VComply raises $2.5 million seed round led by Accel to simplify risk and compliance management

Risk and compliance management platform VComply announced today that it has picked up a $2.5 million seed round led by Accel Partners for its international growth plan. The funding will be used to acquire more customers in the United States, open a new office in the United Kingdom to support customers in Europe and expand its presence in New Zealand and Australia.

The company was founded in 2016 by CEO Harshvardhan Kariwala and has customers in a wide range of industries, including Acreage Holdings, Ace Energy Solutions, CHD, the United Kingdom’s Department of International Trade and Burger King. It currently claims about 4,000 users in more than 100 countries. VComply is meant to be used by all departments in a company, with compliance information organized into a central dashboard.

While there is already a roster of governance, risk and compliance management solutions on the market (including ones from Oracle, HPE, Thomson Reuters, IBM and other established enterprise software companies), VComply’s competitive edge may be its flexibility, simple user interface and easy deployment (the company claims customers can on-board and start using the solution for compliance tasks in about 30 minutes). It also seeks out smaller companies whose needs have not been met by compliance solutions meant for large enterprises.

Kariwala told TechCrunch in an email that he began thinking of creating a new risk and compliance solution while working at his first startup, LIME Learning Systems, an education management platform, after being hit with a $4,000 penalty due to a non-compliance issue.

“Believe me, $4,000 really hurts when you’re bootstrapped and trying to save every single cent you can. In this case, I had asked our outsourced accounting partners to manage this compliance and they forgot!” he said. After talking to other entrepreneurs, he realized compliance posed a challenge for most of them. LIME’s team built an internal compliance tracking tool for their own use, but also shared it with other people. After getting good feedback, Kariwala realized that despite the many governance, risk and compliance management solutions already on the market, there was still a gap in the market, especially for smaller businesses.

VComply is designed so organizations can customize it for their industry’s regulations and standards, as well as their own workflow and data needs, with competitive pricing for small to medium-sized organizations (a subscription starts at $3,999 a year).

“Most of the traditional GRC solutions that exist today are expensive, have a steep learning curve and entail a prolonged deployment. Not only are they expensive, they are also rigid, which means that organizations have little to no control or flexibility,” Kariwala said. “A GRC tool is often looked at as an expense, while it should really be treated as an investment. It is particularly the SMB sector that suffers the most. With the current solutions costing thousands of dollars (and sometimes millions), it becomes the least of their priorities to invest in a GRC platform, and as a result they fall prey to heightened risks and hefty penalties for non-compliance.”

In a press statement, Accel partner Dinesh Katiyar said, “The first generation of GRC solutions primarily allowed companies to comply with industry-mandated regulations. However, the modern enterprise needs to govern its operations to maintain integrity and trust, and monitor internal and external risks to stay successful. That is where VComply shines, and we’re delighted to be partnering with a company that can redefine the future of enterprise risk management.”

Investor Jocelyn Goldfein to join us on AI panel at TechCrunch Sessions: Enterprise

Artificial intelligence is quickly becoming a foundational technology for enterprise software development and startups have begun addressing a variety of issues around using AI to make software and processes much more efficient.

To that end, we are delighted to announce that Jocelyn Goldfein, a Managing Director at Zetta Venture Partners, will be joining us on a panel to discuss AI in the enterprise. It will take place at the TechCrunch Sessions: Enterprise show on September 5 at the Yerba Buena Center in San Francisco.

It’s not just startups that are involved in AI in the enterprise. Some of the biggest names in enterprise software including Salesforce Einstein, Adobe Sensei and IBM Watson have been addressing the need for AI to help solve the enterprise data glut.

Computers can process large amounts of information much more quickly than humans, and as enterprise companies generate increasing amounts of data, they need help understanding it all as the volume of information exceeds human capacity to sort through it.

Goldfein brings a deep engineering background to her investment work. She served as a VP of engineering at VMware and as an engineering director at Facebook, where she led the project that adopted machine learning for the News Feed ranker, launched major updates in photos and search, and helped spearhead Facebook’s pivot to mobile. Goldfein drove significant reforms in Facebook hiring practices and is a prominent evangelist for women in computer science. As an investor, she primarily is focused on startups using AI to take more efficient approaches to infrastructure, security, supply chains and worker productivity.

At TC Sessions: Enterprise, she’ll be joining Bindu Reddy from Reality Engines along with other panelists to discuss the growing role of AI in enterprise software with TechCrunch editors. You’ll learn why AI startups are attracting investor attention and how AI in general could fundamentally transform enterprise software.

Prior to joining Zetta, Goldfein had stints at Facebook and VMware, as well as startups Datify, MessageOne and Trilogy/pcOrder.

Early Bird tickets to see Joyce at TC Sessions: Enterprise are on sale for just $249 when you book here; but hurry, prices go up by $100 soon! Students, grab your discounted tickets for just $75 here.

What is OSINT? (And How Is It Used?)

The first step in a targeted attack – or a penetration test or red team activity – is gathering intelligence on the target. While there are ways and means to do this covertly, intelligence gathering usually starts with scraping information from public sources, collectively known as open source intelligence or OSINT. There is such a wealth of legally collectible OSINT available now thanks to social media and the prevalence of online activities that this may be all that is required to give an attacker everything they need to successfully profile an organization or individual.

In this post, we’ll get you up to speed on what OSINT is all about and how you can learn to use OSINT tools to better understand your own digital footprint.

What is OSINT?

If you’ve heard the name but are wondering what it means, OSINT stands for open source intelligence, which refers to any information that can legally be gathered from free, public sources about an individual or organization. In practice, that tends to mean information found on the internet, but technically any public information falls into the category of OSINT whether it’s books or reports in a public library, articles in a newspaper or statements in a press release.

OSINT also includes information that can be found in different types of media, too. Though we typically think of it as being text-based, information in images, videos, webinars, public speeches and conferences all fall under the term.

What is OSINT Used For?

By gathering publicly available sources of information about a particular target an attacker – or friendly penetration tester – can profile a potential victim to better understand its characteristics and to narrow down the search area for possible vulnerabilities. Without actively engaging the target, the attacker can use the intelligence produced to build a threat model and develop a plan of attack. Targeted cyber attacks, like military attacks, begin with reconnaissance, and the first stage of digital reconnaissance is passively acquiring intelligence without alerting the target.

Gathering OSINT on yourself or your business is also a great way to understand what information you are gifting potential attackers. Once you are aware of what kind of intel can be gathered about you from public sources, you can use this to help you or your security team develop better defensive strategies. What vulnerabilities does your public information expose? What can an attacker learn that they might leverage in a social engineering or phishing attack?

How Can OSINT Be Gathered?

Gathering information from a vast range of sources is a time consuming job, but there are many tools to make intelligence gathering simpler. While you may have heard of tools like Shodan and port scanners like Nmap and Zenmap, the full range of tools is vast. Fortunately, security researchers themselves have begun to document the tools available.

A great place to start is the OSINT Framework put together by Justin Nordine. The framework provides links to a large collection of resources for a huge variety of tasks from harvesting email addresses to searching social media or the dark web.


In many articles on OSINT tools you’ll see reference to one or two packages included in the Kali Linux penetration testing distribution, such as theHarvester or Maltego, but for a complete overview of the OSINT tools available for Kali, check out the Kali Tools listing page, which gives both a rundown of the tools and examples of how to use each of them.


Among the many useful tools you’ll find here for open source intelligence gathering are researcher-favorites like Nmap and Recon-ng. The Nmap tool allows you to specify an IP address, say, and determine what hosts are available, what services those hosts offer, the operating systems they run, what firewalls are in use and many other details.


Recon-Ng is a tool written in Python by Tim Tomes for web reconnaissance. You can use it to do things like enumerate the subdomains for a given domain, but there are dozens of modules that allow you to hook into things like the Shodan internet search engine, Github, Jigsaw, Virustotal and others, once you add the appropriate API keys. Modules are categorized in groups such as Recon, Reporting and Discovery modules.


What Other OSINT Tools Are There?

One of the most obvious tools for use in intelligence gathering is, of course, web search engines like Google, Bing and so on. In fact, there’s dozens of search engines, and some may return better results than others for a particular kind of query. The problem is, then, how can you query these many engines in an efficient way?

A great tool that solves this problem and makes web queries more effective is Searx. Searx is a metasearch engine which allows you to anonymously and simultaneously collect results from more than 70 search services. Searx is free and you can even host your own instance for ultimate privacy. Users are neither tracked nor profiled, and cookies are disabled by default. Searx can also be used over Tor for online anonymity.


Many public instances of Searx are also available for those who either don’t want or don’t need to host their own instance. See the Searx wiki for a listing.


There are many people working on new tools for OSINT all the time, and a great place to keep up with them and just about anything else in the cybersecurity world is, of course, by following people on Twitter. Keeping track of things on Twitter, though, can be difficult. Fortunately, there’s an OSINT tool for that, too, called Twint.

Twint is a Twitter scraping tool written in Python that makes it easy to anonymously gather and hunt for information on Twitter without signing up to the Twitter service itself or using an API key as you would have to do with a tool like Recon-ng. With Twint, there’s no authentication or API needed at all. Just install the tool and start hunting. You can search by user, geolocation and time range, among other possibilities. Here’s just some of Twint’s options, but many others are available, too.


So how can you use Twint to help you keep up with developments in OSINT? Well, that’s easy and is a great example of Twint in action. As Twint allows you to specify a --since option to only pull tweets from a certain date onwards, you could combine that with Twint’s search verb to scrape new tweets tagged with #OSINT on a daily basis. You could automate that script and feed the results into a database to view at your convenience by using Twint’s --database option that saves to SQLite format.

Looks like there’s been 58 #OSINT tweets so far today!

twint -s '#osint' --since 2019-07-17


Another great tool you can use to collect public information is Metagoofil. This tool uses the Google search engine to retrieve public PDFs, Word Documents, Powerpoint and Excel files from a given domain. It can then autonomously extract metadata from these documents to produce a report listing information like usernames, software versions, servers and machine names.


Conclusion

In this post, we’ve covered the basic idea of OSINT and why it’s useful. We’ve looked at a couple of great places where you can discover many OSINT tools to help you with virtually any kind of information gathering you need to do, and we’ve also given you a taste of a few individual tools and shown how they can be put to work.

For anyone involved in cybersecurity, understanding how to collect open source intelligence is a vital skill. Whether you’re defending an enterprise network or testing it for weaknesses, the more you understand about its digital footprint the better able you are to see it from an attacker’s point of view. Armed with that knowledge, you can then go on to develop better defensive strategies.



Stonly lets you create interactive step-by-step guides to improve support

French startup Stonly wants to empower users so that they can solve their issues by themselves. Instead of relying on customer support agents, Stonly wants to surface relevant content so that you can understand and solve issues.

“I’m trying to take the opposite stance of chatbots,” founder and CEO Alexis Fogel told me. “The issue [with chatbots] is that technology is not good enough and you often end up searching through the help center.”

If you’re in charge of support for a big enough service, chances are your customers often face the same issues. Many companies have built help centers with lengthy articles. But most customers won’t scroll through those pages when they face an issue.

That’s why Stonly thinks you need to make this experience more interactive. The service lets you create scripted guides with multiple questions to make this process less intimidating. Some big companies have built question-based help centers, but Stonly wants to give tools to small companies so they can build their own scenarios.

A Stonly module is basically a widget you can embed on any page or blog. It works like a deck of slides with buttons to jump to the relevant slide. Companies can create guides in the back end without writing a single line of code. You can add an image, a video and some code to each slide.

At any time, you can see a flowchart of your guide to check that everything works as expected. You can translate your guides in multiple languages, as well.

Once you’re done and the module is live, you can look back at your guides and see how you can improve them. Stonly lets you see if users spend more time on a step, close the tab and drop in the middle of the guide, test multiple versions of the same guide, etc.

But the startup goes one step further by integrating directly with popular support services, such as Zendesk and Intercom. For instance, if a user contacts customer support after checking a Stonly guide, you can see in Zendesk what they were looking at. Or you can integrate Stonly in your Intercom chat module.


As expected, a service like Stonly can help you save on customer support. If users can solve their own issues, you need a smaller customer support team. But that’s not all.

“It’s not just about saving money, it’s also about improving engagement and support,” Fogel said.

Password manager company Dashlane is a good example of that. Fogel previously co-founded Dashlane before starting Stonly. And it’s one of Stonly’s first clients.

“Dashlane is a very addictive product, but the main issue is that you want to help people get started,” he said. It’s true that it can be hard to grasp how you’re supposed to use a password manager if you’ve never used one in the past. So the onboarding experience is key with this kind of product.

Stonly is free if you want to play with the product and build public guides. But if you want to create private guides and access advanced features, the company has a Pro plan ($30 per month) and a Team plan (starting at $100 per month with bigger bills as you add more people to your team and use the product more extensively).

The company has tested its product with a handful of clients, such as Dashlane, Devialet, Happn and Malt. The startup has raised an undisclosed seed round from Eduardo Ronzano, Thibaud Elzière, Nicolas Steegmann, Renaud Visage and PeopleDoc co-founders. And Stonly is currently part of the Zendesk incubator at Station F.

ClassPass introduces a corporate wellness program

ClassPass has set up yet another revenue stream, signing partners like Facebook, Glossier, Google, Morgan Stanley, Under Armour, Etsy, Southwest Airlines and Gatorade to a corporate wellness program.

The program will give employees at these companies access to the ClassPass network of more than 22,000 studio partners across 2,500 cities around the world, which includes studio brands like Barry’s Bootcamp, Flywheel Sports and CorePower Yoga. Corporate partners also get access to a “large library” of on-demand audio and video workouts.

This comes after ClassPass retooled the ClassPass Live product, in which it invested the resources to build out a new live broadcast studio, and rebuilt it into a library of on-demand video workouts.

The company launched ClassPass Live in 2018 with the hopes that users could workout from home within the ClassPass ecosystem. CEO Fritz Lanman told TechCrunch in June that the company stopped doing live classes in April 2019 and repackaged the content into free, on-demand video classes.

According to the release, one of the issues with corporate wellness programs is that HR departments have to patch together programs based on the regions in which their companies have offices/employees. ClassPass argues that its scale across the country, and in 17 other countries, gives it an edge with corporations that have global workforces.

Moreover, the ClassPass corporate wellness program only charges employers when employees actually use the service, and allows employers to reward good behaviors (going to a certain number of classes per month) by offering additional credits toward ClassPass experiences.

Here’s what Lanman had to say about it in a prepared statement:

The ClassPass Corporate Program enables employers of all sizes to offer the world’s most extensive, one-stop fitness and wellness program to their employees worldwide. ClassPass is the best fitness program ever created for consumers. With this launch, it’s now also the best fitness program ever created for employers and their employees.

Dust Identity secures $10M Series A to identify objects with diamond dust

The idea behind Dust Identity was originally born in an MIT lab where the founders developed the base technology for uniquely identifying objects using diamond dust. Since then, the startup has been working to create a commercial application for the advanced technology, and today it announced a $10 million Series A round led by Kleiner Perkins, which also led its $2.3 million seed round last year.

Airbus Ventures and Lockheed Martin Ventures, New Science Ventures, Angular Ventures and Castle Island Ventures also participated in the round. Today’s investment brings the total raised to $12.3 million.

The company has an unusual idea of applying a thin layer of diamond dust to an object with the goal of proving that that object has not been tampered with. While using diamond dust may sound expensive, the company told TechCrunch last year at the time of its seed round funding that it uses low-cost industrial diamond waste, rather than the expensive variety you find in jewelry stores.

As CEO and co-founder Ophir Gaathon told TechCrunch last year, “Once the diamonds fall on the surface of a polymer epoxy, and that polymer cures, the diamonds are fixed in their position, fixed in their orientation, and it’s actually the orientation of those diamonds that we developed a technology that allows us to read those angles very quickly.”

Ilya Fushman, who is leading the investment for Kleiner, says the company is offering a unique approach to identity and security for objects. “At a time when there is a growing trust gap between manufacturers and suppliers, Dust Identity’s diamond particle tag provides a better solution for product authentication and supply chain security than existing technologies,” he said in a statement.

The presence of strategic investors Airbus and Lockheed Martin shows that big industrial companies see a need for advanced technology like this in the supply chain. It’s worth noting that the company partnered with enterprise computing giant SAP last year to provide a blockchain interface for physical objects, where they store the Dust Identity identifier on the blockchain. Although the startup has a relationship with SAP, it remains blockchain agnostic, according to a company spokesperson.

While it’s still early days for the company, it has attracted attention from a broad range of investors and intends to use the funding to continue building and expanding the product in the coming year. To this point, it has implemented pilot programs and early deployments across a range of industries, including automotive, luxury goods, cosmetics and oil, gas and utilities.

Southeast Asian cloud communications platform Wavecell acquired by 8×8 in deal worth $125 million

Wavecell, a cloud-communications platform for companies in Southeast Asia, announced today that it has been acquired by 8×8 in a deal worth about $125 million. The acquisition will help San Jose, California-based 8×8 expand in Asia, where Wavecell already has offices in Singapore, Indonesia, the Philippines, Thailand and Hong Kong.

Wavecell’s cloud API platform, which includes SMS, chat, video and voice messaging, is used by companies such as Paidy, Lalamove and Tokopedia. It has relationships with 192 network operators and partners like WhatsApp and claims its infrastructure is used to share more than two billion messages each year.

The terms of the deal include $69 million in cash and about $56 million in 8×8 common shares. Founded in 2010, Wavecell’s investors included Qualgro VC, Wavemaker Partners and MDI Ventures.

In a prepared statement, 8×8 CEO Vik Verma said “8×8 is now the only cloud provider that owns the full, global-scale, cloud-native, technology stack offering voice, video, messaging, and contact center delivered both as pre-packaged applications and as enterprise-class APIs. We’re excited to welcome the Wavecell employees to the 8×8 family. We now have a significant market presence in Asia and expect to continue to expand in the region and globally in order to meet evolving customer requirements.”

AT&T signs $2 billion cloud deal with Microsoft

While AWS leads the cloud infrastructure market by a wide margin, Microsoft isn’t doing too badly, ensconced firmly in second place, the only other company with double-digit share. Today, it announced a big deal with AT&T that encompasses both Azure cloud infrastructure services and Office 365.

A person with knowledge of the contract pegged the combined deal at a tidy $2 billion, a nice feather in Microsoft’s cloud cap. According to a Microsoft blog post announcing the deal, AT&T has a goal to move most of its non-networking workloads to the public cloud by 2024, and Microsoft just got itself a big slice of that pie, surely one that rivals AWS, Google and IBM (which closed the $34 billion Red Hat deal last week) would dearly have loved to get.

As you would expect, Microsoft CEO Satya Nadella spoke of the deal in lofty terms around transformation and innovation. “Together, we will apply the power of Azure and Microsoft 365 to transform the way AT&T’s workforce collaborates and to shape the future of media and communications for people everywhere,” he said in a statement in the blog post announcement.

To that end, they are looking to collaborate on emerging technologies like 5G and believe that by combining Azure with AT&T’s 5G network, the two companies can help customers create new kinds of applications and solutions. As an example cited in the blog post, they could see using the speed of the 5G network combined with Azure AI-powered live voice translation to help first responders communicate instantaneously with someone who speaks a different language.

It’s worth noting that while this deal to bring Office 365 to AT&T’s 250,000 employees is a nice win, that part of the deal falls under the SaaS umbrella, so it won’t help with Microsoft’s cloud infrastructure market share. Still, any way you slice it, this is a big deal.

Party Like a Russian, Carder’s Edition

“It takes a certain kind of man with a certain reputation
To alleviate the cash from a whole entire nation…”

KrebsOnSecurity has seen some creative yet truly bizarre ads for dodgy services in the cybercrime underground, but the following animated advertisement for a popular credit card fraud shop likely takes the cake.

The name of this particular card shop won’t be mentioned here, and its various domain names featured in the video have been pixelated so as not to further promote the online store in question.

But points for knowing your customers, and understanding how to push emotional buttons among a clientele that mostly views America’s financial system as one giant ATM that never seems to run out of cash.

WARNING: Some viewers may find this video disturbing. Also, it is almost certainly Not Safe for Work.

The above commercial is vaguely reminiscent of the slick ads produced for and promoted by convicted Ukrainian credit card fraudster Vladislav “BadB” Horohorin, who was sentenced in 2013 to serve 88 months in prison for his role in the theft of more than $9 million from RBS Worldpay, an Atlanta-based credit card processor. (In February 2017, Horohorin was released and deported from the United States. He now works as a private cybersecurity consultant).

The clip above is loosely based on the 2016 music video, “Party Like a Russian,” produced by British singer-songwriter Robbie Williams.

Tip of the hat to Alex Holden of Hold Security for finding and sharing this video.

Qualtrics’ Julie Larson-Green will talk experience management at TC Sessions: Enterprise

We’re less than two months out from our first TC Sessions: Enterprise event, which is happening in San Francisco on September 5, and did you know our buy-one-get-one-free sale ends today too? Among the many enterprise and startup executives that’ll join us for the event is Qualtrics’ Julie Larson-Green. If that name sounds familiar to you, it’s most likely because you remember her from her 25 years at Microsoft. After a successful career in Redmond, Larson-Green left Microsoft in 2017 to become the chief experience officer at SAP’s Qualtrics.

In that role, she’s perfect for our panel about — you guessed it — experience management.

Larson-Green joined Microsoft as a program manager for Visual C++ back in 1993. After moving up the ladder inside the company, she oversaw the launch of Windows 7 and became the co-lead of Microsoft’s hardware, games, music and entertainment division in 2013. At the time, she was seen as a potential replacement for then-CEO Steve Ballmer.

Later, during a period of reshuffling at the company in the wake of the Nokia acquisition, she became the chief experience officer of Microsoft’s Applications and Services group.

Larson-Green joined Qualtrics before it was acquired by SAP for $8 billion in cash. Qualtrics offers a number of products that range from customer experience tools to brand tracking and ad testing services, as well as employee research products for gathering feedback about managers, for example. At the core of its product is an analytics engine that helps businesses make sense of their employee and customer data, which in turn should help them optimize their customer experience scores and reduce employee attrition rates.


Our buy-one-get-one-free ticket deal ends today! Book a ticket for just $249 and you can bring a buddy for free. Book here before this deal ends.

We’re still selling startup demo tables, and each package comes with four tickets. Learn more here.
