Salesforce announces new tools to boost developer experience on Commerce Cloud

Salesforce announced some new developer tools today, designed to make it easier for programmers to build applications on top of Commerce Cloud in what is known in industry parlance as a “headless” system.

What that means is that developers can separate the content from the design and management of the site, allowing companies to change either component independently.

To help with this goal, Salesforce announced some new and enhanced APIs that enable developers to take advantage of features built into the Commerce Cloud platform without having to build them from scratch. For instance, they could take advantage of Einstein, Salesforce’s artificial intelligence platform, to add elements like next-best actions to the site, the kind of intelligent functionality that would typically be out of reach of most developers.

Developers also often need to connect to other enterprise systems from their eCommerce site to share data with these tools. To fill that need, Salesforce is taking advantage of Mulesoft, the company it purchased almost two years ago for $6.5 billion. Using Mulesoft’s integration technology, Salesforce can help connect to other systems like ERP financial systems or product management tools and exchange information between the two systems.

Brent Leary, founder at CRM Essentials, whose experience with Salesforce goes back to its earliest days, says this is about giving developers the tools they need to create the same kind of integrated shopping experiences consumers have grown to expect from Amazon.

“These tools give developers real-time insights delivered at the ‘moment of truth’ to optimize conversion opportunities, and automate processes to improve ordering and fulfillment efficiencies. This should give developers in the Salesforce ecosystem what they need to deliver Amazon-like experiences while having to compete with them,” he said.

To help get customers comfortable with these tools, the company also announced a new Commerce Cloud Development Center to access a community of developers who can discuss and share solutions with one another, an SDK with code samples and Trailhead education resources.

Salesforce made these announcements as part of the National Retail Foundation (NRF) conference taking place in New York City this week.

Zebra’s SmartSight inventory robot keeps an eye on store shelves

How many times have you gone into a store and found the shelves need restocking of the very item you came in for? This is a frequent problem and it’s difficult, especially in larger retail establishments, to keep on top of stocking requirements. Zebra Technologies has a solution: a robot that scans the shelves and reports stock gaps to human associates.

The SmartSight robot is a hardware solution that roams the aisles of the store checking the shelves, using a combination of computer vision, machine learning, workflow automation and robotic capabilities. It can find inventory problems, pricing glitches and display issues. When it finds a problem, it sends a message to human associates via a Zebra mobile computer with the location and nature of the issue.

The robot takes advantage of Zebra’s EMA50 mobile automation technology and links to other store systems including inventory and online ordering systems. Zebra claims it increases available inventory by 95%, while reducing human time spent wandering the aisles to do inventory manually by an average of 65 hours.

While it will likely reduce the number of humans required to perform this type of task, Zebra’s Senior Vice President and General Manager of Enterprise Mobile Computing, Joe White, says it’s not always easy to find people to fill these types of positions.

“SmartSight and the EMA50 were developed to help retailers fully capitalize on the opportunities presented by the on-demand economy despite heightened competition and ongoing labor shortage concerns,” White said in a statement.

This is a solution that takes advantage of robotics to help humans keep store shelves stocked and find other issues. The SmartSight robot will be available on a subscription basis. That means retailers won’t have to worry about owning and maintaining the robot. If anything goes wrong, Zebra would be responsible for fixing it.

Samsung launches the rugged, enterprise-ready Galaxy XCover Pro

We got a bit of a surprise at the end of CES: some hands-on time with Samsung’s latest rugged phone for the enterprise, the Galaxy XCover Pro. The XCover Pro, which is officially launching today, is a mid-range $499 phone for first-line workers like flight attendants, construction workers or nurses.

It is meant to be very rugged but without the usual bulk that comes with that. With its IP68 rating, Military Standard 810 certification and the promise that it will survive a drop from 1.5 meters (4.9 feet) without a case, it should definitely be able to withstand quite a bit of abuse.

While Samsung is aiming this phone at the enterprise market, the company tells us that it will also sell it to individual customers.

As Samsung stressed during our briefing, the phone is meant for all-day use in the field, with a 4,050 mAh replaceable battery (yes, you read that right, you can replace the battery just like on phones from a few years ago). It’ll feature 4GB of RAM and 64GB of storage space, but you can extend that up to 512GB thanks to the built-in microSD slot. The 6.3-inch FHD+ screen won’t wow you, but it seemed perfectly adequate for most of the use cases. That screen, the company says, should work even in rain or snow and features a glove mode, too.

And while this is obviously not a flagship phone, Samsung still decided to give it a dual rear camera setup, with a standard 25MP sensor and a wide-angle 8MP sensor for those times where you might want to get the full view of a construction site, for example. On the front, there is a small cutout for a 13MP camera, too.

All of this is powered by a 2GHz octa-core Exynos 9611 processor, as one would expect from a Samsung mid-range phone, as well as Android 10.

Traditionally, rugged phones came with large rubber edges (or users decided to put even larger cases around them). The XCover Pro, on the other hand, feels slimmer than most regular phones with a rugged case on them.

By default, the phone features NFC support for contactless payments (the phone has been approved to be part of Visa’s Tap to Phone pilot program) and two programmable buttons so that companies can customize their phones for their specific use cases. One of the first partners here is Microsoft, which lets you map a button to its recently announced walkie talkie feature in Microsoft Teams.

“Microsoft and Samsung have a deep history of bringing together the best hardware and software to help solve our customers’ challenges,” said Microsoft CEO Satya Nadella in today’s announcement. “The powerful combination of Microsoft Teams and the new Galaxy XCover Pro builds on this partnership and will provide frontline workers everywhere with the technology they need to be more collaborative, productive and secure.”

The phone also supports Pogo pin charging and is compatible with third-party add-ons from a variety of partners, including Infinite Peripherals, KOAMTAC, Scandit and Visa, for attaching scanners, credit card readers and other peripherals.

No enterprise device is complete without security features, and the XCover Pro supports Samsung’s various Knox enterprise security tools. Access to the phone itself is controlled by both facial recognition and a fingerprint reader built into the power button.

With the Tab Active Pro, Samsung has long offered a rugged tablet for first-line workers. Not everybody needs a full-sized tablet, though, so the XCover Pro fills what Samsung clearly believes is a gap in the market that offers always-on connectivity in a smaller package and in the form of a phone that doesn’t look unlike a consumer device.

I could actually imagine that there are quite a few consumers who may opt for this device. For a while, the company made phones like the Galaxy S8 Active that traded weight and size for larger batteries and ruggedness. The XCover Pro isn’t officially a replacement for this program, but it may just find its fans among former Galaxy Active users.

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good

With missiles flying in the Middle East and everyone on high alert for new Iranian cyberwarfare activity, good news would appear to be in short supply as we come to the end of our first full week of 2020. Greeted with a somewhat lukewarm response, Facebook has announced a new ban on deepfake videos. The company says it will remove content that has both been manipulated to mislead viewers into believing that a subject “said words they did not actually say” and that is the product of machine learning. While the policy is welcome insofar as it goes, it doesn’t cover videos that remove or rearrange the order of words, nor does it include editing that isn’t generated by machine learning algorithms, both far more common ways of manipulating media. Nonetheless, we’ll still give Facebook a something out of ten for this as good news, particularly as the company has partnered with the Reuters news agency to provide a free course to help journalists and others identify and tackle manipulated media.

Meanwhile, Cisco kicked off the New Year by plugging 14 vulns, including two high severity flaws involving remote code execution (RCE) and cross-site request forgery (CSRF), which is good news for customers who patch often and patch early. The RCE bug affects the web-based management interface of Cisco’s Webex Video Mesh product and is caused by improper validation of user input.

The Bad

Patching vulns is good, but vulns being actively exploited in the wild are definitely bad news for victims and worrisome for everyone else. Mozilla this week announced a new version of its popular free Firefox browser, updating the latest stable release to 72.0 on January 7th. Hardly had users been given time to check out the list of new features when hard on its heels came a critical patch in 72.0.1 on January 8th. Mozilla gave few details, saying only that a bug designated as CVE-2019-17026 was the result of a type confusion in its JIT compiler. Not for the first time, an urgent update was required as the vuln was being actively exploited in targeted attacks in the wild. Adding to the worry is that the Chinese researchers credited with the discovery, Qihoo 360, posted and then shortly after deleted a tweet claiming to have found an associated Internet Explorer zero day also being actively exploited in the wild. More details on that as soon as they become available.

According to a statement on Monday, what appears to be a targeted ransomware attack hit elite German cycle maker Canyon over the holiday period, encrypting both software and servers. While there is no information about the amount of the ransom demanded or whether the company chose to pay, the company did say that “experts from the field of IT, forensics and cyber security were able to quickly analyze and control the attack”. The attack is expected to cost the company, at least in terms of lost production and missed delivery deadlines.

The Ugly

Insider threats always top our list of cybersecurity ugly, so Amazon and its controversial IoT Ring products are first up this week in news that, over a period of four years, a number of employees had been snooping on user videos. The company said that employees in Ukraine and other non-US locations had access to Ring video feeds from other employees, contractors and friends and family of employees and contractors, as well as Ring videos that any user chooses to make public but which may contain information they did not intend to be viewed. The company noted four incidents of employees accessing user video data that was not necessary for their job functions. Amazon says in each case the employees were terminated.

We’ve all seen vendors load bloatware onto retail PCs and smartphones before, but a vendor pre-installing unremovable malware on a low-cost phone funded by the U.S. government is something else. According to research posted this week, the $35 government-funded Unimax U686CL comes pre-installed with known riskware, associated with a developer the researchers say has been caught creating backdoors. It also carries its own “heavily obfuscated malware” within the phone’s Settings.app and drops malware the researchers dub “Android/Trojan.HiddenAds”. Removing the Settings.app effectively bricks the phone, so remediation is out of the question.

Alleged Member of Neo-Nazi Swatting Group Charged

Federal investigators on Friday arrested a Virginia man accused of being part of a neo-Nazi group that targeted hundreds of people in “swatting” attacks, wherein fake bomb threats, hostage situations and other violent scenarios were phoned in to police as part of a scheme to trick them into visiting potentially deadly force on a target’s address.

In July 2018, KrebsOnSecurity published the story Neo-Nazi Swatters Target Dozens of Journalists, which detailed the activities of a loose-knit group of individuals who had targeted hundreds of individuals for swatting attacks, including federal judges, corporate executives and almost three-dozen journalists (myself included).

A portion of the Doxbin, as it existed in late 2019.

An FBI affidavit unsealed this week identifies one member of the group as John William Kirby Kelley. According to the affidavit, Kelley was instrumental in setting up and maintaining the Internet Relay Chat (IRC) channel called “Deadnet” that was used by him and other co-conspirators to plan, carry out and document their swatting attacks.

Prior to his recent expulsion on drug charges, Kelley was a student studying cybersecurity at Old Dominion University in Norfolk, Va. Interestingly, investigators allege it was Kelley’s decision to swat his own school in late November 2018 that got him caught. Using the handle “Carl,” Kelley allegedly explained to fellow Deadnet members he hoped the swatting would get him out of having to go to class.

The FBI says Kelley used virtual private networking (VPN) services to hide his true Internet location and various voice-over-IP (VoIP) services to conduct the swatting calls. In the ODU incident, investigators say Kelley told ODU police that someone was armed with an AR-15 rifle and had placed multiple pipe bombs within the campus buildings.

Later that day, Kelley allegedly called ODU police again but forgot to obscure his real phone number on campus, and quickly apologized for making an accidental phone call. When authorities determined that the voice on the second call matched that from the bomb threat earlier in the day, they visited and interviewed the young man.

Investigators say Kelley admitted to participating in swatting calls previously, and consented to a search of his dorm room, wherein they found two phones, a laptop and various electronic storage devices.

The affidavit says one of the thumb drives included multiple documents that logged statements made on the Deadnet IRC channel, which chronicled “countless examples of swatting activity over an extended period of time.” Those included videos Kelley allegedly recorded of his computer screen which showed live news footage of police responding to swatting attacks while he and other Deadnet members discussed the incidents in real-time on their IRC forum.

The FBI believes Kelley also was linked to a bomb threat incident in November 2018 at the predominantly African American Alfred Baptist Church in Old Town Alexandria, an incident that led to the church being evacuated during evening worship services while authorities swept the building for explosives.

The FBI affidavit was based in part on interviews with an unnamed co-conspirator, who told investigators that he and the others on Deadnet IRC are white supremacists and sympathetic to the neo-Nazi movement.

“The group’s neo-Nazi ideology is apparent in the racial tones throughout the conversation logs,” the affidavit reads. “Kelley and other co-conspirators are affiliated with or have expressed sympathy for Atomwaffen Division,” an extremist group whose members are suspected of having committed multiple murders in the U.S. since 2017.

Investigators say on one of Kelley’s phones they found a photo of him and others in tactical gear holding automatic weapons next to pictures of Atomwaffen recruitment material and the neo-Nazi publication Siege.

As I reported last summer, several Deadnet members maintained a site on the Dark Web called the “Doxbin,” which listed the names, addresses, phone numbers and often known IP addresses, Social Security numbers, dates of birth and other sensitive information on hundreds of people — and in some cases the personal information of the target’s friends and family. After those indexed on the Doxbin were successfully swatted, a blue gun icon would be added next to the person’s name.

One of the core members of the group on Deadnet — an individual who used the nickname “Chanz,” among others — stated that he was responsible for maintaining SiegeCulture, a white supremacist Web site that glorifies the writings of neo-Nazi James Mason (whose various books call on followers to start a violent race war in the United States).

Deadnet chat logs obtained by KrebsOnSecurity show that another key swatting suspect on Deadnet who used the handle “Zheme” told other IRC members in March 2019 that one of his friends had recently been raided by federal investigators for allegedly having connections to the person responsible for the mass shooting in October 2018 at the Tree of Life Jewish synagogue in Pittsburgh.

At one point last year, Zheme also reminded denizens of Deadnet about a court hearing in the murder trial of Sam Woodward, an alleged Atomwaffen member who’s been charged with killing a 19-year-old gay Jewish college student.

As reported by this author last year, Deadnet members targeted dozens of journalists whose writings they considered threatening to their worldviews. Indeed, one of the targets successfully swatted by Deadnet members was Pulitzer prize winning columnist Leonard G. Pitts Jr., whose personal information as listed on the Doxbin was annotated with a blue gun icon and the label “anti-white race/politics writer.”

In another Deadnet chat log seen by this author, Chanz admits to calling in a bomb threat at the UCLA campus following a speech by Milo Yiannopoulos. Chanz bragged that he did it to frame feminists at the school for acts of terrorism.

On a personal note, I sincerely hope this arrest is just the first of many to come for those involved in swatting attacks related to Deadnet and the Doxbin. KrebsOnSecurity has obtained information indicating that several members of my family also have been targeted for harassment and swatting by this group.

Finally, it’s important to note that while many people may assume that murders and mass shootings targeting people because of their race, gender, sexual preference or religion are carried out by so-called “lone wolf” assailants, the swatting videos created and shared by Deadnet members are essentially propaganda that hate groups can use to recruit new members to their cause.

The Washington Post reports that Kelley had his first appearance in federal court in Alexandria, Va. on Friday.

“His public defender did not comment on the allegations but said his client has ‘very limited funds,’” The Post’s courts reporter Rachel Weiner wrote.

The charge against Kelley of conspiracy to make threats carries up to five years in prison. The affidavit in Kelley’s arrest is available here (PDF).

Insight Partners acquires data management company Veeam for $5B

Last year Insight Partners invested $500 million in cloud data management company Veeam. It apparently liked the company so much that today it announced it has acquired the Swiss startup for $5 billion.

Veeam helps customers with cloud data backup and disaster recovery. The company, which has been based in Baar, Switzerland, says that it had $1 billion in revenue last year. It boasts 365,000 customers worldwide, including 81% of the Fortune 500.

Ray Wang, founder and principal analyst at Constellation Research, says that data management is an increasingly important tool for companies working with data on prem and in the cloud. “This is a smart move, as the data management space is rapidly consolidating. There’s a lot of investment in managing hybrid clouds, and data management is key to enterprise adoption,” Wang told TechCrunch.

The deal is coming with some major changes. Veeam’s EVP of Operations, William H. Largent, will be promoted to CEO. Danny Allan, who was VP of product strategy, will be promoted to CTO. In addition, the company will be moving its headquarters to the U.S. Veeam currently has around 1,200 employees in the U.S., but expects to expand that in the coming year.

New CEO Allan says in spite of their apparent success in the market, and the high purchase price, he believes under Insight’s ownership, the company can go further than it could have on its own. “While Veeam’s preeminence in the data management space, currently supporting 81% of the Fortune 500, is undeniable, this commitment from Insight Partners and deeper access to its unmatched business strategy [from its scale-up] division, Insight Onsite, will bring Veeam’s solutions to more businesses across the globe.”

Insight Onsite is Insight Partners’ strategy arm that is designed to help its portfolio companies be more successful. It provides a range of services in key business areas, like sales, marketing and product development.

Veeam has backup and recovery tools for both Amazon Web Services and Microsoft Azure, along with partnerships with a variety of large enterprise vendors, including Cisco, IBM, Dell EMC and HPE.

The company, which was founded in 2006, had a valuation of more than $1 billion prior to today’s acquisition, according to Crunchbase data. The deal is expected to close in the first quarter this year.

Sisense nabs $100M at a $1B+ valuation for accessible big data business analytics

Sisense, an enterprise startup that has built a business analytics business out of the premise of making big data as accessible as possible to users — whether it be through graphics on mobile or desktop apps, or spoken through Alexa — is announcing a big round of funding today and a large jump in valuation to underscore its traction. The company has picked up $100 million in a growth round of funding that catapults Sisense’s valuation to over $1 billion, funding that it plans to use to continue building out its tech, as well as for sales, marketing and development efforts.

For context, this is a huge jump: The company was valued at only around $325 million in 2016 when it raised a Series E, according to PitchBook. (It did not disclose valuation in 2018, when it raised a venture round of $80 million.) It now has some 2,000 customers, including Tinder, Philips, Nasdaq and the Salvation Army.

This latest round is being led by the high-profile enterprise investor Insight Venture Partners, with Access Industries, Bessemer Venture Partners, Battery Ventures, DFJ Growth and others also participating. The Access investment was made via Claltech in Israel, and it seems that this led to some details of this getting leaked out as rumors in recent days. Insight is in the news today for another big deal: Wearing its private equity hat, the firm acquired Veeam for $5 billion. (And that speaks to a particular kind of trajectory for enterprise companies that the firm backs: Veeam had already been a part of Insight’s venture portfolio.)

Mature enterprise startups that have proven their business cases are going to be an ongoing theme in this year’s fundraising stories, and Sisense is part of that theme, with annual recurring revenues of over $100 million speaking to its stability and current strength. The company has also made some key acquisitions to boost its business, such as the acquisition of Periscope Data last year (coincidentally, also for $100 million, I understand).

Its rise also speaks to a different kind of trend in the market: In the wider world of business intelligence, there is an increasing demand for more digestible data in order to better tap advances in data analytics to use it across organizations. This was also one of the big reasons why Salesforce gobbled up Tableau last year for a slightly higher price: $15.7 billion.

Sisense, bringing in both sleek end user products but also a strong theme of harnessing the latest developments in areas like machine learning and AI to crunch the data and order it in the first place, represents a smaller and more fleet of foot alternative for its customers. “We found a way to make accessing data extremely simple, mashing it together in a logical way and embedding it in every logical place,” explained CEO Amir Orad to us in 2018.

“We have enjoyed watching the Sisense momentum in the past 12 months, the traction from its customers as well as from industry leading analysts for the company’s cloud native platform and new AI capabilities. That coupled with seeing more traction and success with leading companies in our portfolio and outside, led us to want to continue and grow our relationship with the company and lead this funding round,” said Jeff Horing, managing director at Insight Venture Partners, in a statement.

To note, Access Industries is an interesting backer which might also potentially shape up to be strategic, given its ownership of Warner Music Group, Alibaba, Facebook, Square, Spotify, Deezer, Snap and Zalando.

“Given our investments in market leading companies across diverse industries, we realize the value in analytics and machine learning and we could not be more excited about Sisense’s trajectory and traction in the market,” added Claltech’s Daniel Shinar in a statement.

How some founders are raising capital outside of the VC world

Hello and welcome back to our regular morning look at private companies, public markets and the gray space in between.

Today, we’re exploring fundraising from outside the venture world.

Founders looking to raise capital to power their growing companies have more options than ever. Traditional bank loans are an option, of course. As is venture capital. But between the two exists a growing world of firms and funds looking to put capital to work in young companies that have growing revenues and predictable economics.

Firms like Clearbanc are rising to meet demand for capital with more risk appetite than a traditional bank looking for collateral, but less than an early-stage venture firm. Clearbanc offers growth-focused capital to ecommerce and consumer SaaS companies for a flat fee, repaid out of future revenues. Such revenue-based financing is becoming increasingly popular; you could say the category has roots in the sort of venture debt that groups like Silicon Valley Bank have lent for decades, but there’s more of it than ever and in different flavors.

While revenue-based financing, speaking generally, is attractive to SaaS and ecommerce companies, other types of startups can benefit from alt-capital sources as well. And, some firms that disburse money to growing companies without an explicit equity stake are finding a way to connect capital to them.

Today, let’s take a quick peek at three firms that have found interesting takes on providing alternative startup financing: Earnest Capital with its innovative SEAL agreement, RevUp Capital, which offers services along with non-equity capital, and Capital, which both invests and loans using its own proprietary rubric.

After all, selling equity in your company to fund sales and marketing costs might not be the most efficient way to finance growth; if you know you are going to get $3 out from $1 in spend, why sell forever shares to do so?

Your options

Before we dig in, there are many players in what we might call the alt-VC space. Lighter Capital came up again and again in emails from founders. Indie.vc has its own model that is pretty neat as well. In honor of starting somewhere, however, we’re kicking off with Earnest, RevUp and Capital. We’ll dive into more players in time. (As always, email me if you have something to share.)

Lawmakers Prod FCC to Act on SIM Swapping

Crooks have stolen tens of millions of dollars and other valuable commodities from thousands of consumers via “SIM swapping,” a particularly invasive form of fraud that involves tricking a target’s mobile carrier into transferring someone’s wireless service to a device they control. But the U.S. Federal Communications Commission (FCC), the entity responsible for overseeing wireless industry practices, has so far remained largely silent on the matter. Now, a cadre of lawmakers is demanding to know what, if anything, the agency might be doing to track and combat SIM swapping.

On Thursday, a half-dozen Democrats in the House and Senate sent a letter to FCC Chairman Ajit Pai, asking the agency to require the carriers to offer more protections for consumers against unauthorized SIM swaps.

“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” reads the letter, signed by Sens. Ron Wyden (OR), Sherrod Brown (OH) and Edward Markey (MA), and Reps. Ted Lieu (CA), Anna Eshoo (CA) and Yvette Clarke (NY).

SIM swapping is an insidious form of mobile phone fraud that is often used to steal large amounts of cryptocurrencies and other items of value from victims. All too frequently, the scam involves bribing or tricking employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Once in control of the stolen phone number, the attacker can then reset the password for any online account that allows password resets and/or two-factor verification requests via text messages or automated phone calls (i.e. most online services, including many of the mobile carrier Web sites).

From there, the scammers can pivot in a variety of directions, including: plundering the victim’s financial accounts; hacking their identities on social media platforms; viewing the victim’s email and call history; and abusing that access to harass and scam their friends and family.

The lawmakers asked the FCC to divulge whether it tracks consumer complaints about fraudulent SIM swapping and number “port-outs,” which involve moving the victim’s phone number to another carrier. The legislators demanded to know whether the commission offers any guidance for consumers or carriers on this important issue, and if the FCC has initiated any investigations or taken enforcement actions against carriers that failed to secure customer accounts.

The letter also asks the FCC to say whether anything in federal regulations prevents mobile carriers from sharing with banks the date of a customer’s most recent SIM swap as a way to flag potentially suspicious login attempts — a method already used by financial institutions in other countries, including Australia, the United Kingdom and several nations in Africa.

“Some carriers, both in the U.S. and abroad, have adopted policies that better protect consumers from SIM swaps, such as allowing customers to add optional security protections to their account that prevent SIM swaps unless the customer visits a store and shows ID,” the letter continues. “Unfortunately, implementation of these additional security measures by wireless carriers in the U.S. is still spotty and consumers are not likely to find out about the availability of these obscure, optional security features until it is too late.”
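The control the letter describes, a bank using the carrier-reported date of the most recent SIM swap or port-out to decide whether an SMS code should still be trusted, can be sketched as a small risk check. The following is an added example written for this page; it is not code from any carrier, bank or the letter’s authors. The record layout, the phone numbers, the timestamps and the seven-day window are all constructed assumptions for illustration.

```python
"""Risk check for SMS-based verification after a recent SIM change.

Added example (not from the article or any carrier/bank): a bank-side
policy that consults a carrier-supplied record of the customer's most
recent SIM swap and port-out and refuses to rely on an SMS one-time code
while the phone number was recently moved. Record shape, numbers,
timestamps and the 7-day window are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy: SMS codes are untrusted for this long after a SIM change.
SIM_CHANGE_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class CarrierSignal:
    """What a carrier lookup returns for a phone number (assumed shape)."""
    last_sim_swap: Optional[datetime]   # None when the carrier has no record
    last_port_out: Optional[datetime]


@dataclass(frozen=True)
class Decision:
    allow_sms_otp: bool
    reason: str


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def signal_from_record(record: dict) -> CarrierSignal:
    """Build a CarrierSignal from a (constructed) carrier lookup record."""
    return CarrierSignal(
        last_sim_swap=parse_ts(record.get("last_sim_swap")),
        last_port_out=parse_ts(record.get("last_port_out")),
    )


def evaluate_sms_otp(signal: CarrierSignal, now: datetime) -> Decision:
    """Decide whether an SMS one-time code is acceptable as a second factor."""
    events = [("sim_swap", signal.last_sim_swap), ("port_out", signal.last_port_out)]
    for name, ts in events:
        if ts is None:
            continue
        age = now - ts
        if age < timedelta(0):
            # Clock skew or bad data: fail closed until the record is explained.
            return Decision(False, f"{name} timestamp is in the future")
        if age < SIM_CHANGE_WINDOW:
            return Decision(
                False,
                f"{name} {age.days} day(s) ago, within {SIM_CHANGE_WINDOW.days}-day window",
            )
    return Decision(True, "no recent SIM change reported by carrier")


# Constructed sample lookups keyed by phone number (not real carrier data).
NOW = datetime(2020, 1, 10, 15, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = {
    "+15550100": {"last_sim_swap": "2020-01-09T03:12:00Z", "last_port_out": None},
    "+15550101": {"last_sim_swap": "2019-06-01T10:00:00Z", "last_port_out": None},
    "+15550102": {"last_sim_swap": None, "last_port_out": "2020-01-11T00:00:00Z"},
}


def check_number(number: str, now: datetime = NOW) -> Decision:
    """Look up a number in the sample records and evaluate it; unknown numbers fail closed."""
    record = SAMPLE_RECORDS.get(number)
    if record is None:
        return Decision(False, "carrier has no record for number")
    return evaluate_sms_otp(signal_from_record(record), now)


if __name__ == "__main__":
    for number in list(SAMPLE_RECORDS) + ["+15550199"]:
        d = check_number(number)
        print(f"{number}: allow_sms_otp={d.allow_sms_otp} ({d.reason})")
```

When the check returns `allow_sms_otp=False`, the login flow would fall back to a factor that does not ride on the phone number (an authenticator app, a hardware key, or an in-branch check), which is exactly the gap the letter says U.S. carriers and banks are not yet closing consistently.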

The FCC did not immediately respond to requests for comment.

SIM SWAP (CRIM)INNOVATIONS

Legitimate SIM swaps are a common request for all carriers, and they usually happen when a customer has lost their mobile phone or when they need to upgrade to a newer model that requires a different-sized SIM card (the small, removable smart chip that ties the customer’s device to their phone number).

But unauthorized SIM swaps enable even low-skilled thieves to quickly turn a victim’s life upside down and wrest control over a great deal of their online identities and finances. What’s more, the security options available to wireless customers concerned about SIM swapping — such as personal identification number (PIN) codes — are largely ineffective against crooked or clueless mobile phone store employees.

A successful SIM swap may allow tormentors to access a victim’s email inbox even after the target has changed his or her password. For example, some email services allow customers to reset their passwords just by providing a piece of information that would likely only be known to the legitimate account holder, such as the month and year the account was created, or the name of a custom folder or label in the account previously created by the user.

One technique used by SIM swappers to regain access to hacked inboxes is to jot down this information once a SIM swap affords them the ability to reset the account’s password. Alternatively, SIM swappers have been known to create their own folders or labels in the hacked account to facilitate backdoor access later on.

A number of young men have recently been criminally charged with using SIM swapping to steal accounts and cryptocurrencies like Bitcoin from victims. This week, a court in New York unsealed a grand jury indictment against 22-year-old alleged serial SIM swapper Nicholas Truglia, who stands accused of using the technique to siphon $24 million worth of cryptocurrencies from blockchain investor Michael Terpin.

But experts say the few arrests that have been made in conjunction with SIM swapping attacks have pushed many involved in this crime to enlist help from co-conspirators who are minors and thus largely outside the reach of federal prosecutors.

For his part, Terpin sent an open letter to FCC commissioners in October 2019, urging them to mandate that wireless carriers provide a way for customers to truly lock down their accounts against SIM swapping, even if that means requiring an in-person visit to a store or conversation with the carrier’s fraud department.

In an interview with KrebsOnSecurity, Terpin said the FCC has so far abdicated its responsibility over the carriers on this matter.

“It took them a long time to get around to taking robocalls seriously, but those scams rarely cost people millions of dollars,” Terpin said. “Imagine going into a bank and you don’t remember your PIN and the teller says, ‘Oh, that’s okay I can look it up for you.’ The fact that a $9-an-hour mobile store employee can see your high security password or PIN is shocking.”

“The carriers should also have to inform every single current and future customer that there is this high security option available,” Terpin continued. “That would stop a lot of this fraud and would take away the ability of these ne’er-do-well 19-year-old store employees who get bribed into helping out with the scam.”

Want to read more about SIM swapping? Check out Busting SIM Swappers and SIM Swap Myths, or view the entire catalog of stories on the topic here.

What is the True Cost of a Ransomware Attack? | 6 Factors to Consider

The end of year summary season is gone, and among all the scary and shocking statistics, there is one number that looms above all others: ransomware is estimated to have cost the United States more than $7.5 billion last year. And indeed, we’ve heard of countless ransomware incidents and seen an explosion of build-your-own ransomware RaaS projects making it easier for unsophisticated criminals to get in on the act. And yet, when you add up the numbers and calculate the average payout, those dollar amounts don’t paint the entire picture of the financial burden suffered by organizations hit by these kinds of criminal attacks. In this post, we’ll look at the six true costs of a ransomware attack.


1. Direct Cost: The Ransom Payment 

Of course, the up-front ransomware payment is the headline figure, but it’s only one – and not necessarily the largest – factor in the overall cost that ransomware imposes on its victims.

That said, in Q3 of 2019, we saw the average ransom payment increase by 13% to $41,198, compared to $36,295 in Q2 of 2019.

Ryuk ransomware is largely responsible for the massive increase in ransomware payments. The malware operators demand an average of $288,000 for the release of systems, compared to the $10,000 average price demanded by other criminal gangs. 

2. Indirect Cost: Enforced Downtime

Indirect costs are the costs of business interruption associated with a ransomware attack. Business interruption costs are often five to ten times higher than direct costs.

Calculating the actual cost of downtime can be challenging as it has different effects on different businesses and organizations. For SMBs, the average cost of downtime in 2019 comes out at $141,000, a more than 200 percent increase over last year’s average downtime cost of $46,800. This is more than 20 times higher than the average ransom request from SMBs, which is $5,900.

In the public sector, 42% of organizations have suffered a ransomware incident in the last 12 months, with 73% of those experiencing two or more days of downtime as a result. For enterprise, the average downtime in Q3 2019 was 12.1 days, according to a Ponemon Institute study, and the overall cost estimated at $740,357. This leads to the additional cost of operational shutdown, which can have a truly staggering impact on the bottom line, as aluminum manufacturer Norsk discovered when it suffered from a ransomware attack that caused cumulative damage of $55 million. Attacks on municipalities can be costly as well. A recent attack on New Orleans is estimated to have cost the city $1 million, and an earlier attack on Baltimore is estimated to total $18 million in damage.   

3. Indirect Cost: Reputation Loss

Unlike the stealthy cyber attacks of the past, ransomware attacks are both highly destructive and highly visible, leaving victims with no choice but to make it known to the public that they have been breached.

That public admission can often result in outcry and disapproval from customers, investors and other stakeholders. While the data can be restored, it’s not always so easy to restore public trust, particularly if disclosure is not handled in a timely and transparent manner. This can have adverse effects on retaining existing clients, generating future business and even negatively affect the company’s stock prices.

4. Indirect Cost: Liability 

Ransomware attacks can lead to very unhappy clients, and these clients in turn could resort to legal means for some compensation. That’s what happened to DCH Health Systems after a ransomware attack on Alabama Hospitals in December 2019. Subsequently, patients filed a class action lawsuit against the company, alleging privacy violations, negligence and medical care disruption.

While it’s always possible for companies to face liability suits over such issues without ransomware being involved, the fact that ransomware was involved made the incident public and the case for compensation easier. In addition, cyber criminals have started to expose stolen data, which could lead to embarrassment for the victimized organization and further lawsuits from clients whose data is leaked.

5. Indirect Cost: Collateral Damage

As with any type of cyber infection, victims should expect the full gamut of damage, even if it’s not directly related to the attack. In one such incident, as reported by Brian Krebs, a company initially infected with Ryuk ransomware had all of its credentials stolen and then reused for all sorts of malicious activities, in part with the help of another notorious malware family, Emotet.

While this may not be typical behaviour of many ransomware-related hackers, who usually go directly for the quick payout, it does show the potential for further collateral damage from such incidents. 

6. Indirect Cost: Data Loss

And unfortunately, after all the damage caused by the attack itself, paying the ransom does not guarantee the safe retrieval of the victim’s encrypted data. Recently, it was discovered that the data recovery mechanism used by Ryuk is faulty, causing an incomplete recovery of some types of files and leading to data loss even if the victim had paid the ransom demand.

In other cases, hackers have been known to simply walk away and never bother to provide the decryption keys, leaving the hapless victim out of pocket and their data lost forever.  

Is This The End?

Ransomware attacks can be deadly for businesses, which might never recover from the financial burden caused by the direct and indirect damage inflicted. In one such case, a US fundraising firm has been forced to close its doors after more than 60 years in business following a crippling ransomware attack in October. The company had paid the ransom, but nonetheless it was unable to get back on its feet and had to close shop in late December, making it a very unhappy Christmas for all its employees.   

Summary 

When trying to assess the potential risk emanating from ransomware attacks, businesses should factor in all these aspects: the payout, downtime, damage to reputation, data loss and more. Once all these have been taken into consideration, it is advisable to seek a trusted endpoint solution to provide maximum security against ransomware and complement it with proper backup systems and business continuity procedures. It’s also advised to purchase suitable cyber insurance to reduce the risk even further. 

