The Good, the Bad and the Ugly in Cybersecurity – Week 25

The Good

A 40-year-old man by the name of Andrew Rakhshan has been given the maximum possible sentence for his involvement in DDoS attacks against Leagle.com. The legal news aggregation site had posted publicly available data regarding Rakhshan’s past criminal convictions in Canada. The events in question occurred in January 2015, when Rakhshan coordinated multiple DDoS attacks against the site, which was hosted by a provider in the Dallas/Ft. Worth area.

Rakhshan (born Kamyar Jahanrakhshan) received a sentence of 5 years in prison and was ordered to pay over $520,000 in fees and restitution. This was not the first trial of the case, however. The original trial took place in March 2018. A new trial was granted based on the defense attorneys’ claim that the defense at the time was ineffective. A conspiracy charge was added in the subsequent trial, on top of the findings of the original case.

Any time the law can be used as an effective tool against cybercrime is a cause for celebration. This is not always easy: cases often lag for years, or are tried ineffectively due to a lack of technical expertise among the parties involved. That being said, cheers to all involved in this case, and let it serve as a lesson: even “simple” DDoS attacks can result in steep penalties.

The Bad

This week, Israeli security consulting company JSOF disclosed 19 unique vulnerabilities in a widely shared TCP/IP software library developed by Treck. The library, developed in the late 1990s, is a lightweight TCP/IP stack estimated to be used in “hundreds of millions” of network devices. Affected vendors range from individual developers to well-established Fortune 100 enterprises (e.g., Intel, Schneider Electric, and HP), and vulnerable devices include almost everything from home ‘smart’ devices to power grid infrastructure, transportation systems, healthcare systems and even devices used in commercial aircraft.

Four of the vulnerabilities are considered critical. JSOF said they plan to release updated information along with exploitation details at Black Hat USA 2020. Here’s a quick summary on each CVE:

  • CVE-2020-11896 (Critical RCE): IPv4 tunneling flaw in Treck TCP/IP stack
  • CVE-2020-11897 (Critical OOB Write): OOB Write via malformed IPv6 packets in Treck TCP/IP stack
  • CVE-2020-11901 (Critical RCE): Remote code execution via invalid DNS response in Treck TCP/IP stack
  • CVE-2020-11898 (Critical ID): Information Disclosure through improper handling of IPv4 or ICMPv4 Length Parameter Inconsistency
  • CVE-2020-11900 (UAF): Double Free / Use-After-Free via IPv4 tunneling in Treck TCP/IP stack
  • CVE-2020-11902 (OOB Read): Out-of-Bounds read via IPv6OverIPv4 tunneling in Treck TCP/IP stack
  • CVE-2020-11904 (OOB Write): Integer Overflow due to improper memory allocation in Treck TCP/IP stack
  • CVE-2020-11899 (OOB Read): Out-of-Bounds read via IPv6 malformed transmission in Treck TCP/IP stack
  • CVE-2020-11903 (ID): Out-of-Bounds read via DHCP control request in Treck TCP/IP stack
  • CVE-2020-11905 (ID): Out-of-Bounds read via DHCP over IPv6 in Treck TCP/IP stack
  • CVE-2020-11906 (IU): Integer Underflow via Ethernet Link Layer in Treck TCP/IP stack
  • CVE-2020-11907 (IU): Integer Underflow via Length Parameter Inconsistency in Treck TCP/IP stack
  • CVE-2020-11909 (IU): Integer Underflow via malformed IPv4 data in Treck TCP/IP stack
  • CVE-2020-11910 (OOB Read): Out-of-Bounds read via malformed IPv4 transmission data in Treck TCP/IP stack
  • CVE-2020-11911 (MC): Improper ICMPv4 Access Control behavior in Treck TCP/IP stack
  • CVE-2020-11912 (OOB Read): Out-of-Bounds Read in Treck TCP/IP stack
  • CVE-2020-11913 (OOB Read): Out-of-Bounds read via IPv6 in Treck TCP/IP stack
  • CVE-2020-11914 (OOB Read): Out-of-Bounds read via malformed ARP data in Treck TCP/IP stack
  • CVE-2020-11908 (ID): Information disclosure via improper handling of ‘\0’ termination markers in DHCP

As of this writing, the following resources have been made available:

We strongly recommend that IT and security teams review the applicable CERT advisories and vendor advisories for the latest updates and remediation options. Identifying vulnerable devices, gauging exposure, and preventing post-exploitation activity are key with flaws of this type. SentinelOne’s Ranger provides a robust and streamlined interface for asset discovery, risk management and threat prevention.

The Ugly

It is no secret that the bad guys are well aware of many of the tools that the good guys use and rely on every day in our ongoing battle. Online multi-scanners and sandboxes are leveraged by both sides. When the good guys provide details on some fancy new tool or process, you can bet that the bad guys will find a way to use it if it benefits them as well. One recent case of this pertains to the Thanos ransomware family and its implementation of the RIPlace evasion technique, publicized by Nyotron.

The RIPlace tool can be used to evade certain AV products, allowing the malware to run uninhibited. Nyotron released their findings on RIPlace in November of 2019 in an effort to educate the public on this newly observed evasion technique. In addition, researchers from Recorded Future indicate that the actors behind Thanos have been repeatedly modifying new variants of the ransomware over the last several months. They are using RIPlace to specifically evade Malwarebytes AntiMalware and Windows Defender products. There is a high likelihood that variants tuned to other products are present in the wild as well.

SentinelOne’s Endpoint Protection platform is fully capable of detection and prevention of Thanos ransomware, as well as threats incorporating the RIPlace evasion technique.



FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy

An information technology specialist at the Federal Emergency Management Agency (FEMA) was arrested this week on suspicion of hacking into the human resource databases of University of Pittsburgh Medical Center (UPMC) in 2014, stealing personal data on more than 65,000 UPMC employees, and selling the data on the dark web.

On June 16, authorities in Michigan arrested 29-year-old Justin Sean Johnson in connection with a 43-count indictment on charges of conspiracy, wire fraud and aggravated identity theft.

Federal prosecutors in Pittsburgh allege that in 2013 and 2014 Johnson hacked into the Oracle PeopleSoft databases for UPMC, a $21 billion nonprofit health enterprise that includes more than 40 hospitals.

According to the indictment, Johnson stole employee information on all 65,000 then current and former employees, including their names, dates of birth, Social Security numbers, and salaries.

The stolen data also included federal form W-2 data that contained income tax and withholding information, records that prosecutors say Johnson sold on dark web marketplaces to identity thieves engaged in tax refund fraud and other financial crimes. The fraudulent tax refund claims made in the names of UPMC identity theft victims caused the IRS to issue $1.7 million in phony refunds in 2014.

“The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false form 1040 tax returns in 2014 using UPMC employee PII,” reads a statement from U.S. Attorney Scott Brady. “These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which they converted into Amazon.com gift cards, which were then used to purchase Amazon merchandise which was shipped to Venezuela.”

Johnson could not be reached for comment. At a court hearing in Pittsburgh this week, a judge ordered the defendant to be detained pending trial. Johnson’s attorney declined to comment on the charges.

Prosecutors allege Johnson’s intrusion into UPMC was not an isolated occurrence, and that for several years after the UPMC hack he sold personally identifiable information (PII) to buyers on dark web forums.

The indictment says Johnson used the hacker aliases “DS” and “TDS” to market the stolen records to identity thieves on the Evolution and AlphaBay dark web marketplaces. However, archived copies of the now-defunct dark web forums indicate those aliases are merely abbreviations that stand for “DearthStar” and “TheDearthStar,” respectively.

“You can expect good things come tax time as I will have lots of profiles with verified prior year AGIs to make your refund filing 10x easier,” TheDearthStar advertised in an August 2015 message to AlphaBay members.

In some cases, it appears these DearthStar identities were actively involved in not just selling PII and tax refund fraud, but also stealing directly from corporate payrolls.

In an Aug. 2015 post to AlphaBay titled “I’d like to stage a heist but…,” TheDearthStar solicited people to help him cash out access he had to the payroll systems of several different companies:

“… I have nowhere to send the money. I’d like to leverage the access I have to payroll systems of a few companies and swipe a chunk of their payroll. Ideally, I’d like to find somebody who has a network of trusted individuals who can receive ACH deposits.”

When another AlphaBay member asks how much he can get, TheDearthStar responds, “Depends on how many people end up having their payroll records ‘adjusted.’ Could be $1,000 could be $100,000.”

2014 and 2015 were particularly bad years for tax refund fraud, a form of identity theft which cost taxpayers and the U.S. Treasury billions of dollars. In April 2014, KrebsOnSecurity wrote about a spike in tax refund fraud perpetrated against medical professionals that caused many to speculate that one or more major healthcare providers had been hacked.

A follow-up story that same month examined the work of a cybercrime gang that was hacking into HR departments at healthcare organizations across the country and filing fraudulent tax refund requests with the IRS on employees of those victim firms.

The Justice Department’s indictment quotes from Johnson’s online resume as stating that he is proficient at installing and administering Oracle PeopleSoft systems. A LinkedIn resume for a Justin Johnson from Detroit says the same, and that for the past five months he has served as an information technology specialist at FEMA. A Facebook profile with the same photo belongs to a Justin S. Johnson from Detroit.

Johnson’s resume also says he was self-employed for seven years as a “cyber security researcher / bug bounty hunter” who was ranked in the top 1,000 by reputation on Hacker One, a program that rewards security researchers who find and report vulnerabilities in software and web applications.

The CISO Side: A Certifiable Journey

Two CISO insights about obtaining certifications in the information security industry – a guest post by Rachel Arnold

Obtaining certifications in Information Security is one of the many ways professionals are choosing to use their time wisely these days. SecureNation asked some of our favorite Tulsa, Oklahoma CISOs (Chief Information Security Officers) about their experiences as information technology and security professionals. Jonathan Kimmitt serves as CISO at the University of Tulsa and sits on the local ISSA board, where Pedro Serrano serves as ISSA Oklahoma Chapter President; Pedro is also the CISO at the Grand River Dam Authority. Both are very passionate about their roles, not only professionally but also as leaders.

“It matters! [That] may sound canned or out of a self-deployment book, but the real meaning is you are making an impact on the day to day activities of the company.” – Pedro Serrano, Grand River Dam Authority CISO

We had the pleasure of meeting these gentlemen last year and find their insights invaluable here at SecureNation. They mold who we are and what we do within the Information Security Community.

How did you connect with one another professionally?

Pedro: After being in Oklahoma City for 15 years we moved to Tulsa, and I met Jonathan when I was the IT chair for one of the local universities. It’s been 10 years since then, and Jonathan and I have been involved in the local Information Systems Security Association (ISSA) group, where I serve as the president and he is the communications officer.

Jonathan: The first time I met Pedro was at the very first BSides Oklahoma many years ago. I remember I stopped by his presentation and one of my work colleagues was there, so I sat down to talk. This colleague knew Pedro because they taught together at a college here in Tulsa. So, stories were shared, and my respect for Pedro grew.

Pedro and I crossed paths again at the local ISSA meetings. After a few months of meetings, he asked me to join the ISSA Board. Since then we have done presentations together, hosted events together, and generally became close colleagues in IT Security. He is a great sounding board and can always make me feel better when it has been a rough day at work.

Tell us a little about your journey, how did you each come to be passionate about security and privacy?

Pedro: My background is military communications, 20 years serving in the Air Force installing, upgrading and managing infrastructure as well as ground network systems. It [Information security] matters because you matter. There is great personal fulfillment in truly moving knowledge forward for all things cyber.

Jonathan: In the early 2000s, after college, I had been offered a temporary position as Help Desk Supervisor at the University of Tulsa. The previous supervisor had quit, and they needed someone to cover until a search committee could find a replacement. After a few months, they offered me the position full time. After a year or two, IT Security was becoming more popular in higher education. The university did not have a CISO, and probably didn’t even know what a CISO was at the time, but they knew they needed volunteers to be part of a security team.

How did you gain the knowledge you would need for that new role?

Jonathan: There was a system administrator from one of the colleges that was leading the team, so we did a lot of investigations, training, and incidents together. He was the one that started me down the CISSP (Certified Information Systems Security Professional) path originally.

Jonathan is currently one of the first in the industry to obtain the Certified Data Privacy Solutions Engineer certification, launched earlier this year by ISACA. He holds more than 10 certifications from IAPP, (ISC)2, GIAC and others.

After a few years, he [system administrator] decided to take a position outside the University, so I was asked to take leadership of the CSRT. I ran the team for many years, dealing with all kinds of investigations and incidents on campus. Around 2013-2014, I was the only member of the CSRT, as everyone else had moved on or quit the team. This was the same time we had gotten a new CIO in IT, and one of his objectives was to create a formal IT Security department. Since I had been part of or managing the CSRT for 12+ years, they offered the additional title of Chief Information Security Officer and a new position for a security analyst. Unfortunately, this was alongside my role as Chief Services Officer. Within 2 years, the needs of IT Security had grown significantly, investigations and incidents had exploded. So, the university transitioned the Help Desk Services responsibilities over to another officer, and my role became solely CISO.

There must have been challenges, what were they and what resources did you rely on?

Jonathan: As a newly formed CISO, one of my first duties was to determine what we needed in terms of security, and start building resources. Before I came to the university, I was in law enforcement for a short time, so the idea of protecting people was always at the forefront of my mind. Not having a specific starting point for security at the university, I started looking at the safety of our people and working out from there. While I did not know it at the time, this was effectively building privacy concepts into the security foundation. To this day, my primary goal in security is about protecting people.

Not only is Jonathan viewed as an expert among his colleagues, but he also has experience providing IT Security expert testimony and evidence in criminal and civil proceedings.

Additionally, but quite separately, PCI (Payment Card Industry Data Security Standard) had become an issue on campus, and I was volunteered to be the PCI coordinator, mostly due to nobody else wanting to do it. I am quite grateful because learning the PCI-DSS allowed me to use it as the framework for IT Security on campus. To this day, I use the 12 requirements of PCI-DSS for anybody that needs to start an IT Security Program in their own organization.

After attaining PCI compliance that first year, and enjoying the process of working with the auditors, the university leadership added GLBA (Gramm-Leach-Bliley Act), GDPR (General Data Protection Regulation), some FERPA (Family Educational Rights and Privacy Act), some HIPAA (Health Insurance Portability and Accountability), and a few others to my compliance list. I quickly found that a strong foundation of security concepts would meet many of the compliance requirements. Each time a new compliance was added, I was able to strengthen our security stance a little bit more, overall helping protect more people on campus.

I like formal frameworks for learning new things or skillsets. While I agree that at times it is appropriate for many of us to ‘google it’ and figure stuff out, I think that process can limit people in what they learn. A formal framework may let people learn about things that may not be needed right now, but in the future, they will remember and know where to look for more information.

What would you say to those that do not see the value of obtaining certifications?

Jonathan: I think that everyone has a different way of doing things. This process has worked for me. It has also worked for many people that I have helped along in their careers.

Training and certification are my preferred method. I enjoy the time and effort that I put in, and the value it has given me over the years. My plan is to continue with that process.

I recommend that everyone finds the method that best meets their requirements. I also recommend that people at least try (and be successful at) different methods before they decide which one is NOT for them. I equate it to my daughter not liking mustard when she has never tried it. How do you know there is no value when you have never been successful at it?

Pedro: For me, it’s the ability to show that you are teachable. In my mind, it takes effort to pass a certification and it means that you have to study and apply yourself. In information security, if you are not learning constantly you WILL be behind!

What advice would you give to incoming security professionals and current security professionals about which certifications to pursue as a part of continuing education and building skillsets?

Jonathan: My personal belief is that in the beginning, you should start with a generalized training & certification such as Security+ or SANS SEC401. This will give you a wide view of different aspects of IT Security. People say it is a mile wide and an inch deep.

Then based on your job or your interest, you should begin deepening your knowledge and skillsets in the areas that make sense. If you are interested in the pentesting/vulnerability assessment side, then CEH (Certified Ethical Hacker), GPEN (GIAC Certified Penetration Tester), and OSCP (Offensive Security Certified Professional) may be your path. If you are interested in engineering secure systems, then working on your Microsoft or Cisco engineer certs may be more appropriate. If you are working in compliance, then maybe HIPAA and PCI certifications might be a good idea.

I am a huge supporter of constantly learning. I personally spend upwards of 8 hours a week on training, podcasts, webinars, etc. I feel like if you are not learning in Security or Privacy, you are falling behind. With trying to absorb that much information, for myself, it’s important to have goals and frameworks to help me keep things organized.

Pedro: Start where you are today. Here is my thinking: I would pursue the CompTIA Security+ certification. It’s very generic and it exposes you to all the domains in security. You want to be comfortable and happy with what you do; there are so many ramifications of security that you can specialize in and be very successful.

Together, we are exploring community voices through meaningful conversations about all things information security. We look forward to following Pedro, Jonathan, and other security professionals on their journeys. People make the process and technology can help make it possible here at SecureNation.



Outreach nabs $50M at a $1.33B valuation for software that helps with sales engagement

CRM software has become a critical piece of IT when it comes to getting business done, and today a startup focusing on one specific aspect of that stack — sales automation — is announcing a growth round of funding underscoring its own momentum. Outreach, which has built a popular suite of tools used by salespeople to help identify and reach out to prospects and improve their relationships en route to closing deals, has raised $50 million in a Series F round of funding that values the company at $1.33 billion. 

The funding will be used to continue expanding geographically — headquartered in Seattle, Outreach also has an office in London and wants to do more in Europe and eventually Asia — as well as to invest in product development.

The platform today essentially integrates with a company’s existing CRM, be it Salesforce, or Microsoft’s, or Kustomer, or something else — and provides a SaaS-based set of tools for helping to source and track meetings, have to-hand information on sales targets, and a communications manager that helps with outreach calls and other communication in real time. It will be investing in more AI around the product, such as its newest product Kaia (an acronym for “knowledge AI assistant”), and it has also hired a new CFO, Melissa Fisher, from Qualys, possibly a sign of where it hopes to go next as a business.

Sands Capital — an investor out of Virginia that also backs the likes of UiPath and DoorDash — is leading the round, Outreach noted, with “strong participation” also from strategic backer Salesforce Ventures. Other investors include Operator Collective (a new backer that launched last year and focuses on B2B) and previous backers Lone Pine Capital, Spark Capital, Meritech Capital Partners, Trinity Ventures, Mayfield and Sapphire Ventures.

Outreach has raised $289 million to date, and for some more context, this is definitely an up round: the startup was last valued at $1.1 billion when it raised a Series E in April 2019.

The funding comes on the heels of strong growth for the company: More than 4,000 businesses now use its tools, including Adobe, Tableau, DoorDash, Splunk, DocuSign and SAP, making Outreach the biggest player in a field that also includes Salesloft (which also raised a significant round last year on the heels of Outreach’s), Clari, Chorus.ai, Gong, Conversica and Afiniti. Its sweet spot has been working with technology-led businesses, and that sector continues to expand its sales operations, even as much of the economy has contracted in recent months.

“You are seeing a Cambrian explosion of B2B startups happening everywhere,” Manny Medina, CEO and co-founder of Outreach, said in a phone interview this week. “It means that sales roles are being created as we speak.” And that translates to a growing pool of potential customers for Outreach.

It wasn’t always this way.

When Outreach was first founded in 2011 in Seattle, it wasn’t a sales automation company. It was a recruitment startup called GroupTalent working on software to help source and hire talent, aimed at tech companies. That business was rolling along, until it wasn’t: In 2015, the startup found itself with only two months of runway left, with little hope of raising more. 

“We were not hitting our stride, and growth was hard. We didn’t make the numbers in 2014 and then had two months of cash left and no prospects of raising more,” Medina recalled. “So I sat down with my co-founders,” — Gordon Hempton, Andrew Kinzer and Wes Hather, none of whom are at the company anymore — “and we decided to sell our way out of it. We thought that if we generated more meetings we could gain more opportunities to try to sell our recruitment software.

“So we built the engine to do that, and we saw that we were getting 40% reply rates to our own outreaching emails. It was so successful we had a 10x increase in productivity. But we ran out of sales capacity, so we started selling the meetings we had managed to secure with potential talent directly to the tech companies themselves,” in other words, the other side of its marketplace, those looking to fill vacancies.

That quickly tipped over into a business opportunity of its own. “Companies were saying to us, ‘I don’t want to buy the recruitment software. I need that sales engine!’” The company never looked back, and changed its name to match the pivot.

Fast-forward to 2020, and times are challenging in a completely different way, defined as we are by a global health pandemic that affects what we do every day, where we go, how we work, how we interact with people and much more. 

Medina says the impact of the novel coronavirus has been a significant one for the company and its customers, in part because it fits well with two main types of use cases that have emerged in the world of sales in the time of COVID-19.

“Older sellers now working from home are accomplished and don’t need to be babysat,” he said, but added they can’t rely on their traditional touchpoints “like meetings, dinners and bar mitzvahs” anymore to seal deals. “They don’t have the tools to get over the line. So our product is being called in to help them.”

Another group at the other end of the spectrum, he said, are “younger and less experienced salespeople who don’t have the physical environment [many live in smaller places with roommates] nor experience to sell well alone. For them it’s been challenging not to come into an office because especially in smaller companies, they rely on each other to train, to listen to others on calls to learn how to sell.”

That’s the other scenario where Outreach is finding some traction: They’re using Outreach’s tools as a proxy for physically sitting alongside and learning from more experienced colleagues, and using it as a supplement to learning the ropes in the old way.

“Outreach’s leadership position in the market, clear mission, and value-added approach make the company a natural investment choice for us,” said Michael Clarke, partner at Sands Capital’s Global Innovation Fund, in a statement. “Now more than ever, companies need an AI-powered sales engagement platform like Outreach. Enterprise sales teams are rapidly adopting sales engagement platforms and Outreach’s rapid growth reflects this.”

Like a lot of sales tools that are powered by AI, Outreach in part is taking on some of the more mundane jobs of salespeople.

But Medina doesn’t believe that this will play out in the “man versus machine” scenario we often ponder when we think about human obsolescence in the face of technological efficiency. In other words, he doesn’t think we’re close to replacing the humans in the mix, even at a time when we’re seeing so many layoffs.

“We are at the early innings,” he said. “There are 6.8 million sales people and we only have north of 100,000 users, not even 2% of the market. There may be a redefinition of the role, but not a reduction.”

13 Boston-focused VCs share the advice they’re giving portfolio companies

TechCrunch is focusing a bit more on the Boston-area startup and venture capital ecosystem lately, which has gone pretty well so far.

In fact, we had originally intended on releasing this regional investor survey as a single piece, but since so many VCs took part, we’re breaking it into two. The first part deals with the world we live in today, and the remainder will detail what Boston-area investors think about the future.

We broke our questions into two parts to better track investor sentiment. But, we were also curious what was going to come when things got back closer to normal. So, this first entry in our Boston investor survey covers our questions concerning what’s going on now. On Thursday we’ll have the second piece, looking at what’s ahead.

Here’s who took part:

What follows is a quick digest of what stood out from the collected answers, though there’s a lot more that we didn’t get to.

Boston VC in the COVID-19 era

Parsing through thousands of words and notes from our participating VCs, a few things stood out.

Boston startups aren’t having as bad a time — yet, at least — as area investors expected

Fewer companies than they anticipated are laying off staff, for example. From our perspective, the number of Boston investors who noted that their portfolio companies were executing layoffs or furloughs (we asked for each to be precise) was very low; far more Boston-area startups are hiring than even freezing headcount. Layoffs appear somewhat rare, but as we all know, cost cutting can take many forms for startups, especially startups on the seed and early-stage side, which make up the majority of these firms’ portfolio companies.

According to Glasswing’s Rudina Seseri, startup duress has come in “significantly under what [her firm was] expecting at the beginning of COVID-19.”

This may be due to a strong first quarter helping companies in the city and its surrounding area make it another few quarters. We might not know the full bill of COVID-19 and its related disruptions until next year.

More investors than we expected noted that their Boston portfolio companies aren’t raising this year

So what we’re gleaning from that fact is that any decline in Q2 and Q3 VC data is not because companies can’t raise, but because they don’t need to. Comments echoed a theme we wrote about in April: Boston broke records in Q1 in terms of dollars raised, but saw a dip in the number of checks cut.

Pillar VC’s Jamie Goldstein said that “about 15% of our companies are planning to raise capital this year,” which felt about average. Underscore VC’s Lily Lyman simply noted that, “Yes,” her Boston-area portfolio companies would hunt for new capital this year. Bill Geary of Flare Capital is on the other side of that coin, saying that “each of [his firm’s] Boston-based investments has successfully recently raised capital and will not be raising additional funds until 2021.”

It’s hard not to wonder if what happened to Boston unicorns Toast and EzCater was the exception and not the rule

You see, Boston’s startup scene skews relatively early stage, so smaller companies don’t have high-profile cuts because, to be frank, there isn’t much staff to cut in the first place. It puts Boston in a unique setting to focus in on its early stage market, and investors all agreed that this is an important moment for the ecosystem.

The March-era stress tests are now months in the rearview mirror, and every startup has shaken up their spend and growth plans. Perhaps we have met the new normal, and it’s time to let the runway do the talking.

With that, let’s get into full questions and answers.

Rudina Seseri, Glasswing Ventures

What is the top-line advice you’re giving your portfolio companies right now?

This is a pivotal time, be efficient and drive execution. Cut costs where possible but at the same time don’t be afraid to spend for growth acceleration.

What percentage of your Boston-based portfolio companies are still hiring, not including those merely backfilling?

About 60%.

What percentage of your Boston-based portfolio companies have frozen new hires?

About 20%.

What percentage of your Boston-based portfolio companies have furloughed staff?

None.

What percentage of your Boston-based portfolio companies have cut staff?

One company that represents about 4% of the portfolio.

Are your Boston-based portfolio companies looking to raise new capital this year?

Most have raised recently, and consequently are not looking to raise at this time.

If not, are they often delaying due to COVID-19?

No, because of their recent raises, their fundraising considerations will take place in 2021.

Has duress amidst your Boston-based portfolio companies undershot, matched or overshot your expectations from March?

It has been significantly under what we were expecting at the beginning of COVID-19.

How has your investment appetite changed in terms of pace and location, if at all?

We have been very active and closed deals in this environment. Our expectation is that our investment appetite will remain the same going forward.

Are you making investments in Q2 into net-new founders and companies?

Yes, as a matter-of-fact we just closed a yet-to-be announced investment this month.

Are there particular sectors of startups in Boston that you expect to do well, aside from SaaS businesses that are benefiting from secular trends? Are there any sectors you have become newly bearish on?

Yes, those that are in our core focus areas — solutions that bring down the cost of cloud and data, platforms and tools leveraging AI, those that facilitate cost reduction, and intelligent solutions in cybersecurity that protect the enterprise.

How does the uncertainty of schools reopening impact the startup ecosystem?

This will further drive and institutionalize distributed teams and remote working as a go-forward mode of operating.

Payfone raises $100M for its mobile phone-based digital verification and ID platform

As an increasing number of daily and essential services move to digital platforms — a trend that’s had a massive fillip in the last few months — having efficient but effective ways to verify that people are who they say they are online is becoming ever more important. Now, a startup called Payfone, which has built a B2B2C platform to identify and verify people using data (but no personal data) gleaned from your mobile phone, has raised $100 million to expand its business. Specifically, Rodger Desai, the co-founder and CEO, said in an interview that the plan will be to build more machine learning into its algorithms, expand to 35 more geographies, and make strategic acquisitions to expand its technology stack.

The funding is being led by Apax Digital, with participation from an interesting list of new and existing backers. They include Sandbox Insurtech Ventures (a division of Sandbox Industries, which connects corporate investment funds with strategic startups in their space); Ralph de la Vega, the former Vice Chairman of AT&T; MassMutual Ventures; Synchrony; Blue Venture Fund (another Sandbox outfit); Wellington Management LLP; and the former CEO of LexisNexis, Andrew Prozes.

Several of these investors have a close link to the startup’s business: Payfone counts carriers, healthcare and insurance companies, and banks among its customers, who use Payfone technology in their backends to help verify users making transactions and logging in to their systems.

Payfone tells me it has now raised $175 million to date, and while it’s not disclosing its valuation with this round, according to PitchBook, in April 2019 when it raised previously it was valued at $270 million. Desai added that Payfone is already profitable and business has been strong lately.

“In 2019 we processed 20 billion authentications, mostly for banks but also healthcare companies and others, and more generally, we’ve been growing 70% year-over-year,” he said. The aim is to boost that up to 100 billion authentications in the coming years, he said.

Payfone was founded in 2008 amongst a throng of mobile payment startups (hence its name) that emerged to help connect consumers, mobile content businesses and mobile carriers with simpler ways to pay using a phone, with a particular emphasis on using carrier billing infrastructure as a way of letting users pay without inputting or using cards (especially interesting in regions where credit and debit card penetration and usage are lower).

That has been an interesting if slowly growing business, so around 2015 Payfone started to move towards using its tech and infrastructure to delve into the adjacent and related space of applying its algorithms, which use authentication data from mobile phones and networks, to help carriers, banks, and many other kinds of businesses verify users on their networks.

(Indeed, the connection between the technology used for mobile payments that bypasses credit/debit cards and the technology that might be used for ID verification is one that others are pursuing, too: Carrier billing startup Boku — which yesterday acquired one of its competitors, Fortumo, in a $41 million deal as part of a wider consolidation play — also acquired one of Payfone’s competitors, Danal, 18 months ago to add user authentication into its own range of services.)

The market for authentication and verification services was estimated to be worth some $6 billion in 2019 and is projected to grow to $12.8 billion by 2024, according to research published by MarketsandMarkets. But within that there seems to be an almost infinite amount of variations, approaches, and companies offering services to carry out the work. That includes authentication apps, password managers, special hardware that generates codes, new innovations in biometrics using fingerprints and eye scans, and more.

While some of these require active participation from consumers (say by punching in passwords or authentication codes or using fingerprints), there’s also a push to develop more seamless and user-friendly, and essentially invisible, approaches, and that’s where Payfone sits.

As Desai describes it, Payfone’s behind-the-scenes solution is used either as a complement to other authentication techniques or on its own, depending on the implementation. In short, it’s based around creating “signal scores” and tokens, and is built on the concept of “data privacy and zero data knowledge architecture.” That is to say, the company’s techniques do not store any personal data and do not need personal data to provide verification information.

As he describes it, while many people might only be in their 20s when getting their first bank account (one of the common use cases for Payfone is in helping authenticate users who are signing up for accounts via mobile), they will have likely already owned a phone, likely with the same phone number, for a decade before that.

“A phone is with you and in your use for daily activities, so from that we can opine information,” he said, which the company in turn uses to create a “trust score” to identify that you are who you say you are. This involves using, for example, a bank’s data and what Desai calls “telecoms signals” against that to create anonymous tokens to determine that the person who is trying to access, say, a bank account is the same person identified with the phone being used. This, he said, has been built to be “spoof proof” so that even if someone hijacks a SIM it can’t be used to work around the technology.

While this is all proprietary to Payfone today, Desai said the company has been in conversation with other companies in the ecosystem with the aim of establishing a consortium that could compete with the likes of credit bureaus in providing data on users in a secure way.

“The trust score is based on our own proprietary signals but we envision making it more like a clearing house,” he said.

The fact that Payfone essentially works in the background has been just as much of a help as a hindrance for some observers. For example, there have been questions raised previously about how data is sourced and used by Payfone and others like it for identification purposes. Specifically, it seems that those looking closer at the data that these companies amass have taken issue not necessarily with Payfone and others like it, but with the businesses using the verification platforms, and whether they have been transparent enough about what is going on.

Payfone does provide an explanation of how it works with secure APIs to carry out its services (and that its customers are not consumers but the companies engaging Payfone’s services to work with consumer customers), and offers a route to opt out of its services for those that seek to go that extra mile to do so, but my guess is that this might not be the end of that story if people continue to learn more about personal data, and how and where it gets used online.

In the meantime, or perhaps alongside however that plays out, there will continue to be interesting opportunities for approaches to verify users on digital platforms that respect their personal data and general right to control how any identifying detail — personal or not — gets used. Payfone’s traction so far in that area has helped it stand out to investors.

“Identity is the key enabling technology for the next generation of digital businesses,” said Daniel O’Keefe, managing partner of Apax Digital, in a statement. “Payfone’s Trust Score is core to the real-time decisioning that enterprises need in order to drive revenue while thwarting fraud and protecting privacy.” O’Keefe and his colleague, Zach Fuchs, a principal at Apax Digital, are both joining the board.

“Payfone’s technology enables frictionless customer experience, while curbing the mounting operating expense caused by manual review,” said Fuchs. 

Superhuman’s Rahul Vohra says recession is the ‘perfect time’ to be aggressive for well-capitalized startups

Email is one of those things that no one likes but that we’re all forced to use. Superhuman, founded by Rahul Vohra, aims to help everyone get to inbox zero.

Launched in 2017, Superhuman charges $30 per month and is still in invite-only mode with more than 275,000 people on the waitlist. That’s by design, Vohra told us earlier this week on Extra Crunch Live.

“I think a lot of folks misunderstand the nature of our waitlist,” he said. “They assume it’s some kind of FOMO-generating technique or some kind of false scarcity. Nothing could be further from the truth. The real reason we have the waitlist is that I want everyone who uses Superhuman to be deliriously happy with their experience.”

Today, the app is only available for desktop and iOS. Superhuman started with iOS because most premium users have iPhones, Vohra said. Still, many users have Android, so Superhuman’s waitlist consists mostly of Android users.

“We don’t think that if we onboard them they’d have the best experience with Superhuman because email really is an ecosystem product,” he said. “You do it just as much on the go as you do from your laptop. There’s a lot of reasons like that. So if you’re a person who identifies that as a must-have, well, we’ll take in the survey, we’ll learn about you so we know when to reach out to you. Then when we have those things built or integrated, we’ll reach out.”

We also chatted about his obsession with email, determining pricing for a premium product, the impact of COVID-19, diversity in tech in light of the police killing of George Floyd and so much more.

Throughout the conversation, Vohra also offered up some good practical advice for founders. Here are some highlights from the conversation.

On competition from Hey, the latest buzzy email app

Yeah, I’m not at all worried. I used to get worried about this. You know, 10 years ago, even as recently as five years ago, I would get worried about competitors. But I think Paul Graham has really, really great advice on this. I think he says pretty much verbatim: Startups don’t kill other startups. Competition generally doesn’t kill the startup. Other things do, like running out of money being the biggest one, or lack of momentum or lack of motivation or co-founder feuds; these are all really dangerous things.

Competition from other startups generally isn’t the thing that gets you and you know, props to the Basecamp team and everything they’ve done with Hey. It’s really impressive. I think it’s for an entirely different demographic than Superhuman is for.

Superhuman is for the person for whom essentially email is work and work is email. Our users kind of almost personally identify with their email inbox, and they’re coming from Gmail or G Suite. Typically it’s overflowing so they often receive hundreds if not thousands of emails a day, and they send off 100 emails a day. Superhuman is for high-volume email for whom email really matters. Power users, essentially, though power users isn’t quite the right articulation. What I actually say is prosumers because there’s a lot of people who come to us at Superhuman and they’re not yet power users of email, but they know they need to be.

That’s what I would call a prosumer — someone who really wants to be brilliant at doing email. Now Hey doesn’t seem to be designed for that target market. It doesn’t seem to be designed for high-volume emailers or prosumers or power users.

Intercom announces the promotion of Karen Peacock to CEO

Three years ago almost to the day, Intercom announced that it was bringing former Intuit exec Karen Peacock on board as COO. Today, she got promoted to CEO, effective July 1st. Current CEO and company co-founder Eoghan McCabe will become Chairman.

As it turns out, these moves aren’t a coincidence. McCabe had been actively thinking about a succession plan when he hired Peacock. “When I first started talking to Eoghan three years ago, he shared with me that his vision was to hire someone as COO, who could then become the CEO at the right time and he could transition into the chairman role,” Peacock told TechCrunch.

She said while the idea was always there, they didn’t feel the need to rush the process. “We were just looking for whatever the right time was, and it wasn’t something we were expected to do in the first year or two. And now is really the right time to transition with all of the momentum that we’re seeing in the market,” she said.

She said as McCabe makes the transition away from running the company he helped found, he will still be around, and they will continue working together on things like product and marketing strategy, but Peacock brings a pedigree of her own to the new role.

Not only has she been in charge of commercial aspects of the Intercom business for the past three years, prior to that she was SVP at Intuit where she ran small business products that included QuickBooks, and grew it from a $500 million business to a hefty $2.5 billion during her tenure.

McCabe says that experience was one of the reasons he spent six months trying to convince Peacock to become COO at Intercom in 2017. “It’s really hard to find a leader that’s as well rounded, and as unique as Karen is. You know she doesn’t actually fit your typical very experienced operator,” he said. He points to her deep product background, calling her a “product nerd,” and her undergraduate degree in applied mathematics from Harvard as examples.

In spite of the pandemic, she’s taking over a company that’s still managing to grow. The company’s business messenger products, which enable companies to chat with customers online, have become increasingly important during the pandemic, with many brick-and-mortar businesses shut down and the majority of business being conducted digitally.

“Our overall revenue is $150 million in annual recurring revenue, and a supporting data point to what we were just talking about is that our new business to up market customers through our sales teams has doubled year over year. So we’re really seeing some quite nice acceleration there,” she said.

Peacock says she wants to continue building the company and using her role to build a diverse and inclusive culture. “I believe that [diversity and inclusion] is not one person’s job, it’s all of our jobs, but we have one person who’s the center post of that (a head of D&I). And then we work with outside consulting firms as well to just try and stay in a place where we understand all of what’s possible and what we can do in the world.”

She adds, “I will say that we need to make more progress on diversity and inclusion, I wouldn’t step back and, and pat ourselves on the back and say we’ve done this perfectly. There’s a lot more that we need to do, and it’s one of the things that I’m very excited to tackle as CEO.”

According to a February Wall Street Journal article, women hold less than 6% of CEO jobs in the U.S. Peacock certainly sees this and wants to continue to mentor women as she takes over at Intercom. “It is something that I’m very passionate about. I do speak to various different groups of up and coming women leaders, and I mentor a group of women outside of Intercom,” she said. She also sits on the board at Dropbox with other women leaders like Condoleezza Rice and Meg Whitman.

Peacock says that taking over during a pandemic makes it interesting, and instead of visiting the company’s offices, she’ll be doing a lot of video conferences. But neither is she coming in cold to the company having to ramp up on the business side of things, while getting to know everyone.

“I feel very fortunate to have been with Intercom for three years, and so I know all the people and they all know me. And so I think it’s a lot easier to do that virtually than if you’re meeting people for the very first time. Similarly, I also know the business very well, and so it’s not like I’m trying to both ramp up on the business and deal with a pandemic,” she said.

When Security Takes a Backseat to Productivity

“We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” -CIA’s Wikileaks Task Force.

So ends a key section of a report the U.S. Central Intelligence Agency produced in the wake of a mammoth data breach in 2016 that led to Wikileaks publishing thousands of classified documents stolen from the agency’s offensive cyber operations division. The analysis highlights a shocking series of security failures at one of the world’s most secretive entities, but the underlying weaknesses that gave rise to the breach also unfortunately are all too common in many organizations today.

The CIA produced the report in October 2017, roughly seven months after Wikileaks began publishing Vault 7 — reams of classified data detailing the CIA’s capabilities to perform electronic surveillance and cyber warfare. But the report’s contents remained shrouded from public view until earlier this week, when heavily redacted portions of it were included in a letter by Sen. Ron Wyden (D-Ore.) to the Director of National Intelligence.

The CIA acknowledged its security processes were so “woefully lax” that the agency probably would never have known about the data theft had Wikileaks not published the stolen documents online. What kind of security failures created an environment that allegedly allowed a former CIA employee to exfiltrate so much sensitive data? Here are a few, in no particular order:

  • Failing to rapidly detect security incidents.
  • Failing to act on warning signs about potentially risky employees.
  • Moving too slowly to enact key security safeguards.
  • A lack of user activity monitoring or robust server audit capability.
  • No effective removable media controls.
  • No single person empowered to ensure IT systems are built and maintained securely throughout their lifecycle.
  • Historical data available to all users indefinitely.

Substitute the phrase “cyber weapons” with “productivity” or just “IT systems” in the CIA’s report and you might be reading the post-mortem produced by a security firm hired to help a company recover from a highly damaging data breach.

A redacted portion of the CIA’s report on the Wikileaks breach.

DIVIDED WE STAND, UNITED WE FALL

A key phrase in the CIA’s report references deficiencies in “compartmentalizing” cybersecurity risk. At a high level (not necessarily specific to the CIA), compartmentalizing IT environments involves important concepts such as:

  • Segmenting one’s network so that malware infections or breaches in one part of the network can’t spill over into other areas.
  • Not allowing multiple users to share administrative-level passwords
  • Developing baselines for user and network activity so that deviations from the norm stand out more prominently.
  • Continuously inventorying, auditing, logging and monitoring all devices and user accounts connected to the organization’s IT network.

“The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed,” the CIA observed. “While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves.”

All organizations experience intrusions, security failures and oversights of key weaknesses. In large enough enterprises, these failures likely happen multiple times each day. But by far the biggest factor that allows small intrusions to morph into a full-on data breach is a lack of ability to quickly detect and respond to security incidents.
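
The compartmentalizing list above asks for baselines of user activity so that deviations stand out, for removable media controls, and for detection that is fast enough to catch a small intrusion before it becomes a breach. The following is an added example, not code from the CIA report or from this article, of what the simplest version of that looks like in practice: a per-user baseline of daily file-read volume built from the first few days of audit records, a z-score check on every later day, and a policy that any removable media write is alerted regardless of volume. The log format, the user names and the counts are constructed for the example.

```python
"""Added example: baseline per-user activity from audit records and flag deviations.

The record format ("date user action count") and all sample data are constructed
for this illustration; they are not taken from any real system or report.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed sample audit records: one line per user, per day, per action.
SAMPLE_LOG = """\
2016-02-01 alice file_read 118
2016-02-02 alice file_read 131
2016-02-03 alice file_read 124
2016-02-04 alice file_read 109
2016-02-05 alice file_read 127
2016-02-06 alice file_read 4830
2016-02-01 bob file_read 52
2016-02-02 bob file_read 48
2016-02-03 bob file_read 55
2016-02-04 bob file_read 50
2016-02-05 bob file_read 47
2016-02-06 bob file_read 53
2016-02-06 bob removable_media_write 1
"""

# Actions the (assumed) policy says must always alert, whatever the baseline says.
ALWAYS_ALERT = {"removable_media_write"}


@dataclass(frozen=True)
class Record:
    date: str
    user: str
    action: str
    count: int


def parse_log(text):
    """Parse the constructed whitespace-separated format into Record objects."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        date, user, action, count = parts
        records.append(Record(date, user, action, int(count)))
    return records


def build_baseline(records, action, train_days):
    """Per-user (mean, population stddev) of daily counts for `action`,
    using each user's first `train_days` days as the training window."""
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.date):
        if r.action == action and len(per_user[r.user]) < train_days:
            per_user[r.user].append(r.count)
    # A baseline needs at least two observations to have a spread.
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items() if len(c) >= 2}


def detect(records, action="file_read", train_days=5, z_threshold=3.0):
    """Return alerts as (date, user, action, count, z) tuples.

    Days inside the training window are not scored; later days are scored
    against the user's own baseline. ALWAYS_ALERT actions bypass scoring."""
    baseline = build_baseline(records, action, train_days)
    alerts = []
    seen = defaultdict(int)  # how many scored-action days we have passed per user
    for r in sorted(records, key=lambda r: r.date):
        if r.action in ALWAYS_ALERT:
            alerts.append((r.date, r.user, r.action, r.count, None))
            continue
        if r.action != action:
            continue
        seen[r.user] += 1
        if seen[r.user] <= train_days or r.user not in baseline:
            continue  # still building the baseline, or no usable baseline
        mu, sigma = baseline[r.user]
        if sigma == 0:
            sigma = 1.0  # flat baseline: treat any change of one unit as one sigma
        z = (r.count - mu) / sigma
        if z >= z_threshold:
            alerts.append((r.date, r.user, r.action, r.count, round(z, 1)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed data this flags exactly two events: alice’s 4,830 reads on the sixth day (hundreds of standard deviations above her 110–130 baseline) and bob’s single removable media write, while bob’s ordinary day-six volume is left alone. A real deployment would replace the fixed training window with a rolling one and the text file with a query against the audit store, but the point the report makes holds either way: without a baseline there is nothing for the exfiltration day to deviate from.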

Also, because employees tend to be the most abundant security weakness in any organization, instituting some kind of continuing security awareness training for all employees is a good idea. Some security experts I know and respect dismiss security awareness programs as a waste of time and money, observing that no matter how much training a company does, there will always be some percentage of users who will click on anything.

That may or may not be accurate, but even if it is, at least the organization then has a much better idea which employees probably need more granular security controls (i.e. more compartmentalizing) to keep them from becoming a serious security liability.

Sen. Wyden’s letter (PDF), first reported on by The Washington Post, is worth reading because it points to a series of continuing security weaknesses at the CIA, many of which have already been addressed by other federal agencies, including multi-factor authentication for domain names and access to classified/sensitive systems, and anti-spam protections like DMARC.

Contentful raises $80M Series E round for its headless CMS

Headless CMS company Contentful today announced that it has raised an $80 million Series E funding round led by Sapphire Ventures, with participation from General Catalyst, Salesforce Ventures and a number of other new and existing investors. With this, the company has now raised a total of $158.3 million and a Contentful spokesperson tells me that it is approaching a $1 billion valuation.

In addition, the company also today announced that it has hired Bridget Perry as its CMO. She previously led Adobe’s marketing efforts across Europe, the Middle East and Africa.

Currently, 28% of the Fortune 500 use Contentful to manage their content across platforms. The company says it has a total of 2,200 paying customers right now and these include the likes of Spotify, ITV, the British Museum, Telus and Urban Outfitters.

Steve Sloan, the company’s CEO who joined the company late last year, attributes its success to the fact that virtually every business today is in the process of figuring out how to become digital and serve its customers across platforms – and that’s a process that has only been accelerated by the coronavirus pandemic.

“Ten or fifteen years ago, when these content platforms or content management systems were created, they were a) really built for a web-only world and b) where the website was a complement to some other business,” he said. “Today, the mobile app, the mobile web experience is the front door to every business on the planet. And that’s never been any more clear than in this recent COVID crisis, where we’ve seen many, many businesses — even those that are very traditional businesses — realize that the dominant and, in some cases, only way their customers can interact with them is through that digital experience.”

But as they are looking at their options, many decide that they don’t just want to take an off-the-shelf product, Sloan argues, because it doesn’t allow them to build a differentiated offering.


Perry also noted that this is something she saw at Adobe, too, as it built its digital experience business. “Leading marketing at Adobe, we used it ourselves,” she said. “And so the challenge that we heard from customers in the market was how complex it was in some cases to implement, to organize around it, to build those experiences fast and see value and impact on the business. And part of that challenge, I think, stemmed from the kind of monolithic, all-in-one type of suite that Adobe offered. Even as a marketer at Adobe, we had challenges with that kind of time to market and agility. And so what’s really interesting to me — and one of the reasons why I joined Contentful — is that Contentful approaches this in a very different way.”

Sloan noted that putting the round together was a bit of an adventure. Contentful’s existing investors approached the company around the holidays because they wanted to make a bigger investment in the company to fuel its long-term growth. But at the time, the company wasn’t ready to raise new capital yet.

“And then in January and February, we had inbound interest from people who weren’t yet investors, who came to us and said, ‘hey, we really want to invest in this company, we’ve seen the trend and we really believe in it.’ So we went back to our insiders and said, ‘hey, we’re going to think about actually moving in our timeline for raising capital,’” Sloan told me. “And then, right about that time is when COVID really broke out, particularly in Western Europe and North America.”

That didn’t faze Contentful’s investors, though.

“One of the things that really stood out about our investors — and particularly our lead investor for this round Sapphire — is that when everybody else was really, really frightened, they were really clear about the opportunity, about their belief in the team and about their understanding of the progress we had already made. And they were really unflinching in terms of their support,” Sloan said.

Unsurprisingly, the company plans to use the new funding to expand its go-to-market efforts (that’s why it hired Perry, after all), but Sloan also noted that Contentful plans to invest quite a bit into R&D as it looks to help its customers solve more adjacent problems.