Year: 2019

WhatsApp has filed a suit in federal court accusing NSO Group, an Israeli mobile surveillance maker, of creating an exploit that allowed the spyware’s operator to hack into a target’s phone and remotely spy on them.

The lawsuit, filed in a California federal court, said the mobile surveillance outfit “developed their malware in order to access messages and other communications after they were decrypted” on target devices.

The attack worked by exploiting an audio-calling vulnerability in WhatsApp. Users would appear to get an ordinary call, but the malware would quietly infect the device with spyware, giving the attackers full access to the device.

In some cases it happened so quickly, the target’s phone may not have rung at all.

Because WhatsApp is end-to-end encrypted, it’s near-impossible to access the messages as they traverse the internet. But in recent years, governments and mobile spyware companies have begun targeting the devices where the messages were sent or received. The logic goes that if you hack the device, you can obtain its data.

Thats’s what WhatsApp says happened.

WhatsApp, owned by Facebook, quickly patched the vulnerability. Although blame fell fast on NSO Group, WhatsApp did not publicly accuse the company at the time.

In an op-ed, WhatsApp head Will Cathart said the messaging giant “learned that the attackers used servers and Internet-hosting services that were previously associated” with NSO Group, and that certain WhatsApp accounts used during the attacks were traced back to the company.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” said Cathart.

The attack involved disgusing the malicious code as call settings, allowing the surveillance outfit to deliver the code as if it came from WhatsApp’s signaling servers. Once the malicious calls were delivered to the target’s phone, they “injected the malicious code into the memory of the target device — even when the target did not answer the call,” the complaint read. When the code was run, it sent a request to the surveillance company’s servers, and downloaded additional malware to the target’s device.

In total, some 1,400 targeted devices were affected by the exploit, the lawsuit said.

Most people were unaffected by the WhatsApp exploit. But WhatsApp said that over a hundred human rights defenders, journalists and “other members of civil society” were targeted by the attack. Other targets included government officials and diplomats.

WhatsApp is asking for a jury trial.

We’ve reached out to NSO Group for comment, but did not hear back.

It’s a year since the European Commission got a bunch of adtech giants together to spill ink on a voluntary Code of Practice to do something — albeit, nothing very quantifiable — as a first step to stop the spread of disinformation online.

Its latest report card on this voluntary effort sums to the platforms could do better.

The Commission said the same in January. And will doubtless say it again. Unless or until regulators grasp the nettle of online business models that profit by maximizing engagement. As the saying goes, lies fly while the truth comes stumbling after. So attempts to shrink disinformation without fixing the economic incentives to spread BS in the first place are mostly dealing in cosmetic tweaks and optics.

Signatories to the Commission’s EU Code of Practice on Disinformation are: Facebook, Google, Twitter, Mozilla, Microsoft and several trade associations representing online platforms, the advertising industry, and advertisers — including the Internet Advertising Bureau (IAB) and World Federation of Advertisers (WFA).

In a press release assessing today’s annual reports, compiled by signatories, the Commission expresses disappointment that no other Internet platforms or advertising companies have signed up since Microsoft joined as a late addition to the Code this year.

“We commend the commitment of the online platforms to become more transparent about their policies and to establish closer cooperation with researchers, fact-checkers and Member States. However, progress varies a lot between signatories and the reports provide little insight on the actual impact of the self-regulatory measures taken over the past year as well as mechanisms for independent scrutiny,” write commissioners Věra Jourová, Julian King, and Mariya Gabriel said in a joint statement. [emphasis ours]

“While the 2019 European Parliament elections in May were clearly not free from disinformation, the actions and the monthly reporting ahead of the elections contributed to limiting the space for interference and improving the integrity of services, to disrupting economic incentives for disinformation, and to ensuring greater transparency of political and issue-based advertising. Still, large-scale automated propaganda and disinformation persist and there is more work to be done under all areas of the Code. We cannot accept this as a new normal,” they add.

The risk, of course, is that the Commission’s limp-wristed code risks rapidly cementing a milky jelly of self-regulation in the fuzzy zone of disinformation as the new normal, as we warned when the Code launched last year.

The Commission continues to leave the door open (a crack) to doing something platforms can’t (mostly) ignore — i.e. actual regulation — saying it’s assessment of the effectiveness of the Code remains ongoing.

But that’s just a dangled stick. At this transitionary point between outgoing and incoming Commissions, it seems content to stay in a ‘must do better’ holding pattern. (Or: “It’s what the Commission says when it has other priorities,” as one source inside the institution put it.)

A comprehensive assessment of how the Code is working is slated as coming in early 2020 — i.e. after the new Commission has taken up its mandate. So, yes, that’s the sound of the can being kicked a few more months on.

Summing up its main findings from signatories’ self-marked ‘progress’ reports, the outgoing Commission says they have reported improved transparency between themselves vs a year ago on discussing their respective policies against disinformation. 

But it flags poor progress on implementing commitments to empower consumers and the research community.

“The provision of data and search tools is still episodic and arbitrary and does not respond to the needs of researchers for independent scrutiny,” it warns. 

This is ironically an issue that one of the signatories, Mozilla, has been an active critic of others over — including Facebook, whose political ad API it reviewed damningly this year, finding it not fit for purpose and “designed in ways that hinders the important work of researchers, who inform the public and policymakers about the nature and consequences of misinformation”. So, er, ouch.

The Commission is also critical of what it says are “significant” variations in the scope of actions undertaken by platforms to implement “commitments” under the Code, noting also differences in implementation of platform policy; cooperation with stakeholders; and sensitivity to electoral contexts persist across Member States; as well as differences in EU-specific metrics provided.

But given the Code only ever asked for fairly vague action in some pretty broad areas, without prescribing exactly what platforms were committing themselves to doing, nor setting benchmarks for action to be measured against, inconsistency and variety is really what you’d expect. That and the can being kicked down the road. 

The Code did extract one quasi-firm commitment from signatories — on the issue of bot detection and identification — by getting platforms to promise to “establish clear marking systems and rules for bots to ensure their activities cannot be confused with human interactions”.

A year later it’s hard to see clear sign of progress on that goal. Although platforms might argue that what they claim is increased effort toward catching and killing malicious bot accounts before they have a chance to spread any fakes is where most of their sweat is going on that front.

Twitter’s annual report, for instance, talks about what it’s doing to fight “spam and malicious automation strategically and at scale” on its platform — saying its focus is “increasingly on proactively identifying problematic accounts and behaviour rather than waiting until we receive a report”; after which it says it aims to “challenge… accounts engaging in spammy or manipulative behavior before users are ​exposed to ​misleading, inauthentic, or distracting content”.

So, in other words, if Twitter does this perfectly — and catches every malicious bot before it has a chance to tweet — it might plausibly argue that bot labels are redundant. Though it’s clearly not in a position to claim it’s won the spam/malicious bot war yet. Ergo, its users remain at risk of consuming inauthentic tweets that aren’t clearly labeled as such (or even as ‘potentially suspect’ by Twitter). Presumably because these are the accounts that continue slipping under its bot-detection radar.

There’s also nothing in Twitter’s report about it labelling even (non-malicious) bot accounts as bots — for the purpose of preventing accidental confusion (after all satire misinterpreted as truth can also result in disinformation). And this despite the company suggesting a year ago that it was toying with adding contextual labels to bot accounts, at least where it could detect them.

In the event it’s resisted adding any more badges to accounts. While an internal reform of its verification policy for verified account badges was put on pause last year.

Facebook’s report also only makes a passing mention of bots, under a section sub-headed “spam” — where it writes circularly: “Content actioned for spam has increased considerably, since we found and took action on more content that goes against our standards.”

It includes some data-points to back up this claim of more spam squashed — citing a May 2019 Community Standards Enforcement report — where it states that in Q4 2018 and Q1 2019 it acted on 1.8 billion pieces of spam in each of the quarters vs 737 million in Q4 2017; 836 million in Q1 2018; 957 million in Q2 2018; and 1.2 billion in Q3 2018. 

Though it’s lagging on publishing more up-to-date spam data now, noting in the report submitted to the EC that: “Updated spam metrics are expected to be available in November 2019 for Q2 and Q3 2019″ — i.e. conveniently late for inclusion in this report.

Facebook’s report notes ongoing efforts to put contextual labels on certain types of suspect/partisan content, such as labelling photos and videos which have been independently fact-checked as misleading; labelling state-controlled media; and labelling political ads.

Labelling bots is not discussed in the report — presumably because Facebook prefers to focus attention on self-defined spam-removal metrics vs muddying the water with discussion of how much suspect activity it continues to host on its platform, either through incompetence, lack of resources or because it’s politically expedient for its business to do so.

Labelling all these bots would mean Facebook signposting inconsistencies in how it applies its own policies –in a way that might foreground its own political bias. And there’s no self-regulatory mechanism under the sun that will make Facebook fess up to such double-standards.

For now, the Code’s requirement for signatories to publish an annual report on what they’re doing to tackle disinformation looks to be the biggest win so far. Albeit, it’s very loosely bound self-reporting. While some of these ‘reports’ don’t even run to a full page of A4-text — so set your expectations accordingly.

The Commission has published all the reports here. It has also produced its own summary and assessment of them (here).

“Overall, the reporting would benefit from more detailed and qualitative insights in some areas and from further big-picture context, such as trends,” it writes. “In addition, the metrics provided so far are mainly output indicators rather than impact indicators.”

Of the Code generally — as a “self-regulatory standard” — the Commission argues it has “provided an opportunity for greater transparency into the platforms’ policies on disinformation as well as a framework for structured dialogue to monitor, improve and effectively implement those policies”, adding: “This represents progress over the situation prevailing before the Code’s entry into force, while further serious steps by individual signatories and the community as a whole are still necessary.”

Self-driving vehicle technology company Waymo has expanding its business relationship with automotive retail company AutoNation, the companies announced today. The new extension builds on the existing partnership between Waymo and AutoNation, which began as a way for Waymo to service its Phoenix, Arizona-based vehicles, and which grew last year into an arrangement wherein Waymo would provide autonomous transportation to AutoNation customers on their way to the dealerships.

Now, the partnership enters a new, third real of business: business-to-business goods transportation. Waymo vehicles in the Phoenix, Arizona area will now be used to move car parts between AutoNation’s Toyota Tempe locations and other repair shops in the area, including those run by independent third parties.

Waymo has been focused primarily on passenger transportation, launching and operating a pilot ride-hailing service using its autonomous cars in the Phoenix testing area where its vehicles are cleared to operate. The Alphabet-owned company’s CEO John Krafcik told a group of reporters on Sunday in Detroit that driverless delivery likely has a better chance of catching on early vs. passenger transportation, which could explain why this latest pilot sees Waymo look towards repeatable delivery routes for commonly transported goods.

There are two types of enterprise startups: those that create value and those that protect value. Cybersecurity is most definitely part of the latter group, and as a vertical, it has sprawled the past few years as the scale of attacks on companies, organizations, and governments has continuously expanded.

That may be a constant threat for the executives of major companies, but for cybersecurity VCs who pick the right startup targets for investment, it’s a potential gold mine. Here at Extra Crunch, we compiled a list of top VCs who have invested in cybersecurity and enterprise more broadly and asked them what’s interesting in the space these days. We compiled ten of their responses as part of our investor survey and you should definitely take a look for their interesting takes on the space.

But we wanted to go a bit deeper on the topic to learn more about what’s happening right now in cybersecurity. So today, we talk with Arif Janmohamed of Lightspeed Venture Partners, one of the leading investors at one of the top enterprise VC firms in the world. He’s invested in companies ranging from cloud-access security broker Netskope and search analytics platform ThoughtSpot to Qubole (big data analytics), Nutanix (hyper-converged infrastructure), and Arceo.ai (cyber risk management).

TechCrunch’s security guru Zack Whittaker, managing editor Danny Crichton and operations editor Arman Tabatabai sat down with him to discuss what he’s seeing at the earliest stages in cybersecurity, which trends are being ignored by the industry and what he sees as the future of security in an always-changing present.

Introduction and Background

The following interview has been condensed and edited for clarity.

Danny Crichton: Let’s start with a bit of your background.

Arif Janmohamed: Sure. I’m on the early-stage side, so I have the most fun when I’m working with founders at the very earliest stages of company formation, where I can focus on company design, product and go-to-market and then find the right balance of teams to fill that out.

I’m on the board of Netskope, which is a cloud-security company. That one I did the Series B back in 2013. I’m on the board of TripActions, which is a corporate travel company, I did that one and then led the Series A and the Series B. I’m on the board of Moveworks, which is an AI engine for IT that was seeded by me and then I’ve supported them through their subsequent financing. I’m also on the board of a number of other companies.

Am I purely security-focused? The answer is no, I’m very much enterprise-focused. Security in my mind really fits within that rubric of the enterprise stack that’s getting rebuilt for a cloud-first world.

What’s snake oil and what has real value?

Zack Whittaker: So I’ve got a question that I just want to jump right in with. I’m always curious about this, especially when it comes to the very early stage, how do you go about distinguishing between potential snake oil and the things that seem really viable in the security world?

Security is one of the toughest things to get right; a hacker only needs to win once, but businesses have to get it right every single time.

Not every company faces the same field of threats. That’s what makes security particularly difficult — there are no panaceas, and the cybersecurity startup field is crowded. So much so, some entrepreneurs complain that the vast number of solutions on the market are weighing down chief security officers with a deluge of data but not the clear visibility they need.

Or, as one of the cybersecurity-focused VCs we surveyed called it: “startup fatigue.”

Many of the rising cybersecurity startups focus on the same or overlapping problems could lead to a “cybersecurity consolidation,” one that’s dictated by customers and not necessarily the businesses themselves.

But there’s usually one element that feeds into everything — data.

As hacks and breaches become more common, companies and customers alike are reevaluating their relationships with data. Customers want more ownership of their data and the ability to give it out granularly, while an increasing number of businesses are shifting away from central banks of data and leaning towards a “zero data” approach.

By minimizing the amount of information companies store or collect, it’s validation that even some larger startups don’t even trust themselves to secure data properly.

Not only that, there’s as much mistrust inside their own networks. That’s where “zero trust” comes into play — where you don’t trust, but you certainly verify. The idea is that you get no extra special access inside a company’s four walls. Many big companies, like Google, treat all employees the as if they present the same level of security risk whether they’re in the office, at home, or in a coffee shop down the street.

“You should be able to run your whole business out of a Starbucks,” said Google security chief Heather Adkins at Disrupt SF.

Why the mistrust? Because security isn’t just a technology problem, it’s a people problem. And it’s not only people creating the solutions, it’s people with the solutions to create these startups to begin with.

We asked ten leading cybersecurity VCs who work at firms that span early to growth stages to share where they see opportunity in this sector:

• Amit Karp, Partner at Bessemer Venture Partners
• Rama Sekhar, Partner at Norwest Venture Partners
• Ping Li, Partner at Accel
• Saam Motamedi, Partner at Greylock
• Deepak Jeevankumar, Managing Director at Dell Technologies Capital
• Lenard Marcus, General Partner at Edison Partners
• Arun Mathew, Partner at Accel
• Matt Carbonara, Managing Director at Citi Ventures
• Matt Robinson, Vice President at TCV
• Enrique Salem, Partner at Bain Capital Ventures

In addition, we did a deep-dive interview with Arif Janmohamed at Lightspeed about how he and his firm are targeting the sector and what he sees as the next-generation of cybersecurity startups. Be sure to check it out.

Now, let’s get to the data.

Answers have been edited for clarity.

Amit Karp, Partner at Bessemer Venture Partners

In cybersecurity, what are you most interested in right now from an investment perspective?

Unfortunately, the cybersecurity landscape is overcrowded with many vendors that offer point solutions. I believe CISOs are tired of deploying additional security products which for the most part have overlapping functionality. So I am very cautious with additional tools that are deployed inside the enterprise perimeter (network, endpoint, etc.).  I am looking for companies that can be deployed quickly and demonstrate immediate value to CISOs, and do not overwhelm the CISO with many new alerts.

What are the most interesting trends in the space, particularly ones you think are under-appreciated by other investors?

I think there are still many opportunities to improve application security. The combination of every company becoming a software company on the one hand and development environments becoming more chaotic on the other hand, results in many new risks and opportunities in securing your software. This includes securing third-party APIs or open-source components which are outside your control and giving developers and devops engineers more security tools while not hindering the pace of development.

Another interesting trend is micro-segmentation and authorization — with the adoption of zero-trust frameworks and authentication becoming a solved problem — deciding who gets access to what has become increasingly important.

Are there any startups in cybersecurity you wish existed, but haven’t seen yet?