Does Your Domain Have a Registry Lock?

If you’re running a business online, few things can be as disruptive or destructive to your brand as someone stealing your company’s domain name and doing whatever they wish with it. Even so, most major Web site owners aren’t taking full advantage of the security tools available to protect their domains from being hijacked. Here’s the story of one recent victim who was doing almost everything possible to avoid such a situation and still had a key domain stolen by scammers.

On December 23, 2019, unknown attackers began contacting customer support people at OpenProvider, a popular domain name registrar based in The Netherlands. The scammers told the customer representatives they had just purchased from the original owner the domain e-hawk.net — which is part of a service that helps Web sites detect and block fraud — and that they were having trouble transferring the domain from OpenProvider to a different registrar.

The real owner of e-hawk.net is Raymond Dijkxhoorn, a security expert and entrepreneur who has spent much of his career making life harder for cybercrooks and spammers. Dijkxhoorn and E-HAWK’s CEO Peter Cholnoky had already protected their domain with a “registrar lock,” a service that requires the registrar to confirm any requested changes with the domain owner via whatever communications method is specified by the registrant.

In the case of e-hawk.net, however, the scammers managed to trick an OpenProvider customer service rep into transferring the domain to another registrar with a fairly lame social engineering ruse — and without triggering any verification to the real owners of the domain.

Specifically, the thieves contacted OpenProvider via WhatsApp, said they were now the rightful owners of the domain, and shared a short screen grab video showing the registrar’s automated system blocking the domain transfer (see video below).

“The support agent helpfully tried to verify if what the [scammers] were saying was true, and said, ‘Let’s see if we can move e-hawk.net from here to check if that works’,” Dijkxhoorn said. “But a registrar should not act on instructions coming from a random email address or other account that is not even connected to the domain in question.”

Dijkxhoorn shared records obtained from OpenProvider showing that on Dec. 23, 2019, the e-hawk.net domain was transferred to a reseller account within OpenProvider. Just three days later, that reseller account moved e-hawk.net to another registrar — Public Domain Registry (PDR).

“Due to the previously silent move to another reseller account within OpenProvider, we were not notified by the registrar about any changes,” Dijkxhoorn said. “This fraudulent move was possible due to successful social engineering towards the OpenProvider support team. We have now learned that after the move to the other OpenProvider account, the fraudsters could silently remove the registrar lock and move the domain to PDR.”

REGISTRY LOCK

Dijkxhoorn said one security precaution his company had not taken with their domain prior to the fraudulent transfer was a “registry lock,” a more stringent, manual (and sometimes offline) process that effectively neutralizes any attempts by fraudsters to social engineer your domain registrar.

With a registry lock in place, your registrar cannot move your domain to another registrar on its own. Doing so requires manual contact verification by the appropriate domain registry, such as Verisign — which is the authoritative registry for all domains ending in .com, .net, .name, .cc, .tv, .edu, .gov and .jobs. Other registries handle locks for specific top-level or country-code domains, including Nominet (for .co.uk or .uk domains), EURID (for .eu domains), CNNIC (for .cn domains), and so on.

According to data provided by digital brand protection firm CSC, while domains created in the top three most registered top-level domains (.com, .jp and .cn) are eligible for registry locks, just 22 percent of domain names tracked in Forbes’ list of the World’s Largest Public Companies have secured registry locks.

Unfortunately, not all registrars support registry locks (a list of top-level domains that do allow registry locks is here, courtesy of CSC). But as we’ll see in a moment, there are other security precautions that can and do help if your domain somehow ends up getting hijacked.

Dijkxhoorn said his company first learned of the domain theft on Jan. 13, 2020, which was the date the fraudsters got around to changing the domain name system (DNS) settings for e-hawk.net. That alert was triggered by systems E-HAWK had previously built in-house that continually monitor their stable of domains for any DNS changes.

By the way, this continuous monitoring of one’s DNS settings is a powerful approach to help blunt attacks on your domains and DNS infrastructure. Anyone curious about why this might be a good approach should have a look at this deep-dive from 2019 on “DNSpionage,” the name given to the exploits of an Iranian group that has successfully stolen countless passwords and VPN credentials from major companies via DNS-based attacks.
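E-HAWK's in-house DNS monitor is not public, so the following is an added example, not the article's or E-HAWK's code, of the core idea: keep an approved snapshot of a domain's records, take a fresh snapshot on a schedule, and alert on the difference, ranking a changed delegation (NS) or a stripped DS record above an IP change. It assumes snapshots come from something like `dig +noall +answer <domain> <TYPE>` saved as text; the domain example.test and every record value below are constructed.

```python
"""Snapshot-and-diff monitor for a domain's DNS records (added example).

Assumptions: snapshots are dig-style answer lines saved on a schedule;
example.test and all record values are constructed for illustration.
"""
from dataclasses import dataclass

# A change to these types means control of the zone itself (delegation or
# signing material) moved: the registrar/registry-level hijack the article describes.
CRITICAL_TYPES = {"NS", "DS", "SOA"}
# These redirect traffic or certificate issuance but do not move the zone by themselves.
HIGH_TYPES = {"A", "AAAA", "MX", "CAA"}


@dataclass(frozen=True)
class Alert:
    domain: str
    rtype: str
    severity: str
    added: tuple
    removed: tuple


def parse_answer_lines(text):
    """Turn dig-style answer lines into {rtype: frozenset(rdata)}.

    Each line looks like: 'example.test. 3600 IN NS ns1.provider.test.'
    Comment (';') and blank lines are ignored. TTLs are deliberately dropped
    so that TTL churn never produces an alert.
    """
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unexpected answer line: {line!r}")
        rtype, rdata = fields[3], " ".join(fields[4:])
        records.setdefault(rtype, set()).add(rdata)
    return {k: frozenset(v) for k, v in records.items()}


def diff_snapshots(domain, baseline, observed):
    """Compare two snapshots and return alerts, most severe first."""
    alerts = []
    for rtype in set(baseline) | set(observed):
        old = baseline.get(rtype, frozenset())
        new = observed.get(rtype, frozenset())
        if old == new:
            continue
        if rtype in CRITICAL_TYPES:
            severity = "critical"
        elif rtype in HIGH_TYPES:
            severity = "high"
        else:
            severity = "info"
        alerts.append(Alert(domain, rtype, severity,
                            tuple(sorted(new - old)), tuple(sorted(old - new))))
    order = {"critical": 0, "high": 1, "info": 2}
    return sorted(alerts, key=lambda a: (order[a.severity], a.rtype))


# Constructed sample data: the approved state of the zone ...
BASELINE_TEXT = """
example.test.  3600 IN NS  ns1.provider.test.
example.test.  3600 IN NS  ns2.provider.test.
example.test.  3600 IN A   192.0.2.10
example.test.  3600 IN MX  10 mail.example.test.
example.test.  3600 IN DS  12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
example.test.  300  IN TXT "v=spf1 mx -all"
"""
# ... and a later snapshot in which the delegation moved, the DS record was
# stripped, the A record points elsewhere, and only a TTL changed on the TXT record.
OBSERVED_TEXT = """
example.test.  3600 IN NS  ns1.attacker-dns.test.
example.test.  3600 IN NS  ns2.attacker-dns.test.
example.test.  60   IN A   198.51.100.77
example.test.  3600 IN MX  10 mail.example.test.
example.test.  60   IN TXT "v=spf1 mx -all"
"""


def check_example():
    """Run the diff on the constructed snapshots and return the alerts."""
    baseline = parse_answer_lines(BASELINE_TEXT)
    observed = parse_answer_lines(OBSERVED_TEXT)
    return diff_snapshots("example.test", baseline, observed)


if __name__ == "__main__":
    for alert in check_example():
        print(f"[{alert.severity.upper()}] {alert.domain} {alert.rtype}: "
              f"added={alert.added} removed={alert.removed}")
```

Run from cron against a saved baseline and the critical alerts (NS replaced, DS gone) are exactly the signals that fired in the E-HAWK case; the TTL-only change on the TXT record is intentionally ignored so routine edits do not train responders to dismiss the alert.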

DNSSEC

Shortly after pointing e-hawk.net’s DNS settings to a server they controlled, the attackers were able to obtain at least one encryption certificate for the domain, which could have allowed them to intercept and read encrypted Web and email communications tied to e-hawk.net.

But that effort failed because E-HAWK’s owners also had enabled DNSSEC for their domains (a.k.a. “DNS Security Extensions”), which protects applications from using forged or manipulated DNS data by requiring that all DNS queries for a given domain or set of domains be digitally signed.

With DNSSEC properly enabled, if a name server determines that the address record for a given domain has not been modified in transit, it resolves the domain and lets the user visit the site. If, however, that record has been modified in some way or doesn’t match the domain requested, the name server blocks the user from reaching the fraudulent address.

While fraudsters who have hijacked your domain and/or co-opted access to your domain registrar can and usually will try to remove any DNSSEC records associated with the hijacked domain, it generally takes a few days for these updated records to be noticed and obeyed by the rest of the Internet.

As a result, having DNSSEC enabled for its domains bought E-HAWK an additional 48 hours or so with which to regain control over its domain before any encrypted traffic to and from e-hawk.net could have been intercepted.

In the end, E-HAWK was able to wrest back its hijacked domain in less than 48 hours, but only because its owners are on a first-name basis with many of the companies that manage the Internet’s global domain name system. Perhaps more importantly, they happened to know key people at PDR — the registrar to which the thieves moved the stolen domain.

Dijkxhoorn said without that industry access, E-HAWK probably would still be waiting to re-assume control over its domain.

“This process is normally not that quick,” he said, noting that most domains can’t be moved for at least 60 days after a successful transfer to another registrar.

In an interview with KrebsOnSecurity, OpenProvider CEO and Founder Arno Vis said OpenProvider is reviewing its procedures and building systems to prevent support employees from overriding security checks that come with a registrar lock.

“We are building an extra layer of approval for things that support engineers shouldn’t be doing in the first place,” Vis said. “As far as I know, this is the first time something like this has happened to us.”

As in this case, crooks who specialize in stealing domains often pounce during holidays, when many registrars are short on well-trained staff. But Vis said the attack against E-HAWK targeted the company’s most senior support engineer.

“This is why social engineering is such a tricky thing, because in the end you still have a person who has to make a decision about something and in some cases they don’t make the right decision,” he said.

WHAT CAN YOU DO?

To recap, for maximum security on your domains, consider adopting some or all of the following best practices:

- Use registration features like Registry Lock that can help protect domain name records from being changed. Note that this may increase the amount of time it takes going forward to make key changes to the locked domain (such as DNS changes).

- Use DNSSEC (both signing zones and validating responses).

- Use access control lists for applications, Internet traffic and monitoring.

- Use 2-factor authentication, and require it to be used by all relevant users and subcontractors.

- In cases where passwords are used, pick unique passwords and consider password managers.

- Review the security of existing accounts with registrars and other providers, and make sure you have multiple notifications in place when and if a domain you own is about to expire.

- Monitor the issuance of new SSL certificates for your domains by monitoring, for example, Certificate Transparency Logs.
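The last item above is what would have caught the certificate the attackers obtained for e-hawk.net. As an added example, not the article's code, here is the check itself: take CT entries already fetched from a log-search service and normalised to dicts with the keys log_entry_id, issuer, names and not_before (an assumed format; real services return more fields), and flag every certificate that covers a monitored domain, was logged after the last review, and came from an issuer outside the CA list the organisation's CAA record permits. The domain example.test, the CA names and all entries are constructed.

```python
"""Certificate Transparency check: flag certificates logged for our domains
that we did not expect (added example).

Assumptions: entries are pre-fetched and normalised dicts; EXPECTED_ISSUERS
mirrors the CAA record; all names and CA names below are constructed.
"""
from datetime import date

MONITORED_DOMAINS = {"example.test"}
EXPECTED_ISSUERS = {"Example Trusted CA"}   # constructed; mirrors the CAA allow-list


def monitored_domain_for(name):
    """Return the monitored domain a subject name falls under, or None.

    Handles trailing dots, case, wildcards and subdomains; 'notexample.test'
    must not match 'example.test'.
    """
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    for domain in MONITORED_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def audit_ct_entries(entries, reviewed_through):
    """Findings for certificates covering a monitored domain issued after the last review."""
    findings = []
    for entry in entries:
        covered = [n for n in entry["names"] if monitored_domain_for(n)]
        if not covered:
            continue
        if date.fromisoformat(entry["not_before"]) <= reviewed_through:
            continue  # already examined in the previous review cycle
        reasons = []
        if entry["issuer"] not in EXPECTED_ISSUERS:
            reasons.append("issuer not in CAA allow-list")
        if any(n.startswith("*.") for n in covered):
            reasons.append("wildcard certificate")
        severity = "high" if reasons else "info"
        if not reasons:
            # Expected CA, but someone still has to confirm they requested it.
            reasons.append("new issuance from an expected CA")
        findings.append({"id": entry["log_entry_id"], "names": covered,
                         "issuer": entry["issuer"], "severity": severity,
                         "reasons": reasons})
    # High-severity findings first, then by log entry id.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["id"]))


# Constructed CT entries: one old, one routine, one rogue, one unrelated, one wildcard.
CT_ENTRIES = [
    {"log_entry_id": 1001, "issuer": "Example Trusted CA",
     "names": ["example.test", "www.example.test"], "not_before": "2019-11-02"},
    {"log_entry_id": 1002, "issuer": "Example Trusted CA",
     "names": ["api.example.test"], "not_before": "2020-01-10"},
    {"log_entry_id": 1003, "issuer": "Free Automated CA",
     "names": ["mail.example.test"], "not_before": "2020-01-14"},
    {"log_entry_id": 1004, "issuer": "Free Automated CA",
     "names": ["notexample.test"], "not_before": "2020-01-14"},
    {"log_entry_id": 1005, "issuer": "Other Commercial CA",
     "names": ["*.example.test"], "not_before": "2020-01-15"},
]


def run_example():
    """Audit the constructed entries against a review cut-off of 2020-01-01."""
    return audit_ct_entries(CT_ENTRIES, reviewed_through=date(2020, 1, 1))


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f['severity'].upper()}] entry {f['id']} {f['issuer']}: "
              f"{', '.join(f['names'])} ({'; '.join(f['reasons'])})")
```

Even issuances from an expected CA are reported at low severity: a hijacker who controls DNS can pass domain validation at the CA you normally use, so "who asked for this?" is the question the ticket should answer.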

Enterprise & IoT | 500,000 Passwords Leak & What It Means For You

The rising trend in IoT devices on corporate networks brings with it an increased, and often invisible, risk of exposed assets. From printers and security cameras to “smart” office novelties, most of these wired devices come with baked-in default login credentials that are widely known and shared among cyber criminals. Even when a policy exists to change these defaults, many organizations use easily guessable passwords for the convenience of IT maintenance. While it’s true that managing risk can often be a trade-off between security and convenience, there’s no doubt that improperly managed IoT and other devices offer a path to compromise just waiting to be exploited.


Exactly that danger was graphically illustrated this week when a list of over half a million Telnet credentials belonging to servers, home routers and IoT devices was dumped on a hacking forum. The dump included the IP address, username and password for each of some 515,000 devices’ Telnet ports.


Is Telnet Still a (IoT) Thing?

Most networking admins will know all about telnet, which remains a popular networking tool, but if you’re not familiar with it don’t be surprised. It’s been disabled in Windows Desktop versions by default for a long time, and Apple completely removed the telnet client from macOS 10.12 High Sierra (i.e., September 2017) onwards. Both major OSs regard telnet’s clear text communication protocol as a security hazard and recommend other more secure options like SSH.

However, while telnet may have been the protocol targeted in this case, the issue is less with which protocol these devices use than it is with the failure of admins to use secure passwords to protect them. Indeed, this is the exact same methodology notoriously deployed to such great effect over three years ago by the original Mirai botnet attack. Clearly, lessons have not been learned.

How Do Hackers Discover Device Passwords?

The list of leaked credentials was compiled, and leaked, by a cyber criminal running a DDoS (Distributed Denial of Service) for Hire Attack service. Such services provide low-level threat actors (aka ‘Script Kiddies’) with the ability to target specific web sites or domains that they want to disrupt. Ordinarily, we’d expect the people behind such services to keep a list of compromised devices for their own use. However, in this case, the leaker said he no longer needed to use IoT botnets and had switched to “renting high output servers from cloud providers” instead. That suggests the list was compiled sometime before the leaker had decided on his new strategy, and indeed the ‘Date Modified’ file metadata in the dump spans October and November of last year.

For IT and Security admins, the greatest concern here should be the ease with which such a list can be compiled. Port scanners like Masscan and NMAP can rapidly surveil the entire Internet, and services like Shodan can be used to collect data on servers with open FTP, SSH, Telnet, RTSP and other ports. This data can then be used to access things like webcams, routers and other connected devices.

Attackers can not only quickly scan for open ports but also test them for default credentials like admin:admin and root:root. Offensive security tools like hydra can automate password cracking against remote targets through brute force and password spraying, in which a list of commonly used or weak passwords is tested against each account.

In the video below, we demonstrate how easy it is for attackers to harvest leaked passwords from public resources and use them to log in to a Ring device, but the same principle applies regardless of the platform or kind of device targeted.

The effectiveness of this technique is evidenced by the size of the recent dump, and the fact that in 2017 a similar dump yielded over 30,000 account credentials. While that dump probably whittled down to no more than 8000 or so valid, unique credentials, that’s still a sizeable army for a botnet to recruit. More worryingly, every device whose credentials are leaked in dumps like these represents a possible entry point to business compromise and lateral movement if it belongs to a device connected to an enterprise network.

Forgotten Devices | Invisible Threats on Your Network

Aside from the danger of network admins using weak or default passwords for maintenance convenience, there is also the danger of forgotten devices. 

The ease with which ‘smart’ devices like printers and security cameras can be set up in a plug-and-play manner and then be forgotten is a danger for any enterprise that does not have full visibility across its networks.

Add to that the fact that many embedded devices can be difficult or impossible to patch, it’s easy to see that even a device bought today and protected by strong credentials could become a risk in the future when its OS or firmware have been found to contain exploitable bugs. Without a full and updated inventory of what’s running on your network, the danger of “forgetting” about devices that could at some point be exploited is one that businesses can’t afford to ignore.

If the situation is worrying, the good news is it is entirely preventable. First, implement and enforce a password policy for your IoT devices just like you would for any other device. Second, ensure you have the tools for full network visibility and control so that forgotten assets can be discovered and managed.
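The two fixes above (a credential policy for devices, and visibility so nothing is forgotten) are both checks that can be scripted against an inventory. As an added example, not SentinelOne's or the article's code, this audit flags every inventoried device whose credential is a vendor default, a commonly guessed password, equal to its username or too short, notes devices still managed over a cleartext protocol such as Telnet, and lists addresses seen by the organisation's own discovery scan that nobody inventoried. The inventory format, the default-credential list and every host, address and password are constructed.

```python
"""Audit a device inventory for default or weak credentials and for hosts seen
on the network that were never inventoried (added example).

Assumptions: the inventory is a list of dicts with host, ip, service, username
and password; the seen-on-network set comes from your own discovery scan.
All records below are constructed.
"""
# Vendor defaults the article calls out (admin:admin, root:root) plus a few generic ones.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password"),
                       ("admin", ""), ("user", "user")}
WEAK_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein"}
MIN_LENGTH = 12
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}


def password_findings(username, password):
    """Return the policy violations for one credential pair (empty list = compliant)."""
    problems = []
    if (username, password) in DEFAULT_CREDENTIALS:
        problems.append("vendor default")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("commonly guessed")
    if password and password.lower() == username.lower():
        problems.append("equals username")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    return problems


def audit_inventory(inventory, seen_on_network):
    """Return a report with weak credentials, cleartext management and unknown hosts."""
    report = {"credentials": [], "cleartext": [], "unknown_hosts": []}
    for dev in inventory:
        problems = password_findings(dev["username"], dev["password"])
        if problems:
            report["credentials"].append((dev["host"], dev["ip"], problems))
        if dev["service"] in CLEARTEXT_SERVICES:
            report["cleartext"].append((dev["host"], dev["service"]))
    # Anything answering on the network but absent from the inventory is a "forgotten device".
    inventoried = {dev["ip"] for dev in inventory}
    report["unknown_hosts"] = sorted(seen_on_network - inventoried)
    return report


# Constructed inventory and scan results.
INVENTORY = [
    {"host": "printer-3f", "ip": "10.0.5.21", "service": "http",
     "username": "admin", "password": "admin"},
    {"host": "cam-lobby", "ip": "10.0.5.40", "service": "telnet",
     "username": "root", "password": "Xk9#vL2pQr7mT!"},
    {"host": "badge-reader", "ip": "10.0.5.52", "service": "ssh",
     "username": "svc", "password": "letmein"},
    {"host": "hvac-ctl", "ip": "10.0.5.77", "service": "ssh",
     "username": "ops", "password": "c0rrect-horse-battery-9"},
]
SEEN_ON_NETWORK = {"10.0.5.21", "10.0.5.40", "10.0.5.52", "10.0.5.77", "10.0.5.99"}


def run_example():
    """Audit the constructed inventory against the constructed scan results."""
    return audit_inventory(INVENTORY, SEEN_ON_NETWORK)


if __name__ == "__main__":
    report = run_example()
    for host, ip, problems in report["credentials"]:
        print(f"WEAK  {host} ({ip}): {', '.join(problems)}")
    for host, service in report["cleartext"]:
        print(f"CLEAR {host}: managed over {service}")
    for ip in report["unknown_hosts"]:
        print(f"UNKNOWN host on network: {ip}")
```

Note that the camera passes the password check and still appears in the report: a strong password sent over Telnet is readable by anyone on the path, which is why the article treats the protocol and the password as separate problems.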

Conclusion

Any connected device with an open, internet-facing port will be found and tested by cyber criminals. Not just “one day”, but likely thousands of times a day. Any device that is not secured with a strong password will almost certainly be compromised. Being recruited into a botnet is probably the least bad fate in such a scenario. The far more worrying possibility is that an exposed asset will serve as an entry point into your network for ransomware, Emotet, TrickBot or any number of other trojans, or for lateral movement by a targeted attacker. We are not helpless here, however. Device security is manageable provided you have visibility and enforce secure password protocols. If you’d like to see how SentinelOne can help improve the security of IoT and all other devices across your network, contact us or request a free demo.



Crisp, the demand forecast platform for the food industry, goes live

The food industry may be the biggest industry in the world, but it’s also one of the least efficient. BCG says 1.6 billion tons of food, worth $1.2 trillion, is wasted every year, and those numbers are only expected to go up.

A number of players have stepped up to try and solve their own portion of the problem, and one such solution is Crisp. The company, which received $14 million in Series A funding last year led by FirstMark Capital, is today going live with its platform (which has been in beta).

Crisp aims to solve the global food waste problem via demand forecasts. Founder and CEO Are Traasdahl, a serial founder, believes that a lack of communication and data flow between the many players in the supply chain is a main cause for all this waste, a great deal of which happens long before the food reaches the consumer.

Right now, forecasting demand is nowhere close to a perfect science for many of these players. From food brands to distributors to grocery stores, the problem is usually solved by looking at a spreadsheet from last year’s sales for hours to try to determine the signals that played into this or that SKU’s sales performance.

And then there was Crisp.

Integrated with almost any ERP software a company might have, Crisp ingests historical data from these food brands and combines that data with signals around other demand drivers, such as seasonality, holidays, price sensitivity and other pricing information, marketing campaigns, competitive landscape, weather that might affect the sale or shipment of certain produce or other ingredients.

Using these data points, and historical sales data, Crisp believes it can give a much more accurate picture of demand over the next day, week, month or year.

But Crisp isn’t just for food brands, such as Nounós Creamery, a Crisp customer that says it has reduced scrapped inventory by 80 percent since switching to the platform. Crisp serves almost every player in the food supply chain, from retailers to distributors to brands to brokers.

And the more customers it gets, the better it is at predicting demand on a very specific level. For instance, the demand forecasting Crisp offers for a particular grocery store, based on external data, will obviously get much better once that grocery store is a customer on the platform.

Traasdahl was initially concerned that his customers would be reluctant to hand over this type of sensitive sales data, and also that players within the industry might be anxious to hand over such data to a platform that’s aggregating everyone’s data, including their competitors. Turns out, the food industry has more of a “better together” mentality.

“Other industries are not as dependent on each other,” said Traasdahl. “If I am a creamery and need to buy blueberries for my yogurt, I may have five different vendors for those blueberries. And if they don’t get delivered on the right day, Costco will yell at me for being late with the yogurt. Everyone in the supply chain is somewhat dependent on each other.”

For that reason, it’s been easier to attract clients to the platform than expected. The prospect of a collaborative demand forecast platform, that’s pulling signals from across the entire industry, is going to be more accurate than siloed demand forecasts produced by a single vendor or brand.

During the beta program, which launched in October, Crisp brought on more than 30 companies to the platform, including Gilbert’s Craft Sausages, SunFed Perfect Produce, Nounós Creamery, Hofseth, REMA and Superior Farms.

Apple Addresses iPhone 11 Location Privacy Concern

Apple is rolling out a new update to its iOS operating system that addresses the location privacy issue on iPhone 11 devices that was first detailed here last month.

Beta versions of iOS 13.3.1 include a new setting that lets users disable the “Ultra Wideband” feature, a short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature.

In December, KrebsOnSecurity pointed out the new iPhone 11 line queries the user’s location even when all applications and system services are individually set never to request this data.

Apple initially said the company did not see any privacy concerns and that the location tracking icon (a small, upward-facing arrow to the left of the battery icon) appears for system services that do not have a switch in the iPhone’s settings menu.

Apple later acknowledged the mysterious location requests were related to the inclusion of an Ultra Wideband chip in iPhone 11, Pro and Pro Max devices.

The company further explained that the location information indicator appears because the device periodically checks to see whether it is being used in a handful of countries for which Apple hasn’t yet received approval to deploy Ultra Wideband.

Apple also stressed it doesn’t use the UWB feature to collect user location data, and that this location checking resided “entirely on the device.” Still, it’s nice that iPhone 11 users will now have a setting to disable the feature if they want.

Spotted by journalist Brandon Butch and published on Twitter last week, the new toggle switch to turn off UWB now exists in the “Networking & Wireless” settings in beta versions of iOS 13.3.1, under Locations Services > System Services. Beta versions are released early to developers to help iron out kinks in the software, and it’s not clear yet when 13.3.1 will be released to the general public.

Battle for Supremacy | Hacktivists from Turkey and Greece Exchange Virtual Blows

Tensions between Greece and its neighbor, Turkey, are nothing new. Conflict in the Aegean extends back to the days of Homer, who described how a Greek army decimated the town of Troy, located near Hisarlik in Turkey. The animosity between these nations may date centuries into the past, but the weapons and tactics used in the conflict today are cutting edge cyber tools.

Greece and Turkey are now engaged in a diplomatic conflict focused on the maritime boundaries surrounding the Greek island of Crete. The row comes after Turkey and the Libyan government agreed to seek to map out a boundary that would potentially reduce Greece’s maritime territory. This conflict raises patriotic tensions on both sides, some of which have become manifest in cyberspace.   


Turkish hackers last week claimed responsibility for cyber attacks on Greek government sites, including those of the Greek National Intelligence Services (EYP), Greek Parliament, the Greek Ministry of Foreign Affairs and the Greek Ministry of Finance among others. Turkish hackers AnkaNeferler said these were in retaliation for the Greek government’s stance on the Turkish agreement with Libya (the Turkish government is providing military support and plans to send its military troops). 

Meanwhile, Greece is furious at the pact between Turkey and Sarraj’s government as it threatens to skim the Greek island of Crete, which Greece and its allies say is contrary to international law. 


Greek hackers have not stood idly by. According to different reports, a group called Anonymous Greece retaliated with a cyber-attack of their own just hours after the original Turkish attack. 

“As the Turks hit yesterday, so do we the day after in response. Let it be known that the attacks have just begun. For every new attack, we will be posting a new article. We will now show what we have hit in a matter of hours“, wrote Anonymous Greece on their website.

The list of Turkish websites that have been hit:

  • 112 Emergency Call number
  • Sabah Email Service
  • Hurricane Email Service
  • 112 Emergency Email Service
  • Turkish Police (EGM) Email Service
  • Saglik Email service
  • Economics Email service
  • Enerji Email service
  • SIP-VOIP of Turkish Energy
  • MIT Email service

But these attacks were rather insignificant in comparison to what happened next. Yesterday, it was reported that Turkey’s telecommunications giant Türk Telekom was hit by a cyber attack that caused hours-long problems with Internet access throughout the country.


Who’s Doing What?

It is unclear at this point if any of these attacks had any affiliation to the authorities on either side. It is also unclear what type of attacks have occurred. The first attacks were thought to be DDoS attacks, then DNS hacks, but it seems that at least some of these attacks included one or more malware infections. According to sources, all Greek embassies and diplomatic missions such as Consulates faced major communication problems as the server of the Ministry of Foreign Affairs went down for several days.

What Should Enterprises Do?

Given the nature of these conflicts and the way businesses operate today, it is highly conceivable that hostilities won’t stop any time soon and that some enterprises will be hit as collateral damage. And while there is not much an enterprise can do if an ISP (Internet Service Provider) service is disrupted, there are many things it can do to reduce risk.

Past conflicts have demonstrated that as long as these conflicts last, more juvenile hacking groups enter the game and try to wreak havoc on the opposing nation’s side. In the process, they target anything and anyone they can (as long as these are affiliated with the opponent’s flag). They also utilize much more common tools and techniques, looking for quick psychological wins. So the best way to reduce the risk would be to ensure that standard defenses are all intact.

Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that are, monitor these for suspicious, command & control-like activity.

Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on Script Block Logging. Learn more from Microsoft.

Set policies to alert on new hosts joining the network. To reduce the possibility of rogue devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.

Backup now, and test your recovery process for business continuity. It is easy to let backup policies slide, or fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and/or cold sites.

Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures.

Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks.
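The first item in the list above, reviewing firewall logs to learn which ports are exposed but not needed, is easy to automate once the logs are in hand. As an added example, not SentinelOne's or the article's code, this script reads accepted-connection lines, ignores traffic from internal ranges, drops the services the business has approved for Internet exposure, and summarises the rest by port with hit count, number of distinct sources (many distinct sources on an unapproved port is what Internet-wide scanning looks like) and a note if the port belongs to a cleartext or remote-control protocol. The key=value log format, the approved-port policy, the internal ranges and every log line are constructed; a real appliance's format will differ and the regex must be adapted.

```python
"""Find Internet-exposed ports that are not on the approved-service list by
reviewing firewall accept logs (added example).

Assumptions: one line per connection in the key=value form matched below;
APPROVED and INTERNAL_NETS encode this (constructed) organisation's policy;
all log lines are constructed.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+)\s+spt=\d+\s+dst=(?P<dst>[\d.]+)\s+dpt=(?P<dpt>\d+)$")

# Services the business actually needs reachable from the Internet (constructed policy).
APPROVED = {("tcp", 443), ("tcp", 25)}
# Ports whose exposure deserves a second look: cleartext or remote-control protocols.
RISKY = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("tcp", 3389): "rdp", ("tcp", 445): "smb"}
# Address ranges that are "inside"; connections from here are not exposure.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_exposure(lines, scan_threshold=3):
    """Summarise accepted inbound connections from outside on unapproved ports."""
    stats = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue            # only traffic that got through counts as exposure
        if is_internal(rec["src"]):
            continue
        key = (rec["proto"], int(rec["dpt"]))
        if key in APPROVED:
            continue
        stats[key]["hits"] += 1
        stats[key]["sources"].add(rec["src"])
    findings = []
    for (proto, port), s in sorted(stats.items()):
        findings.append({
            "proto": proto, "port": port, "hits": s["hits"],
            "distinct_sources": len(s["sources"]),
            "known_risky_service": RISKY.get((proto, port)),
            # Many distinct sources hitting an unapproved port looks like Internet-wide scanning.
            "looks_scanned": len(s["sources"]) >= scan_threshold,
        })
    return findings


# Constructed log lines: approved web/mail traffic, three outside sources reaching
# telnet, a dropped RDP probe, an internal print job and one SNMP query.
LOG_LINES = """
2020-01-20T03:14:07Z fw ACCEPT proto=tcp src=203.0.113.5 spt=51234 dst=192.0.2.10 dpt=443
2020-01-20T03:14:09Z fw ACCEPT proto=tcp src=203.0.113.5 spt=51240 dst=192.0.2.10 dpt=23
2020-01-20T03:15:41Z fw ACCEPT proto=tcp src=198.51.100.17 spt=40001 dst=192.0.2.10 dpt=23
2020-01-20T03:16:02Z fw ACCEPT proto=tcp src=198.51.100.88 spt=40002 dst=192.0.2.10 dpt=23
2020-01-20T03:17:30Z fw DROP   proto=tcp src=198.51.100.88 spt=40003 dst=192.0.2.10 dpt=3389
2020-01-20T03:18:11Z fw ACCEPT proto=tcp src=10.0.5.21 spt=33000 dst=192.0.2.10 dpt=9100
2020-01-20T03:19:55Z fw ACCEPT proto=udp src=203.0.113.77 spt=5000 dst=192.0.2.10 dpt=161
2020-01-20T03:20:10Z fw ACCEPT proto=tcp src=203.0.113.9 spt=5100 dst=192.0.2.10 dpt=25
""".strip().splitlines()


def run_example():
    return review_exposure(LOG_LINES)


if __name__ == "__main__":
    for f in run_example():
        tag = f" ({f['known_risky_service']})" if f["known_risky_service"] else ""
        print(f"{f['proto']}/{f['port']}{tag}: {f['hits']} hits from "
              f"{f['distinct_sources']} sources, scanned={f['looks_scanned']}")
```

The output is a to-do list rather than an alert: each unapproved port either gets closed or gets added to the approved set with an owner, and the ones that stay open are the ones to watch for the command-and-control-like activity the item above mentions.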

Conclusion

It’s too early to predict where this cyber conflict is heading. It is possible that we’ve seen the apex of offensive activities, or perhaps it is only the beginning. Regardless, enterprises, organizations and individuals face increasing risk of becoming accidental victims caught in the cyber crossfire of this conflict. CISOs are advised to take precautions as to minimize this risk.    



TriggerMesh scores $3M seed from Index and Crane to help enterprises embrace ‘serverless’

TriggerMesh, a startup building on top of the open-source Kubernetes software to help enterprises go “serverless” across apps running in the cloud and traditional data centers, has raised $3 million in seed funding.

The round is led by Index Ventures and Crane Venture Partners. TriggerMesh says the investment will be used to scale the company and grow its development team in order to offer what it bills as the industry’s first “cloud native integration platform for the serverless era.”

Founded by two prominent names in the open-source community — Sebastien Goasguen (CEO) and Mark Hinkle (CMO), based in Geneva and North Carolina, respectively — TriggerMesh’s platform will enable organizations to build enterprise-grade applications that span multiple cloud and data center environments, therefore helping to address what the startup says is a growing pain point as serverless architectures become more prevalent.

TriggerMesh’s platform and serverless cloud bus is said to facilitate “application flow orchestration” to consume events from any data center application or cloud event source and trigger serverless functions.

“As cloud-native applications use a greater number of serverless offerings in the cloud, TriggerMesh provides a declarative API and a set of tools to define event flows and functions that compose modern applications,” explains the company.

One feature TriggerMesh is specifically talking up and very relevant to legacy enterprises is its integration functionality with on-premise software. Via its wares, it says it is easy to connect SaaS, serverless cloud offerings and on-premises applications to provide scalable cloud-native applications at a low cost and quickly.

“There are huge numbers of disconnected applications that are unable to fully benefit from cloud computing and increased network connectivity,” noted Scott Sage, co-founder and partner at Crane Venture Partners, in a statement. “Most companies have some combination of cloud and on-premises applications and with more applications around, often from different vendors, the need for integration has never been greater. We see TriggerMesh’s solution as the ideal fit for this need which made them a compelling investment.”

Descartes Labs launches its new platform for analyzing geospatial data

Descartes Labs, a well-funded startup based in New Mexico, provides businesses with geospatial data and the tools to analyze it in order to make business decisions. Today, the company announced the launch of its Descartes Labs Platform, which promises to bring its data together with all of the tools data scientists — including those with no background in analyzing this kind of information — would need to work with these images to analyze them and build machine learning models based on the data in them.

Descartes Labs CEO Phil Fraher, who took this position only a few months ago, told me that the company’s current business often includes a lot of consulting work to get its customers started. These customers span the range from energy and mining companies to government agencies, financial services and agriculture businesses, but many don’t have the in-house expertise to immediately make use of the data that Descartes Labs provides.

“For the most part, we still have to evangelize how to use geospatial data to solve business problems. And so a lot of our customers rely on us to do consulting,” Fraher said. “But what’s really interesting is that even with some of our existing customers, we’re now seeing more early adopters, more business and analysis teams and data scientists being hired, that do focus on geospatial data. So what’s really exciting with this launch is we’re now going to put our platform tool in the hands of those particular individuals that now can do their own work.”

In many ways, this new platform gives these customers access to the tools and data that Descartes Labs’ own team uses and allows them to collaborate with the company to solve their problems and use the new modeling tools to build solutions for their individual businesses.

“Previously, a data science team at a company that’s interested in this kind of analysis would also have to know how to wrangle very large-scale or petabyte-scale Earth observation data sets,” Fraher said. “These are very unique and specific skillsets and because of that kind of barrier to entry, the adoption of some of this technology and data sources has been slow.”

To enable more businesses to get started with working with this data (and become Descartes Labs customers), the company is betting on the standard tools in the industry, with hosted Jupyter notebooks, Python support and a set of APIs. It also includes tools to transform and clean the incoming data from Descartes’ third-party partners in order to make it usable for data scientists.

“It’s not just like some simple ETL-like data processing pipeline,” Descartes Labs’ head of Engineering Sam Skillman noted. “It’s something where we have to combine very in-depth data science, remote sensing and large-scale compute capabilities to bring all of that data in in a way that normalizes it and gets it ready for analysis.”

All of this analysis is handled in the cloud, of course.

The new platform is now available to businesses that want to give it a try.

Shared inbox startup Front raises $59 million round led by other tech CEOs

Front is raising a $59 million Series C funding round. Interestingly, the startup hasn’t raised with a traditional VC firm leading the round. A handful of super business angels are investing directly in the productivity startup and leading the round.

Business angels include Atlassian co-founder and co-CEO Mike Cannon-Brookes, Atlassian President Jay Simons, Okta co-founder and COO Frederic Kerrest, Qualtrics co-founders Ryan Smith and Jared Smith and Zoom CEO Eric Yuan. Existing investors including Sequoia Capital, Initialized Capital and Anthos Capital are participating in this round as well.

While Front doesn’t share its valuation, the company says that the valuation has quadrupled compared to the previous funding round. Annual recurring revenue has also quadrupled over the same period.

The structure of this round is unusual, but it’s on purpose. Front, like many other startups, is trying to redefine the future of work. That’s why the startup wanted to surround itself with leaders of other companies who share the same purpose.

“First, because we didn’t need to raise (we still had two years of runway), and it’s always better to raise when we don’t need it. The last few months have given me much more clarity into our go-to-market strategy,” Front co-founder and CEO Mathilde Collin told me.

Front is a collaborative inbox for your company. For instance, if you want to share an email address with your coworkers (support@mycompany.com or jobs@mycompany.com), you can integrate those shared inboxes with Front and work on those conversations as a team.

It opens up a ton of possibilities. You can assign conversations to a specific person, @-mention your coworkers to send them a notification, start a conversation with your team before you hit reply, share a draft with other people, etc.

Front also supports other communication channels, such as text messages, WhatsApp messages, a chat module on your website and more. As your team gets bigger, Front helps you avoid double replies by alerting other users when you’re working on a reply.

In addition to those collaboration features, Front helps you automate your workload as much as possible. You can set up automated workflows so that a specific conversation ends up in front of the right pair of eyes. You can create canned responses for the entire team as well.

Front also integrates with popular third-party services, such as Salesforce, HubSpot, Clearbit and dozens of others. Front customers include MailChimp, Shopify and Stripe.

While Front supports multiple channels, email represents the biggest challenge. If you think about it, email hasn’t changed much over the past decade. The last significant evolution was the rise of Gmail, G Suite and web-based clients. In other words, Front wants to disrupt Outlook and Gmail.

With today’s funding round, the company plans to iterate on the product front with Office 365 support for its calendar, an offline mode and refinements across the board. The company also plans to scale up its sales and go-to-market team with an office in Phoenix and a new CMO.

Snyk snags $150M investment as its valuation surpasses $1B

Snyk, the company that wants to help developers secure their code as part of the development process, announced a $150 million investment today. The company indicated the investment brings its valuation to more than $1 billion (although it did not share the exact figure).

Today’s round was led by Stripes, a New York City investment firm, with help from Coatue, Tiger Global, BoldStart, Trend Forward, Amity and Salesforce Ventures. The company reports it has now raised more than $250 million.

The idea behind Snyk is to fit security firmly in the development process. Rather than offloading it to a separate team, something that can slow down a continuous development environment, Snyk builds in security as part of the code commit.

The company offers an open-source tool that helps developers find known vulnerabilities in their open-source dependencies when they commit their code to GitHub, Bitbucket, GitLab or any CI/CD tool. It has built up a community of more than 400,000 developers with this approach.

Snyk makes money with a container security product, and by making available to companies as a commercial product the underlying vulnerability database they use in the open-source product.
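As an added illustration of the mechanism described above, and not Snyk’s own code or vulnerability database, the following script shows what such a commit-time check boils down to: the pinned dependencies in a lockfile are matched against an advisory database by affected version range, and the commit or build is failed when a finding meets a severity threshold. The package names, advisory identifiers, version ranges and lockfile contents are all constructed for this example. Versions are compared as integer tuples so that 1.10.0 correctly sorts after 1.9.0, and an unpinned dependency is rejected outright, since a range like `>=1.0` cannot be checked against a fixed advisory.

```python
"""Minimal dependency-vulnerability gate, as run from a commit hook or CI job.

Everything below (advisories, package names, the lockfile) is constructed
for illustration; none of it refers to real packages or real CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    vulnerable_from: str  # first affected version (inclusive)
    fixed_in: str         # first fixed version (exclusive upper bound)
    advisory_id: str
    severity: str


# Constructed advisory database (hypothetical packages and IDs).
ADVISORIES: List[Advisory] = [
    Advisory("example-http", "1.0.0", "1.4.2", "EX-2019-0001", "high"),
    Advisory("example-yaml", "0.0.0", "5.1.0", "EX-2019-0002", "critical"),
    Advisory("example-log", "2.0.0", "2.3.0", "EX-2019-0003", "medium"),
]

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines; comments and blanks are ignored.

    Anything not pinned with '==' is an error: a range cannot be matched
    against an advisory, and a lockfile that is not fully pinned is not
    reproducible anyway.
    """
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep != "==" or not version.strip():
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True when vulnerable_from <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(adv.vulnerable_from) <= v < parse_version(adv.fixed_in)


def find_vulnerabilities(deps: Dict[str, str], advisories=ADVISORIES):
    """Return (package, version, advisory_id, severity, fixed_in) per hit."""
    findings = []
    for adv in advisories:
        version = deps.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, version, adv.advisory_id,
                             adv.severity, adv.fixed_in))
    return findings


def gate(lock_text: str, fail_on: str = "high", advisories=ADVISORIES):
    """Return (ok, findings); ok is False if any finding is at or above fail_on."""
    deps = parse_lockfile(lock_text)
    findings = find_vulnerabilities(deps, advisories)
    threshold = SEVERITY_RANK[fail_on]
    ok = all(SEVERITY_RANK[sev] < threshold for _, _, _, sev, _ in findings)
    return ok, findings


# Constructed lockfile: one vulnerable pin, one exactly at the fix, one past it.
SAMPLE_LOCK = """
# constructed lockfile for the example
example-http==1.3.0
example-yaml==5.1.0
example-log==2.5.1
"""

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_LOCK)
    for pkg, ver, aid, sev, fixed in findings:
        print(f"{sev.upper():8} {pkg}=={ver} affected by {aid}; upgrade to >={fixed}")
    # Non-zero exit is what makes the commit hook or CI stage fail.
    raise SystemExit(0 if ok else 1)
```

Run as a pre-commit hook or CI step, the non-zero exit status is the whole point: the check blocks the change rather than filing a ticket for a separate team to pick up later. Real advisory data carries multiple affected ranges per advisory and pre-release version suffixes, which this constructed example does not model.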

CEO Peter McKay, who came on board last year as the company was making a move to expand into the enterprise, says the open-source product drives the revenue-producing products and helped attract this kind of investment. “Getting to [today’s] funding round was the momentum in the open source model from the community to freemium to [land] and expand — and that’s where we are today,” he told TechCrunch.

He said the company wasn’t looking for this money, but investors came knocking and gave them a good offer, based on Snyk’s growing market momentum. “Investors said we want to take advantage of the market, and we want to make sure you can invest the way you want to invest and take advantage of what we all believe is this very large opportunity,” McKay said.

In fact, the company has been raising money at a rapid clip since it came out of the gate in 2016 with a $3 million seed round. A $7 million Series A and $22 million Series B followed in 2018, with a $70 million Series C last fall.

The company reports over 4X revenue growth in 2019 (without giving exact revenue figures), and some major customer wins, including the likes of Google, Intuit, Nordstrom and Salesforce. It’s worth noting that Salesforce thought enough of the company that it also invested in this round through its Salesforce Ventures investment arm.

DDoS Mitigation Firm Founder Admits to DDoS

A Georgia man who co-founded a service designed to protect companies from crippling distributed denial-of-service (DDoS) attacks has pleaded guilty to paying a DDoS-for-hire service to launch attacks against others.

Tucker Preston, 22, of Macon, Ga., pleaded guilty last week in a New Jersey court to one count of damaging protected computers by transmission of a program, code or command. DDoS attacks involve flooding a target Web site with so much junk Internet traffic that it can no longer accommodate legitimate visitors.

Preston was featured in the 2016 KrebsOnSecurity story DDoS Mitigation Firm Has History of Hijacks, which detailed how the company he co-founded — BackConnect Security LLC — had developed the unusual habit of hijacking Internet address space it didn’t own in a bid to protect clients from attacks.

Preston’s guilty plea agreement (PDF) doesn’t specify who he admitted attacking, and refers to the target only as “Victim 1.” Preston declined to comment for this story.

But that 2016 story came on the heels of an exclusive about the hacking of vDOS — at the time the world’s most popular and powerful DDoS-for-hire service.

KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).

The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company’s owners they would need to look elsewhere for DDoS protection.

Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it’s interesting to note that the name of the FSF’s founder, Richard Stallman, was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.

Ultimately, it was the Mirai co-author’s use of this nickname that contributed to him getting caught, arrested, and prosecuted for releasing Mirai and its source code (as well as for facilitating a record-setting DDoS against this Web site in 2016).

According to a statement from the U.S. Justice Department, the count to which he pleaded guilty is punishable by a maximum of 10 years in prison and a fine of up to $250,000, or twice the gross gain or loss from the offense. He is slated to be sentenced on May 7.