X is hiring staff for security and safety after two years of layoffs

by with No Comment Tech

Elon Musk, chief executive officer of Tesla Inc., at the US Capitol in Washington, DC, US, on Wednesday, July 24, 2024.

Image Credits: Samuel Corum/Bloomberg / Getty Images

Nearly two years after the layoffs across X’s trust, safety and security teams, Elon Musk’s social media company is now trying to hire new employees to help moderate content and secure its platform, according to X’s official job listings. 

In the last month, X posted two dozen job openings evenly split across its safety and cybersecurity teams. 

The jobs on X’s safety team range from director of strategic response on X’s safety team to government affairs managers. On its cybersecurity teams, X is hiring several security engineers and a threat intelligence specialist. 

These are small numbers compared to the number of staff Musk laid off following his $44 billion acquisition of the company, formerly known as Twitter, in late 2022. In April 2023, Musk told the BBC that Twitter, as it was known then, reduced its headcount by 6,000 workers in six months, leaving the company’s workforce at around 1,500 employees when layoffs were completed.

Those cuts had included significant reductions for the company’s trust and safety team. In January this year, following an inquiry from Australia’s online safety commissioner, X said that it had laid off 80% of its trust and safety staff since Musk’s takeover. X also said in its responses that before Musk’s acquisition, the company had 279 engineers on its trust and safety teams around the world, which were cut down to 55 by the end of May 2023. 

Overall, X said it reduced its 4,062-strong trust and safety team by almost a third to 2,849 employees; its full-time content moderation team from 107 to 51 employees; and its contracted moderators from 2,613 to 2,305 employees, according to the Australian eSafety Commissioner’s report at the time.

a screenshot of the Australian government's eSafety review into X (formerly Twitter)
A screenshot of the Australian eSafety Commissioner’s report on X, which included statistics on X’s job cuts from its trust and safety and content moderation teams.
Image Credits: TechCrunch / screenshot

The recent job listings appear to confirm that X is trying to further beef up its safety team following the company’s announcement in January that it would create a new Trust and Safety center in Austin, Texas, which will include 100 full-time content moderators. 

Nine of the two-dozen jobs posted in the last month mention Austin among the possible locations, though the postings also include other cities, like New York City and Palo Alto, California, plus international offices like Manila in the Philippines and Delhi in India. 

When TechCrunch asked X’s press team a series of questions about these new hires, including the size of the company’s safety and cybersecurity teams, the company responded with an automated message: “Busy now, please check back later.”

Departure’s in X’s trust and safety and cybersecurity teams have not been limited to its staff, but also included senior leadership. Since Musk took over, both the company’s chief cybersecurity officer Lea Kissner and the company’s trust and safety lead Ella Irwin have left. 

The reduction in staff on the trust and safety and cybersecurity teams appear to have hurt X’s ability to secure itself and its users, as well as deal with complex content moderation issues all over the world. 

On Friday, the Supreme Court in Brazil essentially banned X across the country after Musk refused to remove accounts spreading misinformation. Since taking over as Twitter’s owner, Musk himself has been accused of spreading hateful content and misinformation. On Tuesday, Musk promoted a podcast episode featuring a guest accused of engaging in Holocaust denialism. Also this week, Musk posted on X several images from an AI generator showing someone that looks vaguely like Vice President Kamala Harris wearing a beret with the Communist hammer-and-sickle. 

On the cybersecurity side, Musk hosted an X Spaces event with former President Donald Trump, which crashed and was delayed. Musk blamed the crash — without providing evidence — on “a massive [distributed denial-of-service] attack on X.”

Stop playing games with online security, Signal president warns EU lawmakers

by with No Comment Tech

Signal messaging application President Meredith Whittaker.

Image Credits: PATRICIA DE MELO MOREIRA/AFP / Getty Images

A controversial European Union legislative proposal to scan the private messages of citizens in a bid to detect child sexual abuse material (CSAM) is a risk to the future of web security, Meredith Whittaker warned in a public blog post Monday. She’s the president of the not-for-profit foundation behind the end-to-end encrypted (E2EE) messaging app Signal.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” she wrote.

The European Commission presented the original proposal for mass scanning of private messaging apps to counter the spread of CSAM online back in May 2022. Since then, Members of the European Parliament have united in rejecting the approach. They also suggested an alternative route last fall, which would have excluded E2EE apps from scanning. However the European Council, the legislative body made up of representatives of Member States governments, continues to push for strongly encrypted platforms to remain in scope of the scanning law.

The most recent Council proposal, which was put forward in May under the Belgian presidency, includes a requirement that “providers of interpersonal communications services” (aka messaging apps) install and operate what the draft text describes as “technologies for upload moderation”, per a text published by Netzpolitik.

Article 10a, which contains the upload moderation plan, states that these technologies would be expected “to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material.”

Last month, Euractiv reported that the revised proposal would require users of E2EE messaging apps to consent to scanning to detect CSAM. Users who did not consent would be prevented from using features that involve the sending of visual content or URLs it also reported — essentially downgrading their messaging experience to basic text and audio.

Whittaker’s statement skewers the Council’s plan as an attempt to use “rhetorical games” to try to rebrand client-side scanning, the controversial technology which security and privacy experts argue is incompatible with the strong encryption that supports confidential communications.

“[M]andating mass scanning of private communications fundamentally undermines encryption. Full stop,” she emphasized. “Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted.”

“We can call it a backdoor, a front door, or ‘upload moderation’. But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”

Also hitting out at the revised Council proposal in a statement last month, Pirate Party MEP Patrick Breyer — who has opposed the Commission’s controversial message-scanning plan from the start — warned: “The Belgian proposal means that the essence of the EU Commission’s extreme and unprecedented initial chat control proposal would be implemented unchanged. Using messenger services purely for texting is not an option in the 21st century.”

The EU’s own data protection supervisor has also voiced concern. Last year, it warned that the plan poses a direct threat to democratic values in a free and open society.

Pressure on governments to force E2EE apps to scan private messages, meanwhile, is likely coming from law enforcement.

Back in April European police chiefs put out a joint statement calling for platforms to design security systems in such a way that they can still identify illegal activity and send reports on message content to law enforcement. Their call for “technical solutions” to ensure “lawful access” to encrypted data did not specify how platforms should achieve this sleight of hand. But, as we reported at the time, the lobbying was for some form of client-side scanning. It looks no accident, therefore, that just a few weeks later the Council produced its proposal for “upload moderation”.

The draft text does contain a few statements that seek to pop a proverbial fig leaf atop the gigantic security and privacy black hole that “upload moderation” implies — including a line that states “without prejudice to Article 10a, this Regulation shall not prohibit or make impossible end-to-end encryption”; as well as a claim that service providers will not be required to decrypt or provide access to E2EE data; a clause saying they should not introduce cybersecurity risks “for which it is not possible to take any effective measures to mitigate such risk”; and another line stating service providers should not be able to “deduce the substance of the content of the communications”.

“These are all nice sentiments, and they make of the proposal a self negating paradox,” Whittaker told TechCrunch when we sought her response to these provisos. “Because what is proposed — bolting mandatory scanning onto end-to-end encrypted communications — would undermine encryption and create a significant vulnerability.”

The Commission and the Belgian presidency of the Council were contacted for a response to her concerns but at press time neither had provided a response.

EU lawmaking is typically a three-way affair — so it remains to be seen where the bloc will finally end up on CSAM scanning. Once the Council agrees on its position, so-called trilogue talks kick off with the parliament and Commission to seek a final compromise. But it’s also worth noting that the make-up of the parliament has changed since MEPs agreed their negotiating mandate last year following the recent EU elections.

EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn

Europe’s CSAM-scanning plan is a tipping point for democratic rights, experts warn

Semperis, a specialist in Active Directory security now worth more than $1B, raises $125M

by with No Comment Tech

Digital security padlock with encrypted binary code on abstract circuit board.

Image Credits: Yuichiro Chino (opens in a new window) / Getty Images

Active Directory, the Microsoft directory service for connecting users with network resources, is used by more than 90% of all Fortune 1000 companies and many more besides. So it’s no surprise that it’s a giant target for malicious hackers. 

That also means a lot of attention for the security companies that are building tools to protect and recover Active Directory (AD) services. On Thursday, Semperis, a Hoboken, New Jersey, startup focused on AD protection, said it had raised $125 million from J.P. Morgan and Hercules Capital, and will be using it for R&D and business development.

In addition to Active Directory, Semperis also provides threat detection, response, recovery and related services for users of Entra ID (formerly known as Azure Active ID) and Okta. Its customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz and many others, covering some 100 million user identities in all. 

The funding has come almost exactly two years since Semperis raised a $200 million Series C. 

Unlike that round, this financing is a mix of equity and debt, and TechCrunch has confirmed the valuation of the company: It’s now worth over $1 billion. Or, in the words of Mickey Bresman, Semperis’ founder and CEO, “I have a horn.”

Alongside the financing, Semperis is also adding three executives that Bresman said will be critical for the company’s next steps as a business, which, he said, currently looks like an IPO. I’d say they could also be M&A in the right situation, given how much consolidation we’ve been witnessing in the cybersecurity market in the last few years.

Jeff Bray is coming on as a CFO; Mike DeGaetano is joining as its chief revenue officer, and Annabel Lewis is coming on as chief legal officer and corporate secretary. All three have extensive backgrounds with some of the more successful cyber companies of the last decade. 

Semperis has been around since 2013 (it started offering services in 2015), and Bresman says he likes to joke that the company was both too early and too late to the market. 

He feels it was early because cybersecurity simply was not as big of a deal just 10 years ago, and the conversation was not really about ID management (which is a huge theme today). And he thinks it was also late because actually AD was launched in 1999 and already being used ubiquitously, thus laying the groundwork for the extensive hacking that would eventually grip companies that use it. There have been waves upon waves of attacks exploiting vulnerabilities through the Active Directory architecture. 

And despite the beating drum of cloud services, on-premises services are still huge, and AD is how many of them are used at enterprises. One of the more recent and damaging AD-exploitations was NotPetya, which has been described as one of the “most devastating” attacks in cyber history. 

Since then, of course, a number of other companies focused on AD have emerged. They include Palo Alto Networks, Bitsight, BigID, Wiz and many others.

One of the problems with a lot of AD attacks is that across a distributed system, breaches can be complicated, costly and drawn out to fix. Semperis’ pitch is that it can cut that time by 90%. With downtime being typically even more costly to a business than the breach itself, lowering that downtime, if not avoiding it altogether, becomes a primary focus for cyber buyers.

“As CISOs shift their focus towards securing and building resiliency into their identity infrastructure, we see enormous demand for specialized hybrid AD and Entra ID protection,” said Bray in a statement.

“Semperis is a clear leader in the urgently needed area of identity system defense, with machine-learning-based attack prevention, detection and response,” added Scott Bluestein, CEO and CIO at Hercules Capital. “Leading organizations around the world depend on Semperis to safeguard their hybrid Active Directory environment, which is foundational to the IT infrastructure and heavily targeted by attackers.”

As for why the company took debt instead of equity, Bresman simply said that the company had multiple options, but it chose this one in part because it has the mix of investors on its cap table that it wants. (He didn’t say the following, but it also means that it has to give up less equity en route to an IPO.)

“Semperis, with new support from J.P. Morgan and Hercules Capital, and our existing team of world-class backers, KKR, Insight Partners, Ten Eleven Ventures, Paladin, Advocate Health and others, will continue to drive innovations to disrupt cyberattacks,” said Bray. “The growth financing complements an already strong balance sheet, allowing Semperis to accelerate the investment in R&D and expand our global footprint to meet market demand.”

The best hacks and security research from Black Hat and Def Con 2024

by with No Comment Tech

a photo showing the entrance of the business hall at the Black Hat security conference in Las Vegas in August 2024

Image Credits: Lorenzo Franceschi-Bicchierai / TechCrunch

Thousands of hackers, researchers and security professionals descended on the Black Hat and Def Con security conferences in Las Vegas this week, an annual pilgrimage aimed at sharing the latest research, hacks and knowledge across the security community. And TechCrunch was on the ground to report on the back-to-back shows and to cover some of the latest research.

CrowdStrike took center stage, and picked up an “epic fail” award it certainly didn’t want. But the company acknowledged it messed up and handled its scandal several weeks after releasing a buggy software update that sparked a global IT outage. Hackers and security researchers seemed largely willing to forgive, though maybe not easily forget.

As another round of Black Hat and Def Con conferences wrap up, we look back at some of the highlights and the best in research from the show that you might’ve missed.

Hacking Ecovac robots to spy on their owners over the internet

Security researchers revealed in a Def Con talk that it was possible to hijack a range of Ecovacs home vacuum and lawnmower robots by sending a malicious Bluetooth signal to a vulnerable robot within a close proximity. From there, the on-board microphone and camera can be remotely activated over the internet, allowing the attacker to spy on anyone within ear- and camera-shot of the robot.

The bad news is that Ecovacs never responded to the researchers, or TechCrunch’s request for comment, and there is no evidence that the bugs were ever fixed. The good news is that we still got this incredible screenshot of a dog taken from the on-board camera of a hacked Ecovacs robot. 

A dog seen through a hacked Ecovacs device.
A dog seen through a hacked Ecovacs device.
Image Credits: Dennis Giese and Braelynn

The long game of infiltrating the LockBit ransomware game and doxing its ringleader

An intense cat and mouse game between security researcher Jon DiMaggio and the ringleader of the LockBit ransomware and extortion racket, known only as LockBitSupp, led DiMaggio down a rabbit hole of open source intelligence gathering to identify the real-world identity of the notorious hacker. 

In his highly detailed diary series, DiMaggio, spurred on by an anonymous tip of an email address allegedly used by LockBitSupp and a deep-rooted desire to get justice for the gang’s victims, finally identified the man, and got there even before federal agents publicly named the hacker as the Russian national, Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective to a crowded room for the first time.

Hacker develops laser microphone that can hear your keyboard taps

Renowned hacker Samy Kamkar developed a new technique aimed at stealthily determining each tap from a laptop’s keyboard by aiming an invisible laser through a nearby window. The technique, demonstrated at Def Con and as explained by Wired, “takes advantage of the subtle acoustics created by tapping different keys on a computer,” and works so long as the hacker has a line-of-sight from the laser to the target laptop itself. 

Prompt injections can easily trick Microsoft Copilot

A new prompt injection technique developed by Zenity shows it’s possible to extract sensitive information from Microsoft’s AI-powered chatbot companion, Copilot. Zenity chief technology officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI’s prompt to alter its output.

In one example he tweeted out, Bargury showed it was possible to feed in HTML code containing a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in responses returned to ordinary users. That can be used to trick unsuspecting people into sending money to the wrong place, the basis of some popular business scams. 

Six companies saved from hefty ransoms, thanks to ransomware flaws in ransomware leak sites

Security researcher Vangelis Stykas set out to scope dozens of ransomware gangs and identify potential holes in their public-facing infrastructure, such as their extortion leak sites. In his Black Hat talk, Stykas explained how he found vulnerabilities in the web infrastructure of three ransomware gangs — Mallox, BlackCat and Everest — allowing him to get decryption keys to two companies and notify four others before the gangs could deploy ransomware, saving in total six companies from hefty ransoms. 

Ransomware isn’t getting better, but the tactics law enforcement are using against gangs that encrypt and extort their victims are getting more novel and interesting, and this could be an approach to consider with gangs going forward.

a photo showing the entrance of the business hall at the Black Hat security conference in Las Vegas in August 2024

The best hacks and security research from Black Hat and Def Con 2024

by with No Comment Tech

a photo showing the entrance of the business hall at the Black Hat security conference in Las Vegas in August 2024

Image Credits: Lorenzo Franceschi-Bicchierai / TechCrunch

Thousands of hackers, researchers and security professionals descended on the Black Hat and Def Con security conferences in Las Vegas this week, an annual pilgrimage aimed at sharing the latest research, hacks, and knowledge across the security community. And TechCrunch was on the ground to report on the back-to-back shows and to cover some of the latest research.

CrowdStrike took center stage, and picked up an “epic fail” award it certainly didn’t want. But the company acknowledged it messed up and handled its scandal several weeks after releasing a buggy software update that sparked a global IT outage. Hackers and security researchers seemed largely willing to forgive, though maybe not easily forget.

As another round of Black Hat and Def Con conferences wrap up, we look back at some of the highlights and the best in research from the show that you might’ve missed.

Hacking Ecovac robots to spy on their owners over the internet

Security researchers revealed in a Def Con talk that it was possible to hijack a range of Ecovacs home vacuum and lawnmower robots by sending a malicious Bluetooth signal to a vulnerable robot within a close proximity. From there, the on-board microphone and camera can be remotely activated over the internet, allowing the attacker to spy on anyone within ear- and camera-shot of the robot.

The bad news is that Ecovacs never responded to the researchers, or TechCrunch’s request for comment, and there is no evidence that the bugs were ever fixed. The good news is that we still got this incredible screenshot of a dog taken from the on-board camera of a hacked Ecovacs robot. 

A dog seen through a hacked Ecovacs device.
A dog seen through a hacked Ecovacs device. Image Credits: Dennis Giese and Braelynn / supplied.
Image Credits: Dennis Giese and Braelynn

The long game of infiltrating the LockBit ransomware game and doxing its ringleader

An intense cat and mouse game between security researcher Jon DiMaggio and the ringleader of the LockBit ransomware and extortion racket, known only as LockBitSupp, led DiMaggio down a rabbit hole of open source intelligence gathering to identify the real-world identity of the notorious hacker. 

In his highly detailed diary series, DiMaggio, spurred on by an anonymous tip of an email address allegedly used by LockBitSupp and a deep-rooted desire to get justice for the gang’s victims, finally identified the man, and got there even before federal agents publicly named the hacker as the Russian national, Dmitry Khoroshev. At Def Con, DiMaggio told his story from his perspective to a crowded room for the first time.

Hacker develops laser microphone that can hear your keyboard taps

Renowned hacker Samy Kamkar developed a new technique aimed at stealthily determining each tap from a laptop’s keyboard by aiming an invisible laser through a nearby window. The technique, demonstrated at Def Con and as explained by Wired, “takes advantage of the subtle acoustics created by tapping different keys on a computer,” and works so long as the hacker has a line-of-sight from the laser to the target laptop itself. 

Prompt injections can easily trick Microsoft Copilot

A new prompt injection technique developed by Zenity shows it’s possible to extract sensitive information from Microsoft’s AI-powered chatbot companion, Copilot. Zenity chief technology officer Michael Bargury demonstrated the exploit at the Black Hat conference, showing how to manipulate Copilot AI’s prompt to alter its output.

In one example he tweeted out, Bargury showed it was possible to feed in HTML code containing a bank account number controlled by a malicious attacker and trick Copilot into returning that bank account number in responses returned to ordinary users. That can be used to trick unsuspecting people into sending money to the wrong place, the basis of some popular business scams. 

Six companies saved from hefty ransoms, thanks to ransomware flaws in ransomware leak sites

Security researcher Vangelis Stykas set out to scope dozens of ransomware gangs and identify potential holes in their public-facing infrastructure, such as their extortion leak sites. In his Black Hat talk, Stykas explained how he found vulnerabilities in the web infrastructure of three ransomware gangs — Mallox, BlackCat, and Everest — allowing him to get decryption keys to two companies and notify four others before the gangs could deploy ransomware, saving in total six companies from hefty ransoms. 

Ransomware isn’t getting better, but the tactics law enforcement are using against gangs that encrypt and extort their victims are getting more novel and interesting, and this could be an approach to consider with gangs going forward.

Stop playing games with online security, Signal president warns EU lawmakers

by with No Comment Tech

Signal messaging application President Meredith Whittaker.

Image Credits: PATRICIA DE MELO MOREIRA/AFP / Getty Images

A controversial European Union legislative proposal to scan the private messages of citizens in a bid to detect child sexual abuse material (CSAM) is a risk to the future of web security, Meredith Whittaker warned in a public blog post Monday. She’s the president of the not-for-profit foundation behind the end-to-end encrypted (E2EE) messaging app Signal.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” she wrote.

The European Commission presented the original proposal for mass scanning of private messaging apps to counter the spread of CSAM online back in May 2022. Since then, Members of the European Parliament have united in rejecting the approach. They also suggested an alternative route last fall, which would have excluded E2EE apps from scanning. However the European Council, the legislative body made up of representatives of Member States governments, continues to push for strongly encrypted platforms to remain in scope of the scanning law.

The most recent Council proposal, which was put forward in May under the Belgian presidency, includes a requirement that “providers of interpersonal communications services” (aka messaging apps) install and operate what the draft text describes as “technologies for upload moderation”, per a text published by Netzpolitik.

Article 10a, which contains the upload moderation plan, states that these technologies would be expected “to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material.”

Last month, Euractiv reported that the revised proposal would require users of E2EE messaging apps to consent to scanning to detect CSAM. Users who did not consent would be prevented from using features that involve the sending of visual content or URLs it also reported — essentially downgrading their messaging experience to basic text and audio.

Whittaker’s statement skewers the Council’s plan as an attempt to use “rhetorical games” to try to rebrand client-side scanning, the controversial technology which security and privacy experts argue is incompatible with the strong encryption that supports confidential communications.

“[M]andating mass scanning of private communications fundamentally undermines encryption. Full stop,” she emphasized. “Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted.”

“We can call it a backdoor, a front door, or ‘upload moderation’. But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”

Also hitting out at the revised Council proposal in a statement last month, Pirate Party MEP Patrick Breyer — who has opposed the Commission’s controversial message-scanning plan from the start — warned: “The Belgian proposal means that the essence of the EU Commission’s extreme and unprecedented initial chat control proposal would be implemented unchanged. Using messenger services purely for texting is not an option in the 21st century.”

The EU’s own data protection supervisor has also voiced concern. Last year, it warned that the plan poses a direct threat to democratic values in a free and open society.

Pressure on governments to force E2EE apps to scan private messages, meanwhile, is likely coming from law enforcement.

Back in April European police chiefs put out a joint statement calling for platforms to design security systems in such a way that they can still identify illegal activity and send reports on message content to law enforcement. Their call for “technical solutions” to ensure “lawful access” to encrypted data did not specify how platforms should achieve this sleight of hand. But, as we reported at the time, the lobbying was for some form of client-side scanning. It looks no accident, therefore, that just a few weeks later the Council produced its proposal for “upload moderation”.

The draft text does contain a few statements that seek to pop a proverbial fig leaf atop the gigantic security and privacy black hole that “upload moderation” implies — including a line that states “without prejudice to Article 10a, this Regulation shall not prohibit or make impossible end-to-end encryption”; as well as a claim that service providers will not be required to decrypt or provide access to E2EE data; a clause saying they should not introduce cybersecurity risks “for which it is not possible to take any effective measures to mitigate such risk”; and another line stating service providers should not be able to “deduce the substance of the content of the communications”.

“These are all nice sentiments, and they make of the proposal a self negating paradox,” Whittaker told TechCrunch when we sought her response to these provisos. “Because what is proposed — bolting mandatory scanning onto end-to-end encrypted communications — would undermine encryption and create a significant vulnerability.”

The Commission and the Belgian presidency of the Council were contacted for a response to her concerns but at press time neither had provided a response.

EU lawmaking is typically a three-way affair — so it remains to be seen where the bloc will finally end up on CSAM scanning. Once the Council agrees on its position, so-called trilogue talks kick off with the parliament and Commission to seek a final compromise. But it’s also worth noting that the make-up of the parliament has changed since MEPs agreed their negotiating mandate last year following the recent EU elections.

EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn

Europe’s CSAM-scanning plan is a tipping point for democratic rights, experts warn

Semperis, a specialist in Active Directory security now worth more than $1B, raises $125M

by with No Comment Tech

Digital security padlock with encrypted binary code on abstract circuit board.

Image Credits: Yuichiro Chino (opens in a new window) / Getty Images

Active Directory – the Microsoft directory service for connecting users with network resources – is used by more than 90% of all Fortune 1000 companies and many more besides. So it’s no surprise that it’s a giant target for malicious hackers. 

That also means a lot of attention for security companies that are building tools to protect and recover AD services. 

Today, Semperis – a Hoboken, NJ, startup focused on AD protection – is announcing funding of $125 million from J. P. Morgan and Hercules Capital, money that it will be using for R&D and business development. In addition to Active Directory, these days Semperis also provides threat detection, response, recovery and related services for users of Entra ID (formerly known by the more wordy name Azure Active ID) and Okta in cases where customers are using these for some or all of their cloud services. Its customers include Lenovo, Prime Healthcare, Sanofi, United Airlines, Starbucks, Hertz and many others, covering some 100 million user identities in all. 

The funding is coming almost exactly two years since Semperis raised a $200 million Series C. 

Unlike that round, this financing is a mix of equity and debt – more on why it took debt below – and also unlike that round, TechCrunch has confirmed the valuation of the company: it’s now over $1 billion – or, in the words of Mickey Bresman, Semperis’ founder and CEO, “I have a horn.”

(The $651 million noted in PitchBook is inaccurate.)

Alongside the financing, Semperis is also adding three executives that Bresman said will be critical for it taking its next steps as a business, which he said currently looks like an IPO, but I’d say could also be M&A in the right situation, given how much consolidation we’ve been witnessing in the cybersecurity market in the last few years.

Jeff Bray is coming on as a CFO; Mike DeGaetano is joining as its chief revenue officer, and Annabel Lewis is coming on as chief legal officer and corporate secretary. All three have extensive backgrounds with some of the more successful cyber companies of the last decade. 

Semperis has been around since 2013 (with services formally launching in 2015), and Bresman says he likes to joke that the company was both too early and too late to the market. 

Early because cybersecurity simply was not as big of a deal just ten years ago, and the conversation was not really about ID management ( today that is a huge theme). Late because actually AD was launched in 1999 already being used very ubiquitously, thus laying the groundwork for the extensive hacking that would eventually grip AD-using organizations. There have been waves upon waves of attacks exploiting vulnerabilities through the Active Directory architecture. 

And despite the beating drum of cloud services (and more specifically the beating drum of the cloud services marketing machine), on premises services are still huge, and AD is the route to how many of them are used among enterprises. One of the more recent and damaging AD-exploitations was NotPetya, which has been described as one of the “most devastating” attacks in cyber history. 

Since then, of course, a number of others focused on AD have emerged. They include Palo Alto Networks, Bitsight, BigID, Wiz and many others.

One of the problems with a lot of AD attacks is that across a distributed system, breaches can be complicated, costly, and drawn out to fix. Semperis’ pitch is that it can cut that time by 90%. With downtime being typically even more costly to a business than the breach itself, bringing it down, if not avoiding it altogether, becomes a primary focus for cyber buyers.

“As CISOs shift their focus towards securing and building resiliency into their identity infrastructure, we see enormous demand for specialized hybrid AD and Entra ID protection,” said Bray in a statement.

“Semperis is a clear leader in the urgently needed area of identity system defense, with machine-learning-based attack prevention, detection, and response,” added Scott Bluestein, CEO and CIO at Hercules Capital. “Leading organizations around the world depend on Semperis to safeguard their hybrid Active Directory environment, which is foundational to the IT infrastructure and heavily targeted by attackers.”

As for why the company took debt instead of equity, Bresman simply said that the company had multiple options but it chose this one in part because it has the mix of investors on its cap table that it wants. (He didn’t say the following, but it also means that it has to give up less equity en route to an IPO.)

“Semperis, with new support from J.P. Morgan and Hercules Capital, and our existing team of world-class backers, KKR, Insight Partners, Ten Eleven Partners, Paladin, Advocate Health and others, will continue to drive innovations to disrupt cyberattacks,” said Bray. “The growth financing complements an already strong balance sheet, allowing Semperis to accelerate the investment in R&D and expand our global footprint to meet market demand.”

Stop playing games with online security, Signal president warns EU lawmakers

by with No Comment Tech

Signal messaging application President Meredith Whittaker poses for a photograph before an interview at the Europe's largest tech conference, the Web Summit, in Lisbon on November 4, 2022. (Photo by PATRICIA DE MELO MOREIRA/AFP via Getty Images)

Image Credits: PATRICIA DE MELO MOREIRA/AFP / Getty Images

A controversial European Union legislative proposal to scan the private messages of citizens in a bid to detect child sexual abuse material (CSAM) is a risk to the future of web security, Meredith Whittaker warned in a public blog post Monday. She’s the president of the not-for-profit foundation behind the end-to-end encrypted (E2EE) messaging app Signal.

“There is no way to implement such proposals in the context of end-to-end encrypted communications without fundamentally undermining encryption and creating a dangerous vulnerability in core infrastructure that would have global implications well beyond Europe,” she wrote.

The European Commission presented the original proposal for mass scanning of private messaging apps to counter the spread of CSAM online back in May 2022. Since then, Members of the European Parliament have united in rejecting the approach. They also suggested an alternative route last fall, which would have excluded E2EE apps from scanning. However the European Council, the legislative body made up of representatives of Member States governments, continues to push for strongly encrypted platforms to remain in scope of the scanning law.

The most recent Council proposal, which was put forward in May under the Belgian presidency, includes a requirement that “providers of interpersonal communications services” (aka messaging apps) install and operate what the draft text describes as “technologies for upload moderation”, per a text published by Netzpolitik.

Article 10a, which contains the upload moderation plan, states that these technologies would be expected “to detect, prior to transmission, the dissemination of known child sexual abuse material or of new child sexual abuse material.”

Last month, Euractiv reported that the revised proposal would require users of E2EE messaging apps to consent to scanning to detect CSAM. Users who did not consent would be prevented from using features that involve the sending of visual content or URLs it also reported — essentially downgrading their messaging experience to basic text and audio.

Whittaker’s statement skewers the Council’s plan as an attempt to use “rhetorical games” to try to rebrand client-side scanning, the controversial technology which security and privacy experts argue is incompatible with the strong encryption that supports confidential communications.

“[M]andating mass scanning of private communications fundamentally undermines encryption. Full stop,” she emphasized. “Whether this happens via tampering with, for instance, an encryption algorithm’s random number generation, or by implementing a key escrow system, or by forcing communications to pass through a surveillance system before they’re encrypted.”

“We can call it a backdoor, a front door, or ‘upload moderation’. But whatever we call it, each one of these approaches creates a vulnerability that can be exploited by hackers and hostile nation states, removing the protection of unbreakable math and putting in its place a high-value vulnerability.”

Also hitting out at the revised Council proposal in a statement last month, Pirate Party MEP Patrick Breyer — who has opposed the Commission’s controversial message-scanning plan from the start — warned: “The Belgian proposal means that the essence of the EU Commission’s extreme and unprecedented initial chat control proposal would be implemented unchanged. Using messenger services purely for texting is not an option in the 21st century.”

The EU’s own data protection supervisor has also voiced concern. Last year, it warned that the plan poses a direct threat to democratic values in a free and open society.

Pressure on governments to force E2EE apps to scan private messages, meanwhile, is likely coming from law enforcement.

Back in April European police chiefs put out a joint statement calling for platforms to design security systems in such a way that they can still identify illegal activity and send reports on message content to law enforcement. Their call for “technical solutions” to ensure “lawful access” to encrypted data did not specify how platforms should achieve this sleight of hand. But, as we reported at the time, the lobbying was for some form of client-side scanning. It looks no accident, therefore, that just a few weeks later the Council produced its proposal for “upload moderation”.

The draft text does contain a few statements that seek to pop a proverbial figleaf atop the gigantic security and privacy black hole that “upload moderation” implies — including a line that states “without prejudice to Article 10a, this Regulation shall not prohibit or make impossible end-to-end encryption”; as well as a claim that service providers will not be required to decrypt or provide access to E2EE data; a clause saying they should not introduce cybersecurity risks “for which it is not possible to take any effective measures to mitigate such risk”; and another line stating service providers should not be able to “deduce the substance of the content of the communications”.

“These are all nice sentiments, and they make of the proposal a self negating paradox,” Whittaker told TechCrunch when we sought her response to these provisos. “Because what is proposed — bolting mandatory scanning onto end-to-end encrypted communications — would undermine encryption and create a significant vulnerability.”

The Commission and the Belgian presidency of the Council were contacted for a response to her concerns but at press time neither had provided a response.

EU lawmaking is typically a three-way affair — so it remains to be seen where the bloc will finally end up on CSAM scanning. Once the Council agrees its position, so-called trilogue talks kick off with the parliament and Commission to seek a final compromise. But it’s also worth noting that the make-up of the parliament has changed since MEPs agreed their negotiating mandate last year following the recent EU elections.

EU plan to force messaging apps to scan for CSAM risks millions of false positives, experts warn

Europe’s CSAM-scanning plan is a tipping point for democratic rights, experts warn

Cloud-native cybersecurity startup Aqua Security raises $60M and remains a unicorn

by with No Comment Tech

Aqua Security

Image Credits: Aqua Security

Aqua Security, an Israeli cybersecurity startup that helps companies protect their cloud services, has raised $60 million in funding, extending its previously announced $135 million Series E round of funding to $195 million.

Founded in 2015, Tel Aviv- and Boston-based Aqua Security claims customers such as PayPal, Netflix and Samsung, which use the Aqua platform for services spanning cloud workload protection (CWPP), cloud security posture management, Kubernetes security posture management, software supply chain security, risk and vulnerability scanning, malware protection and more.

The company has now raised around $325 million since its inception, and with its Series E extension round Aqua ushers in lead investor Evolution Equity Partners, a venture capital firm substantively focused on the cybersecurity industry and which launched a new $400 million fund two years ago.

Existing Aqua Security investors including Lightspeed Venture Partners, Insight Partners and StepStone Group also participated in the round.

In an arid funding landscape where much beyond low single-digit seed rounds are hard to come by, Aqua’s latest cash injection could indicate a degree of investor confidence as the company seeks new capital to power growth. However, Aqua Security’s valuation has seemingly remained the same as it was some three years ago when its Series E round was first announced. In March, 2021, Aqua Security said its valuation was “in excess of $1 billion,” and today it says its valuation is “above” $1 billion.

Three years is a long time to woo would-be investors with impressive growth metrics, so a stagnant valuation could suggest that business isn’t entirely rosy — but on the flip-side, a new lead investor could also serve as an additional external validation of the startup’s potential prospects.

Detail of shipping container door

Software supply chain security remains a challenge for most enterprises

by with No Comment Tech

Detail of shipping container door

Image Credits: Busà Photography / Getty Images

Log4j, maybe more than any other security issue in recent years, thrust software supply chain security into the limelight, with even the White House weighing in. But even though virtually every technology executive is at least aware of the importance of creating a trustworthy and secure software supply chain, most continue to struggle with how to best implement a strategy around it.

The number of CVEs (Common Vulnerabilities and Exposures) continues to increase at a steady pace and there’s nary a container out there that doesn’t include at least some vulnerabilities. Some of those may be in libraries that aren’t even used when the container is in production, but they are vulnerabilities nevertheless.

Image Credits: Slim.ai

According to Slim.ai‘s latest Container Report, the average organization now deploys well over 50 containers from their vendors every month (and almost 10% deploy more than 250). Yet only 12% of the security leaders who responded to Slim.ai’s survey said they were able to achieve their own vulnerability remediation goals. Everybody else says they are “greatly” struggling or see significant room for improvement. And while those organizations are all pressuring their vendors to improve their security stance and deliver, the vendors and buyers often can’t even agree on which CVE’s actually need patching in a container.

As Ayse Kaya, Slim.ai’s VP for Strategic Insights and Analytics told me, the interaction between buyers and vendors is often still driven by the exchange of spreadsheets and ad hoc meetings between security groups. According to the company’s report, which it created in partnership with research firm Enterprise Strategy Group, that’s still how 75% of organizations exchange information with their vendors, even as virtually all security leaders (84%) would look to see a centralized collaboration platform for managing vulnerabilities. For the time being, though, it seems like emailing spreadsheets back and forth remains to be the state of the art.

Image Credits: Slim.ai

All of this inevitably leads to inefficiencies. The majority of organizations that responded to the survey said they employ six or more specialists who focus on vulnerability remediation (with a quarter of respondents employing more than 10). One of the major problems in the industry is that more than 40% of the alerts these teams get are false positives — often for libraries that may be part of a container but aren’t used in production. Because of this, Kaya for example greatly advocates for creating minimal container images. One could argue that this should be a best practice anyway, since it creates a smaller attack surface and reduces false positives.

It’s not just security teams that have to deal with these vulnerabilities, though, of course. All of these efforts slow down the overall development process, too. Most companies see some disruptions multiple times a week because they detect a vulnerability in a production container, for example. According to Slim.ai’s report, the average container now sees a new release roughly every 11 days and the average container is now affected by 311 CVEs (up from 282 in 2022). All of that means more work, more interruptions and more effort expended in working with vendors to get them fixed.