Announcing the agenda for TC Sessions: Enterprise | San Francisco, September 5

TechCrunch Sessions is back! On September 5, we’re taking on the ferociously competitive field of enterprise software, and we’re thrilled to announce our packed agenda, overflowing with some of the biggest names and most exciting startups in the enterprise industry. And you’re in luck, because $249 early-bird tickets are still on sale — make sure you book yours so you can enjoy all the agenda has to offer.

Throughout the day, you can expect to hear from industry experts and partake in discussions about the potential of new technologies like quantum computing and AI, how to deal with the onslaught of security threats, investing in early-stage startups and plenty more.

We’ll be joined by some of the biggest names and the smartest and most prescient people in the industry, including Bill McDermott at SAP, Scott Farquhar at Atlassian, Julie Larson-Green at Qualtrics, Wendy Nather at Duo Security, Aaron Levie at Box and Andrew Ng at Landing AI.

Our agenda showcases some of the powerhouses in the space, but also plenty of smaller teams that are building and debunking fundamental technologies in the industry. We still have a few tricks up our sleeves and will be adding some new names to the agenda over the next month, so keep your eyes open. In the meantime, check out these agenda highlights:

AGENDA

Investing with an Eye to the Future
Jason Green (Emergence Capital), Maha Ibrahim (Canaan Partners) and Rebecca Lynn (Canvas Ventures)
9:35 AM – 10:00 AM

In an ever-changing technological landscape, it’s not easy for VCs to know what’s coming next and how to place their bets. Yet, it’s the job of investors to peer around the corner and find the next big thing, whether that’s in AI, serverless, blockchain, edge computing or other emerging technologies. Our panel will look at the challenges of enterprise investing, what they look for in enterprise startups and how they decide where to put their money.


Talking Shop
Scott Farquhar (Atlassian)
10:00 AM – 10:20 AM

With tools like Jira, Bitbucket and Confluence, few companies influence how developers work as much as Atlassian. The company’s co-founder and co-CEO Scott Farquhar will join us to talk about growing his company, how it is bringing its tools to enterprises and what the future of software development in and for the enterprise will look like.


Q&A with Investors
10:20 AM – 10:50 AM

Your chance to ask questions of some of the greatest investors in enterprise.


Innovation Break: Deliver Innovation to the Enterprise
DJ Paoni (SAP), Sanjay Poonen (VMware) and Shruti Tournatory (Sapphire Ventures)
10:20 AM – 10:40 AM

For startups, the appeal of enterprise clients is not surprising — signing even one or two customers can make an entire business, and it can take just a few hundred to build a $1 billion unicorn company. But while corporate counterparts increasingly look to the startup community for partnership opportunities, making the jump to enterprise sales is far more complicated than scaling up the strategy startups already use to sell to SMBs or consumers. Hear from leaders who have experienced successes and pitfalls through the process as they address how startups can adapt their strategy with the needs of the enterprise in mind. Sponsored by SAP.


Coming Soon!
10:40 AM – 11:00 AM


Box’s Enterprise Journey
Aaron Levie (Box)
11:15 AM – 11:35 AM

Box started life as a consumer file-storage company and transformed early on into a successful enterprise SaaS company, focused on content management in the cloud. Levie will talk about what it’s like to travel the entire startup journey — and what the future holds for data platforms.


Bringing the Cloud to the Enterprise
George Brady (Capital One), Byron Deeter (Bessemer Venture Partners) and a speaker to be announced
11:35 AM – 12:00 PM

Cloud computing may now seem like the default, but that’s far from true for most enterprises, which often still have tons of legacy software that runs in their own data centers. What does it mean to be all-in on the cloud, which is what Capital One recently accomplished? We’ll talk about how companies can make the move to the cloud easier, what not to do and how to develop a cloud strategy with an eye to the future.


Keeping the Enterprise Secure
Martin Casado (Andreessen Horowitz), Wendy Nather (Duo Security) and a speaker to be announced
1:00 PM – 1:25 PM

Enterprises face a litany of threats from both inside and outside the firewall. Now more than ever, companies — especially startups — have to put security first. From preventing data from leaking to keeping bad actors out of your network, enterprises have it tough. How can you secure the enterprise without slowing growth? We’ll discuss the role of a modern CSO and how to move fast… without breaking things.


Keeping an Enterprise Behemoth on Course
Bill McDermott (SAP)
1:25 PM – 1:45 PM

With over $166 billion in market cap, Germany-based SAP is one of the most valuable tech companies in the world today. Bill McDermott took the leadership in 2014, becoming the first American to hold this position. Since then, he has quickly grown the company, in part thanks to a number of $1 billion-plus acquisitions. We’ll talk to him about his approach to these acquisitions, his strategy for growing the company in a quickly changing market and the state of enterprise software in general.


How Kubernetes Changed Everything
Brendan Burns (Microsoft), Tim Hockin (Google Cloud), Craig McLuckie (VMware) and Aparna Sinha (Google)
1:45 PM – 2:15 PM

You can’t go to an enterprise conference and not talk about Kubernetes, the incredibly popular open-source container orchestration project that was incubated at Google. For this panel, we brought together three of the founding members of the Kubernetes team and the current director of product management for the project at Google to talk about the past, present and future of the project and how it has changed how enterprises think about moving to the cloud and developing software.


Innovation Break: Data: Who Owns It
(SAP)
2:15 PM – 2:35 PM

Enterprises have historically competed by being closed entities, keeping a closed architecture and innovating internally. When applying this closed approach to the hottest new commodity, data, it simply does not work anymore. But as enterprises, startups and public institutions open themselves up, how open is too open? Hear from leaders who explore data ownership and the questions that need to be answered before the data floodgates are opened. Sponsored by SAP.


AI Stakes its Place in the Enterprise
Bindu Reddy (Reality Engines), Jocelyn Goldfein (Zetta Venture Partners) and a speaker to be announced
2:35 PM – 3:00 PM

AI is becoming table stakes for enterprise software as companies increasingly build AI into their tools to help process data faster or make more efficient use of resources. Our panel will talk about the growing role of AI in enterprise for companies big and small.


Q&A with Founders
3:00 PM – 3:30 PM

Your chance to ask questions of some of the greatest startup minds in enterprise technology.


The Trials and Tribulations of Experience Management
Julie Larson-Green (Qualtrics), Peter Reinhardt (Segment) and a speaker to be announced
3:15 PM – 3:40 PM

As companies gather more data about their customers, it should theoretically improve the customer experience, but myriad challenges face companies as they try to pull together information from a variety of vendors across disparate systems, both in the cloud and on prem. How do you pull together a coherent picture of your customers, while respecting their privacy and overcoming the technical challenges? We’ll ask a team of experts to find out.


Innovation Break: Identifying Overhyped Technology Trends
James Allworth (Cloudflare), George Mathew (Kespry) and Max Wessel (SAP)
3:40 PM – 4:00 PM

For innovation-focused businesses, deciding which technology trends are worth immediate investment, which trends are worth keeping on the radar and which are simply buzzworthy can be a challenging gray area to navigate and may ultimately make or break the future of a business. Hear from these innovation juggernauts as they provide their divergent perspectives on today’s hottest trends, including Blockchain, 5G, AI, VR and more. Sponsored by SAP.


Fireside Chat
Andrew Ng (Landing AI)
4:00 PM – 4:20 PM

Few technologists have been more central to the development of AI in the enterprise than Andrew Ng. With Landing AI and the backing of many top venture firms, Ng has the foundation to develop and launch the AI companies he thinks will be winners. We will talk about where Ng expects to see AI’s biggest impacts across the enterprise.


The Quantum Enterprise
Jim Clarke (Intel), Jay Gambetta (IBM) and Krysta Svore (Microsoft)
4:20 PM – 4:45 PM

While we’re still a few years away from having quantum computers that will fulfill the full promise of this technology, many companies are already starting to experiment with what’s available today. We’ll talk about what startups and enterprises should know about quantum computing today to prepare for tomorrow.


Overcoming the Data Glut
Benoit Dageville (Snowflake), Ali Ghodsi (Databricks) and a speaker to be announced
4:45 PM – 5:10 PM

There is certainly no shortage of data in the enterprise these days. The question is how do you process it and put it in shape to understand it and make better decisions? Our panel will discuss the challenges of data management and visualization in a shifting technological landscape where the term “big data” doesn’t begin to do the growing volume justice.


Early-bird tickets are on sale now for just $249. That’s a $100 savings before prices go up — book yours today.

Students, save big with our super discounted $75 ticket when you book here.

Are you a startup? Book a demo table package for just $2,000 (includes 4 tickets) — book here.

Google Cloud makes it easier to set up continuous delivery with Spinnaker

Google Cloud today announced Spinnaker for Google Cloud Platform, a new solution that makes it easier to install and run the Spinnaker continuous delivery (CD) service on Google’s cloud.

Spinnaker was created inside Netflix and is now jointly developed by Netflix and Google. Netflix open-sourced it back in 2015 and over the course of the last few years, it became the open-source CD platform of choice for many enterprises. Today, companies like Adobe, Box, Cisco, Daimler, Samsung and others use it to speed up their development process.

With Spinnaker for Google Cloud Platform, which runs on the Google Kubernetes Engine, Google is making the install process for the service as easy as a few clicks. Once up and running, the Spinnaker install includes all of the core tools, as well as Deck, the user interface for the service. Users pay for the resources used by the Google Kubernetes Engine, as well as Cloud Memorystore for Redis, Google Cloud Load Balancing and potentially other resources they use in the Google Cloud.


The company has pre-configured Spinnaker for testing and deploying code on Google Kubernetes Engine, Compute Engine and App Engine, though it also will work with any other public or on-prem cloud. It’s also integrated with Cloud Build, Google’s recently launched continuous integration service, and features support for automatic backups and integrated auditing and monitoring with Google’s Stackdriver.

“We want to make sure that the solution is great both for developers and DevOps or SRE teams,” says Matt Duftler, tech lead for Google’s Spinnaker effort, in today’s announcement. “Developers want to get moving fast with the minimum of overhead. Platform teams can allow them to do that safely by encoding their recommended practice into Spinnaker, using Spinnaker for GCP to get up and running quickly and start onboarding development teams.”


TrustRadius, a customer-generated B2B software review platform, raises $12.5M

Customer reviews play a key role in helping people decide what to buy on consumer-focused marketplaces like Amazon or app stores, and the same tendency exists in the B2B world, where nearly half a trillion dollars is spent annually on software and IT purchases. TrustRadius, one of the startups capitalising on the latter trend with total feedback sessions today standing at close to 190,000 reviews, has now picked up a Series C of $12.5 million led by Next Coast Ventures with existing investors Mayfield Fund and LiveOak Ventures also participating.

The funding, which brings the total raised by TrustRadius to $25 million (modest compared to some of its competitors) will be used to build more partnerships and use cases for its reviews, as well as continue expanding that total number of users providing feedback.

In addition to its main site — which goes up against a huge number of other online software comparison services like TrustPilot, G2 Crowd, Owler, and many others — TrustRadius is already working with vendors like LogMeIn, Tibco and more (including a number of huge IT companies that have asked not to be named).

TrustRadius mainly works with them on two tracks: to source a wider range of reviews from their existing customer bases to improve their profiles on the site; and then to help them use those reviews in their own marketing materials. Partnerships like these form the core of TrustRadius’s business model: people posting reviews or using the site to read them access it for free.

Vinay Bhagat, founder and CEO of TrustRadius, believes that his company’s mission — to help IT decision makers vet software by tapping into feedback from other IT buyers — has found particular relevance in the current market.

“I think that gravity is on our side,” he said in an interview. “If you think about how the tech industry is evolving and getting things done, IT decisions are getting decentralized and moving out of the CIO’s office. Millennials are ageing into positions of authority, and it means that the way people had previously bought software — by way of salespeople or on the basis of analyst reports — are changing. There is pent-up demand to hear the roar of peers and that’s where we come in.”

User-generated reviews have come under a lot of criticism in recent times. Regulators have been going after companies for not being vigilant enough about policing their platforms for “fake” reviews, either planted to big up a product, or by rivals to knock it down, or coming from people who are being paid to put in a good word. The argument has been that the marketplaces hosting those reviews are still bringing in eyeballs and product conversions based on that feedback, so they are less concerned with the corruption, even if, longer term, it is likely to sour consumers on the trustworthiness of the whole platform.

That belief is not wholly true, of course: Amazon for one has recently been making a huge effort to improve trust, by going after dodgy reviewers and setting up systems to halt the trafficking of counterfeit goods.

And Bhagat argued to me that it doesn’t hold for TrustRadius, either. The company has a focused enough mandate — B2B software purchasing — within a crowded enough field, that losing trust by posting blindly positive reviews would get it nowhere fast.

At the same time, he noted that the company has held a firm line with its customers on making sure that the “truth” about a product is made clear even if it’s not completely rosy, in the hopes that they can use that to work on improvements, and also provide more balanced feedback at the least from existing customers in order to give a more complete picture. (It also, like other reviews sites, makes people who provide feedback do so using professional credentials like work emails and LinkedIn profiles.)

That line has so far carried it into relationships with a number of software companies, which are using reviews as a complement to their own sales teams, and the papers and analysis published by analysts like Gartner, Ovum and Forrester, to reach people who are weighing up different options for their IT solutions.

“TrustRadius has become an integral part of today’s economic cycle”, said Bill Wagner, CEO of LogMeIn, in a statement. “Software buyers today need detailed reviews to make sure that the product works for a business professional like themselves. TrustRadius provides that in a transparent way, so buyers can make confident decisions, even about enterprise-grade software.”

The recent swing in the digital world towards data protection and people getting increasingly aware of how their own personal details are used in ways they never intended, has presented an interesting challenge for the world of online services. Most of us don’t like getting marketing and will generally opt out of any “yes, I consent to getting updates from XYZ and its partners!” boxes — if we happen to spot them amid the dark patterning of the net.

TrustRadius and companies like it have an opportunity through that, though: by targeting IT buyers who have to make complicated purchasing decisions and most likely more than one, and in a way that ensures each purchase works with the rest of an existing tech stack, they represent one of the rare cases of where a user might actually want to hear more.

Indeed, one of the company’s plans longer term is to continue developing how it can work with its users through that IT lifecycle by providing suggestions of software based on previous software purchases and also what that user’s feedback has been around a past purchase.

“From day one we have been dealing with complex purchasing decisions,” Bhagat said. “Buying technology that will be used to run your business is not the same as buying an app that you use casually. It can be make or break for your company.”

In spite of slowing growth, Microsoft has been flexing its cloud muscles

When Microsoft reported its FY19, Q4 earnings last week, the numbers were mostly positive, but as we pointed out, Azure earnings growth has stalled. Productivity and business, which includes Office 365, has also mostly flattened out. But slowing growth is not always as bad as it may seem. In fact, it’s an inevitability that once you start to reach Microsoft’s market maturity, it gets harder to maintain large growth numbers.

That said, AWS launched the first cloud infrastructure service, Amazon Elastic Compute Cloud, in August 2006. Microsoft came much later to the cloud, launching Azure in February 2010, and yet the other established companies in the market now sit in Microsoft’s rearview mirror. What did it do differently to achieve this success that the companies chasing it — Google, IBM and Oracle — failed to do? It’s a key question.

Let’s look at some numbers

For starters, let’s look at the most recent numbers for Productivity & Business Processes this year. This category includes all of its commercial and consumer SaaS products, including Office 365 commercial and consumer, Dynamics 365, LinkedIn and others. The percentage growth started FY19 at 19% but ended at 14%.


When you look at just Office 365 commercial earnings growth, it started at 36% and dropped down to 31% by Q4.

What You Should Know About the Equifax Data Breach Settlement

Big-three credit bureau Equifax has reportedly agreed to pay at least $650 million to settle lawsuits stemming from a 2017 breach that let intruders steal personal and financial data on roughly 148 million Americans. Here’s a brief primer that attempts to break down what this settlement means for you, and what it says about the value of your identity.


Q: What happened?

A: If the terms of the settlement are approved by a court, the Federal Trade Commission says Equifax will be required to spend up to $425 million helping consumers who can demonstrate they were financially harmed by the breach. The company also will provide up to 10 years of free credit monitoring to those who had their data exposed.

Q: What about the rest of the money in the settlement?

A: An as-yet undisclosed amount will go to pay lawyers’ fees for the plaintiffs.

Q: $650 million seems like a lot. Is that some kind of record?

A: If not, it’s pretty close. The New York Times reported earlier today that it was thought to be the largest settlement ever paid by a company over a data breach, but that statement doesn’t appear anywhere in their current story.

Q: Hang on…148 million affected consumers…out of that $425 million pot that comes to just $2.87 per victim, right?

A: That’s one way of looking at it. But as always, the devil is in the details. You won’t see a penny or any other benefit unless you do something about it, and how much you end up costing the company (within certain limits) is up to you.

The Times reports that the proposed settlement assumes that only around seven million people will sign up for their credit monitoring offers. “If more do, Equifax’s costs for providing it could rise meaningfully,” the story observes.

Q: Okay. What can I do?

A: You can visit www.equifaxbreachsettlement.com, although none of this will be official or on offer until a court approves the settlement.

Q: Uh, that doesn’t look like Equifax’s site…

A: Good eyes! It’s not. It’s run by a third party. But we should probably just be grateful for that; given Equifax’s total dumpster fire of a public response to the breach, the company has shown itself incapable of operating (let alone securing) a properly functioning Web site.

Q: What can I get out of this?

A: In a nutshell, affected consumers are eligible to apply for one or more remedies, including:

Free credit monitoring: At least three years of credit monitoring via all three major bureaus simultaneously, including Equifax, Experian and Trans Union. The settlement also envisions up to six more years of single bureau monitoring through Experian. Or, if you don’t want to take advantage of the credit monitoring offers, you can opt instead for a $125 cash payment. You can’t get both.

Reimbursement: …For the time you spent remedying identity theft or misuse of your personal information caused by the breach, or purchasing credit monitoring or credit reports. This is capped at 20 total hours at $25 per hour ($500). Total cash reimbursement payment will not exceed $20,000 per consumer.

Help with ongoing identity theft issues: Up to seven years of “free assisted identity restoration services.” Again, the existing breach settlement page is light on specifics there.

Q: Does this cover my kids/dependents, too?

A: The FTC says if you were a minor in May 2017 (when Equifax first learned of the breach), you are eligible for a total of 18 years of free credit monitoring.

Q: How do I take advantage of any of these?

A: You can’t yet. The settlement has to be approved first. The settlement Web site says to check back again later. In addition to checking the breach settlement site periodically, consumers can sign up with the FTC to receive email updates about this settlement.

The settlement site said consumers also can call 1-833-759-2982 for more information. Press #2 on your phone’s keypad if you want to skip the 1-minute preamble and get straight into the queue to speak with a real person.

KrebsOnSecurity dialed in to ask for more details on the “free assisted identity restoration services,” and the person who took my call said they’d need to have some basic information about me in order to proceed. He said they needed my name, address and phone number to proceed. I gave him a number and a name, and after checking with someone he came back and said the restoration services would be offered by Equifax, but confirmed that affected consumers would still have to apply for it.

He added that the Equifaxbreachsettlement.com site will soon include a feature that lets visitors check to see if they’re eligible, but also confirmed that just checking eligibility won’t entitle one to any of the above benefits: Consumers will still need to file a claim through the site (when it’s available to do so).

ANALYSIS

We’ll see how this unfolds, but I’ll be amazed if anything related to taking advantage of this settlement is painless. I still can’t even get a free copy of my credit report from Equifax, as I’m entitled to under the law for free each year. I’ve even requested a copy by mail, according to their instructions. So far nothing.

But let’s say for the sake of argument that our questioner is basically right — that this settlement breaks down to about $3 worth of flesh extracted from Equifax for each affected person. The thing is, this figure probably is less than what Equifax makes selling your credit history to potential creditors each year.

In a 2017 story about the Equifax breach, I quoted financial fraud expert Avivah Litan saying the credit bureaus make about $1 every time they sell your credit file to a potential creditor (or identity thief posing as you). According to recent stats from the New York Federal Reserve, there were around 145 million hard credit pulls in the fourth quarter of 2018 (it’s not known how many of those were legitimate or desired).

But there is something you can do to stop the Equifax and the other bureaus from profiting this way: Freeze your credit files with them.

A security freeze essentially blocks any potential creditors from being able to view or “pull” your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you. And it’s now free for all Americans.

This post explains in detail what’s involved in freezing your files; how to place, thaw or remove a freeze; the limitations of a freeze and potential side effects; and alternatives to freezes.

What’s wrong with just using credit monitoring, you might ask? These services do not prevent thieves from using your identity to open new lines of credit, and from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon after an ID thief does steal your identity.

If past experience is any teacher, anyone with a freeze on their credit file will need to briefly thaw their file at Equifax before successfully signing up for the service when it’s offered. Since a law mandating free freezes across the land went into effect, all three bureaus have made it significantly easier to place and lift security freezes.

Probably too easy, in fact. Especially for people who had freezes in place before Equifax revamped its freeze portal. Those folks were issued a numeric PIN to lift, thaw or remove a freeze, but Equifax no longer lets those users do any of those things online with just the PIN.

These days, that PIN doesn’t play a role in any freeze or thaw process. To create an account at the MyEquifax portal, one need only supply name, address, Social Security number, date of birth, any phone number (all data points exposed in the Equifax breach, and in any case widely available for sale in the cybercrime underground) and answer 4 multiple-guess questions whose answers are often available in public records or on social media.

And so this is yet another reason why you should freeze your credit: If you don’t sign up as you at MyEquifax, someone else might do it for you.

What else can you do in the meantime? Be wary of any phone calls or emails you didn’t sign up for that invoke this data breach settlement and ask you to provide personal and/or financial information.

And if you haven’t done so lately, go get a free copy of your credit report from annualcreditreport.com; by law all Americans are entitled to a free report from each of the major bureaus annually. You can opt for one report, or all three at once. Either way, make sure to read the report(s) closely and dispute anything that looks amiss.

It has long been my opinion that the big three bureaus are massively stifling innovation and offering consumers so little choice or say in the bargain that’s being made on the backs of their hard work, integrity and honesty. The real question is, if someone or something eventually serves to dis-intermediate the big three and throw the doors wide open to competition, what would the net effect for consumers?

Obviously, there is no way to know for sure, but a company that truly offered to pay consumers anywhere near what their data is actually worth would probably wipe these digital dinosaurs from the face of the earth.

That is, if the banks could get on board. After all, the banks and their various fingers are what drive the credit industry. And these giants don’t move very nimbly. They’re massively hard to turn on the simplest changes. And they’re not known for quickly warming to an entirely new model of doing business (i.e. huge cost investments).

My hometown Sen. Mark Warner (D-Va.) seems to suggest the $650 million settlement was about half what it should be.

“Americans don’t choose to have companies like Equifax collecting their data – by the nature of their business models, credit bureaus collect your personal information whether you want them to or not. In light of that, the penalties for failing to secure that data should be appropriately steep. While I’m happy to see that customers who have been harmed as a result of Equifax’s shoddy cybersecurity practices will see some compensation, we need structural reforms and increased oversight of credit reporting agencies in order to make sure that this never happens again.”

Sen. Warner sponsored a bill along with Sen. Elizabeth Warren (D-Ma.) called “The Data Breach Prevention and Compensation Act,” which calls for “robust compensation to consumers for stolen data; mandatory penalties on credit reporting agencies (CRAs) for data breaches; and giving the FTC more direct supervisory authority over data security at CRAs.”

“Had the bill been in effect prior to the 2017 Equifax breach, the company would have had to pay at least $1.5 billion for their failure to protect Americans’ personal information,” Warner’s statement concludes.

Update, 4:44 pm: Added statement from Sen. Warner.

The Good, the Bad and the Ugly in Cybersecurity – Week 29

The Good

Drupal have patched a critical bug that could let hackers take over sites powered by the popular, open-source web content management platform. The vulnerability, CVE-2019-6342, only affects Drupal 8.7.4, and only when the experimental Workspaces module is enabled. Although there’s no known exploit for this vulnerability to date, updating to version 8.7.5 is strongly recommended.

The first half of 2019 saw record investment in Israeli tech companies, reaching a record-breaking $3.9 billion. The three biggest deals, leading the way in a total of 250 deals that attracted investors in the first six months of 2019, were with the firms Lemonade, Monday and SentinelOne.

The Bad

According to a report by the FBI this week, Business Email Compromises are on the rise, with cybercriminals raking in as much as $300 million last year alone, a figure that’s three times the amount stolen just two years ago. Top targets are manufacturing and construction businesses, commercial services and real estate outfits. Criminals typically pose as a customer or senior management and fool unsuspecting employees into paying phoney invoices or making other fraudulent wire transfers. Attackers use phishing campaigns and spyware to steal the data necessary to compromise email accounts.

There was also bad news for internet users in Kazakhstan this week, and a warning of a dangerous precedent that should worry us all. In an anti-privacy move, the government there has made it mandatory for all ISPs to use a national MITM Certificate Agency to intercept all encrypted HTTPS traffic. End users have been told to install a government-issued certificate authority on all devices and all browsers. Government spying, or necessary for national security? Where have we had that debate before…

The Ugly

Seems like Cylance found out the hard way this week something we’ve been saying for a long time. Next-Gen security solutions need to use a layered model that is updated frequently and not simply rely on one supposedly “killer” feature. The point was impressively proven by Australian researchers who easily tricked the Cylance engine into tagging a malicious file as benign simply by appending some strings to the end of a WannaCry sample. The benign strings caused the Cylance engine to give more weight to the appended strings and mis-categorize the ransomware as safe. 
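The lesson the paragraph draws, that a verdict must not hinge on one feature an attacker can dilute, is easier to see in code. Below is an added toy example, not Cylance's engine or the Australian researchers' work: a made-up container format (a TOY magic, a 4-byte length, the payload) stands in for a real executable. naive_score() averages token weights over every printable string in the whole file, so trailing text moves its answer; layered_verdict() scores only the payload the header declares, treats unexplained trailing data as its own signal, and always consults an independent known-bad hash list. The weights, tokens and samples are all constructed.

```python
"""Why a single string-weighting feature with unbounded influence is brittle.

Added example, not Cylance's engine or the researchers' code. A toy container
(TOY magic, 4-byte little-endian payload length, payload) stands in for a real
executable format. Weights, tokens and samples are constructed.
"""
import hashlib
import re
import struct

MAGIC = b"TOY"
# Constructed weights: positive = suspicious, negative = looks benign.
TOKEN_WEIGHTS = {"encrypt": 0.9, "wallet": 0.8, "readme": 0.5,
                 "copyright": -0.7, "microsoft": -0.8, "license": -0.6}


def pack(payload: bytes) -> bytes:
    """Wrap a payload in the toy container with its declared length."""
    return MAGIC + struct.pack("<I", len(payload)) + payload


def strings(data: bytes) -> list:
    """Printable ASCII runs of 4+ chars, like the strings(1) tool."""
    return [s.decode() for s in re.findall(rb"[ -~]{4,}", data)]


def naive_score(data: bytes) -> float:
    """Mean token weight over the whole file; anything appended dilutes it."""
    weights = [TOKEN_WEIGHTS.get(t.lower(), 0.0)
               for s in strings(data) for t in s.split()]
    return sum(weights) / len(weights) if weights else 0.0


def split_declared(data: bytes):
    """Return (declared payload, trailing overlay) using the container header."""
    (length,) = struct.unpack("<I", data[3:7])
    return data[7:7 + length], data[7 + length:]


def layered_verdict(data: bytes, known_bad: set) -> list:
    """Independent signals; any one of them is enough to flag the file."""
    payload, overlay = split_declared(data)
    reasons = []
    if hashlib.sha256(payload).hexdigest() in known_bad:
        reasons.append("known-bad payload hash")
    if naive_score(payload) > 0:            # score what the header declares, not the overlay
        reasons.append("suspicious strings in declared payload")
    if len(overlay) > len(payload) // 2:    # bulk data the format does not account for
        reasons.append("large unexplained overlay")
    return reasons


# Constructed samples: a 'malicious' payload, and the same file with benign text appended.
SAMPLE = pack(b"encrypt wallet readme")
PADDED = SAMPLE + b" microsoft copyright license" * 5
KNOWN_BAD = {hashlib.sha256(b"encrypt wallet readme").hexdigest()}

if __name__ == "__main__":
    print("naive score, original vs padded:",
          round(naive_score(SAMPLE), 2), round(naive_score(PADDED), 2))
    print("layered verdict on padded file:", layered_verdict(PADDED, KNOWN_BAD))
```

The padded file's naive score drops below zero because the average is computed over bytes the format never accounted for; the layered verdict still flags it three times over, which is the "layered model" the paragraph argues for.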

image of cylance vulnerability

Continuing on from last week’s Zoom saga, Apple have since released TWO more updates for MRT.app in the last few days, in a continuing effort to nail the RCE vulnerability found to exist in many spin-off (white-label) versions of the popular video conferencing app. If your head’s also in a bit of a spin trying to keep up with all these updates, you should (at the time of publishing this) currently be on v1.47. Here’s how to check from the command line:

system_profiler SPInstallHistoryDataType | grep -A4 MRTConfig

Alternatively, from the Apple menu, choose “About This Mac” and click the System Report button. Scroll down to Software > Installations, then type “MR” to find the start of the listing for MRTConfigData. 
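For more than one Mac, eyeballing the System Report does not scale. The script below is an added example, not Apple's tooling: it parses the text that system_profiler SPInstallHistoryDataType prints, collects every MRTConfigData entry and compares the highest version found against the 1.47 the post calls for. The SAMPLE_REPORT is constructed to follow the indented "Name:" / "Version:" layout of that command's output and may differ in detail from a given macOS release; on a Mac the script calls the real command instead.

```python
"""Check the installed MRT (Malware Removal Tool) configuration version.

Added example, not Apple's tooling. Parses `system_profiler
SPInstallHistoryDataType` output and compares the newest MRTConfigData
version with a required minimum. SAMPLE_REPORT is constructed.
"""
import re
import subprocess
import sys

REQUIRED = "1.47"


def parse_versions(report: str, name: str = "MRTConfigData") -> list:
    """Return every 'Version:' value listed under a block called `name`."""
    versions, current = [], None
    for line in report.splitlines():
        m = re.match(r"^\s*(\S.*?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value == "":                      # a block header such as 'MRTConfigData:'
            current = key
        elif key == "Version" and current == name:
            versions.append(value)
    return versions


def version_tuple(v: str) -> tuple:
    """'1.47' -> (1, 47) so that versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def mrt_status(report: str, required: str = REQUIRED) -> tuple:
    """(newest installed version or None, True if it meets the requirement)."""
    versions = parse_versions(report)
    if not versions:
        return None, False
    newest = max(versions, key=version_tuple)
    return newest, version_tuple(newest) >= version_tuple(required)


# Constructed sample, modelled on the layout of system_profiler's output.
SAMPLE_REPORT = """Installations:

    MRTConfigData:

      Version: 1.45
      Source: Apple
      Install Date: 10/07/2019, 09:12

    XProtectPlistConfigData:

      Version: 2103
      Source: Apple
      Install Date: 15/07/2019, 18:40

    MRTConfigData:

      Version: 1.47
      Source: Apple
      Install Date: 17/07/2019, 08:31
"""

if __name__ == "__main__":
    if sys.platform == "darwin":
        report = subprocess.run(["system_profiler", "SPInstallHistoryDataType"],
                                capture_output=True, text=True, check=True).stdout
    else:
        report = SAMPLE_REPORT
    newest, ok = mrt_status(report)
    print(f"MRTConfigData {newest}: {'OK' if ok else 'UPDATE NEEDED'}")
```

The install history lists every MRTConfigData update ever applied, so the check takes the highest version rather than the first match; comparing as integer tuples avoids "1.9" sorting above "1.47".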

image of apple MRT update


QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack

Cloud hosting provider iNSYNQ says it is trying to recover from a ransomware attack that shut down its network and has left customers unable to access their accounting data for the past three days. Unfortunately for iNSYNQ, the company appears to be turning a deaf ear to the increasingly anxious cries from its users for more information about the incident.

A message from iNSYNQ to customers.

Gig Harbor, Wash.-based iNSYNQ specializes in providing cloud-based QuickBooks accounting software and services. In a statement posted to its status page, iNSYNQ said it experienced a ransomware attack on July 16, and took its network offline in a bid to contain the spread of the malware.

“The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible,” the company said. “As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment.”

iNSYNQ said it has engaged outside cybersecurity help to determine whether any customer data was accessed without authorization, but that so far it has no estimate for when those files might be available again to customers.

Meanwhile, iNSYNQ’s customers — many of them accountants who manage financial data for a number of their own clients — have taken to Twitter to vent their frustration over a lack of updates since that initial message to users.

In response, the company appears to have simply deleted or deactivated its Twitter account (a cached copy from June 2019 is available here). Several customers venting about the outage on Twitter also accused the company of unpublishing negative comments about the incident from its Facebook page.

Some of those customers also said iNSYNQ initially blamed the outage on an alleged problem with U.S.-based nationwide cable ISP giant Comcast. Meanwhile, competing cloud hosting providers have been piling on to the tweetstorms about the iNSYNQ outage by marketing their own services, claiming they would never subject their customers to a three-day outage.

iNSYNQ has not yet responded to requests for comment.

Update, 4:35 p.m. ET: I just heard from iNSYNQ’s CEO Elliot Luchansky, who shared the following:

While we have continually updated our website and have emailed customers once if not twice daily during this malware attack, I acknowledge we’ve had to keep the detail fairly minimal.

Unfortunately, and as I’m sure you’re familiar with, the lack of detailed information we’ve shared has been purposeful and in an effort to protect our customers and their data; we’re in behind-the-scenes trench warfare doing everything we possibly can to secure and restore our system and customer data and backups. I understand why our customers are frustrated, and we want more than anything to share every piece of information that we have.

Our customers and their businesses are our number one priority right now. Our team is working around the clock to secure and restore access to all impacted data, and we believe we have an end in sight in the near future.

You know as well as we that no one is 100% impervious to this – businesses large and small, governments and individuals are susceptible. iNSYNQ and our customers were the victims of a malware attack that’s a totally new variant that hadn’t been detected before, confirmed by the experienced and knowledgeable cybersecurity team we’ve employed.

Original story: There is no question that a ransomware infestation at any business — let alone a cloud data provider — can quickly turn into an all-hands-on-deck, hair-on-fire emergency that diverts all attention to fixing the problem as soon as possible.

But that is no excuse for leaving customers in the dark, and for not providing frequent and transparent updates about what the victim organization is doing to remediate the matter. Particularly when the cloud provider in question posts constantly to its blog about how companies can minimize their risk from such incidents by trusting it with their data.

Ransomware victims perhaps in the toughest spot include those providing cloud data hosting and software-as-a-service offerings, as these businesses are completely unable to serve their customers while a ransomware infestation is active.

The FBI and multiple security firms have advised victims not to pay any ransom demands, as doing so just encourages the attackers and in any case may not result in actually regaining access to encrypted files.

In practice, however, many cybersecurity consulting firms are quietly urging their customers that paying up is the fastest route back to business-as-usual. It’s not hard to see why: Having customer data ransomed or stolen can send many customers scrambling to find new providers. As a result, the temptation to simply pay up may become stronger with each passing day.

That’s exactly what happened in February, when cloud payroll data provider Apex Human Capital Management was knocked offline for three days following a ransomware infestation.

On Christmas Eve 2018, cloud hosting provider Dataresolution.net took its systems offline in response to a ransomware outbreak on its internal networks. The company was adamant that it would not pay the ransom demand, but it ended up taking several weeks for customers to fully regain access to their data.

KrebsOnSecurity will endeavor to update this story as more details become available. Any iNSYNQ customer affected by the outage is welcome to contact this author via Twitter (my direct messages are open to all) or at krebsonsecurity @ gmail.com.

11 Things You Didn’t Know About Black Hat USA 2019

It’s almost that time of year again, when hackers, researchers, gurus, and just about everybody with an interest in cybersecurity descends on Las Vegas for the annual Black Hat USA conference. This year is the venerable expo’s 22nd in succession and promises 6 action-packed days stuffed with intensive training courses, cutting-edge briefings, demos of innovative products and, of course, plenty of social networking. There’s no shortage of information on what to expect, but check out our guide below to make sure you haven’t missed anything essential. We’ve also got some tips for those of you that wish you were going but couldn’t make it, so read on!


1. Everybody is Anonymous!

Black Hat USA 2019, which runs from August 3rd to August 8th, is expected to host almost 20,000 attendees, which means there’s one statistic that applies to us all: almost nobody will know you, and you will know almost nobody. One of the main aims of Black Hat is to put some small dent in that statistic so that you come away having made some new friends and acquaintances. Since everyone is in the same boat, don’t worry about being shy and strike up conversations with all those strangers! A great place to network is the hosted parties. We’ll be hosting our own on Tuesday 6th at 5.30pm, so join us for golf, gaming and a whole lot more!

image of sentinelone black hat party

2. It’s Not Paranoia If They’re Really After You!

Every year there’s a warning about being hacked at Black Hat, and to be fair, a gathering of thousands of hackers is not a place where you want to hang out if you have no idea about security. The organizers recommend Faraday bags and RFID-blocking sleeves. If you’re bringing a laptop, a good idea is to flash it with a clean install, put the bare minimum of data on it you need to survive the week, and restrict unnecessary services like Bluetooth and Wi-Fi. When you get home, pull off any files you need to keep and restore the device from a backup. For phones, some people take a burner, others use a Faraday bag to keep out unwanted attention. Watch out for ATM skimmers, too, and because you’re a security professional we don’t need to tell you: don’t plug in any USB devices handed out by strangers (or newly-met friends)!

3. Don’t Tell Your Boss, But They’re Hiring!

Black Hat USA 2019 is all about the tech, hacker craft, and improving your skill set. And it’s also a great place to pick up a new gig. With the massive shortage in cybersecurity skills facing the industry, everyone’s looking to hire talent, and if you’re in the market you’ll find plenty of people interested. Personal networking in the Business Hall is a great place to start. There’s also a Who’s Hiring page on the Black Hat USA website you can check out. 

4. You Can Be There Without Attending!

As cool as it can be to hang out with a whole tribe of like-minded infosec professionals, not everyone can find the time (or the cash!) to get to Black Hat USA 2019. While that means you will miss out on the parties and the swag in the Business Hall, it doesn’t mean you have to miss out on the most important Briefings (Black Hat lingo for conference presentations). You can sign up for online streaming access and even get a USB – we’ll trust the organizers to provide one that’s free of malware and trojans! – with recordings of all the presentations. Costs start at $299, and rise depending on which package you choose.

5. Black Hat Has Been Hacked Before

Speaking of hacking and online streaming, Black Hat themselves got pwned by Mozilla’s Michael Coates back in 2010 when he signed up for the online streaming. He quickly found a way to get the service without dishing up the cash due to a vulnerability in the web application that was supposed to handle the registration. Of course, Michael informed the organizers immediately, and the issue was quickly fixed. We wonder if they gave him a free sub after all? If, like Michael, you happen to stumble across an unexpected vulnerability, responsible disclosure is the key. See the next item!

6. Don’t Do Cyber Crime!

The commencement of Black Hat USA 2019 just happens to coincide – almost to the day – with the 2nd anniversary of Marcus Hutchins’ arrest by FBI agents on August 2nd, 2017, which occurred shortly after the Black Hat and Def Con conferences of that year. Marcus, better known by his handle MalwareTech in InfoSec circles, had become the ‘accidental hero’ of the WannaCry ransomware outbreak earlier that year when he inadvertently tripped a kill switch by registering a domain he found hardcoded into the malware. That brought the ransomware infection to a sudden halt, and brought Marcus a lot of attention. Marcus fell foul of the Feds while trying to make his way home after Black Hat USA 2017, when agents charged him with distributing the Kronos banking malware some years earlier. Marcus’ story provides a cautionary tale: hackers attending the con who are guilty of real cyber crimes? Beware.

7. There’s a Black Hat CTF Open to All

Everybody loves a good Capture the Flag competition, and this year there’s an online CTF aimed at all levels running throughout Wednesday 8th, with a $1000 prize for 1st place (there are runner-up prizes, too!). Don’t worry if you’re not a hardcore hacker: even first timers are welcome to participate and learn first-hand the fun of a CTF competition. Build your skills through self-learning challenges in forensics, web exploitation, scripting and reverse engineering. It’s free and open to non-attendees, so you can do it from home. What’s not to like? Find out more here.

8. You Can’t Be In Two Places At The Same Time

Yup, that old law of physics which applies to everyone (except Star Trek characters) means you’re going to have to make some hard choices about what to attend and what to miss. Schedule clashes like this for pretty much every time slot mean you’re going to have to make sacrifices.

image of black hat briefings

Fortunately, at least the Trainings and Briefings run on separate schedules, but you’ll still need to think carefully about which is most important, as access depends on what kind of pass you buy. Trainings are generally well-regarded; some have already sold out and most are nearing full subscription, so plan ahead as to what might interest you. Be aware that Trainings won’t offer you any kind of certification, but will put you in the hands of industry professionals who live and breathe their work. Briefings are vital to keep up with the direction of the latest research, but plan ahead of time which you want to attend and get there early. Queues will be long, so have a backup plan if you can’t get into a session that’s your first choice.

9. Your World Is Walking

If you’re used to sitting behind a desk (or on a sofa) staring at your computer display for long hours, then there’s another kind of Black Hat Training you might want to consider before the con even kicks off: upping your exercise regime! You’re going to be putting in a lot of steps, as there are plenty of miles to cover between halls, conference rooms, bars, restaurants and the like. And when you’re not walking, you’re going to be spending a lot of time standing, so choose footwear with comfort, not fashion, in mind. You’ll also want this handy floor plan to help you find the shortest distance between two places.

10. Human Bodies Run On Water

We don’t mean that like “walk on water, only faster”, but as in “water is the elixir of life”. You’re going to the desert, in August. Water might not be everywhere, and it certainly won’t be cheap, but if you’re going to get the max out of your hectic schedule you need to ensure that you’re properly hydrated. Alcohol (no surprise) will dehydrate you, but so will lots of talking – or shouting during noisy parties. Take a refillable water bottle with you and replenish it at every available opportunity. Moisturiser for dry lips will come in handy, too.

11. The Party Has Only Just Begun

If you’re not entirely exhausted by Thursday the 8th and are lamenting not being able to see all your newfound buddies till Black Hat USA 2020, the good news is Def Con 27 is waiting for you just down the strip. That’s right, Def Con begins on the last day of Black Hat, so if you really want to push yourself to the max, meet even more people, and share the amazing things you’ve learned while loading up your knowledge base still further, there are four more days of fun to be had. Def Con 2019 runs from August 8th to 11th, and you can check out all they have to offer here.

Conclusion

Whether you’re going to Black Hat to meet like-minded people, learn new tricks or explore the latest security solutions, you’ll find plenty of each and much more besides. With 125 Trainings, 124 Briefings and hundreds of vendors exhibiting in the Business Hall, you’ll come away with a unique insight into all the latest trends in Infosec. SentinelOne will be there, of course, so come and join us at Tuesday’s party and drop by and say hello at Booth 222 in the Business Hall.  



Intel announces deep, multi-year partnership with SAP

Intel announced a deep partnership with SAP today around using advanced Intel technology to optimize SAP software tools. Specifically, the company plans to tune its Intel Xeon Scalable processors and Intel Optane DC persistent memory for SAP’s suite of applications.

The multi-year partnership includes giving SAP early access to emerging Intel technologies and building a Center of Excellence. “We’re announcing a multi-year technology partnership that’s focused on optimizing Intel’s platform innovations… across the entire portfolio of SAP’s end-to-end enterprise software applications including SAP S/4HANA,” Rajeeb Hazra, corporate vice president of Intel’s Enterprise and Government Business, told TechCrunch.

He says that this will cover broad areas of Intel technology, including CPU, accelerators, data center, persistent memory and software infrastructure. “We’re taking all of that data-centric portfolio to move data faster, store data more efficiently and process all kinds of data for all kinds of workloads,” he explained.

The idea is to work closely together to help customers understand and use the two sets of technologies in tandem in a more efficient manner. “The goal here is [to expose] a broad portfolio of Intel technologies for the data-centric era, close collaboration with SAP to accelerate the pace of innovation of SAP’s entire broad suite of enterprise class applications, while making it easier for customers to see, test and deploy this technology,” he said.

Irfan Khan, president of Platform and Technologies at SAP, says this partnership should help deliver better performance across the SAP suite of products including SAP S/4HANA, its in-memory database product. “Our expanded partnership with Intel will accelerate our customers’ move to SAP S/4HANA by allowing organizations to unlock the value of data assets with greater ease and operate with increased visibility, focus and agility,” Khan said in a statement.

Hazra says that this is part of a broader enterprise strategy the company has been undertaking for many years, but it is focusing specifically on SAP for this agreement because of its position in the enterprise software ecosystem. He believes that by partnering with SAP at this level, the two companies can gain further insight that could help customers as they use advanced technologies like AI and machine learning.

“This partnership is [significant for us] given SAP’s focus and position in the markets that they serve with enterprise class applications, and the importance of what they’re doing for our core enterprise customers in those areas of the enterprise. This includes the emerging areas of machine learning and AI. With their suite [of products], it gives those customers the ability to accelerate innovation in their businesses by being able to see, touch, feel and consume this innovation much more efficiently,” he said.

InCountry raises $15M for its cloud-based private data storage-as-a-service solution

The rise of data breaches, along with an expanding raft of regulations (now numbering 80 different regional regimes, and growing), has thrust data protection — having legal and compliant ways of handling personal user information — to the top of the list of things that an organization needs to consider when building and operating its business. Now a startup called InCountry, which is building both the infrastructure for these companies to securely store that personal data in each jurisdiction and a comprehensive policy framework for them to follow, has raised a Series A of $15 million. The funding comes just three months after it closed its seed round — underscoring both the attention this area is getting and the opportunity ahead.

The funding is being led by three investors: Arbor Ventures of Singapore, Global Founders Capital of Berlin and Mubadala of Abu Dhabi. Previous investors Caffeinated Capital, Felicis Ventures, Charles River Ventures and Team Builder Ventures (along with others that are not being named) also participated. It brings the total raised to date to $21 million.

Peter Yared, the CEO and founder, pointed out in an interview the geographic diversity of the three lead backers: he described this as a strategic investment, which has resulted from InCountry already expanding its work in each region. (As one example, he pointed out a new law in the UAE requiring all health data of its citizens to be stored in the country — regardless of where it originated.)

As a result, the startup will be opening offices in each of the regions and launching a new product, InCountry Border, to focus on encryption and data handling that keep data inside specific jurisdictions. This will sit alongside the company’s compliance consultancy as well as its infrastructure business.

“We’re only 28 people and only six months old,” Yared said. “But the proposition we offer — requiring no code changes, but allowing companies to automatically pull out and store the personally identifiable information in a separate place, without anything needed on their own back end, has been a strong pull. We’re flabbergasted with the meetings we’ve been getting.” (The alternative, of companies storing this information themselves, has become massively unpalatable, given all the data breaches we’ve seen, he pointed out.)

In part because of the nature of data protection, in its short six months of life, InCountry has already come out of the gates with a global viewpoint and global remit.

It’s already active in 65 countries — which means it’s already equipped to store, process and regulate profile data in the country of origin in these markets — but that is actually just the tip of the iceberg. The company points out that more than 80 countries around the world have data sovereignty regulations, and that in the U.S., some 25 states already have data privacy laws. Violating these can have disastrous consequences for a company’s reputation, not to mention its bottom line: In Europe, the U.K. data regulator is now fining companies the equivalent of hundreds of millions of dollars when they violate GDPR rules.

This ironically is translating into a big business opportunity for startups that are building technology to help companies cope with this. Just last week, OneTrust raised a $200 million Series A to continue building out its technology and business funnel — the company is a “gateway” specialist, building the welcome screens that you encounter when you visit sites to accept or reject a set of cookies and other data requests.

Yared says that while InCountry is very young and is still working on its channel strategy — it’s mainly working directly with companies at this point — there is a clear opportunity both to partner with others within the ecosystem as well as integrators and others working on cloud services and security to build bigger customer networks.

That speaks to the complexity of the issue, and the different entry points that exist to solve it.

“The rapidly evolving and complex global regulatory landscape in our technology driven world is a growing challenge for companies,” said Melissa Guzy of Arbor Ventures, in a statement. Guzy is joining the board with this round. “InCountry is the first to provide a comprehensive solution in the cloud that enables companies to operate globally and address data sovereignty. We’re thrilled to partner and support the company’s mission to enable global data compliance for international businesses.”