Quantexa raises $64.7M to bring big data intelligence to risk analysis and investigations

The wider field of cybersecurity — not just defending networks, but identifying fraudulent activity — has seen a big boost in activity in the last few months, and that’s no surprise. The global health pandemic has led to more interactions and transactions moving online, and the contractions we’re feeling across the economy and society have led some to take more desperate and illegal actions, using digital challenges to do it.

Today, a U.K. company called Quantexa — which has built a machine learning platform branded “Contextual Decision Intelligence” (CDI) that analyses disparate data points to get better insight into nefarious activity, as well as to (more productively) build better profiles of a company’s entire customer base — is raising a growth round of funding to address that opportunity.

The London-based startup has picked up $64.7 million, a Series C it will be using to continue building out both its tools and the use cases for applying them, as well as expanding geographically, specifically in North America, Asia-Pacific and more European territories.

The mission, said Vishal Marria, Quantexa’s founder and CEO, is to “connect the dots to make better business decisions.”

The startup built its business on the back of doing work for major banks and others in the financial services sector, and Marria added that the plan will be to continue enhancing tools for that vertical while also expanding into two growing opportunities: working with insurance and government/public sector organizations.

The backers in this round speak to how Quantexa positions itself in the market, and the traction it’s seen to date for its business. It’s being led by Evolution Equity Partners — a VC that specialises in innovative cybersecurity startups — with participation also from previous backers Dawn Capital, AlbionVC, HSBC and Accenture, as well as new backers ABN AMRO Ventures. HSBC, Accenture and ABN AMRO are all strategic investors working directly with the startup in their businesses.

Altogether, Quantexa has “thousands of users” across 70+ countries, it said, with additional large enterprises, including Standard Chartered, OFX and Dun & Bradstreet.

The company has now raised some $90 million to date, and reliable sources close to the company tell us that the valuation is “well north” of $250 million — which to me sounds like it’s between $250 million and $300 million.

Marria said in an interview that he initially got the idea for Quantexa — which I believe may be a creative portmanteau of “quantum” and “context” — when he was working as an executive director at Ernst & Young and saw “many challenges with investigations” in the financial services industry.

“Is this a money launderer?” is the basic question that investigators aim to answer, but they were going about it, “using just a sliver of information,” he said. “I thought to myself, this is bonkers. There must be a better way.”

That better way, as built by Quantexa, is to solve it in the classic approach of tapping big data and building AI algorithms that help, in Marria’s words, connect the dots.

As an example, typically, an investigation needs to do significantly more than just track the activity of one individual or one shell company, and you need to seek out the most unlikely connections between a number of actions in order to build up an accurate picture. When you think about it, trying to identify, track, shut down and catch a large money launderer (a typical use case for Quantexa’s software) is a classic big data problem.

While there is a lot of attention these days on data protection and security breaches that leak sensitive customer information, Quantexa’s approach, Marria said, is to sell software, not ingest proprietary data into its engine to provide insights. He said that these days deployments typically either are done on premises or within private clouds, rather than using public cloud infrastructure, and that when Quantexa provides data to complement its customers’ data, it comes from publicly available sources (for example, Companies House filings in the U.K.).

There are a number of companies offering services in the same general area as Quantexa. They include those that present themselves more as business intelligence platforms that help detect fraud (such as Looker) through to those that are secretive and present themselves as AI businesses working behind the scenes for enterprises and governments to solve tough challenges, such as Palantir, through to others focusing specifically on some of the use cases for the technology, such as ComplyAdvantage and its focus on financial fraud detection.

Marria says that it has a few key differentiators from these. First is how its software works at scale: “It comes back to entity resolution that [calculations] can be done in real time and at batch,” he said. “And this is a platform, software that is easily deployed and configured at a much lower total cost of ownership. It is tech and that’s quite important in the current climate.”

And that is what has resonated with investors.

“Quantexa’s proprietary platform heralds a new generation of decision intelligence technology that uses a single contextual view of customers to profoundly improve operational decision making and overcome big data challenges,” said Richard Seewald, founding and managing partner of Evolution, in a statement. “Its impressive rapid growth, renowned client base and potential to build further value across so many sectors make Quantexa a fantastic partner whose team I look forward to working with.” Seewald is joining the board with this round.

iObeya raises $17M to digitize management planning processes like Agile

As we move deeper into the pandemic, companies are looking for ways to digitize processes that previously required in-person meetings with manual approaches. Investors appear to be rewarding companies who can achieve this. iObeya, a French company that helps digitize management planning processes like lean and agile, announced a $17 million Series A today.

Red River West led the round with help from Atlantic Bridge Capital and Fortino Capital Partners. It has now raised a total of $20 million, according to the company.

Tim McCracken, who heads up the company’s US operations, says the name comes from the Japanese word for the large room where companies did all their planning. Many companies gather a group of people in a conference room and line the walls with sticky notes and white boards with their plans for the coming weeks and months.

Even before the pandemic struck, it wasn’t the most effective way to record this valuable business content, and iObeya has developed a service to put it in the digital realm. “And so one of the things that they did with those obeya rooms was they had lots of different visual management boards with post it notes and with different types of indicators that they would use to manage their business. And so what iObeya does is digitize that type of visual management, so that you can access it from multiple locations and share it amongst teams and basically eliminate the need for doing it on paper and on walls,” McCracken explained.

This involves digitizing four main areas that include lean management, factory floor management, agile programming and finally what they call the digital workplace, which includes design thinking, virtual whiteboarding and brainstorming. All of these approaches have lots of planning associated with them and could benefit from being moved online.

The company is approaching 100 employees, the majority of them in France, with a small U.S. office in Seattle, and it will be using this money to expand, with plans to add 50 more. McCracken says that the company has always looked at diversity when it comes to its hiring practices.

“We want to try to attract, not only experienced salespeople, as well as the support organization around them, but also really do as much outreach in the local community to see how we can ensure that our workforce reflects the community,” he said.

As the company had to shut down offices due to COVID-19, McCracken says their own software helped them make that transition more smoothly. “We actually use our own software to manage business so we had very little disruption to our actual work. At the same time, the volume of work increased probably four to five fold, simply because of increased demand for the software. So we had to manage not only moving from working in an office to work at home, but also the increased workload,” he said.

The company was founded near Paris in 2011. They plan to use the money to expand operations in the U.S. and build awareness of the company through greater sales and marketing spend.

NY Charges First American Financial for Massive Data Leak

In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties.

Santa Ana, Calif.-based First American [NYSE:FAF] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019.

As first reported here last year, First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images.

The documents were available without authentication to anyone with a Web browser.

According to a filing (PDF) by the New York State Department of Financial Services (DFS), the weakness that exposed the documents was first introduced during an application software update in May 2014 and went undetected for years.

Worse still, the DFS found, the vulnerability was discovered in a penetration test First American conducted on its own in December 2018.

“Remarkably, Respondent instead allowed unfettered access to the personal and financial data of millions of its customers for six more months until the breach and its serious ramifications were widely publicized by a nationally recognized cybersecurity industry journalist,” the DFS explained in a statement on the charges.

A redacted screenshot of one of many millions of sensitive records exposed by First American’s Web site.

Reuters reports that the penalties could be significant for First American: The DFS considers each instance of exposed personal information a separate violation, and the company faces penalties of up to $1,000 per violation.

In a written statement, First American said it strongly disagrees with the DFS’s findings, and that its own investigation determined only a “very limited number” of consumers — and none from New York — had personal data accessed without permission.

In August 2019, the company said a third-party investigation into the exposure identified just 32 consumers whose non-public personal information likely was accessed without authorization.

When KrebsOnSecurity asked last year how long it maintained access logs or how far back in time that review went, First American declined to be more specific, saying only that its logs covered a period that was typical for a company of its size and nature.

But in Wednesday’s filing, the DFS said First American was unable to determine whether records were accessed prior to June 2018.

“Respondent’s forensic investigation relied on a review of web logs retained from June 2018 onward,” the DFS found. “Respondent’s own analysis demonstrated that during this 11-month period, more than 350,000 documents were accessed without authorization by automated ‘bots’ or ‘scraper’ programs designed to collect information on the Internet.”

The records exposed by First American would have been a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property buyers into wiring funds to fraudsters. According to the FBI, BEC scams are the most costly form of cybercrime today.

First American’s stock price fell more than 6 percent the day after news of their data leak was published here. In the days that followed, the DFS and U.S. Securities and Exchange Commission each announced they were investigating the company.

First American released its first quarter 2020 earnings today. A hearing on the charges alleged by the DFS is slated for Oct. 26.

Reflect wants to help you automate web testing without writing code

Reflect, a member of the Y Combinator Summer 2020 class, is building a tool to automate website and web application testing, making it faster to get your site up and running without waiting for engineers to write testing code, or for human testers to run the site through its paces.

Company CEO and co-founder Fitz Nowlan says his startup’s goal is to allow companies to have the ease of use and convenience of manual testing, but the speed of execution of automated or code-based testing.

“Reflect is a no-code tool for creating automated tests. Typically when you change your website, or your web application, you have to test it, and you have the choice of either having your engineers build coded tests to run through and ensure the correctness of your application, or you can hire human testers to do it manually,” he said.

With Reflect, you simply teach the tool how to test your site or application by running through it once, and based on those actions, Reflect can create a test suite for you. “You enter your URL, and we load it in a browser in a virtual machine in the cloud. From there, you just use your application just like a normal user would, and by using your application, you’re telling us what is important to test,” Nowlan explained.

He adds, “Reflect will observe all of your actions throughout that whole interaction with that whole browser session. And then from those actions, it will distill that down into a repeatable machine executable test.”

Nowlan and co-founder Todd McNeal started the company in September 2019 after spending five years together at a digital marketing startup near Philadelphia, where they experienced problems with web testing first-hand.

They launched a free version of this product in April, just as we were beginning to feel the full force of the pandemic in the U.S., a point that was not lost on him. “We didn’t want to delay any longer and we just felt like, you know you got to get up there and swing the bat,” he said.

Today, the company has 20 paying customers, and he has found that the pandemic has helped speed up sales in some instances, while slowing it down in others.

He says the remote YC experience has been a positive one, and in fact he couldn’t have participated had they had to show up in California as they have families and homes in Pennsylvania. He says that the remote nature of the current program forces you to be fully engaged mentally to get the most out of the program.

“It’s just a little more mental work to prepare yourself and to have the mental energy to stay locked in for a remote batch. But I think if you can get over that initial hump, the information flow and the knowledge sharing is all the same,” he said.

He says as technical founders, the program has helped them focus on the sales and marketing side of the equation, and taught them that it’s more than building a good product. You still have to go out there and sell it to build a company.

He says his short-term goal is to get as many people as he can using the platform, which will help them refine their ability to automate the test building. For starters, that involves recording activities on-screen, but over time they plan to layer on machine learning and that requires more data.

“We’re going to focus primarily over the next six to 12 months on growing our customer base — both paid and unpaid — and I really mean that we want people to come in and create tests. Even if they [use the free product], we’re benefiting from that creation of that test,” he said.

huddl.ai wants to bring more intelligence to online meetings

As the pandemic has shut down in-person meetings, and pushed us online, products like Zoom, Cisco WebEx, Google Meet and Microsoft Teams have become part of our daily lives. Into the fray jumps huddl.ai, a 3.5-year-old startup from a serial entrepreneur who wants to bring a dose of artificial intelligence to meeting technology.

Company co-founder and CEO Krishna Yarlagadda says while these companies have introduced the video meeting concept, his startup has a vision of taking it further. “As we move forward, I think the next [era] is going to be about intelligence,” Yarlagadda told TechCrunch.

That involves using AI tools to transcribe the meeting, pull out the salient points and help users understand what happened without poring over notes to find the key information in a long session. “Primarily there’s a purpose for every meeting, or essentially we’re meeting for outcomes, and that’s where Huddl comes in,” he said.

Yarlagadda said that current solutions simply give you a link to a cloud room and everyone involved clicks and enters. Huddl wants to bring some more structure to that whole process. “We’ve developed a very user-centric architecture and also added a layer called meeting memory, which essentially captures the core aspects of the meeting — the agenda, action items and moments and then added search,” he explained.

They call these meeting elements moments, and they involve capturing three key aspects of the meeting: the agenda and collaborative notes participants take during the meeting, screen captures the user takes using a built-in tool and, finally, audio, which captures a recording of the meeting. Users can search across these elements to find the parts of the meeting that are most relevant to them.

Further, it integrates with other enterprise applications like Slack or Salesforce to move items discussed during these meetings into the applicable tools when it makes sense. “Essentially what we’re trying to do is create a five-minute version of your 60-minute meeting that is stored in your memory and that becomes part of your search. Post-meeting this content has a life, and through APIs and integrations, we can [share it with the right programs],” he said.

For instance, if it’s an action item in a sales meeting, it would go to Salesforce, and if it is a software bug in an engineering meeting, it could be shared with Jira.

The company was started in 2017, and has raised $8.7 million in seed money to date. It has 50 employees, with 10 in the U.S. and the others in India, and has plans to hire 15-20 additional people this year between the U.S. and India offices.

Daily Crunch: Slack files antitrust complaint against Microsoft

An antitrust battle is brewing between Microsoft and Slack, Apple continues to defend its App Store policies and Dexterity raises funding for warehouse robots. Here’s your Daily Crunch for July 22, 2020.

PS: I’m going to be on vacation until Wednesday of next week. Until then, I leave you in Darrell Etherington’s capable hands!

The big story: Slack files antitrust complaint against Microsoft

The complaint was filed in the European Union and alleges that Microsoft is unfairly bundling its Teams product with the broader Office suite.

“Microsoft has illegally tied its Teams product into its market-dominant Office productivity suite, force installing it for millions, blocking its removal, and hiding the true cost to enterprise customers,” Slack said in a statement.

When Microsoft first announced Teams in 2016, Slack took out an ad mocking the company and saying it welcomed competition. In April, Microsoft said Teams has grown to 75 million daily active users, compared to the 12.5 million that Slack reported in March.

The tech giants

Apple digs in heels over its App Store commission structure with release of new study — Apple has been commissioning research that defends its 30% commission on App Store purchases.

Spotify and Universal sign new licensing deal, will partner on development of marketing tools — In addition to re-securing Universal’s catalog for the music streaming service, the deal signs up Universal as an early adopter of Spotify’s future products for labels and artists.

Twitter cracks down on QAnon conspiracy theory, banning 7,000 accounts — Moving forward, Twitter said it will be removing QAnon-related topics from its trending pages and algorithmic recommendations and blocking any associated URLs.

Startups, funding and venture capital

Dexterity exits stealth with $56.2 million raised for its collaborative warehouse robots — The startup’s system combines hardware and software for warehouse tasks like bin picking and box packing.

Misfits Market raises $85 million Series B to send you ‘ugly’ fruits and veggies — Users sign up for a weekly produce box and can also add chocolate, snacks, chips, coffee, herbs, grains, lentils, sauces and spices.

YC-backed Glimpse helps Airbnb hosts make money through product placement — Airbnbs could be the perfect place to convince someone to try a new mattress or a new kind of coffee.

Advice and analysis from Extra Crunch

What you need to know before selling your company’s stock — Part 3 of financial adviser Peyton Carr’s guide for startup founders.

Messenger tools can help you recover millions in lost revenue — Rank Secure CEO Baruch Labunski says messenger tools have helped a single client recover more than $5 million in lost revenue.

(Reminder: Extra Crunch is our subscription membership program, which aims to democratize information about startups. You can sign up here.)

Everything else

GEDmatch confirms data breach after users’ DNA profile data made available to police — The company said that during the breach, “Users who did not opt-in for law enforcement matching were also available for law enforcement matching, and conversely, all law enforcement profiles were made visible to Gedmatch users.”

Go SPAC yourself — I’d never heard of SPACs before today, but the latest episode of Equity explains that they could offer a way for companies to go public through a different pricing mechanism.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Twitter Hacking for Profit and the LoLs

The New York Times last week ran an interview with several young men who claimed to have had direct contact with those involved in last week’s epic hack against Twitter. These individuals said they were only customers of the person who had access to Twitter’s internal employee tools, and were not responsible for the actual intrusion or bitcoin scams that took place that day. But new information suggests that at least two of them operated a service that resold access to Twitter employees for the purposes of modifying or seizing control of prized Twitter profiles.

As first reported here on July 16, prior to bitcoin scam messages being blasted out from such high-profile Twitter accounts as @barackobama, @joebiden, @elonmusk and @billgates, several highly desirable short-character Twitter account names changed hands, including @L, @6 and @W.

A screenshot of a Discord discussion between the key Twitter hacker “Kirk” and several people seeking to hijack high-value Twitter accounts.

Known as “original gangster” or “OG” accounts, short-character profile names confer a measure of status and wealth in certain online communities, and such accounts can often fetch thousands of dollars when resold in the underground.

The people involved in obtaining those OG accounts on July 15 said they got them from a person identified only as “Kirk,” who claimed to be a Twitter employee. According to The Times, Kirk first reached out to the group through a hacker who used the screen name “lol” on OGUsers, a forum dedicated to helping users hijack and resell OG accounts from Twitter and other social media platforms. From The Times’s story:

“The hacker ‘lol’ and another one he worked with, who went by the screen name ‘ever so anxious,’ told The Times that they wanted to talk about their work with Kirk in order to prove that they had only facilitated the purchases and takeovers of lesser-known Twitter addresses early in the day. They said they had not continued to work with Kirk once he began more high-profile attacks around 3:30 p.m. Eastern time on Wednesday.

‘lol’ did not confirm his real-world identity, but said he lived on the West Coast and was in his 20s. “ever so anxious” said he was 19 and lived in the south of England with his mother.

Kirk connected with “lol” late Tuesday and then “ever so anxious” on Discord early on Wednesday, and asked if they wanted to be his middlemen, selling Twitter accounts to the online underworld where they were known. They would take a cut from each transaction.”

Twice in the past year, the OGUsers forum was hacked, and both times its database of usernames, email addresses and private messages was leaked online. A review of the private messages for “lol” on OGUsers provides a glimpse into the vibrant market for the resale of prized OG accounts.

On OGUsers, lol was known to other members as someone who had a direct connection to one or more people working at Twitter who could be used to help fellow members gain access to Twitter profiles, including those that had been suspended for one reason or another. In fact, this was how lol introduced himself to the OGUsers community when he first joined.

“I have a twitter contact who I can get users from (to an extent) and I believe I can get verification from,” lol explained.

In a direct message exchange on OGUsers from November 2019, lol is asked for help from another OGUser member whose Twitter account had been suspended for abuse.

“hello saw u talking about a twitter rep could you please ask if she would be able to help unsus [unsuspend] my main and my friends business account will pay 800-1k for each,” the OGUsers profile inquires of lol.

Lol says he can’t promise anything but will look into it. “I sent her that, not sure if I will get a reply today bc its the weekend but ill let u know,” Lol says.

In another exchange, an OGUser denizen quizzes lol about his Twitter hookup.

“Does she charge for escalations? And how do you know her/what is her department/job. How do you connect with them if I may ask?”

“They are in the Client success team,” lol replies. “No they don’t charge, and I know them through a connection.”

As for how he got access to the Twitter employee, lol declines to elaborate, saying it’s a private method. “It’s a lil method, sorry I cant say.”

In another direct message, lol asks a fellow OGUser member to edit a comment in a forum discussion which included the Twitter account “@tankska,” saying it was his IRL (in real life) Twitter account and that he didn’t want to risk it getting found out or suspended (Twitter says this account doesn’t exist, but a simple text search on Twitter shows the profile was active until late 2019).

“can u edit that comment out, @tankska is a gaming twitter of mine and i dont want it to be on ogu :D’,” lol wrote. “just dont want my irl getting sus[pended].”

Still another OGUser member would post lol’s identifying information into a forum thread, calling lol by his first name — “Josh” — in a post asking lol what he might offer in an auction for a specific OG name.

“Put me down for 100, but don’t note my name in the thread please,” lol wrote.

WHO IS LOL?

The information in lol’s OGUsers registration profile indicates he was probably being truthful with The Times about his location. The hacked forum database shows a user “tankska” registered on OGUsers back in July 2018, but only made one post asking about the price of an older Twitter account for sale.

The person who registered the tankska account on OGUsers did so with the email address jperry94526@gmail.com, and from an Internet address tied to the San Ramon Unified School District in Danville, Calif.

According to 4iq.com, a service that indexes account details like usernames and passwords exposed in Web site data breaches, the jperry94526 email address was used to register accounts at several other sites over the years, including one at the apparel store Stockx.com under the profile name Josh Perry.

Tankska was active only briefly on OGUsers, but the hacked OGUsers database shows that “lol” changed his username three times over the years. Initially, it was “freej0sh,” followed by just “j0sh.”

lol did not respond to requests for comment sent to email addresses tied to his various OGU profiles and Instagram accounts.

ALWAYS IN DISCORD

Last week’s story on the Twitter compromise noted that just before the bitcoin scam tweets went out, several OG usernames changed hands. The story traced screenshots of Twitter tools posted online back to a moniker that is well-known in the OGUsers circle: PlugWalkJoe, a 21-year-old from the United Kingdom.

Speaking with The Times, PlugWalkJoe — whose real name is Joseph O’Connor — said while he acquired a single OG Twitter account (@6) through one of the hackers in direct communication with Kirk, he was otherwise not involved in the conversation.

“I don’t care,” O’Connor told The Times. “They can come arrest me. I would laugh at them. I haven’t done anything.”

In an interview with KrebsOnSecurity, O’Connor likewise asserted his innocence, suggesting at least a half dozen other hacker handles that may have been Kirk or someone who worked with Kirk on July 15, including “Voku,” “Crim/Criminal,” “Promo,” and “Aqua.”

“That twit screenshot was the first time in a while I joke[d], and evidently I shouldn’t have,” he said. “Joking is what got me into this mess.”

O’Connor shared a number of screenshots from a Discord chat conversation on the day of the Twitter hack between Kirk and two others: “Alive,” which is another handle used by lol, and “Ever So Anxious.” Both were described by The Times as middlemen who sought to resell OG Twitter names obtained from Kirk. O’Connor is referenced in these screenshots as both “PWJ” and by his Discord handle, “Beyond Insane.”

The negotiations over highly-prized OG Twitter usernames took place just prior to the hijacked celebrity accounts tweeting out bitcoin scams.

Ever So Anxious told Kirk his OGU nickname was “Chaewon,” which corresponds to a user in the United Kingdom. Just prior to the Twitter compromise, Chaewon advertised a service on the forum that could change the email address tied to any Twitter account for around $250 worth of bitcoin. O’Connor said Chaewon also operates under the hacker alias “Mason.”

“Ever So Anxious” tells Kirk his OGUsers handle is “Chaewon,” and asks Kirk to modify the display names of different OG Twitter handles to read “lol” and “PWJ”.

At one point in the conversation, Kirk tells Alive and Ever So Anxious to send funds for any OG usernames they want to this bitcoin address. The payment history of that address shows that it indeed also received approximately $180,000 worth of bitcoin from the wallet address tied to the scam messages tweeted out on July 15 by the compromised celebrity accounts.

The Twitter hacker “Kirk” telling lol/Alive and Chaewon/Mason/Ever So Anxious where to send the funds for the OG Twitter accounts they wanted.

SWIMPING

My July 15 story observed there were strong indications that the people involved in the Twitter hack have connections to SIM swapping, an increasingly rampant form of crime that involves bribing, hacking or coercing employees at mobile phone and social media companies into providing access to a target’s account.

The account “@shinji,” a.k.a. “PlugWalkJoe,” tweeting a screenshot of Twitter’s internal tools interface.

SIM swapping was thought to be behind the hijacking of Twitter CEO Jack Dorsey’s Twitter account last year. As recounted by Wired.com, @jack was hijacked after the attackers conducted a SIM swap attack against AT&T, the mobile provider for the phone number tied to Dorsey’s Twitter account.

Immediately after Jack Dorsey’s Twitter handle was hijacked, the hackers tweeted out several shout-outs, including one to @PlugWalkJoe. O’Connor told KrebsOnSecurity he has never been involved in SIM swapping, although that statement was contradicted by two law enforcement sources who closely track such crimes.

However, Chaewon’s private messages on OGusers indicate that he very much was involved in SIM swapping. Use of the term “SIM swapping” was not allowed on OGusers, and the forum administrators created an automated script that would watch for anyone trying to post the term into a private message or discussion thread.

The script would replace the term with “I do not condone illegal activities.” Hence, a portmanteau was sometimes used: “Swimping.”

“Are you still swimping?” one OGUser member asks of Chaewon on Mar. 24, 2020. “If so and got targs lmk your discord.” Chaewon responds in the affirmative, and asks the other user to share his account name on Wickr, an encrypted online messaging app that automatically deletes messages after a few days.

Chaewon/Ever So Anxious/Mason did not respond to requests for comment.

O’Connor told KrebsOnSecurity that one of the individuals thought to be associated with the July 15 Twitter hack — a young man who goes by the nickname “Voku” — is still actively involved in SIM-swapping, particularly against customers of AT&T and Verizon.

Voku is one of several hacker handles used by a Canton, Mich. youth whose mom turned him in to the local police in February 2018 when she overheard him talking on the phone and pretending to be an AT&T employee. Officers responding to the report searched the residence and found multiple cell phones and SIM cards, as well as files on the kid’s computer that included “an extensive list of names and phone numbers of people from around the world.”

The following month, Michigan authorities found the same individual accessing personal consumer data via public Wi-Fi at a local library, and seized 45 SIM cards, a laptop and a Trezor wallet — a hardware device designed to store cryptocurrency account data. In April 2018, Voku’s mom again called the cops on her son — identified only as confidential source #1 (“CS1”) in the criminal complaint against him — saying he’d obtained yet another mobile phone.

Voku’s cooperation with authorities led them to bust up a conspiracy involving at least nine individuals who stole millions of dollars worth of cryptocurrency and other items of value from their targets.

CONSPIRACY

Samy Tarazi, an investigator with the Santa Clara County District Attorney’s Office, has spent hundreds of hours tracking young hackers during his tenure with REACT, a task force set up to combat SIM swapping and bring SIM swappers to justice.

According to Tarazi, multiple actors in the cybercrime underground are constantly targeting people who work in key roles at major social media and online gaming platforms, from Twitter and Instagram to Sony, Playstation and Xbox.

Tarazi said some people engaged in this activity seek to woo their targets, sometimes offering them bribes in exchange for the occasional request to unban or change the ownership of specific accounts.

All too often, however, employees at these social media and gaming platforms find themselves the object of extremely hostile and persistent personal attacks that threaten them and their families unless and until they give in to demands.

“In some cases, they’re just hitting up employees saying, ‘Hey, I’ve got a business opportunity for you, do you want to make some money?’” Tarazi explained. “In other cases, they’ve done everything from SIM swapping and swatting the victim many times to posting their personal details online or extorting the victims to give up access.”

Allison Nixon is chief research officer at Unit 221B, a cyber investigations company based in New York. Nixon says she doesn’t buy the idea that PlugWalkJoe, lol, and Ever So Anxious are somehow less culpable in the Twitter compromise, even if their claims of not being involved in the July 15 Twitter bitcoin scam are accurate.

“You have the hackers like Kirk who can get the goods, and the money people who can help them profit — the buyers and the resellers,” Nixon said. “Without the buyers and the resellers, there is no incentive to hack into all these social media and gaming companies.”

Mark Rasch, Unit 221B’s general counsel and a former U.S. federal prosecutor, said all of the players involved in the Twitter compromise of July 15 can be charged with conspiracy, a legal concept in the criminal statute which holds that any co-conspirators are liable for the acts of any other co-conspirator in furtherance of the crime, even if they don’t know who those other people are in real life or what else they may have been doing at the time.

“Conspiracy has been called the prosecutor’s friend because it makes the agreement the crime,” Rasch said. “It’s a separate crime in addition to the underlying crime, whether it be breaking in to a network, data theft or account takeover. The ‘I just bought some usernames and gave or sold them to someone else’ excuse is wrong because it’s a conspiracy and these people obviously don’t realize that.”

In a statement on its ongoing investigation into the July 15 incident, Twitter said it resulted from a small number of employees being manipulated through a social engineering scheme. Twitter said at least 130 accounts were targeted by the attackers, who succeeded in sending out unauthorized tweets from 45 of them and may have been able to view additional information about those accounts, such as direct messages.

On eight of the compromised accounts, Twitter said, the attackers managed to download the account history using the Your Twitter Data tool. Twitter added that it is working with law enforcement and is rolling out additional company-wide training to guard against social engineering tactics.

Microsoft introduces Customer Voice, a real-time customer feedback tool

At Microsoft Inspire today, the company made several Dynamics 365 announcements, including Dynamics 365 Customer Voice, a real-time customer feedback tool that could compete with Qualtrics, the company SAP bought in 2018 for a cool $8 billion.

Microsoft General Manager Brenda Bown says that as more customers move online during the pandemic, it’s more important than ever to capture real-time customer feedback that you can combine with other data to build a more complete picture of the customer that could lead to more successful interactions in the future.

“Customer Voice is a feedback management solution, and it’s designed to empower businesses and organizations to build better products, deliver better experiences to customers and really build the relationships for the customers with that feedback management tool,” Bown told TechCrunch.

The data gets shared with Microsoft’s customer data platform (CDP), and is built on top of Dynamics 365 and the Power Platform. The latter provides a way to customize the Customer Voice tool to meet the needs of an individual company.

Brent Leary, partner and co-founder at CRM Essentials, says this solves the problem of getting feedback as the interaction is happening. He adds that being able to share that data directly with the CDP makes it even more valuable.

“Customer feedback has to be done as close to the interaction/transaction as possible and as frictionless as possible for it to really work, or else customers won’t give it to you. And then the data has to be integrated into the CDP with all the other data automatically to really be of use. And having a platform to handle both the feedback capture and the data integration optimizes the likelihood of this happening,” Leary said.

The company also announced Dynamics 365 Connected Store, a set of tools designed to help stores manage in-store and curbside traffic, among other things. As the pandemic limits the number of people in a store at one time, using sensors and cameras, Connected Store can help managers understand and manage the number of people inside the store at any given time to help aid in social distancing.

It can also help add a level of automation to curbside pickup, letting an employee know when the customer has pulled up. “It alerts the employee and they can bring out the order for a more seamless and quick pickup. And obviously this scenario is super important today because of [more people wanting] contactless pickup,” Bown said.

Finally, the company announced a fraud protection component. She says that Dynamics 365 Fraud Protection helps protect businesses online or in physical stores from fraudulent activities, which she says is even more important as more transactions are conducted digitally. New capabilities include account protection and loss prevention tooling.

Inspire is the company’s annual partner conference, which is being held virtually this year. Bown says by running it virtually, the company can involve even more partners than a typical in-person conference because companies that couldn’t previously attend because of cost and distance are able to participate this year.

GDPR Turns Two! Has Anything Really Changed?

It’s been two years since the advent of the EU’s groundbreaking GDPR scheme, which was implemented in an attempt to force data collectors to tighten up security over the information they collected on users of their services and to provide more transparency and standardization about exactly what and how they collect data. The GDPR is far from an exercise in toothless bureaucracy, though, with penalties faced by those found to be in breach of the regulations regarded as among the most stringent ever proposed.

With data breaches still a regular occurrence and increasingly among the primary objectives of cyber threat actors, just how successful has the GDPR “stick” of punishing fines been after two years of implementation? Has the “fear of a GDPR fine” changed the landscape of data protection, or merely increased the burden on organizations already struggling to deal with gathering and securing the masses of data needed to drive their businesses forward?

GDPR: Fines in Action

There have been around 340 GDPR fines amounting to a total of around $180 million over the last two years, although two of the largest fines amounting to another $350 million together are still to be confirmed in the coming weeks. That could total up to around half a billion USD before 2020 is done and dusted.

The first fine under GDPR was enacted on a bank in Bulgaria for ignoring the right to be forgotten, almost immediately after GDPR became mandatory in May 2018. The first UK GDPR fine was declared more than a year later, in December 2019, regarding a London firm called Doorstep Dispensaree Ltd, that supplies medicines to thousands of elderly care home residents. The company stored 500,000 medical documents containing sensitive information outside its offices, in unlocked containers. This earned the company a £275,000 fine for breaching GDPR rules. The most interesting facet of this incident is that it did not involve any digital record of any kind, only paper documents.

However, in the 18 months that have passed since this incident, many other organizations and companies have joined the not-so-prestigious club. The most recent country to impose a GDPR fine was Ireland, which in May 2020 fined Tusla, a child and family agency, for disclosing the location of children to unauthorised parties.

While the smallest fine has been a meager €90 received by a hospital in Hungary in November 2019, some of the larger fines have been extremely severe:

  • British Airways – $229 million proposed fine for a data breach affecting half a million customers.

  • Marriott Hotels – $123 million proposed fine, or 3% of global annual revenue, for a breach leaking records of 339 million guests.

  • Google – fined $57 million for lack of transparency on how its Android operating system processed user data.

  • TIM (Italian telecommunications operator) – fined $27.8 million for unlawful data processing, non-compliant aggressive marketing strategies, invalid collection of consent and an excessive data retention period.

  • Österreichische Post AG (Austrian postal service) – fined $20 million for illegally using marketing data.

  • Deutsche Wohnen SE (German real-estate company) – fined $16.5 million for retaining historical data without a lawful basis.

  • Eni Gas e Luce (Italian gas and electric company) – fined $13 million for processing personal data and activating unsolicited contracts.

  • 1&1 Telecom GmbH (German telecom) – fined $11 million for failing to have sufficient protections to prevent unauthorized access to customer information.

  • Dixons Carphone, UK – fined $630,000 for a data breach that exposed customer data to hackers for over 9 months.

  • Equifax – fined $630,000 for failing to protect user data belonging to 15 million British customers in its 2017 data breach.

(Note: organizations are always fined in their local currency; the above figures are approximate USD equivalents at the time of writing.)

The Marriott and British Airways cases are still under review, with the final decisions expected to be announced in August 2020.

Additional decisions are being considered regarding fines for Google, Twitter and fashion retailer H&M. It seems that the larger the company and the heavier the fine, the longer it takes the regulators to charge the violators and then to actually fine them.

Has COVID-19 Impacted GDPR?

On May 4, 2020, the Hungarian Government issued a Decree that suspends, during the COVID-19 state of emergency, the one-month deadline that controllers have under the GDPR to reply to data subject rights requests. The Decree also allows public entities to refuse or suspend freedom of information (“FOIA”) requests in certain situations. The Decree has been heavily criticized by civil society groups and prompted scrutiny by the European Data Protection Board (“EDPB”). For organizations with data collection activities that fall under Hungarian jurisdiction, it is worth noting that the EU may well challenge the Hungarian government’s suspension and could even rule it illegal.

More generally, it is likely that the ongoing trend of “Working from home” will also have some effect on data breaches, and these are likely to increase in the 2nd half of 2020, triggering additional GDPR notifications and responses. The International Association of IT Asset Managers (IAITAM) has warned that at-home work due to the COVID-19 pandemic is leading to a spike in data breaches that’s greater than anticipated.

Contemporary Trends, Threats And Challenges

GDPR was supposed to reduce the overall number and severity of data breaches by providing companies with an incentive to avoid being fined. But evidence suggests that the effect was not conclusive or uniform across all member countries since it came into effect.

In Britain, for example, breach reporting increased almost 324.24% between May 2018 and May 2019, with the Information Commissioner’s Office (ICO) recording 14,000 breaches over the period. However, the same body reported it received 19% fewer data breach notifications in the first quarter of 2020 than it did in the same period the previous year. This might indicate less fear of the regulator, either due to fines being less punitive than anticipated or to the UK’s impending exit from EU regulation (“Brexit”) and uncertainty about what, if any, regulations businesses will face from the ICO once GDPR is no longer part of British law.

The recent DBIR report noted that hackers are specifically looking for credentials and personal data. 58% of attacks resulted in compromised personal data, and 37% of attacks either used or stole user credentials. This spells bad news for organizations since theft of such data will almost always trigger GDPR notification. Another recent trend is that aggressive ransomware gangs extort enterprise victims not only by denying them access to their own corporate data but also by threatening to dump that data in the public domain, again triggering breach notifications and all the subsequent headaches.

Has the GDPR Achieved Its Aims?

GDPR redefined privacy as a fundamental right and made our corporate entities stewards of our data. As a result, proper data identification and handling is mandated under GDPR with fines as a severe stick for non-compliance. To measure its success, however, we need to look not so much at the total amount of fines collected, but rather at the mindshift it has created.

This is not limited to European territories, of course. The regulation has become a model for many national laws outside the EU, including Chile, Japan, Brazil, South Korea, Argentina, Indonesia and Kenya. The California Consumer Privacy Act (CCPA), adopted on 28 June 2018, has many similarities with GDPR.

GDPR and similar regulations such as those mentioned above have encouraged organizations to try and prevent or limit the risks of a potential data breach by upgrading and improving their cybersecurity measures, and that can only be a good thing for all.

However, it remains a challenge to many businesses to factor in the cost of non-compliance, when fines can amount to as much as 4% of global annual turnover. For this reason, many businesses operating within the jurisdiction of GDPR or similar regulations have seen fit not only to upgrade their cybersecurity defences but also to instate a Data Protection Officer to take responsibility for overseeing compliance.

Conclusion

There is no doubt that GDPR has changed the landscape of data collection and protection since May 2018, not just in Europe but across much of the world’s markets. However, despite the penalties, the data breaches keep on rolling, and customer data keeps on being leaked and traded.

To some extent, this can be seen as enterprise still playing catch up on years of poor or neglected data protection practices and legacy security technology. The threat actors are still out there punishing those that have not upgraded the technology they need to secure their clients’ data, and the regulators are out there punishing those that have not upgraded their data collection procedures and policies. If that tells us anything, it should be that data protection is a fundamental priority of every data collector. If an organization gets punished by the bad guys, it can expect the regulators to be lining up right behind them.


Jamf ups its IPO range, now targets a valuation of up to $2.7B

Today Jamf, a software company that helps other firms manage their Apple devices, raised its IPO price range.

The company had previously targeted a $17 to $19 per-share range. A new SEC filing from the firm today details a far higher $21 to $23 per-share IPO price interval.

Jamf still intends to sell up to 18.4 million shares in its debut, including 13.5 million in primary stock, 2.5 million shares from existing shareholders and an underwriter option worth 2.4 million shares. The whole whack at $21 to $23 per share would tally between $386.4 million and $423.2 million, though not all those funds would flow to the company.

At the low and high-end of its new IPO range, Jamf is worth between $2.44 billion and $2.68 billion, steep upgrades from its prior valuation range of $1.98 billion to $2.21 billion.

Jamf follows in the footsteps of recent IPOs like nCino, Vroom and others in seeing demand for its public offering allow its pricing to track higher the closer it gets to its public offering. Such demand from public-market investors indicates there is ample demand for debut shares in mid-2020, a fact that could spur other companies to the exit market.

Coinbase, Airbnb and DoorDash are three such companies that are expected to debut in the next year’s time, give or take a quarter or two.

Results, multiples

In anticipation of the Jamf debut that should come this week, let’s chat about the company’s recent performance.

Observe the following table from the most-recent Jamf S-1/A:

From even a quick glance we can learn much from this data. We can see that Jamf is growing, has improving gross margins and has managed to swing from an operating loss to operating profit in Q2 2020, compared to Q2 2019. And, for you fans out there of adjusted metrics, that Jamf managed to generate more non-GAAP operating income in its most recent period than the year-ago quarter.

In more precise terms:

  • Jamf grew from 26.5% to 29.0% on a year-over-year basis in Q2 2020
  • Its gross margin grew by 6% in gross terms, and 8.3% in relative terms
  • Its non-GAAP operating income grew 123.4%, to 150.9% in Q2 2020 compared to the year-ago quarter

Profits! Growth! Software! Improving margins! It’s not a huge surprise that Jamf managed to bolster its IPO price range.

Finally, for the SaaS-heads out there, the following:

This data lets us have a little fun. Recall that we have seen possible valuations for Jamf at IPO that started at $1.98 billion to $2.21 billion, and now include $2.44 billion and $2.68 billion? With our two ARR ranges for the end of Q2, we can now come up with eight ARR multiples for Jamf, from the low-end of its initial IPO price estimate, to the top-end of its new range.

Here they are:

  • Multiple at $1.98 billion valuation and $238 million ARR: 8.3x
  • Multiple at $1.98 billion valuation and $241 million ARR: 8.2x
  • Multiple at $2.21 billion valuation and $238 million ARR: 9.3x
  • Multiple at $2.21 billion valuation and $241 million ARR: 9.2x
  • Multiple at $2.44 billion valuation and $238 million ARR: 10.3x
  • Multiple at $2.44 billion valuation and $241 million ARR: 10.1x
  • Multiple at $2.68 billion valuation and $238 million ARR: 11.3x
  • Multiple at $2.68 billion valuation and $241 million ARR: 11.2x

From that perspective, the pricing changes feel a bit more modest, even if they work out to a huge spread on a valuation basis.

Regardless, this is the current state of the Jamf IPO. Rackspace also filed a new S-1/A today, but we can’t find anything useful in it. A bit like the Jamf S-1/A from Friday. Perhaps we’ll get a new Rackspace document soon with pricing notes.

And, of course, like the rest of the world we await the Palantir S-1 with bated breath. Consider that our white whale.