ago about the changes, and they’ve been trying to pitch Atrium clients on working with them when they leave. One Atrium client said they weren’t surprised by the changes because they got so much legal advice for just $500 per month, which they suspected meant Atrium was losing money on the lawyers’ time as it was so much less expensive than competitors. They also said these cheap legal services rather than the software platform were the main draw of Atrium, and they’re unsure if the tech on its own is valuable enough.

One concern is that Atrium might not learn as quickly about which services to translate into software if it doesn’t have as many lawyers in-house. But Kan believes third-party lawyers might be more clear and direct about what they need from legal technology. “I feel like having a true market for the software you’re building is better than having an internal market,” he says. “We get feedback from the outside firms we work with. I think in some ways that’s the most valuable feedback. I think there’s a lot of false signals that can happen when you’re both the employer and the supplier.”

It was critical for Atrium to correct course before getting any bigger, given the fundraising problems hitting late-stage startups with poor economics in the wake of the WeWork debacle and SoftBank’s troubles. Atrium had raised a $10.5 million Series A in 2017 led by General Catalyst alongside Kleiner, Founders Fund, Initialized and Kindred Ventures. Then in September 2018, it scored a huge $65 million Series B led by Andreessen Horowitz.

Raising even bigger rounds might have been impossible if Atrium was offering consultations with lawyers at far below market rate. Now it might be in a better position to attract funding. But the question is whether clients will stick with Atrium if they get less access to a lawyer for the same price, and whether the collaboration platform is useful enough for outside law firms to pay for.

Kan had gone through tough pivots in the past. He had strapped a camera to his head to create content for his live-streaming startup Justin.tv, but wisely recentered on the 3% of users letting people watch them play video games. Justin.tv became Twitch and eventually sold to Amazon for $970 million. His on-demand personal assistant startup Exec had to switch to just cleaning in 2013 before shutting down due to rotten economics.

Rather than deny the inevitable and wait until the last minute, with Atrium Kan tried to make the hard decision early.

Equinix is acquiring bare metal cloud provider Packet

Equinix announced today that it is acquiring bare metal cloud provider Packet. The New York City startup had raised over $36 million on a $100 million valuation, according to Pitchbook data.

Equinix has a set of data centers and co-location facilities around the world. Companies that want more control over their hardware can use its services, including space, power and cooling systems, instead of running their own data centers.

Equinix is getting a unique cloud infrastructure vendor in Packet, one that can provide more customized kinds of hardware configurations than you can get from the mainstream infrastructure vendors like AWS and Azure.

Interestingly, Packet COO George Karidis came over from Equinix when he joined the company, so there is a connection there. Karidis described his company in a September 2018 TechCrunch article:

“We offer the most diverse hardware options,” he said. That means they could get servers equipped with Intel, ARM, AMD or with specific nVidia GPUs in whatever configurations they want. By contrast, public cloud providers tend to offer a more off-the-shelf approach. It’s cheap and abundant, but you have to take what they offer, and that doesn’t always work for every customer.

In a blog post announcing the deal, company co-founder and CEO Zachary Smith had a message for his customers, who may be worried about the change in ownership, “When the transaction closes later this quarter, Packet will continue operating as before: same team, same platform, same vision,” he wrote.

He also offered the standard value story for a deal like this, saying the company could scale much faster under Equinix than it could on its own, with access to its new parent’s massive resources, including 200+ data centers in 55 markets and 1,800 networks.

Sara Baack, chief product officer at Equinix, says bringing the two companies together will provide a diverse set of bare metal options for customers moving forward. “Our combined strengths will further empower companies to be everywhere they need to be, to interconnect everyone and integrate everything that matters to their business,” she said in a statement.

While the companies did not share the purchase price, they did hint that they would have more details on the transaction after it closes, which is expected in the first quarter this year.

Phishing for Apples, Bobbing for Links

Anyone searching for a primer on how to spot clever phishing links need look no further than those targeting customers of Apple, whose brand by many measures remains among the most-targeted. Past stories here have examined how scammers working with organized gangs try to phish iCloud credentials from Apple customers who have a mobile device that is lost or stolen. Today’s piece looks at the well-crafted links used in some of these lures.

KrebsOnSecurity heard from a reader in South Africa who recently received a text message stating his lost iPhone X had been found. The message addressed him by name and said he could view the location of his wayward device by visiting the link https://maps-icloud[.]com — which is most definitely not a legitimate Apple or iCloud link and is one of countless domains spoofing Apple’s “Find My” service for locating lost Apple devices.

While maps-icloud[.]com is not a particularly convincing phishing domain, a review of the Russian server where that domain is hosted reveals a slew of far more persuasive links spoofing Apple’s brand. Almost all of these use encryption certificates (their links start with “https://”) and begin with the subdomains “apple.” or “icloud.” followed by a domain name starting with “com-”.

Here are just a few examples (the phishing links in this post have been hobbled with brackets to keep them from being clickable):

apple.com-support[.]id
apple.com-findlocation[.]id
apple.com-sign[.]in
apple.com-isupport[.]in
icloud.com-site-log[.]in

Savvy readers here no doubt already know this, but to find the true domain referenced in a link, look to the right of “http(s)://” until you encounter the first forward slash (/). The domain directly to the left of that first slash is the true destination; anything that precedes the second dot to the left of that first slash is a subdomain and should be ignored for the purposes of determining the true domain name.

For instance, in the case of the imaginary link below, example.com is the true destination, not apple.com:

https://www.apple.com.example.com/findmyphone/

Of course, any domain can be used as a redirect to any other domain. Case in point: Targets of the phishing domains above who are undecided on whether the link refers to a legitimate Apple site might seek to load the base domain into a Web browser (minus the customization in the remainder of the link after the first forward slash). To assuage such concerns, the phishers in this case will forward anyone visiting those base domains to Apple’s legitimate iCloud login page (icloud.com).
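The "look left of the first slash" rule above, as an added example that is not part of the original post: a small Python helper that strips the defanging brackets, extracts the host, and returns the true registrable domain, then flags links whose host name-drops the brand while pointing elsewhere. The allow-list of legitimate brand domains and the short list of two-label public suffixes (where the two-label rule would otherwise misfire) are assumptions for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the brand's own registrable domains.
LEGIT_DOMAINS = {"apple.com", "icloud.com"}

# The article's rule keeps the last two labels. That misfires on "co.uk"-style
# suffixes; a production tool would consult the Public Suffix List. A few such
# suffixes are hard-coded here as an assumption so the example handles the edge case.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.za"}


def unhobble(link: str) -> str:
    """Turn a defanged link such as 'apple.com-support[.]id' back into a parseable one."""
    return link.strip().replace("[.]", ".")


def host_of(link: str) -> str:
    """Everything between 'http(s)://' and the first '/', lower-cased; bare hosts are allowed."""
    link = unhobble(link)
    if "://" not in link:
        link = "http://" + link
    return (urlsplit(link).hostname or "").rstrip(".")


def true_domain(link: str) -> str:
    """The registrable domain the link really resolves to: the host's last two labels,
    or three when the last two form a known multi-label public suffix."""
    labels = host_of(link).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_brand_spoof(link: str, brand_words=("apple", "icloud")) -> bool:
    """True when the host mentions the brand but the true domain is not the brand's own."""
    host = host_of(link)
    return true_domain(link) not in LEGIT_DOMAINS and any(w in host for w in brand_words)


if __name__ == "__main__":
    # Constructed inputs: the post's hobbled lures plus one genuine iCloud link.
    for lure in ("apple.com-support[.]id", "icloud.com-site-log[.]in",
                 "https://www.apple.com.example.com/findmyphone/", "https://www.icloud.com/"):
        print(f"{lure:50} -> {true_domain(lure):18} spoof={looks_like_brand_spoof(lure)}")
```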

The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly. If you’re unsure whether the message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark so as to avoid potential typosquatting sites.

Cryptic Rumblings Ahead of First 2020 Patch Tuesday

Sources tell KrebsOnSecurity that Microsoft Corp. is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020.

According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles “certificate and cryptographic messaging functions in the CryptoAPI.” The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates.

A critical vulnerability in this Windows component could have wide-ranging security implications for a number of important Windows functions, including authentication on Windows desktops and servers, the protection of sensitive data handled by Microsoft’s Internet Explorer/Edge browsers, as well as a number of third-party applications and tools.

Equally concerning, a flaw in crypt32.dll might also be abused to spoof the digital signature tied to a specific piece of software. Such a weakness could be exploited by attackers to make malware appear to be a benign program that was produced and signed by a legitimate software company.

This component was introduced into Windows more than 20 years ago — back in Windows NT 4.0. Consequently, all versions of Windows are likely affected (including Windows XP, which is no longer being supported with patches from Microsoft).

Microsoft has not yet responded to requests for comment. However, KrebsOnSecurity has heard rumblings from several sources over the past 48 hours that this Patch Tuesday (tomorrow) will include a doozy of an update that will need to be addressed immediately by all organizations running Windows.

Update 7:49 p.m. ET: Microsoft responded, saying that it does not discuss the details of reported vulnerabilities before an update is available. The company also said it does “not release production-ready updates ahead of regular Update Tuesday schedule.” “Through our Security Update Validation Program (SUVP), we release advance versions of our updates for the purpose of validation and interoperability testing in lab environments,” Microsoft said in a written statement. “Participants in this program are contractually disallowed from applying the fix to any system outside of this purpose and may not apply it to production infrastructure.”

Original story:

Will Dormann, a security researcher who authors many of the vulnerability reports for the CERT Coordination Center (CERT-CC), tweeted today that “people should perhaps pay very close attention to installing tomorrow’s Microsoft Patch Tuesday updates in a timely manner. Even more so than others. I don’t know…just call it a hunch?” Dormann declined to elaborate on that teaser.

It could be that the timing and topic here (cryptography) is nothing more than a coincidence, but KrebsOnSecurity today received a heads up from the U.S. National Security Agency (NSA) stating that NSA’s Director of Cybersecurity Anne Neuberger is slated to host a call on Jan. 14 with the news media that “will provide advanced notification of a current NSA cybersecurity issue.”

The NSA’s public affairs folks did not respond to requests for more information on the nature or purpose of the discussion. The invitation from the agency said only that the call “reflects NSA’s efforts to enhance dialogue with industry partners regarding its work in the cybersecurity domain.”

Stay tuned for tomorrow’s coverage of Patch Tuesday and possibly more information on this particular vulnerability.

Update, Jan. 14, 9:20 a.m. ET: The NSA’s Neuberger said in a media call this morning that the agency did indeed report this vulnerability to Microsoft, and that this was the first time Microsoft will have credited NSA for reporting a security flaw. Neuberger said NSA researchers discovered the bug in their own research, and that Microsoft’s advisory later today will state that Microsoft has seen no active exploitation of it yet.

According to the NSA, the problem exists in Windows 10 and Windows Server 2016. Asked why the NSA was focusing on this particular vulnerability, Neuberger said the concern was that it “makes trust vulnerable.” The agency declined to say when it discovered the flaw, and said it would wait until Microsoft releases a patch for it later today before discussing further details of the vulnerability.