The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good

We are barely a month into 2021 and it is safe to say it has already started off with a bang. Emotet has been at the top of many ‘most wanted’ lists for several years. Initially launching in 2014 as a modest but functional banking trojan, Emotet has evolved into a complex, multi-tiered framework. The Emotet infrastructure is vast, fault tolerant, and has proven to be a powerful vector for the delivery of additional and equally problematic malware such as Trickbot, Ryuk, and Qakbot. However, all that appears to be changing.

This week, Europol executed a long-term, collaborative project to disrupt Emotet. Working with additional law enforcement agencies and industry partners, the Emotet infrastructure was disrupted from the inside. Traffic across all tiers of the Emotet infrastructure has been seized and redirected to systems controlled by law enforcement. Making this takedown even more unusual, it appears that a custom module was introduced as part of Operation Ladybird that will force Emotet to remove itself automatically on April 25.

This takedown is more thorough than many others we have seen recently, including that of Trickbot. While it is possible that Emotet will eventually retool and bounce back, it will take much more time and a great deal of investment in new systems and infrastructure. Time will tell, but for now we should all take some comfort in the fact that one of, if not the, most problematic and prolific malware families has been dealt a serious blow.

The Bad

What kind of week would it be without some discussion of ransomware? By now we are all familiar with the double-whammy of modern ransomware families. That is, they hit you with both the encryption payload and the threat of your data being leaked to the public if you do not comply with the attackers’ demands. However, we are now seeing an increasing number of ransomware families adding the threat of DDoS (Distributed Denial of Service) attacks to the equation. In addition to the previously mentioned ‘double-whammy’, victims also face the possibility of their public websites being attacked directly through a denial of service attack.

Among those adopting this new tactic are Ragnar, Avaddon RaaS, and a small group of other families. Threatening victims with a DDoS attack is meant to encourage the victims to contact the attackers rather than attempt to quickly restore from backup or try some other means of circumventing the attacker’s demands.

There is no doubt that the continued adoption of this additional layer of extortion is both threatening and problematic. However, it also serves to reinforce the importance of prevention. The only true defence, and the only way to ensure full and proper continuity of business, is to prevent these attacks before they happen. Modern and forward-thinking endpoint security controls are a prerequisite, of course, but they must also be properly managed and configured.

The Ugly

This week, two worrisome bugs were revealed in relation to the venerable Unix sudo command. First up, sharp-eyed researcher Rich Mirch noticed that a fix for an earlier CVE in sudoedit, CVE-2021-23240, which had been patched in sudo v1.9.5, actually opened up a new privilege escalation vulnerability. After reversing the patch, Mirch was able to find and exploit a new bug that makes it possible for a low-privileged user to gain a root shell.

Mirch’s bug was promptly fixed in 1.9.5p1, but a research team from Qualys gave the developers and Unix admins further headaches by identifying another, long-standing but unnoticed critical flaw affecting that version and many earlier versions, too.

CVE-2021-3156 is a heap-based buffer overflow that, upon exploitation, allows any user (regardless of their presence in the sudoers file) to achieve root-level access. The flaw lies in improper handling of unescaped characters provided in the sudo command syntax.

According to the disclosure from Qualys, the flaw can be invoked “either through the -s option, which sets sudo’s MODE_SHELL flag” or “through the -i option, which sets Sudo’s MODE_SHELL and MODE_LOGIN_SHELL flags”.

What may be slightly more alarming is that this bug was introduced into the sudo program code in July of 2011. The flaw affects stable versions from 1.9.0 to 1.9.5p1 as well as all ‘legacy’ versions from 1.8.2 to 1.8.31p2. Needless to say, all users are advised to patch to v1.9.5p2 immediately.
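The affected ranges above are easy to get wrong by eye because sudo’s version strings carry a “p” patch-level suffix (1.9.5p1 is newer than 1.9.5). The following Python helper, an added example that is not SentinelOne’s or the sudo project’s code, parses such strings, checks them against the inclusive ranges quoted in the text for CVE-2021-3156, and reads the version out of constructed `sudo -V` output; the tuple ordering it uses to compare releases is an assumption about sudo’s numbering.

```python
"""Check a sudo version string against the CVE-2021-3156 affected ranges
given in the write-up above: legacy 1.8.2 to 1.8.31p2, stable 1.9.0 to
1.9.5p1, fixed in 1.9.5p2. Added example, not code from the original page.
Assumption: a release without a 'p' suffix sorts before its p1 patch."""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")
_SUDO_V_RE = re.compile(r"^Sudo version (\S+)", re.MULTILINE)

# Inclusive affected ranges, exactly as stated in the text above.
AFFECTED_RANGES = (
    ("1.8.2", "1.8.31p2"),  # legacy branch
    ("1.9.0", "1.9.5p1"),   # stable branch
)
FIXED_VERSION = "1.9.5p2"


def parse_version(text: str) -> Version:
    """Turn '1.9.5p1' into (1, 9, 5, 1). A release with no 'p' suffix gets
    patch level 0, so '1.9.5' compares lower than '1.9.5p1'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, rev, patch = m.groups()
    return (int(major), int(minor), int(rev), int(patch or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_sudo_v(output: str) -> str:
    """Pull the upstream version out of the first line of `sudo -V` output."""
    m = _SUDO_V_RE.search(output)
    if not m:
        raise ValueError("no 'Sudo version' line found in output")
    return m.group(1)


def assess(output: str) -> Dict[str, object]:
    """Summarise `sudo -V` output: the version seen and whether it is in range."""
    version = version_from_sudo_v(output)
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": FIXED_VERSION,
    }


if __name__ == "__main__":
    # Constructed sample of `sudo -V` output; not captured from a real host.
    SAMPLE = "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n"
    print(assess(SAMPLE))
```

Distributions frequently backport the fix without bumping the upstream version string, so treat an "affected" result as a prompt to check the vendor advisory for that package build, not as proof of exposure.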

Okta SaaS report finds Office 365 wins the cloud — sort of

Each year Okta processes millions of SaaS logons via its authentication system. It kindly aggregates that data to find the most popular apps and publishes an annual report. This year it found that the most popular tool by far was Microsoft Office 365.

It’s worth noting that while app usage popularity varied by region, Office 365 was number one with a bullet across the board, whether globally or when the report broke it down by geographic area. That wasn’t true of any other product in this report, so Office 365 has extensive usage across the world (at least among companies that use Okta).

But as with everything cloud, it’s not a simple matter to say that because lots of people signed onto Office 365, Microsoft is the clear winner in a broader sense. In reality, the cloud is a complex marketplace, and just because people use one tool doesn’t preclude them from using tools that compete directly with it.

As a case in point, consider that the report found that 36% of Microsoft 365 customers were also using Google Workspace (formerly known as G Suite), which offers a similar set of office productivity tools. Further, Okta found that 42% of Office 365 customers were using Zoom and 32% were using Slack.

This is pretty remarkable when you consider that Office 365 bundles Teams with similar functionality for free. What’s more, so does Google with Google Hangouts, so people use the tool they want when they want, and sometimes it seems they use competing versions of the same tool. The report also found that of those Office 365 users, 44% are using Salesforce, 41% AWS, 15% Smartsheet and 14% Tableau (which is owned by Salesforce). Microsoft has products in all those categories.

Microsoft is clearly a big company with a lot of products, but the report blows a hole in the idea that because people like Office 365, they are going to be big fans of other Microsoft products, or that they can count on any kind of brand loyalty across the range of products or even exclusivity within the same product category.

All of this, and much of the other data in this report makes tremendously interesting reading as far as it goes. It’s not a definitive window on the state of SaaS. It’s a definitive reading on the state of Okta customers’ use of SaaS, on the Okta Integration Network (OIN), a point the company readily acknowledges in the report’s methodology section.

“As you read this report, keep in mind that this data is representative of Okta’s customers, the applications and integrations we connect to through the OIN, and the ways in which users access these tools through our service,” the report stated.

But it is a way to look at the state of SaaS taking advantage of the 9,400 Okta customers using the network and the 6,500 integrations to the world’s most popular SaaS tools. That gives the company a unique view into the world of SaaS. What you can conclude is that the cloud is complicated, and it’s not a zero-sum game by any means. In fact, being a winner in one area is not a guarantee of winning across the board.

Subscription-based pricing is dead: Smart SaaS companies are shifting to usage-based models

Software buying has evolved. The days of executives choosing software for their employees based on IT compatibility or KPIs are gone. Employees now tell their boss what to buy. This is why we’re seeing more and more SaaS companies — Datadog, Twilio, AWS, Snowflake and Stripe, to name a few — find success with a usage-based pricing model.

The usage-based model allows a customer to start at a low cost, minimizing friction to getting started, while still preserving the ability to monetize a customer over time because the price is directly tied to the value a customer receives. Because the number of users who can access the software is not limited, customers are able to find new use cases — which leads to more long-term success and higher lifetime value.

While we aren’t going 100% usage-based overnight, looking at some of the megatrends in software — automation, AI and APIs — the value of a product normally doesn’t scale with more logins. Usage-based pricing will be the key to successful monetization in the future. Here are four top tips to help companies scale to $100+ million ARR with this model.

1. Land-and-expand is real

Usage-based pricing is in all layers of the tech stack. Though it was pioneered in the infrastructure layer (think: AWS and Azure), it’s becoming increasingly popular for API-based products and application software — across infrastructure, middleware and applications.

Some fear that investors will hate usage-based pricing because customers aren’t locked into a subscription. But, investors actually see it as a sign that customers are seeing value from a product and there’s no shelf-ware.

In fact, investors are increasingly rewarding usage-based companies in the market. Usage-based companies are trading at a 50% revenue multiple premium over their peers.

Investors especially love how the usage-based pricing model pairs with the land-and-expand business model. And of the IPOs over the last three years, seven of the nine that had the best net dollar retention all have a usage-based model. Snowflake in particular is off the charts with a 158% net dollar retention.

Extra Crunch roundup: Edtech VC survey, 5 founder mistakes, fintech liquidity, more

Edtech is so widespread, we already need more consumer-friendly nomenclature to describe the products, services and tools it encompasses.

I know someone who reads stories to their grandchildren on two continents via Zoom each weekend. Is that “edtech?”

Similarly, many Netflix subscribers sought out online chess instructors after watching “The Queen’s Gambit,” but I doubt if they all ran searches for “remote learning” first.

Edtech needs to reach beyond underfunded public school systems to become more sustainable, which is why more investors and founders are focusing on lifelong learning.

Besides serving traditional students with field trips and art classes, a maturing sector is now branching out to offer software tutors, cooking classes and singing lessons.

For our latest investor survey, Natasha Mascarenhas polled 13 edtech VCs to learn more about how “employer-led up-skilling and a renewed interest in self-improvement” is expanding the sector’s TAM.

Here’s who she spoke to:

  • Deborah Quazzo, managing partner, GSV Ventures
  • Ashley Bittner, founding partner, Firework Ventures (a future of work fund with portfolio companies LearnIn and TransfrVR)
  • Jomayra Herrera, principal, Cowboy Ventures (a generalist fund with portfolio companies Hone and Guild Education)
  • John Danner, managing partner, Dunce Capital (an edtech and future of work fund with portfolio companies Lambda School and Outschool)
  • Mercedes Bent and Bradley Twohig, partners, Lightspeed Venture Partners (a multistage generalist fund with investments including Forage, Clever and Outschool)
  • Ian Chiu, managing director, Owl Ventures (a large edtech-focused fund backing highly valued companies including Byju’s, Newsela and Masterclass)
  • Jan Lynn-Matern, founder and partner, Emerge Education (a leading edtech seed fund in Europe with portfolio companies like Aula, Unibuddy and BibliU)
  • Benoit Wirz, partner, Brighteye Ventures (an active edtech-focused venture capital fund in Europe that backs YouSchool, Lightneer and Aula)
  • Charles Birnbaum, partner, Bessemer Venture Partners (a generalist fund with portfolio companies including Guild Education and Brightwheel)
  • Daniel Pianko, co-founder and managing director, University Ventures (a higher ed and future of work fund that is backing Imbellus and Admithub)
  • Rebecca Kaden, managing partner, Union Square Ventures (a generalist fund with portfolio companies including TopHat, Quizlet, Duolingo)
  • Andreata Muforo, partner, TLCom Capital (a generalist fund backing uLesson)

In other news: Extra Crunch Live, a series of interviews with leading investors and entrepreneurs, returns next month with a full slate of guests. This year, we’re adding a new feature: Our guests will analyze pitch decks submitted by members of the audience to identify their strengths and weaknesses.

If you’d like an expert eye on your deck, please sign up for Extra Crunch and join the conversation.

Thanks very much for reading! I hope you have a fantastic weekend — we’ve all earned it.

Walter Thompson
Senior Editor, TechCrunch
@yourprotagonist

13 investors say lifelong learning is taking edtech mainstream

Rising African venture investment powers fintech, clean tech bets in 2020

After falling into yesterday’s wild news cycle, Alex Wilhelm returned to The Exchange this morning with a close look at venture capital activity across Africa in 2020.

“Comparing aggregate 2020 figures to 2019 results, it appears that last year was a somewhat robust year for African startups, albeit one with fewer large rounds,” he found.

For more context, he interviewed Dario Giuliani, the director of research firm Briter Bridges, which focuses on emerging markets in Africa, Asia and Latin America.

Talent and capital are shifting cybersecurity investors’ focus away from Silicon Valley

New cybersecurity ecosystems are popping up in different parts of the world.

Some of that growth has been fueled by an exodus from the Bay Area, but many early-stage security startups already have deep roots in East Coast cities like Boston and New York.

In the United Kingdom and Europe, government innovation programs have helped entrepreneurs close higher numbers of Series A and B rounds.

Investor interest and expertise is migrating out of Silicon Valley: This post will help you understand where it’s going.

Will Apple’s spectacular iPhone 12 sales figures boost the smartphone industry in 2021?

Today’s smartphones are unfathomably feature-rich and durable, so it’s logical that sales have slowed.

A phone purchased 18 months ago is probably “good enough” for many consumers, especially in times of economic uncertainty.

Then again, of the record $111.4 billion in revenue Apple earned last quarter, $65.68 billion came from phone sales, largely driven by the release of the iPhone 12.

Even though “Apple’s success this quarter was kind of a perfect storm,” writes Hardware Editor Brian Heater, “it’s safe to project a rebound for the industry at large in 2021.”

The 5 biggest mistakes I made as a first-time startup founder

Finmark co-founder and CEO Rami Essaid wrote a post for Extra Crunch that candidly describes the traps he laid for himself that made him a less-effective entrepreneur.

As someone who’s worked closely with founders at several startups, each of the points he raised resonated deeply with me.

In my experience, many founders have a hard time delegating, which can quickly create cultural and operational problems. Rami’s experience bears this out:

“I became a human GPS: People could follow my directions, but they struggled to find the way themselves. Independent thinking suffered.”

Dear Sophie: How can I sponsor my mom and stepdad for green cards?

Dear Sophie:

I just got my U.S. citizenship! My husband and I want to bring my mom and her husband to the U.S. to help us take care of our preschooler and toddler.

My biological dad passed away several years ago when I was an adult and my mom has since remarried.

Can they get green cards?

— Appreciative in Aptos

Check out the amazing speakers joining us on Extra Crunch Live in February

Next month, Extra Crunch Live returns with a lineup of guests who are extremely well-qualified to discuss early-stage startups.

Each Wednesday at noon PST/3 p.m. EST, join a conversation with founders and the investors who backed their companies:

February 3:

Gaurav Gupta (Lightspeed Venture Partners) + Raj Dutt (Grafana Labs)

February 10:

Aydin Senkut (Felicis Ventures) + Kevin Busque (Guideline)

February 17:

Steve Loughlin (Accel) + Jason Boehmig (Ironclad)

February 24:

Matt Harris (Bain Capital) + Isaac Oates (Justworks)

Also, we’re adding a new feature to Extra Crunch Live — our guests will offer advice and feedback on pitch decks submitted by Extra Crunch members in the audience!

10 VCs say interactivity, regulation and independent creators will reshape digital media in 2021

Since the pandemic disrupted the social rhythms of work and school, many of us have compensated by changing our relationship to digital media.

For instance, I purchased a new sofa and thicker living room curtains several months ago when I realized we have no idea when movie theaters will reopen.

Last year, podcast sponsors spent almost $800 million to reach listeners, but ad revenue is estimated to surpass $1 billion this year. Clearly, I’m not the only person who used a discount code to buy a new product in 2020.

At this point, I can scarcely keep track of the multiple streaming platforms I’m subscribed to, but a new voice-activated remote control that comes with my basic cable plan makes it easier to browse my options.

Media reporter Anthony Ha spoke to 10 VCs who invest in media startups to learn more about where they see digital media heading in the months ahead. For starters, how much longer can we expect traditional advertising models to persist?

And in a world with hundreds of channels, how are creators supposed to compete for our attention? What sort of discovery tools can we expect to help us navigate between a police procedural set in a Scandinavian village and a 90s sitcom reboot?

Here’s who Anthony interviewed:

  • Daniel Gulati, founding partner, Forecast Fund
  • Alex Gurevich, managing director, Javelin Venture Partners
  • Matthew Hartman, partner, Betaworks Ventures
  • Jerry Lu, senior associate, Maveron
  • Jana Messerschmidt, partner, Lightspeed Venture Partners
  • Michael Palank, general partner, MaC Venture Capital (with additional commentary from MaC’s Marlon Nichols)
  • Pär-Jörgen Pärson, general partner, Northzone
  • M.G. Siegler, general partner, GV
  • Laurel Touby, managing director, Supernode Ventures
  • Hans Tung, managing partner, GGV Capital

Normally, we list each investor’s responses separately, but for this survey, we grouped their responses by question. Some readers say they use our surveys to study up on an individual VC before pitching them, so let us know which format you prefer.

Does a $27 billion or $29 billion valuation make sense for Databricks?

Data analytics platform Databricks is reportedly raising new capital that could value the company between $27 billion and $29 billion.

By the end of Q3 2020, Databricks had surpassed a $350 million run rate — a $150 million YoY increase, reports Alex Wilhelm.

At the time, he described the company as “an obvious IPO candidate” with “broad private-market options.”

Which begs the question: “Can we come up with a set of numbers that help make sense of Databricks at $27 billion?”

End-to-end operators are the next generation of consumer business

Rapid shifts in the way we buy goods and services disrupted old-school marketplaces like local newspapers and the Yellow Pages.

Today, I can use my phone to summon a plumber, a week’s worth of groceries or a ride to a doctor’s office.

End-to-end operators like Netflix, Peloton and Lemonade take a lot of time and energy to reach scale, but “the additional capital required is often outweighed by the value captured from owning the entire experience.”

Unpacking Chamath Palihapitiya’s SPAC deals for Latch and Sunlight Financial

On January 25, Social Capital CEO Chamath Palihapitiya tweeted that he was making two blank-check deals.

Enterprise SaaS company Latch makes keyless entry systems; Sunlight Financial helps consumers finance residential solar power installations.

“There are nearly 300 SPACs in the market today looking for deals,” noted Alex Wilhelm, who unpacked both transactions.

“There’s no escaping SPACs for a bit, so if you are tired of watching blind pools rip private companies into the public markets, you are not going to have a very good next few months.”

Fintechs could see $100 billion of liquidity in 2021

On Monday, we published the Matrix Fintech Index, a three-part study that weighs liquidity, public markets and e-commerce trends to create a snapshot of an industry in perpetual flux.

For four years running, the S&P 500 and incumbent financial services companies have been outperformed by companies like Afterpay, Square and Bill.com.

In light of steady VC investment, increasing consumer adoption and a crowded IPO pipeline, “fintech represents one of the most exciting major innovation cycles of this decade.”

Drupal’s journey from dorm-room project to billion-dollar exit

Dries Buytaert, co-founder and CTO at Acquia

On January 15, 2001, then-college student Dries Buytaert released Drupal 1.0.0, an open-source content-management platform. At the time, about 7% of the world’s population was online.

After raising more than $180 million, Buytaert exited to Vista Equity Partners for $1 billion in 2019.

Enterprise reporter Ron Miller interviewed Buytaert to learn more about his 18-year journey.

“His story is compelling, but it also offers lessons for startup founders who also want to build something big,” says Ron.

The Taxman Cometh for ID Theft Victims

The unprecedented volume of unemployment insurance fraud witnessed in 2020 hasn’t abated, although news coverage of the issue has largely been pushed off the front pages by other events. But the ID theft problem is coming to the fore once again: Countless Americans will soon be receiving notices from state regulators saying they owe thousands of dollars in taxes on benefits they never received last year.

One state’s experience offers a window into the potential scope of the problem. Hackers, identity thieves and overseas criminal rings stole over $11 billion in unemployment benefits from California last year, or roughly 10 percent of all such claims the state paid out in 2020, the state’s labor secretary told reporters this week. Another 17 percent of claims — nearly $20 billion more — are suspected fraud.

California’s experience is tracked at a somewhat smaller scale in dozens of other states, where chronically underfunded and technologically outdated unemployment insurance systems were caught flat-footed by an avalanche of fraudulent claims. The scammers typically use stolen identity data to claim benefits, and then have the funds credited to an online account that they control.

States are required to send out 1099-G forms reporting taxable income by Jan. 31, and under federal law unemployment benefits are considered taxable income. Unfortunately, many states have not reconciled their forms with confirmed incidences of fraudulent unemployment insurance claims, meaning many people are being told they owe a great deal more in taxes than they actually do.

In a notice posted Jan. 28, the U.S. Internal Revenue Service urged taxpayers who receive forms 1099-G for unemployment benefits they didn’t actually get because of ID theft to contact their appropriate state agency and request a corrected form.

But the IRS’s advice ignores two rather inconvenient realities. The first is that the same 1099-G forms which states are sending to their citizens also are reported to the IRS — typically at the same time the notices are mailed to residents. The other is that many state agencies are completely overwhelmed right now.

Karl Fava, a certified public accountant in Michigan, told KrebsOnSecurity two of his clients have received 1099-G forms from Michigan regarding thousands of dollars in unemployment payments that they had neither requested nor received.

Fava said Michigan recently stood up a website where victims of unemployment insurance fraud who’ve received incorrect 1099-Gs can report it, but said he’s not confident the state will issue corrected notices before the April 15 tax filing deadline.

“In both cases, the recipients contacted the state but couldn’t get any help,” Fava said. “We’re not getting a lot of traction in resolving this issue. But the fact that they’ve now created a web page where people can input information about receiving these tells you they have to know how prevalent this is.”

Fava said for now he’s advising his clients who are dealing with this problem to acknowledge the amount of fraudulent income on their federal tax returns, but also to subtract an equal amount on the return and note that the income reported by the state was due to fraud.

“That way, things can be consistent with what the IRS already knows,” Fava said. “Not to acknowledge an issue like this on a federal return is just asking for a notice from the IRS.”

The Taxpayer Advocate Service, an independent office of the U.S. Internal Revenue Service (IRS) that champions taxpayer advocacy issues, said it recently became aware that some taxpayers are receiving 1099-Gs that include reported income due to unemployment insurance identity theft. The office said it is hearing about a lot of such issues in Ohio particularly, but that the problem is happening nationally.

Another perennial (albeit not directly related) identity theft scourge involving taxes each year is refund fraud. Tax refund fraud involves the use of identity information and often stolen or misdirected W-2 forms to electronically file an unauthorized tax return for the purposes of claiming a refund in the name of a taxpayer.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

The best way to avoid tax refund fraud is to file your taxes as early as possible. This year, that date is Feb. 12. One way the IRS has sought to stem the flow of bogus tax refund applications is to issue the IP PIN, a six-digit number assigned to taxpayers that helps prevent the use of their Social Security number on a fraudulent income tax return. Each PIN is good only for the tax year for which it was issued.

Until recently the IRS restricted who could apply for an IP PIN, but the program has since been opened to all taxpayers. To create one, if you haven’t already done so you will need to plant your flag at the IRS by stepping through the agency’s “secure access authentication” process.

Creating an account requires supplying a great deal of personal data; the information that will be requested is listed here.

The signup process requires one to validate ownership of a mobile phone number in one’s name, and it will reject any voice-over-IP-based numbers such as those tied to Skype or Google Voice. If the process fails at this point, the site should offer to send an activation code via postal mail to your address on file.

Once you have an account at the IRS and are logged in, you can request an IP PIN by visiting this link and following the prompts. The site will then display a six digit PIN that needs to be included on your federal return before it can be accepted. Be sure to print out a copy and save it in a secure place.

Data Privacy Day | Are We Responsible For Leaking Our Own Data?

With the debate raging over user privacy on platforms such as WhatsApp, Telegram and Facebook, today, January 28, is Data Privacy Day. It promotes privacy awareness and best practices, and is a great opportunity to reflect on aspects of an issue that increasingly affects us all.

No Way to Disconnect

Pretty much everyone today interacts with the internet, and for that, they use social networks, mobile devices, and various software (such as Gmail). Most users understand and accept that in order to use these free services and technologies, we have to agree to divulge some of our private information.

The social networks know our preferences, and they know who our friends are; Google scans the content of our emails to offer us customized search results, and mobile apps collect information about us to improve interaction (and increase consumption).

Most people take this data collection, retention, cataloging, and analysis in their stride. After all, they “agreed” to it. However, if we realize that someone is collecting information about us without our prior consent, we rightly kick up a commotion.

Outcry or not, Google, Amazon, and Facebook, as well as Apple and Samsung and many others will continue to gather as much information as possible about their users. Whether it’s to sell that data or use it to enhance their understanding of user behavior, it is all part of their business model. In some cases, it is only such data collection that enables businesses to offer their services at the price they do: often, zero.

For most of us, it’s either impractical or impossible to really break away from these companies; we accept their proportionate invasion of our privacy because the convenience or utility of their service offers us value. Of course, that does not mean they should be allowed to do whatever they want; increasingly, voices are calling for regulators to implement greater oversight and enact and enforce stronger privacy protection laws.

Apply Common Sense

The fact that we are consumers of digital services and products and that we waive some of our right to privacy to a greater or lesser extent does not mean our privacy should in any way be undervalued. Facebook indeed knows an awful lot about us, but there’s no reason we should reveal to the social network, or to our Facebook friends, any more than we need to.

We must be mindful that any post, tweet, photo, or clip will be exposed to millions of unknown eyes. Even if we use the most stringent privacy settings, all that needs to happen is for someone to take a screenshot and share it with their followers for that data to ‘leak’ into the wider public domain.

So the simple rule is: If you don’t want people to know, don’t share it online!

That includes personal information, intimate photographs, private documents, and anything else that other people shouldn’t be able to see.

Visual Data

In the early years of the internet, most private information was structured – addresses, names, phone numbers, bank accounts, and credit card numbers. With the rise of social networks, a new kind of information was added – textual information that we produce ourselves, such as talkbacks, posts, and blogs. In recent years, with the advent of smartphones, the most significant information produced today is visual information: photos and videos. This type of information is completely different from written or structured information: it is accessible and easy to copy and transfer via screenshots.

Worse, visual information can identify a person definitively. You can’t hide behind a fake user profile if you share a real picture of yourself. And yet, on the other hand, visual information can easily be manipulated with Deep Fake technology.

Here as well, the rule is: don’t share what you don’t want your Auntie or Uncle to see. Did you take a picture? Did you send it to a friend or share it on social media? Keep in mind that “it’s out there” and that this information cannot be erased from the collective memory of the internet.

Child Privacy

Adults, in general, understand these rules, but it is not at all a trivial issue for children. The generation that grew up with mobile devices in their hands feels completely comfortable photographing themselves and sending pictures and videos to friends or posting them online, often without understanding the consequences of such actions. Again, you have to take into account that everything is visible, and everything can live in the Cloud’s memory indefinitely.

When it comes to toddlers, the issue is even more serious as we do not ask their permission at all. Keep in mind that when your children grow up, someone could suddenly pull out an embarrassing picture of them from kindergarten, or worse – naked in the bath (not to mention what pedophiles could do with such pictures).

It is advisable to talk to young children and explain the issue to them, and even to prevent them from using such platforms until at least adolescence.

Smart Homes and Wearables

The world of consumer electronics is evolving at a breakneck pace. When computers entered our lives, there was no privacy risk involved. Personal computers were not connected to anything. We then connected them to the internet and learned not to tell strangers our passwords. With the smartphone, we also learned about the dangers of the camera and microphone.

But the evolution of modern ‘Smart’ technology is relentless. Smart homes record our actions, photograph and record us, and also know what we have in the fridge. Because there is no need to actively “log in” or manually run an app, our sensitivity to risk decreases, and we forget that the Smart device is there, listening to us. “Hello, Siri”. “Alexa, …”.


Here, too, the rule is: Only use such monitoring devices if you have a real need. It is wise not to install Smart cameras and microphones where they can record things we do not want others to see or hear. Do you really need a webcam in your own or your child’s bedroom? These devices are supposed to be secure, but there have been many instances where they have been hacked and their content broadcast or sold.

And don’t forget your wearable devices, which constantly report your physiological data to a third-party data center. Here, we need to ask ourselves whether we really need non-stop monitoring or whether the danger of such fine-grained data collection might one day turn out to be greater than the benefit. Leaked Smartwatch data that can be used to locate individuals is not unheard of.

Safekeeping Our Data Whilst In the Hands of Others

So far we’ve discussed information that we ourselves produced and whose distribution we were, to some extent, in control of; thus, the responsibility for protecting it lies with us. However, there is also a great deal of information we provide to other entities so that they can identify us, perform actions, or retain it on our behalf (such as cloud storage and backup services).

Some of the major information security incidents of recent years have occurred when such entities have been negligent in securing our information. As the information producers (and customers of those entities), we do not have much control over the security of how our data is stored by these companies – the information is no longer with us, and sometimes we will not even know that it was taken from the party that received the information from us.

What Can We Do?

For most of us, it’s not possible to completely “disconnect”, and we accept that some degree of our privacy is forfeited in return for the benefits of the products or services we use. But there are things that we can do to reduce unnecessary exposure:

  • Choose your platform, service and software – You have a choice. Dissatisfied with WhatsApp sharing your data with Facebook? You can use Signal or Telegram. If you’re not happy with the privacy protections of your Chrome browser, you can explore the privacy protections offered by alternatives such as Firefox or Brave. Each has its own pros and cons, but check out what works for you and know that there are alternatives depending on what features you value most.
  • Explore privacy settings – If you choose to use a certain service or platform, take the time to study its privacy features. For instance, on LinkedIn you can check which applications are associated with your account, limit data sharing with 3rd parties, and decide which parts of your profile are displayed as part of your public profile.
  • Change default passwords on Smart devices – Smart home devices usually ship with built-in default passwords (or worse, none whatsoever). This makes it easier for hackers to gain access to your device. Change defaults and set your own secure passwords on all IoT devices as soon as you unbox them.
  • Erase older accounts – If you are not using your old Yahoo!, Gmail or Hotmail account (as well as numerous other accounts you probably have on obscure sites and platforms), you should erase them. This will reduce the risk of leaking data from either insecure passwords or insecure storage of your passwords.
  • Do not provide information unnecessarily – Many sites ask customers for an ID number, phone number or other PII without any real need for that data. In some cases, you can fill in required fields that are not necessary for your use of the service with ‘junk’ data. If you find yourself having to do this, don’t forget to complain to the vendor.
  • Think before you post! – The good old rule of thumb is ‘would I be embarrassed if my boss, colleagues, partner, parents, or children saw this content?’ Consider that in light not just of the present, but also of the future (like your next job interview).

In short, don’t assume you can leave the safety of your private data solely in the hands of service providers. On Data Privacy Day, it’s worth us all taking a moment to reflect that we have to take responsibility for our own data privacy wherever we can. As we’ve outlined above, there are actionable ways that we can do this.




Workday nabs employee feedback platform Peakon for $700M

Workday started the work day with some big news today. It’s acquiring employee feedback platform Peakon for $700 million in cash.

One thing we have learned during the pandemic is that organizations need to find new ways to build stronger connections with their employees, and that’s precisely what Peakon provides. “Bringing Peakon into the Workday family will be very compelling to our customers — especially following an extraordinary past year that has magnified the importance of having a constant pulse on employee sentiment in order to keep people engaged and productive,” Workday co-founder and co-CEO Aneel Bhusri, said in a statement.

Without the ability to have face-to-face meetings with employees, managers have struggled throughout 2020 to understand how COVID, working from home and all the trials and tribulations of the last year have affected the workforce.

But this ability to check the pulse of employees goes beyond this crisis period. Managers of large organizations know that the bigger and more spread out your firm becomes, the more challenging it is to understand what’s happening across the company. The company uses weekly surveys to ask specific questions about the organization. For them it’s all about getting good data, and so far customers have used the platform to ask over 153 million questions since inception six years ago.

Peakon CEO and co-founder Phil Chambers sees Workday as a logical partner. “Workday excels at helping enable customers to leverage their data. Together, we’ll be able to help drive greater productivity, talent development and employee retention for our customers — and unify how employees interact with their organizations,” he said in a Workday blog post announcing the deal.

Peakon was founded in Copenhagen in 2014 and has raised $68 million along the way, according to Crunchbase data. Its most recent round was a $35 million Series B in March 2019. The deal is expected to close by the end of this quarter subject to typical regulatory review.

After soaring above $23B, Qualtrics’ founder and CEO reflect on a stellar debut

Amidst all of the sturm und drang of l’affaire GameStop, Qualtrics went public today.

After pricing its stock above its raised IPO range, the company received a warm welcome from public investors. After starting its trading life worth $41.85, Qualtrics closed the day worth $45.50, up some 51.67%.

Qualtrics did everything that it said it was going to.

The software company’s debut comes after a lengthy path to the public markets; Qualtrics sold to SAP on the eve of its first run at a public listing back in 2018. Now, SAP has completed spinning the company out, though the software giant remains the Utah unicorn’s largest shareholder.

That Qualtrics’ IPO might perform well was presaged in its pricing run, having priced far above its initial valuation estimates; there was evidence of strong demand even before its shares started to trade.

But did Qualtrics misprice, given its strong first-day performance? TechCrunch spoke with Qualtrics CEO Zig Serafin, and its founder and current executive chairman Ryan Smith about its public offering, hoping to learn a bit about what is next for the company.

Pricing, plans

Having spoken to myriad folks on IPO days, I’ve learned the best way to kick off is to ask about emotions. Most CEOs and other execs are tied up in what they can (and cannot) say. And they are well-trained by communications experts regarding what to repeat and emphasize. You can sometimes loosen them up a little, however, by asking them how they feel.

In response to that question, Serafin described a feeling of gratitude and Smith brought up the long game. Qualtrics, he said, had been told that it couldn’t bootstrap, that it couldn’t build in Utah, that SAP had overpaid, that SAP had messed up and so forth.

Hong Kong startup ICW eyes supply chain diversification demand amid trade war

For American importers, finding suppliers these days can be challenging not only due to COVID-19 travel restrictions. The U.S. government’s entity list designations, human rights-related sanctions, among other trade blacklists targeting Chinese firms have also rattled U.S. supply chains.

One young company called International Compliance Workshop, or ICW, is determined to make sourcing easier for companies around the world as it completed a fresh round of funding. The Hong Kong-based startup has just raised $5.75 million as part of its Series A round, boosting its total funding to around $10 million, co-founder and CEO Garry Lam told TechCrunch.

ICW works like a matchmaker for suppliers and buyers, but unlike existing options like Alibaba’s B2B platform or international trade shows, ICW also vets suppliers over compliance, product quality, and accreditation. It gathers all that information into its growing database of over 40,000 suppliers — 80% of which are currently in China — and recommends them to customers based on individual needs.

Founded in 2016, ICW’s current client base includes some of the world’s largest retailers, including Ralph Lauren, Prenatal Retail Group, Blokker, Kmart, and a major American pharmacy chain that declined to be named.

ICW’s latest funding round was led by Infinity Ventures Partners with participation from Integrated Capital and existing investors MindWorks Capital and the Hong Kong government’s $2 billion Innovation and Technology Venture Fund.

Supply chain shift

In line with the ongoing shift of sourcing outside China, in part due to the U.S.-China trade war and China’s growing labor costs, ICW has seen more customers diversifying their supply chains. But the transition has limitations in the short run.

“It’s still very difficult to find suppliers of certain product categories, for example, Bluetooth devices and power banks, in other countries,” observed Lam. “But for garment and textile, the transition already began to happen a decade ago.”

In Southeast Asia, which has been replacing a great deal of Chinese manufacturing activity, each country has its slight specialization. Whereas Vietnam abounds with wooden furniture suppliers, Thailand is known for plastic goods and Malaysia is a good source for medical supplies, said Lam.

When it comes to trickier compliance burdens, such as human rights sanctions, ICW relies on third-party certification institutes to screen and verify suppliers.

“There is a [type of] qualification standard that verifies whether a supplier has fulfilled its corporate social responsibility… like whether the factory fulfills the labor law, the minimum labor rights, or the payroll, everything,” Lam explained.

ICW plans to use the fresh proceeds to further develop its products, including its compliance management system, product testing platform, and B2B sourcing site.

Inside the Mind of the SUNBURST Adversary

Listen to SentinelLabs’ Principal Threat Researcher Marco Figueroa explain how the SUNBURST adversary conducted one of the most impactful attacks in recent cybersecurity history, an attack whose consequences are going to reverberate for months and years to come.

Marco is speaking as a guest on the To The Point podcast series and goes inside the mind of the adversary, explaining how the attacker patiently lay dormant for months inside SolarWinds before using the Orion platform as a springboard to infect 18,000 downstream customers.

Marco discusses the magnitude of the breach, the attack timeline, and how the adversary prioritized government agencies. He also explains how important it is for security teams to hunt not only for what is already known about this attack but also what may have been missed.


Welcome to To the Point cyber security podcast.

Each week, join Eric Traxler and Carolyn Ford to explore the latest in government, cybersecurity news and trending topics.

Now, let’s get to the point.

Good morning, welcome to To the Point, cyber security. I’m Carolyn Ford here with Eric Traxler. Eric?

Hi, Carol. And it’s actually afternoon. We’re recording in the afternoon this time.

Do you know what? You’re right. It’s afternoon for me to this time.

And a sad afternoon. A sad afternoon.

Well, this is our last joint episode together.

Don’t make me cry. It is. Yeah, I am.

I am off for new adventures, man. I’m going to miss this.

So, yeah, I’m going to miss you. I know the listeners will miss you. It’s been a it’s been a quite an enjoyable ride. I’ve really enjoyed this.

It has been it has been fantastic.

And, you know, preshow show. We got to talk to our guest for a minute, Marco Figueroa. And I think this might be one of my favorite episodes ever, just based on our conversation. Marco, before we even started recording.

Marco, welcome to the show. Sorry, we’re tearing up a little.

Already know I’m tearing up with you guys. I didn’t know you didn’t tell me this.

It’s very special because I’m the last one is our last show together to the point will continue. Nice. We’ll figure out what the journey with the path looks like.

But Caroline is leaving the organization for unchartered better waters and you know, it’ll be good. I wish you the best. It’s been a it’s been an amazing time getting to know you these past three years.

Caroline, same Eric and I. I just have to say I’m going to a really cool company when I saw their technology. It’s something that every IT shop needs. The name of the company is dangerous. So go check it out and you’ll know what I mean when you go see what they’ve got.

So with that, though, let’s get to Marco Figueroa, who is a principal threat researcher at SentinelOne.

His technical expertise includes reverse engineering incident handling threat intelligence.

He likes to do bug bounty on the weekend. I did not know this was a thing until just now, but apparently you can make a lot of money in this, right, Marco?

Absolutely. Go look up some of the people on the leaderboards on HackerOne, and you see the bugs that they are getting and the rewards and the payouts.

It’s this is what I’m going to miss, meeting people like you, Marco. So, I mean, I got to figure out how to keep this going.

So anyways, at least at least you’re not going to SolarWinds, right? Whatever, Chris.

Chris Krebs is there. I wouldn’t mind. I’m not going to lie. Yeah.

Yeah. They’re getting some needed help.

Well, and speaking of SolarWinds, well, let me just finish your very impressive bio. You also talk about hunting.

And before SentinelOne, you spent seven years at Intel as a senior security researcher.

So what we want to talk to you about today is exactly what you just mentioned, SolarWinds.

I want to I want to get inside the head of the adversary. So I want you to be the adversary and tell us what you’re doing in there.

Sure.

I think for me to to paint a picture for the listeners, I think yesterday or the day before yesterday, SolarWinds released a blog on the timeline. Right. And I think it it’s really critical to look at that. And I had discussions with other colleagues about the timeline. So it’s interesting. So what they reported was 9/4/19. The actor accessed SolarWinds.

Right. That was about a year and a half ago. You’re saying 2019. Not 2020. 2019. Yeah, yeah. 2019.

Eight days later, they inject test code and begin the trial run to see if they’re detected, how it’s deployed, and and that carries on to 11/4/19. Right. So let’s take a step back. Right. If I’m doing a pen test or I’m the actor. I need to know first of the software, how it works, how it does right, I can download the free trial, install it, take a look at how it works, reverse engineer it using IDA Pro or Ghidra or something like that to understand, or use another tool of your choice to understand how it works. Right. What can I do? What can I replace and put in its place to to blend in and not stick out.

So and that’s really David’s right, Mark. I mean, as good as you are that I’ve known you a long time, you still take a little bit of time.

Oh, yeah. Oh, yeah. So for for me, if if I’m penetrating their network, I’m first getting a understanding where everything is getting the lay of the land, doing recon and just building a map of the attack surface and what’s going on.

So you understand it.

Yeah. It’s not like you just going to however you enter, you still got to figure out how where everything is. Right. I’ve worked on cases where the software, all it did was a recon mission of the environment it was in. So it took what software was installed, what was the BIOS version, what kind of hardware was on the system? So they can tailor the next time they penetrated, they can tailor their their target for this specific environment.

And this doesn’t even include, Marco. This isn’t even including the the prep time thinking about the operation and the nation state level where which type of software are we going to try to penetrate and how do we want to do it in which teams are going to be oriented towards that? We’re talking an operation that was probably at least two years in the making, if not more.

Absolutely. The patience, you know, when when you get into an environment, you make potential mistakes, right. As an attacker, time favors the attacker. When they’re not when when they’re ghosts in a show where they’re not detected, once they’re detected, the time favors the defender because they have time. And that’s what we’re seeing now. You’re seeing trickling reports come out, right? Every week, so like last week, there was a report, this week there were two reports also there was another. I don’t want to mention the name. There was another firm that was compromised, their certificate that does secure emails. So you’re going to start seeing this over and over, the hack that will keep on giving.

Well, as physicians, the patients look at and they just know, I guess it wasn’t really when they decided to strike it, when we finally noticed them.

What why did we notice them? I’m jumping ahead in the timeline. Keep taking us through the timeline.

We’re going to go there because there’s some juicy parts that I want to cover first. So just the test code was around two months, right? Just around two months.

So they’re just doing just looking back to understand, just seeing if anyone’s detecting what we injected into it.

Is it fair to say is it safe? Is it safe to say that it was at least two months from what we know?

That’s that’s what’s on the timeline from 9/12/19 to 11/4, they’re just testing out.

Right. How do we get that exact injection date?

I know that’s kind of a dumb question, but it’s it’s not out there. And this is this is why for me, it is like you as SolarWinds. The thing to do is really provide solid evidence, backing everything up from logs to to show you have to show it. Because as an attacker later on on this podcast, I’m going to show you why. If you have the software, you need a worry, you need a carpet bomb your company and there’s no food here.

This is real talk. You have to understand the magnitude of what’s going on. So. Jumping forward to 2/20/20 when SUNBURST was compiled and deployed. So we’re talking about patience as soon as November happened.

Right, and they said, OK, there was no detection, timeline shows 2/20, two to three months, basically three months, all of November, all of December, all of January and most of February, short month, by the way, they just waited all they didn’t.

What do you think they were kind of waiting for?

They were there were waiting to get more into the election mayhem to as a distraction. And then maybe when it hit, they they were like, oh, this is even better.

We’ll go now.

I think potentially they were they were waiting and as an attacker, I’m waiting and looking right. Not only. Understanding the environment better, right, that I think that time, right, it’s it’s like the 9/4 initial penetration, I already understood your environment. I know where everything was. So the 9/4 and then the 9/12, that was like, OK, I popped in. And I already know where I’m going.

So this is in SolarWinds Orion, we’re not talking customers yet. We’re not talking customers. Yes, just into SolarWinds, right?

Correct. Correct. And this is this is why for me, it’s there has to be more information and more transparency than ever because so many people were infected and they have to be more transparent talking about this, because a lot of times who keeps logs, it’s very expensive to keep logs. So. How did the how did how did they figure out 9/4/19 was the initial, did the threat actors leave something on the box so you could understand that it was them? And these are all questions that all of us researchers, threat hunters, analysts, everybody wants to know. So SUNBURST happens comp.. Then in 3/26.

Twenty eight months later, hotfix. Yeah, a Hotfix 5 DLL was available to customers. Now. This is all assumptions because they didn’t. Write anything about that? My guess is good. So SolarWinds, they didn’t write anything on their report, what, 3/26/20 is they just put Hotfix 5 DLL available to customers. I’m guessing that that is the SUNBURST implant was available to customers for customers to download. But again, that’s my assumption. It’s not facts, but that’s what I’m thinking.

So then.

June 4th, threat actor removes malware from build VMs. What the what is that? They took out everything. My assumption that you have. Close to four months there that it was up and people were downloading. My guess is that they’d seen what they wanted to see and now they have access to the SolarWinds customers that they wanted, you know. And they’re going to remove the evidence, scrub it, we’re going to scrub it, it’s gone.

So when you say they have basically sweeping out footprints. Yeah.

And when when you say they have access to those customers, at that point, they’ve gone in and created possible fake privileged user accounts with those customers. So whatever they did with SolarWinds, they don’t care anymore.

They’ve got in the door and they and they moved laterally to other platforms.

Mm hmm.

And then you don’t need SolarWinds anymore, right, they’re on their main targets. Yes. Let’s let’s remove the fingerprints, the footprints, whatever you want to call it, so we’re less likely to get caught. And we’ll go to phase two of the operation.

So then that happened, fast forward 12/12/20. SolarWinds notifies, or is notified, of of SUNBURST, so you have all that timeline now about this injection of code. Happening now, we’re going to put all of that aside.

And now I’m I’m I’m the red team or hacker actor. So let’s talk about the access permissions you just said. Right. If you had that SUNBURST Orion DLL installed on AWS and/or Azure. How can the attackers leverage these permissions, you know, for the setup contributor role, which allows you to start, stop, restart your VMs and then for Amazon you can do a little bit more, which is metric. You can look at metric stats and terminate instances, so. That that right there, that role is is really important. And then you have, you know, if you have knowledge of the cloud API and you have some excessive. Access to company resources, everything is unlimited to you, right, everything is there, you you’re completely owned. Let’s say you had that. You know, Amazon S3 bucket full access to everything, that’s like logging in and seeing all your instances of you using Amazon across everything was to say with that access, they don’t turn something on. Inject something into. One of one of the AWS, you know, servers or or it’s just unlimited, it’s unlimited, unprecedented access that I’ve never seen.

But then as an attacker, Marco, your choices, really, where do I go now? Like, where do I spend my time?

Because time is of the essence. I have no idea how long I’ll be in here undetected. What’s how do I prioritize, how do I stack rank and then what do I do?

OK, let’s let’s put the AWS and Azure aside for a second. Let’s dig into exploiting the access permissions stored in Orion. So if you have the Orion platform, you have a database installed just by the because this is where it stores, installs everything and you potentially have all the information of identity and access management or IT asset management. So all of the Orion holds all the credentials, such as domain admins, Cisco routers and switches, ESXi vCenter credentials, AWS or any cloud root API keys and so database much, much more. All of everything. Yeah, yeah. It is. You personally targeted tool. Yeah, you must go.

Yeah, it is, I think it’s shut everything down like what you’re seeing right now. You’re telling me they have access to shut.

Everything now, what I’m saying is, if you had that software, whatever was in that database, whatever. They had or that company had stored, you have to have to realize that. You have to consider everything on the Orion platform compromise, not all you have to once you go to an asset that you found out through Orion that asset may have access to.

Other things, so so in essence, your whole network essentially is is burned or you have to at least suspect that Carolyn. Yeah, I was talking to somebody yesterday and one of the customers who was who was impacted by this. The first inclination was let’s just let’s just set up a whole new infrastructure and network and everything will burn it all down, burn it all down. And that was great thinking. You can’t do it.

Yeah, not easy when you’re thinking now when you’re an enterprise, right.

You can’t a government enterprise can’t burn it all down, but you almost have to think like every single thing out here is suspect now. And that’s the beauty of this attack.

Well, and so who has Orion? Tell me. Everybody in the world. 18,000 customers.

They said 18,000 customers. And there were clearly dozens that were impacted to Marco’s point about, you know, the time is not on the adversary side. Once they’re detected, once they were detected, they had to. You know, they were running out of time. They couldn’t get to all 18,000, not that they ever would, but they had to prioritize from the beginning.

But, you know, it looks like they prioritized government agencies, Deb, customers, telecommunications, you know, the key infrastructure of the United States and our and our allies.

Yeah, it’s. The hack is unprecedented, and you’re right, the one thing you have to think about, if you had. You know, SUNBURST is that everything is compromised. But imagine if you work in a place that I know that has over seven hundred thousand employees.

What do you do, you can’t burn them all down. It’s Caroline, it’s almost like being invited into Willy Wonka’s Chocolate Factory, like you’re in this amazing place, but you can’t eat all the chocolate. So what are you what are your choices?

So what do we do? Marco what do they do?

I’m the red team.

I’m looking at the VP over here and I’m asking you if you’re consulting someone, I’ll give my answer after yours. But if you’re going to a company and and they’re asking you what should we do? Even if we had ten thousand points, what do you say?

Hiya, Marco.

Immediate, I would say, and here’s here’s my thing, I would me I would say.

SentinelOne.

You know. OK, I like that, but that’s that’s that’s for another day, another story. But I mean, what do you tell a customer, though, right? Well, that’s what I just said.

So I think I had some good guidance here, right.

This week or late last week. I forget what it was on the 8th of January.

In the last about a week ago, they announced Alert AA20-352A, which talks about compromise of buying and bypassing a federal identity.

Solutions, talks about using forged authentication tokens, tokens. So basically, your zero trust architecture, if you were heading down that path, is compromised also because the things that credentials, the core credentials were burned. So my my answer, Marco, without naming any products or any organizations, is I think you need to go back to a point in time along that timeline when you ingested it, when you uploaded the latest SolarWinds patch that would have allowed the adversary on your network. And you need to start looking at all user IDs and everything from that time forward. Now, could they play with system clocks and do things like that? Maybe, maybe not. But at a minimum, you’ve got to look at everything that was created from what was the date, March 20th. Maybe you’ve got to look at everything from from that point forward. March 26, I think. Forward and absolutely understand that Marco Figueroa is Marco Figueroa, and you’ve got to look at what those users are doing with their behaviors, where you’ve got to go back to logs, you know, if you have insider threat capability or some kind of EDR capability that was capturing information, either caching and/or storing it in a database. Going back to your logs. And it is this is just grunt police work like forensic work digging through that. I think you have to do that, Carolyn, or you have to burn it all down and start over, which is unlikely.

But that’s what I’m asking. Like, in the meantime, while you’re doing all of this, like Marco is giving the scale here of seven hundred thousand endpoints, seven hundred thousand users, do you shut it all down while you check it out? You can’t do that, because you don’t. Then they’re continuing to move.

Yeah, that continues. And I’ve seen, Marco, I mean, he’d continue to keep moving. You can’t catch me. It’s, you can’t catch me, Eric. I’m faster than whack-a-mole.

Yeah. Yeah, it’s a whack-a-mole mentality. You’re going to be whack-a-moling. And this is the thing, you know. Initially when this happened, Microsoft stated that, you know, they weren’t hacked, right, and I think I retweeted something from someone from Microsoft. Right. Two weeks later, we found out, you know, there was no modification, but they received the source code. Source code. Let me tell you. Accessed, right. So source code. We don’t know what source code. I haven’t seen anything that Microsoft stated except that they accessed source code. But here, again, as a red teamer, as an attacker, as a bug bounty hunter, what I could do with that is I don’t have to reverse engineer things anymore, because if I accessed it, that means I probably copied it. One way or the other, we don’t know, again, transparency. This is why, you know, everything has to be open, because now for me, I’m, like, paranoid to download stuff now, from Microsoft, from everything. Everything goes in a VM that I install and then detonate it if, you know, it’s not good. So this is, I think, building trust with customers is very important, and being transparent, especially these days where we’re getting reports. You’re going to see so many more reports in the upcoming days, weeks, months. It’s going to continue to happen. And yesterday there was another report.

Yeah, this is the tip of the iceberg. This is what I would tell you is the tip of the iceberg, Carolyn.

And this is why I say this is beyond Snowden, Buckshot Yankee, right, you name it. And imagine if the adversary wanted to actually cause harm. We’re talking sabotage. We’re talking damage, as opposed to just espionage. And maybe they can in the future, because they’re inside. What I would question, the one thing I would question, is anybody who says, we’re clean, we’re good, we know we’re OK, who was accessed. I would say, how do you know that? At this point, Marco, you get in through SolarWinds, you clean up your footprints. You’ve now compromised Microsoft 365, Active Directory, maybe some IdAM/ICAM tools. Zero trust is no longer trustworthy. As an adversary, how do you think? What’s your next move? What do you do? How do you prioritize? You’re in the chocolate, actually. How?

Yeah, usually, you know, it’s to stay and have access, right. If you stole stuff, like they were saying court records were accessed and I guess stolen, again, transparency is really important, because we have to know, because as they share, like with Sunspot, we start to have a better understanding for future attacks. So, like, if I’m the attacker and I penetrated a company, it’s to maintain access. And you’re so deep in the company, you could, like, pivot upon pivot. Like, oh, yeah, you found that, but you’re not going to find me for another four months, because I’m over here. You know, it’s maintaining that access. And, you know, supply chain attacks are going to be here to stay, and this is something that will go down as one that, like you said, is the biggest hack

of all time.

So what’s your thought? I mean, as a hacker, a red teamer, you know, all these cybersecurity companies are coming out and they’re saying, hey, here’s a patch, addresses all the, you know. We can address all these IOCs, indicators of compromise, around SolarWinds. To me, it’s too late. I think it’s great that you’re doing it, but.

The horse has already left the barn, or the adversaries are inside the castle walls, if you will, and they look like you, they act like you, and you believe they’re you. So the fact that you’re closing the castle drawbridge, or you’re raising it.

Yeah, but I think it needs to be, it’s correct, it’s important, though, for that to happen. You know why? Because if you have eighteen thousand customers, like, all those customers can’t, like, pay for EDR. Every incident response team right now is busy. You’re not going to hire someone. So you need tools. You know, we released the tool. We released blogs to help people that aren’t our customers, like, hey, it’s like running the tool, right. And this is important. It is a community task. It’s not just one company. The community needs to help each other here because, like I said, eighteen thousand customers. You’re not going to. If a customer right now tried to get another company, another firm, to try to do an investigation, it’s going to be hard. It’s like, OK, you’re on the list, we’ll get to you when we get to you, because everyone is busy. Which goes to your point of why it’s so important that we’re transparent and that we’re sharing the information.

So you said that the supply chain attacks are here to stay. Which idea?

How, what do we do to make sure that that kind of code doesn’t get injected again? Like, what could SolarWinds have done to detect that before it went out, or a SolarWinds Orion customer?

Yeah, yeah.

So, you know, I always believe if you’re a large company, you need a team to vet, you know, the software you’re bringing in, and really vet them, right, and understand a company that is your...

Yeah, if you’re a consumer of a software product, you need to have a team of people who actually look at, in this case it would have been SolarWinds, look at the update process. You don’t have access to the source code. How do you do that? I mean, I’ve worked with some government agencies, I know you’ve worked with them also, Marco, that don’t have enough staff to do it. They’re always behind. You know, you can do selective, you know, pulls even. They ask for the source code to do source code reviews. And even in that, I bet they miss things.

I don’t know that that’s feasible. Is it?

I think, you know, depending on the company, right, the last company I was at, we did have that, right. We had red teamers auditing code, because this is a part of

the security lifecycle, and a company, let’s assume the Fortune 100, can do that. Did you find anything?

Yeah.

Passwords in the clear, probably. Hey, why are you lying back to a company with update messages or whatever? But would you have found it?

And even if you could, even if the top one hundred companies in the world can do it and afford to do it and do it perfectly, the rest of the world can’t do it.

Well, do you think, here’s a question. Do you think, you know, the reason why SolarWinds came out was because they were alerted by who? FireEye, first. Exactly.

Exactly. With the red team tools. But you would assume that FireEye would be better than most in this regard. Yeah. And turns out they were, luckily. Yeah. So they went public on, I think it was, December 13th. They went public right away, which, huge kudos to FireEye. A lot of companies would have said, our red team tools, that’s a huge part of my business. Why would I ever do that?

They found it because they had already been compromised, right. They didn’t find it before they got compromised.

Well, this is the, they’ve stated that they were compromised.

And this is why, like, I wonder, if FireEye didn’t come out, would SolarWinds have come out the way it did? I feel like, you know, FireEye put them on blast and told them, hey, you know, you’ve got to, we’re going to tell our shareholders, or whatever the case is. I don’t know the politics behind there, but I’m pretty sure we do know the time frame. We know what time frame, exactly. It was the 8th of December.

The FireEye Red Team Tools report came out. They put a report out on the 13th on SolarWinds, and on the 14th, the very next day, the SolarWinds security advisory was released.

And then the next day, Microsoft seized the Sunburst command and control domain, and things started to shut down from the initial attack vector perspective.

And that’s what I’m saying. It’s great, right, but the damage has already been done. You know, this was an operation ongoing for six months, and maybe, six months, or were they in for nine or 10?

What I’m saying is, like, 3/26, and then when they initially got caught, right. And they’re still, like I said, they’re still catching a lot of things out there.

Microsoft reported to, I think it was, Mimecast yesterday about their cert being compromised so they can read secure email.

And it is, like I said, the tip of the iceberg. As people start digging more and more, you’re going to see more reports. It’s going to get scary.

So as a threat researcher, I don’t want to scare everybody. What do you do? What are you looking at?

How do you think through this problem if you are working for a compromised agency? What would your advice be right now?

I think, back to Carolyn’s question, yeah, you see a lot of times, and this is what I believe, this is my belief, a lot of companies are reactive to a situation, right. How do you become proactive? How do you go on the offense, right? Which is, start having your threat hunters hunt, but also start putting your rules out there on VirusTotal so you can get more detection and build that detection rate. And for me, a lot of times we wait for an alert. You know, that is, to me, the wrong way, especially now, because everybody is thinking of, yeah, it’s the reactive, we got an alert, OK, what do we do, instead of being proactive. And what’s going to happen is, forget about, you know, what’s going on with SolarWinds and what happened, it’s what else did they put in those environments? What else did they do that we don’t know? And that is where you’re going to start seeing the trickle-down effect of this hack. Yeah, right.

And that is where it’s at, and it’s scary, Carolyn. And right in all of our time together, we’ve had some amazing guests on the podcast. And when Dmitri Alperovitch, CrowdStrike’s former CTO and founder,

mentioned hunting,

which is a conversation I had had with him before, and you get so wrapped up in things, and he took me back to early on, and he’d been talking about that for years, like more than a decade.

It really was one thing tangible that we can grab on to as cyber professionals, cybersecurity professionals. We don’t hunt too much. There aren’t a lot of Marcos out there who are actually reverse engineering malware, reverse engineering code, looking at things that are suspicious on the networks, going back to the cyber defensive teams and saying, hey, you’ve got some potential vulnerabilities here. As Dmitri said, ninety-nine percent of the budget is spent on the perimeter, or spent on tools to protect.

There’s very little on actually looking at what’s happening in your environment, on your networks, with your systems, with your users, with your people, and determining if that’s appropriate. The hunting piece. It was such an eye opener for me.

Yeah, and I agree with that, right. A lot of my time I look at reports out there, and one of the things, here’s a recommendation for everyone listening, is when you read a report, at least for me, a report from whatever company that has hashes,

I look at their report and I say, did they miss something?

And that’s what I do as a hunter. I want to find something that they missed. I worked on a case around 2017 that affected the company I was working at at the time, but it wasn’t in their report, and when we went on a call with them, I was like, look, there is a jump. You only covered this side. But this was more important to us, a specific pattern in code. And I was like, I think, you know, I had a reverse engineer say, hey, this impacted us more than what they reported. So these are the little tricks that you can do, or anyone out there as an analyst, as a hunter, or even as a manager, is like, what did someone else miss? And the show that I always tell people to watch when they are in this field is, watch The First 48. You have 48 hours to, like, get the bad guy, right, so you start understanding how the scene is set up, as a hunter: who shot the gun, where’s the bullet, right, what kind of gun, did someone die. And it’s the same thing you do when you’re researching something.

So, detective.

And as we wrap up here, what Marco was talking about is reminding me a lot of what we just talked to Jared Quants about, who is an insider threat program manager, and he said the same thing, Marco.

He said you go into interrogation mode, you start asking all those questions and dig, dig, dig.

And so I’ve heard you say, be proactive.

Don’t be on the reactive side, start hunting. And then the other thing that you’ve brought up multiple times, and has been brought up by many of our guests, Eric, is just share the information, be transparent, and then we all know to start asking those questions. Right.

I think one hundred percent you’re right. But this particular hack, it needs to be transparent, because you’re going to have people helping out that are not on the payroll, right? You release an indicator, and myself and about ten thousand other researchers are trying to put out reports or things that can help the community. So this is why transparency is super important.

And this one’s got crowdsourced.

What we saw with FireEye, as soon as FireEye went public, boom, the picture opened up and people started to see the extent of the problem, which they had been dealing with for nine to 10 months without even knowing it was impacting them. But I still see that issue of government. It’s really hard for government and industry to share information. I was on a call again yesterday, I assume because of COVID, but where we’re still talking about the same things we’ve been talking about for more than a decade on information sharing, on how to get it out there. You know, we haven’t put protections in place for companies against lawsuits and negligence. There’s a lot to do. I don’t see the government sharing a ton. When they do, it’s usually late. It’s partial. It’s a component of something.

So we have a lot of work to do here, but I agree with you, Marco. We’ve got to open up. We’ve got to work together, because it just keeps getting worse.

Yeah, and like I said, it’s the tip of the iceberg. And also, you know, during this time, we’re in COVID, right? What better way to spend your time than to help investigate. So as these, you know, hashes and indicators and everything come out, you have to share them. I’ll give you a good example: the report that came out this week had a hash. They didn’t share the sample. You need to share the sample, right? Put it up on VT. It’s going to eventually get up there. But again, the hash is there. You know, they’re not sharing, and they have their own reasons. But this particular incident needs to be very transparent, and you have to share.

Yeah. Marco, thank you so much for...

I’d like to keep you for just a minute more. This is actually my favorite part of the show. Oh, yeah. We give you some rapid fire questions.

So what is a show that you have watched recently and just love?

Besides The First 48.

Having watched the show, let me see. You’re always bug hunting, aren’t you?

I’m always, I want to see, I’ll tell you, you talk today, I feel like I was watching your show.

You’re going to have to skip to the next one. I don’t think Marco is, right.

Don’t really, just say YouTube. YouTube, or, sorry, yesterday I put on Atlanta.

It’s OK, by Donald Glover. Do you have Danny Glover? Do you have any guilty pleasures?

Uh. Being in front of my computer, I don’t know.

All right, what do you read?

Or maybe, is a better question, I would say a lot of growth and self-help books. I love that, really. I mean, it’s very entertaining.

It’s all life.

Yeah, so what are you reading right now? I’m reading, there’s three books I’m reading. I just finished Greenlights by Matthew McConaughey. I absolutely love that. And if you guys are going to read it, don’t read it, buy the audiobook, because I read it and then I bought the audiobook. I’m also reading Stephen King’s On Writing, which is interesting, how he writes and how he preps himself to write.

And the third one is The TB12 Method, which is about winning, having, like, a winning mentality like Tom Brady. So those are the three books I’m digging into now.

Do you have a cybersecurity must read book?

Yeah.

I have a few, actually. They’re over there. I would say

Joe, I love Geyser’s, so that’s on the top of my mind, the GI Joe book. By no stretch, that’s for tools. Let me give you a few for bug bounty. I would say go to the website. They have a... One, they have, like, their little books, and for

offensive security, Misty.

I think. The Art of Exploitation, there we go.

Nice, nice light reads for a weekend.

Yeah, OK. Yeah.

All right. Marco, if you had a magic wand and you could change anything you wanted in cybersecurity, what would it be?

That’s a good one. I think there’s sometimes a lot of drama. I don’t get into drama, but I hear through the grapevine. So, drop all the drama. It’s all about love and helping each other and providing value to everyone.

Amen. Well said, unexpected and well said.

Yeah, all right, I think we already know the answer to this, but what would you say is the biggest cybersecurity impact in the last 12 months?

And we talked about it on this. I think we did. I think we got it.

And I think for the next 12 months as well. And then 20, 20 to 10 years.

Right. Well, I don’t want it to continue. And there will be copycats. And the mechanism is sound.

Yeah, well, it was a pleasure to be on this show, and thank you. I’m so happy, you know, that I got to meet you, Carolyn, before you exited stage right. So it was a pleasure. I hope, good luck, good luck, and I hope you stay in touch.

Marco, keep going. Keep the world safe. Keep doing what you’re doing with your research and reverse engineering and getting information out there.

Really, really appreciate it. Glad you’re at SentinelOne right now, making the world a better place. I love it.

You’re one of my, you’re now one of my cybersecurity heroes also. Like, much, Eric.

Yeah. Now Marco is a guy I got, you know, if I have any issues. By the way, I do have an IP address I want to run by you, Marco. Anyway, with that being said, Carolyn, it’s been so much fun working with you and so much fun doing the podcast. I really will miss you. But with that, the show is over.

It is, but the show will go on, but yes, this has been the highlight of my, yes, to be honest. Good. Wow. Well, that’s.

Now, this is a fun thing. So this show is over, I should say, today’s show. We will continue. So we will continue To The Point Cybersecurity. We have too many listeners and we cover too much good ground.

Eric, we need to have a follow-up show, maybe in, like, six to eight months, to see what plays out. Oh, don’t worry. We will have a collection.

We’ll still be playing the game, unfortunately. But anyway, Carolyn, Godspeed. Eric.

Same to you, babe. Thanks for joining us on the To The Point Cybersecurity podcast, brought to you by Forcepoint. For more information and show notes from today’s episode, please visit www.forcepoint.com/govpodcast. And don’t forget to subscribe and leave a review on iTunes or the Google Play store.
