Koch Industries closes nearly $13B Infor acquisition

Koch Industries announced today that it has closed on the acquisition of Infor, announced in February. The company never officially announced the purchase price, but sources indicated that it was close to $13 billion, putting it in line to be one of the top 10 enterprise acquisitions this year.

The company will remain an independent subsidiary of Koch, which tends to deal more in manufacturing than software. The goal is to use the resources of Koch to continue to build out the Infor product family with a focus on industry-specific solutions, according to the company.

At the time of the deal in February, CEO Kevin Samuelson certainly saw the potential of having a company with the financial resources of Koch backing his organization.

“As a subsidiary of a $110 billion+ revenue company that re-invests 90% of earnings back into its businesses, we will be in the unique position to drive digital transformation in the markets we serve,” Samuelson said.

As the company pointed out, Infor is helping customers move to the cloud, even in industries like manufacturing, distribution and finance that might otherwise be stuck on legacy systems. This transition to the cloud is becoming even more pressing as companies deal with the COVID-19 crisis and are forced to find creative ways to keep their businesses going, even when many employees can’t come into the office. Having access to applications in the cloud certainly helps ease that burden.

The company counts some of the largest organizations in the world as customers, including 17 of the top 20 global banks, 9 of the 10 largest global hotel brands and 7 of the top 10 global luxury brands.

Infor was founded in 2002 and raised over $6 billion along the way, according to PitchBook. Its most recent investment before the acquisition was for $1.5 billion in January 2019.

In the wake of COVID-19, UK puts up £20M in grants to develop resilience tech for critical industries

Most of the world — despite the canaries in the coal mine — was unprepared to cope with the coronavirus outbreak that’s now besieging us. Now, work is starting to get underway both to help manage what is going on now and better prepare us in the future. In the latest development, the UK government today announced that it will issue £20 million ($24.5 million) in grants of up to £50,000 each to startups and other businesses that are developing tools to improve resilience for critical industries — in other words, those that need to keep moving when something cataclysmic like a pandemic hits.

You can start your application here. Unlike a lot of other government efforts, this one is aimed at a quick start: you need to be ready to kick off your project using the grant no later than June 2020, but earlier is okay, too.

Awarded through Innovate UK, which is part of UK Research and Innovation (itself a division of the Department for Business, Energy and Industrial Strategy), the grants will be available to businesses of any size as long as they are UK-registered, and aim to cover a wide swathe of industries that form the core fabric of how society and the economy can continue to operate.

“The Covid-19 situation is not just a health emergency, but also one that affects the economy and society. With that in mind, Innovate UK has launched this rapid response competition today seeking smart ideas from innovators,” said Dr Ian Campbell, Executive Chair of Innovate UK, in a statement. “These could be proposals to help the distribution of goods, educate children remotely, keep families digitally connected and even new ideas to stream music and entertainment. The UK needs a great national effort and Innovate UK is helping by unleashing the power of innovation for people and businesses in need.”

These include not just what are typically considered “critical” industries like healthcare and food production and distribution, but also those that are less tangible but equally important in keeping society running smoothly, like entertainment and wellbeing services:

  • community support services
  • couriers and delivery (rural and/or city based)
  • education and culture
  • entertainment (live entertainment, music, etc.)
  • financial services
  • food manufacture and processing
  • healthcare
  • hospitality
  • personal protection equipment
  • remote working
  • retail
  • social care
  • sport and recreation
  • transport
  • wellbeing

The idea is to introduce new technologies and processes that will support existing businesses and organizations, not use the funding to build new startups from scratch. Those getting the funding could already be businesses in these categories, or building tools to help companies that fall under these themes.

The grants were announced at a time when we are seeing a huge surge of companies step up to the challenge of helping communities and countries cope with COVID-19. That has included not only existing medical-supply manufacturers increasing production, but also a number of other businesses stepping in to help where they can, or recalibrating what they normally do to make their factories or other assets more useful. (For example, in the UK, Rolls Royce, Airbus and the Formula 1 teams are all working on ventilators and other hospital equipment, a model of industry retooling that has been seen in many other countries, too.)

That trend is what helped to inspire this newest wave of non-equity grants.

“The response of researchers and businesses to the coronavirus outbreak has been remarkable,” said Science Minister Amanda Solloway in a statement. “This new investment will support the development of technologies that can help industries, communities and individuals adapt to new ways of working when situations like this, and other incidents, arise.”

The remit here is intentionally open-ended but will likely be shaped by some of the shortcomings and cracks that have been appearing in recent weeks while systems get severely stress-tested.

So, unsurprisingly, the sample innovations that Innovate UK cites appear to relate directly to that. They include things like technology to help respond to spikes in online consumer demand — every grocery service in the online and physical world has been overwhelmed by customer traffic, leading to sites crashing, people leaving stores disappointed at what they cannot find, and general panic. Or services for families to connect with and remotely monitor vulnerable relatives: while Zoom and the rest have seen huge surges in traffic, there are still too many people on the other side of the digital divide who cannot access or use these. And better education tools: again, there are thousands of edtech companies in the world, but in the UK at least, I wouldn’t say that the educational authorities had done even a small degree of disaster planning, leaving individual schools to scramble and figure out ways to keep teaching remotely that work for everyone (again not always easy with digital divides, safeguarding and other issues).

None of this can cure coronavirus or stop another pandemic from happening — there are plenty of others that are working very squarely on that now, too — but these are equally critical to get right to make sure that a health disaster doesn’t extend into a more permanent economic or societal one.

More information and applications are here.

The Good, the Bad and the Ugly in Cybersecurity – Week 14

The Good

This is an interesting time to be part of the security industry. The struggle to protect and preserve critical infrastructure and services has taken on an entirely new and elevated sense of urgency. There is a great deal of uncertainty as we all traverse the COVID-19/SARS-CoV-2 pandemic. One thing we can be certain of, collectively, is that we are all pulling together, pooling resources and skills to ensure the availability of our most important resources during this time. Our medical system is under a great deal of strain at the moment. It is vital that it does not have to face a crippling malware attack in the midst of supporting and treating SARS-CoV-2 patients.

That being said, it is already quite clear that our collective adversaries are continuing to target medical entities. In some ways we have made their job easier with the spike in use of remote collaboration tools (Zoom, Slack, BlueJeans, TeamViewer, etc.) as well as VPNs, mobile devices and other methods of remote access.

This week Microsoft’s Threat Protection Intelligence Team and the MSTIC announced a proactive effort to assist medical operations in hopes of preventing catastrophic attacks. Microsoft’s teams have been taking the unprecedented steps of reaching out directly to “dozens of hospitals with vulnerable gateway and VPN appliance infrastructure” in order to head attacks off at the pass. Microsoft’s intent is to help these organizations understand their exposure and take swift action to reduce their attack surface, while minimizing the potential impact of a ransomware or other type of malware attack. They are specifically focused on educating the hospitals on how vulnerabilities in their environment can be used by attackers, as well as guiding them through the available remediation steps (patches, updates, configuration changes, and beyond).

This is a much-needed, proactive effort by Microsoft, and the current climate calls for new and innovative steps like this. Perhaps this effort can help sprout similar initiatives across the industry.

The Bad

On March 31st, Marriott announced a data breach that potentially impacts up to 5.2 million guests. This is their second reported breach within the last three years. While this incident was not an outright breach of their point-of-sale systems, it is still quite concerning given the methodology and impact of the attack.

According to Marriott, the issue stems from an internal application which provides guest services within franchised Marriott properties. Near the end of February 2020, the credentials of two specific employees were used to access and exfiltrate guest information, including personal data. The data leaked includes:

  • Personal contact information (Name, email, mailing address, phone number, gender, birthday, corporate affiliations)
  • Guest preferences (room type, language, smoking status, accessibility status)
  • Rewards and affiliate identification data (partnership programs, airline loyalty program IDs)

Marriott has stated that the compromised data does not include payment card details, driver’s license numbers, passport data, Marriott Bonvoy account information or national ID data.

Marriott publicly announced the breach on March 31, 2020 and directly contacted affected guests via email. Upon discovery of the incident, Marriott was quick to disable the affected accounts and took additional steps to harden the environment during the investigation. The hotelier provides further support here for concerned customers.

The Ugly

Early on the morning of April 1st, Israeli researcher Gil Dabah tweeted a new collection of bugs, with proof-of-concept code. This announcement was accompanied by a dump of more than a dozen PoCs into his GitHub repository, along with thorough documentation for each issue. This release comes exactly one year after Dabah committed to uncovering at least 15 new issues and exploits in this class.

The disclosed issues are all focused on the Windows kernel-mode GUI subsystem (win32k), heavily targeting exploitable UAF (use-after-free) conditions. In total, Dabah documented 25 new vulnerabilities in this bug class.

These issues were disclosed responsibly, with Dabah working with Microsoft throughout the process. According to Dabah, of the 25 reported vulnerabilities “11 were exploited to prove feasibility for elevation-of-privilege (EOP).” It is reported that Microsoft has been working to release patches for these issues between November 2019 and February of 2020.

One thing this release does illustrate is that researchers (and attackers) are always digging for novel attacks and exploits. This is true even for a heavily aging codebase such as the one behind the Win32k component. While we can’t yet say when all of these issues will be addressed by Microsoft, we can state that this is yet another reminder of just how vast the attack surface is, and that good user hygiene and update cycles are critical. We should all strive to keep our critical systems fully patched per vendor recommendations, as well as leverage up-to-date and properly configured endpoint protection.

Zoom will enable waiting rooms by default to stop Zoombombing

Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, as these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.

The changes could prevent “Zoombombing,” a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by screensharing offensive imagery. New Zoombombing tactics have since emerged, like spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages or just screaming profanities and slurs. Anonymous forums have now become breeding grounds for organized trolling efforts to raid calls.

Just imagine the most frightened look on all these people’s faces. That’s what happened when Zoombombers attacked the call.

The FBI has issued a warning about the Zoombombing problem after children’s online classes, Alcoholics Anonymous meetings and private business calls were invaded by trolls. Security researchers have revealed many ways that attackers can infiltrate a call.

The problems stem from Zoom being designed for trusted enterprise use cases rather than cocktail hours, yoga classes, roundtable discussions and classes. But with Zoom struggling to scale its infrastructure as its daily user count has shot up from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it’s found itself caught off guard.

Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn’t sufficient, so now waiting rooms are on by default for everyone.

Zoom communicated the changes to users via an email sent this afternoon that explains “we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.”

The company also explained that “For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.” Some other precautions users can take include disabling file transfer, screensharing or rejoining by removed attendees.

NEW YORK, NY – APRIL 18: Zoom founder Eric Yuan reacts at the Nasdaq opening bell ceremony on April 18, 2019 in New York City. The video-conferencing software company announced its IPO priced at $36 per share, at an estimated value of $9.2 billion. (Photo by Kena Betancur/Getty Images)

The shift could cause some hassle for users. Hosts will be distracted by having to approve attendees out of the waiting room while they’re trying to lead calls. Zoom recommends users resend invites with passwords attached for Meeting ID-based calls scheduled for after April 5th. Scrambling to find passwords could make people late to calls.

But that’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The rash of trolling threatened to sour many people’s early experiences with the video chat platform just as it’s been having its breakout moment. A single call marred by disturbing pornography can leave a stronger impression than 100 peaceful ones with friends and colleagues. The old settings made sense when it was merely an enterprise product, but it needed to embrace its own change of identity as it becomes a fundamental utility for everyone.

Technologists will need to grow better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming everyone will have the best intentions ignores the reality of human nature. There’s always someone looking to generate a profit, score power or cause chaos from even the smallest opportunity. Building development teams that include skeptics and realists, rather than just visionary idealists, could help ensure products are safeguarded from abuse before rather than after a scandal occurs.

Want to survive the downturn? Better build a platform

When you look at the most successful companies in the world, they are almost never just one simple service. Instead, they offer a platform with a range of services and an ability to connect to it to allow external partners and developers to extend the base functionality that the company provides.

Aspiring to be a platform and actually succeeding at building one are not the same. While every startup probably sees themselves as becoming a platform play eventually, the fact is it’s hard to build one. But if you can succeed and your set of services become an integral part of a given business workflow, your company could become bigger and more successful than even the most optimistic founder ever imagined.

Look at the biggest tech companies in the world, from Microsoft to Oracle to Facebook to Google and Amazon. All of them offer a rich complex platform of services. All of them provide a way for third parties to plug in and take advantage of them in some way, even if it’s by using the company’s sheer popularity to advertise.

Michael A. Cusumano, David B. Yoffie and Annabelle Gawer, who wrote the book The Business of Platforms, wrote an article recently in MIT Sloan Review on The Future of Platforms, saying that simply becoming a platform doesn’t guarantee success for a startup.

“Because, like all companies, platforms must ultimately perform better than their competitors. In addition, to survive long-term, platforms must also be politically and socially viable, or they risk being crushed by government regulation or social opposition, as well as potentially massive debt obligations,” they wrote.

In other words, it’s not cheap or easy to build a successful platform, but the rewards are vast. As Cusumano, Yoffie and Gawer point out their studies have found, “…Platform companies achieved their sales with half the number of employees [of successful non-platform companies]. Moreover, platform companies were twice as profitable, were growing twice as fast, and were more than twice as valuable as their conventional counterparts.”

From an enterprise perspective, look at a company like Salesforce. The company learned long ago that it couldn’t possibly build every permutation of customer requirements with a relatively small team of engineers (especially early on), so it started to build hooks into the platform it had built to allow customers and consultants to customize it to meet the needs of individual organizations.

Eventually Salesforce built APIs, then it built a whole set of development tools, and built a marketplace to share these add-ons. Some startups like FinancialForce, Vlocity and Veeva have built whole companies on top of Salesforce.

Rory O’Driscoll, a partner at Scale Venture Partners, speaking at a venture capitalist panel at BoxWorks in 2014, said that many startups aspire to be platforms, but it’s harder than it looks. “You don’t make a platform. Third-party developers only engage when you achieve a critical mass of users. You have to do something else and then become a platform. You don’t come fully formed as a platform,” he said at the time.

If you’re wondering how you could possibly start a company like that in the middle of a massive economic crisis, consider that Microsoft launched in 1975 in the middle of a recession. Google and Salesforce both launched in the late 1990s, just ahead of the dot-com crash, and Facebook launched in 2004, four years before the massive downturn in 2008. All went on to become tremendously successful companies.

That success often requires massive spending and sales and marketing burn, but when it works, the rewards are enormous. Just don’t expect that it’s an easy path to success.

For the First Time Ever, Cybersecurity Workers are Hailed as “Essential”

The Coronavirus outbreak has left authorities with no choice but to limit personal movement to slow down the spread of the disease. Many countries have shut down all non-essential workplaces and businesses, forcing their employees to work from home. But in order to keep the country running, some services have been deemed essential, and the staff providing those services are exempt from the state order to stay home.

In the US, the Cybersecurity and Infrastructure Security Agency (CISA) released Guidance on the Essential Critical Infrastructure Workforce.

CISA developed a list of “Essential Critical Infrastructure Workers” to help State and local officials as they work to protect their communities, while ensuring continuity of functions critical to public health and safety, as well as business continuity and national security.

CISA defines an essential worker as: “workers who conduct a range of operations and services that are essential to continued critical infrastructure viability, including staffing operations centers, maintaining and repairing critical infrastructure, operating call centers, working construction, and performing management functions, among others”.

The logic behind this is clear: for these critical sectors to continue operating, they need to be secured. If hospitals suffer from cyber attacks – as they frequently do – the effectiveness of all the medical and supporting staff (also considered essential) is greatly reduced.

Here are the main industries identified by CISA and the associated cybersecurity roles highlighted as “essential”.

Healthcare

    Workers performing cybersecurity functions at healthcare and public health facilities who cannot practically work remotely.
    Workers performing security, incident management, and emergency operations functions at or on behalf of healthcare entities including healthcare coalitions, who cannot practically work remotely.

Energy

    Petroleum security operations center employees and workers who support emergency response services.
    Natural gas security operations center operators.
    IT and OT technology staff – for EMS (Energy Management Systems) and Supervisory Control and Data Acquisition (SCADA) systems, and utility data centers; Cybersecurity engineers; Cybersecurity risk management.

Information Technology

    Workers who support command centers including, but not limited to, Network Operations Command Center, Broadcast Operations Control Center and Security Operations Command Center.
    Workers responding to cyber incidents involving critical infrastructure, including medical facilities, SLTT governments and federal facilities, energy and utilities, and banks and financial institutions, and other critical infrastructure categories and personnel.
    Data center operators, including system administrators, HVAC & electrical engineers, security personnel, IT managers, data transfer solutions engineers, software and hardware engineers, and database administrators.

Communications

    Customer service and support staff, including managed and professional services as well as remote providers of support to transitioning employees to set up and maintain home offices, who interface with customers to manage or support service environments and security issues, including payroll, billing, fraud, and troubleshooting.

Financial Services

    Workers who support financial operations, such as those staffing data and security operations centers.

Adoption of CISA’s Recommendations

Some states were quick to follow CISA’s recommendations. In California, many businesses, jobs and operations were exempt from the governor’s order to stay home to prevent the spread of the coronavirus. Governor Newsom’s action orders “all individuals living in the state of California to stay home or at their place of residence, except as needed to maintain continuity of operation of the federal critical infrastructure sectors”. Among these are cybersecurity professionals who work in critical infrastructure, as stipulated in the CISA guidance.

Looking Ahead

The CISA guidance focuses on two cyber “roles”: SOC operators and incident responders, mostly working in on-prem settings where no remote connection is possible or feasible. In the future, we think this should be extended to include MSSPs, who themselves secure thousands of small and medium businesses. MSSPs do this with a small number of operators, so the risk of mass infection due to their continued operation is small, and the security benefits are great. This is one case where decision makers should look at the “Infection vs. Protection” ratio, which weighs the likelihood of infection (for example, people working in a crowded environment) against the level of protection these individuals provide to society in general.

We can hope that this crisis will help elevate the status of cybersecurity professionals among the general public, perhaps even to the same status as firefighters, police and emergency service providers.

We owe it to them.
Zoom freezes feature development to fix security and privacy issues

Zoom has been widely criticized over the past couple of weeks for terrible security, a poorly designed screensharing feature, misleading dark patterns, fake end-to-end-encryption claims and an incomplete privacy policy. Despite that, the video conferencing service has attracted a ton of new users thanks to the coronavirus lockdowns around the world — the company reached 200 million daily active users last month.

Zoom, an enterprise product designed for boring corporate meetings, has become a mainstream product with all the risks that it involves.

That’s why the company’s CEO Eric S. Yuan has written a lengthy blog post to address some of the concerns around Zoom. He starts by sharing some metrics. Zoom has been used by 90,000 schools in around 20 countries. Daily meeting participants jumped from 10 million in December to 200 million in March.

But some companies are starting to reconsider using Zoom for video conferences. For instance, SpaceX, Elon Musk’s rocket company, has banned its employees from using the service.

For the next 90 days, Zoom is enacting a feature freeze, which means that the company isn’t going to ship any new feature until it is done fixing the current feature set. Zoom will also work with third-party experts and prepare a transparency report.

“For the past several weeks, supporting this influx of users has been a tremendous undertaking and our sole focus,” Yuan writes. “However, we recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it.”

As expected, Yuan says that mainstream adoption has led to unforeseen issues. “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived,” he writes.

In addition to keeping up with the massive influx of customer support requests, Zoom has already shipped a few updates to solve some issues. The company released a new version of its iOS app to remove Facebook’s SDK as the company’s privacy policy never said that you consent to sharing data with Facebook. The company updated its privacy policy as well.

Zoom removed the attendee attention tracker feature, a controversial feature that lets hosts see if the Zoom window is currently in focus. The company has also shipped security updates after Patrick Wardle uncovered vulnerabilities.

Zoom wrote a dedicated K-12 privacy policy and changed some default settings for schools (waiting rooms are on by default, only teachers can share content, etc.).

The company is far from done. Don’t forget that it claimed that calls are end-to-end encrypted even though they’re not at all. More importantly, the fact that Zoom is fixing issues as quickly as it can isn’t enough. Something is wrong at Zoom — there’s a corporate culture issue that leads to all those missteps. It’ll take much longer than 90 days.

Collibra nabs another $112.5M at a $2.3B valuation for its big data management platform

GDPR and other data protection and privacy regulations — as well as a significant (and growing) number of data breaches and exposés of companies’ privacy policies — have put a spotlight on not just the vast troves of data that businesses and other organizations hold on us, but also how they handle it. Today, one of the companies helping them cope with that data in a better and legal way is announcing a huge round of funding to continue that work. Collibra, which provides tools to manage, warehouse, store and analyse data troves, is today announcing that it has raised $112.5 million in funding, at a post-money valuation of $2.3 billion.

The funding — a Series F, from the looks of it — represents a big bump for the startup, which last year raised $100 million at a valuation of just over $1 billion. This latest round was co-led by ICONIQ Capital, Index Ventures, and Durable Capital Partners LP, with previous investors CapitalG (Google’s growth fund), Battery Ventures, and Dawn Capital also participating.

Collibra was originally a spin-out from Vrije Universiteit in Brussels, Belgium and today it works with some 450 enterprises and other large organizations. Customers include Adobe, Verizon (which owns TechCrunch), insurers AXA and a number of healthcare providers. Its products cover a range of services focused around company data, including tools to help customers comply with local data protection policies and store it securely, and tools (and plug-ins) to run analytics and more.

These are all features and products that have long had a place in enterprise big data IT, but they have become increasingly used and in demand as data policies have expanded, as security has become more of an issue, and as the prospects of what can be discovered through big data analytics have become more advanced.

With that growth, many companies have realised that they are not in a position to use and store their data in the best possible way, and that is where companies like Collibra step in.

“Most large organizations are in data chaos,” Felix Van de Maele, co-founder and CEO, previously told us. “We help them understand what data they have, where they store it and [understand] whether they are allowed to use it.”

As you would expect with a big IT trend, Collibra is not the only company chasing this opportunity. Competitors include Informatica, IBM, Talend, and Egnyte, among a number of others, but the market position of Collibra, and its advanced technology, is what has continued to impress investors.

“Durable Capital Partners invests in innovative companies that have significant potential to shape growing industries and build larger companies,” said Henry Ellenbogen, founder and chief investment officer for Durable Capital Partners LP, in a statement (Ellenbogen was formerly an investment manager at T. Rowe Price, and this is his first investment in Collibra under Durable). “We believe Collibra is a leader in the Data Intelligence category, a space that could have a tremendous impact on global business operations and a space that we expect will continue to grow as data becomes an increasingly critical asset.”

“We have a high degree of conviction in Collibra and the importance of the company’s mission to help organizations benefit from their data,” added Matt Jacobson, general partner at ICONIQ Capital and Collibra board member, in his own statement. “There is an increasing urgency for enterprises to harness their data for strategic business decisions. Collibra empowers organizations to use their data to make critical business decisions, especially in uncertain business environments.”

CIOs are dead tired of dumb tech. Pulse has $6.5M to help them help each other

The technology that runs our companies these days is staggering in its complexity. We have moved from a monolith to a microservices world, from boxes to SaaS, and while that has added agility to the enterprise, it has come at the cost of a metric f-ton of services and software platforms required by every team in the building.

CIOs need a place to commiserate and get better recommendations on what tech works well and what should be placed in the proverbial recycle bin. Meanwhile, salespeople and investors want to hear these decision-makers’ views on emerging products to identify rich veins to invest in.

At the core of Pulse is a community of vetted CIOs and other tech procurers, currently numbering more than 15,000. On top of this core group of users, Pulse has built a series of products to help exploit their collective wisdom, including several new products the company is announcing today.

In addition to new product launches, the company is announcing a $6.5 million Series A round from AV8 Ventures, which is exclusively backed by mega-insurer Allianz Group and launched last year with a debut $170 million fund. This round closed in December, according to the company, and brings the startup’s total funding to $10.5 million.

Pulse’s existing product offerings assist product marketers and investment researchers who want to get a “pulse” on the marketplace for tech products by polling CIOs and testing out language around new features and initiatives.

“As an example, Microsoft will come to us and say, ‘Hey, we want to test our messaging and positioning before we sort of blow it up as a campaign. We’d like to do that very quickly through your community.’ And then we facilitate that through a series of questions through surveys and get back the insights to them very quickly,” co-founder and CEO Mayank Mehta explained.

“We think about this as truly becoming a Bloomberg terminal for marketers and investors,” he said. Researchers “can use this as a great way to get a real-time pulse on their buyers and understand how the market is moving, so they can make appropriate investments and ship strategies in real time.”

He said that the company worked with 50 customers last year and delivered some 150 reports. As for the CIOs themselves, “The community is open so long as you are a director level or above,” Mehta said.

In addition to this product for investors and market researchers, the company is also announcing the launch of Product IQ today, which takes the needs of a particular CIO user into account to offer them “personalized” product recommendations for their companies. Those recommendations are surfaced from the continuous data that CIOs are adding into the system through polls and opinion surveys.

“We’re trying to imagine and rethink how decision-making is done for technology executives, especially in a world like this where teams are changing so dramatically,” Mehta said.

Crowdsourced research platforms in the tech industry have become a popular area for VC investment in recent years. StackShare, which raised $5.2 million from e.Ventures, has focused on helping engineers learn from other engineers about the tech they have chosen for their infrastructure. Meanwhile, startups like Wonder and NewtonX, which raised $12 million from Two Sigma Ventures, have focused less on technical solutions and instead answer business questions such as market sizing or competitive landscape.

Pulse was founded in 2017 and is based in San Francisco, and previously raised a seed from True Ventures, according to Crunchbase.

‘War Dialing’ Tool Exposes Zoom’s Password Problems

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

zWarDial, an automated tool for finding non-password-protected Zoom meetings. According to its makers, zWarDial can find on average 110 meetings per hour, and has a success rate of around 14 percent.

Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.

Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate if a meeting ID was valid or invalid.

Nevertheless, the incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.

New data and acknowledgments by Zoom itself suggest the latter may be more likely.

Earlier this week, KrebsOnSecurity heard from Trent Lo, a security professional and co-founder of SecKC, Kansas City’s longest-running monthly security meetup. Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, free and open-source software that lets users browse the Web anonymously.

“Zoom recently said they fixed this but I’m using a totally different URL and passing a cookie along with that URL,” Lo said, describing part of how the tool works on the back end. “This gives me the [Zoom meeting] room information without having to log in.”

Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

KrebsOnSecurity is not naming the companies involved, but was able to verify dozens of them by matching the name of the meeting organizer with corporate profiles on LinkedIn.

By far the largest group of companies exposing their Zoom meetings are in the technology sector, and include a number of security and cloud technology vendors. These include at least one tech company that’s taken to social media warning people about the need to password protect Zoom meetings!

The distribution of Zoom meetings found by zWarDial, indexed by industry. As depicted above, zWarDial found roughly 2,400 exposed meetings in less than 24 hours. Image: SecKC.

A GREMLIN IN THE DEFAULTS?

Given the preponderance of Zoom meetings exposed by security and technology companies that ostensibly should know better, KrebsOnSecurity asked Zoom whether its approach of adding passwords by default to all new meetings was actually working as intended.

In reply, Zoom said it was investigating the possibility that its password-by-default approach may fail under certain circumstances.

“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” the company said in a written statement shared with this author.

“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out,” the statement continues. “We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”

The acknowledgment comes amid a series of security and privacy stumbles for Zoom, which has seen its user base grow exponentially in recent weeks. Zoom founder and chief executive Eric Yuan said in a recent blog post that the maximum number of daily meeting participants — both paid and free — has grown from around 10 million in December to 200 million in March.

That rapid growth has also brought additional scrutiny from security and privacy experts, who’ve found plenty of real and potential problems with the service of late. TechCrunch’s Zack Whittaker has a fairly comprehensive breakdown of them here; not included in that list is a story he broke earlier this week on a pair of zero-day vulnerabilities in Zoom that were publicly detailed by a former NSA expert.

Zoom CEO Yuan acknowledged that his company has struggled to keep up with steeply growing demand for its service and with the additional scrutiny that comes with it, saying in a blog post that for the next 90 days all new feature development was being frozen so the company’s engineers could focus on security issues.

Dave Kennedy, a security expert and founder of the security consultancy TrustedSec, penned a lengthy thread on Twitter saying while Zoom certainly has had its share of security and privacy goofs, some in the security community are unnecessarily exacerbating an already tough situation for Zoom and the tens of millions of users who rely on it for day-to-day meetings.

“What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure,” Kennedy wrote. “Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe. Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others.”

“If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” he continued. “We should not be putting fear into everyone, and leveraging the media as a method to create that fear.”

Zoom’s advice on securing meetings is here. SecKC’s Lo said organizations using Zoom should avoid posting the Zoom meeting links on social media, and always require a meeting password when possible.

“This should be enabled by default as a new customer or a trial user,” he said. “Legacy organizations will need to check their administration settings to make sure this is enabled. You can also enable ‘Embed password in meeting link for one-click join.’ This prevents an actor from accessing your meeting without losing the usability of sharing a link to join.”
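A defender-side hygiene check for the advice above, written as an added example (not code from the article, SecKC or Zoom): it scans exported invites or chat text for Zoom join links and flags those whose meeting ID is not paired with an embedded password token. It assumes join links take the form host/j/<id>?pwd=<token> (webinars use /w/) and that only the zoom.us and zoom.com domains count as Zoom.

```python
"""Flag Zoom join links that carry no embedded password token.

Added example; not code from the article or from SecKC/Zoom. The link
format and the list of Zoom domains are assumptions, not taken from the page.
"""
import re
from urllib.parse import urlparse, parse_qs

ZOOM_HOSTS = ("zoom.us", "zoom.com")  # assumption: apex domains treated as Zoom
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_zoom_link(url):
    """Return (meeting_id, has_embedded_password) for a Zoom join link, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if not any(host == h or host.endswith("." + h) for h in ZOOM_HOSTS):
        return None
    # Join links look like /j/<id> (webinars /w/<id>); vanity hosts such as
    # corp.zoom.us are accepted because they are subdomains of zoom.us.
    m = re.fullmatch(r"/(?:j|w)/(\d+)/?", parts.path)
    if not m:
        return None
    meeting_id = m.group(1)
    if not 9 <= len(meeting_id) <= 11:  # Meeting IDs are 9 to 11 digits
        return None
    # "Embed password in meeting link" puts the token in the pwd query parameter.
    pwd = parse_qs(parts.query).get("pwd", [""])[0]
    return meeting_id, bool(pwd)


def find_unprotected_links(text):
    """Scan free text for Zoom links; return meeting IDs whose link has no pwd token."""
    unprotected = []
    for url in URL_RE.findall(text):
        parsed = parse_zoom_link(url.rstrip(".,);"))  # drop trailing punctuation
        if parsed and not parsed[1]:
            unprotected.append(parsed[0])
    return unprotected


# Constructed sample input: a few lines as they might appear in exported invites.
SAMPLE_INVITES = """
Weekly sync: https://corp.zoom.us/j/1234567890?pwd=abc123DEF456
Vendor call https://zoom.us/j/98765432101 (dial-in below)
Not zoom: https://example.com/j/123456789
Webinar: https://zoom.us/w/55566677788?pwd=x
Bad id: https://zoom.us/j/12345
"""

if __name__ == "__main__":
    print(find_unprotected_links(SAMPLE_INVITES))  # ['98765432101']
```

A flagged link is not necessarily an open meeting (the password may be shared separately), so treat the list as a review queue against the account's password settings rather than a verdict.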

In addition, Zoom users can disable “Allow participants to join the meeting before the host arrives.”

“If you have to have this feature enabled, at least enable ‘notify host when participants join the meeting before them,’” Lo advised. “This will notify you that someone might be using your meeting without your knowledge. If you must keep your meeting unprotected you should enable ‘Mask phone number in the participant list.’ Using the waiting list feature will prevent unwanted participants from accessing your meeting but it will still expose your meeting details if used without a password.”

Some of the security settings available to Zoom users. These and others can be found at https://www.zoom.us/profile/settings/