Shared posts

24 Apr 21:48

Network issues with VMware Tools 10.2.0 and Windows Server 2008 R2 Guest VMs

by afokkema

When you’re (still) running Windows Server 2008 R2 and using VMware Tools 10.2.0, you might run into an issue with network loss. VMware has published KB54459, “Windows Server 2008 R2 guest VM ports are exhausted after upgrading to VMware Tools 10.2.0”. Details: guest virtual machine ports are exhausted after a few days. Networking is […]
23 Apr 21:14

Facebook Tries to Share Details of What Exactly Advertisers Know About You

by Rafia Shaikh

In its ongoing efforts to win back user trust, Facebook is today talking about what advertisers know about you on the platform. The company continues to suggest that it has to rely on advertisers to make the platform “affordable” for everyone – something it has been saying since Apple’s Tim Cook took a jab at the social networking site for using people as its products.

“Advertising lets us keep Facebook free,” Facebook’s Rob Goldman, Vice President, Ads wrote in today’s blog post. “But we aren’t blind to the challenges this model poses. It requires a steadfast commitment to privacy.”

Goldman said that “relevant advertising and privacy aren’t in conflict,” promising that the company doesn’t sell information to advertisers or tell them who you are. While many have contradicted this claim explaining how data can be easily deanonymized, Facebook is equating its advertising model to the one used by TV networks.

“We sell advertisers space on Facebook – much like TV or radio or newspapers do,” the company said without going into the fact that TV, radio or newspapers do not have access to personal and often intimate information of their subscribers that Facebook has access to.

If you’re not selling advertisers my data, what are you giving them?

We don’t sell your information. When an advertiser runs a campaign on Facebook, we share reports about the performance of their ad campaign. We could, for example, tell an advertiser that more men than women responded to their ad, and that most people clicked on the ad from their phone.

The detailed Q&A gives a somewhat clearer – if not misleading – picture of what advertisers know about you through Facebook. Apart from its comparison with publishing businesses (Facebook continues to argue it should not be treated as a media company), it has also emphasized that its users aren’t its products.

If I’m not paying for Facebook, am I the product?

No. Our product is social media – the ability to connect with the people that matter to you, wherever they are in the world. It’s the same with a free search engine, website or newspaper. The core product is reading the news or finding information – and the ads exist to fund that experience.

One of the reasons Facebook has found itself in hot water is that it failed to protect user data – not necessarily that it sold that data to advertisers. A single researcher managed to take data of millions of Facebook users without actually hacking into the platform or using any other malicious tactics.

What if I don’t want my data used to show me ads?

You can’t opt out of ads altogether because ads are what keep Facebook free, but you do have different options to control how your data can and can’t be used to show you ads.

While today’s blog post makes it loud and clear that you cannot get yourself out of the advertising model because, let’s face it, that’s how the company runs, it doesn’t help users who are still wondering why Facebook avoided alerting them when the incident occurred and how many similar incidents are yet to be uncovered.

If you want to continue using Facebook, you can head over to ad preferences to control what data can be used by advertisers. More tips are available in our earlier guide.

The post Facebook Tries to Share Details of What Exactly Advertisers Know About You by Rafia Shaikh appeared first on Wccftech.

23 Apr 12:54

City of Atlanta Ransomware Attack Proves Disastrously Expensive

by Kevin Townsend

City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not


20 Apr 17:46

FDA Reveals New Plans for Medical Device Security

by Eduard Kovacs

The U.S. Food and Drug Administration (FDA) this week announced its medical device safety action plan, which includes seeking additional funding and authorities that would help it improve cybersecurity in the healthcare industry.


19 Apr 15:55

NIST Publishes New Version of its Cybersecurity Framework

by Sharon Nelson

The National Institute of Standards and Technology (NIST) announced on April 16th that it had released version 1.1 of its popular Framework for Improving Critical Infrastructure Cybersecurity, more widely known as the Cybersecurity Framework.

"Cybersecurity is critical for national and economic security," said Secretary of Commerce Wilbur Ross. "The voluntary NIST Cybersecurity Framework should be every company's first line of defense. Adopting version 1.1 is a must do for all CEOs."

The framework was developed with a focus on industries vital to national and economic security, including energy, banking, communications and the defense industrial base. It has since proven flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, as well as by federal, state and local governments.

Version 1.1 includes updates on:

  • authentication and identity;
  • self-assessing cybersecurity risk;
  • managing cybersecurity within the supply chain; and
  • vulnerability disclosure.

The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs.

"This update refines, clarifies and enhances Version 1.0," said Matt Barrett, program manager for the Cybersecurity Framework. "It is still flexible to meet an individual organization's business or mission needs, and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things."

Later this year, NIST plans to release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which describes key areas of development, alignment and collaboration.

NIST will host a free public webcast explaining Version 1.1 in detail on April 27, 2018, at 1 p.m. Eastern time. Worth signing up for; I am regrettably on the road at the time, but hope to catch up with this shortly.

E-mail: snelson@senseient.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson

18 Apr 12:18

Chrome 66 Released With Security Improvements & New JavaScript APIs

Google has rolled out Chrome 66 to its stable channel for Linux desktop users as well as other supported desktop/mobile operating systems...

16 Apr 20:46

Lessons from cybersecurity exits

by Jonathan Shieber

Mahendra Ramsinghani, Contributor

Mahendra Ramsinghani is the founder of Secure Octane, a Silicon Valley-based cybersecurity seed fund.

To: ceo@cybersecuritystartup.com

Subject: Lessons from cybersecurity exits

Dear F0und3r:

What a month this has been for cybersecurity! One unicorn IPO and two nice acquisitions – Zscaler’s great debut on Wall Street, a $300 million acquisition of Evident.io by Palo Alto Networks and a $350 million acquisition of Phantom Cyber by Splunk – have gotten all of us excited.

Word on the street is that in each of those exits, the founders took home ~30% to 40% of the proceeds. Which is not bad for ~4 to 5 years of work. They can finally afford to buy two-bedroom homes in Silicon Valley.

My math is not that good, but it looks like even some VCs made a decent return. Back-of-the-envelope scribbles indicate that True Ventures scored an estimated ~44X multiple on its seed investment. Others like Bain snagged a ~10X on the A round investment, and Venrock, which led the Series B round, took home ~6X.

We see a similar pattern with Phantom Cyber, which got acquired by Splunk for $350 million. A little bird told me that they had bookings in the range of $10 million. But before we all get too self-congratulatory, let’s ask – why did these companies sell at $300 million to $350 million when everyone in the valley wants to ride a unicorn? Clearly, funds like GV, Bain and Kleiner could have fueled more rounds to make unicorns out of Evident.io and Phantom Cyber.

(Data Source: Pitchbook)

Some of the board members might have peeked at the exit data gathered by the hardworking analysts at Momentum Cyber, a cybersecurity advisory firm. Look at security exit trends from 2010-2017. You might notice that ~68% of security exits were below $100 million. And as much as 85% of exits occur below $300 million.

Agreed that there are very few exceptional security CEOs like Jay Chaudhry, who grew up in a Himalayan village and led Zscaler to an IPO. This was Jay’s fifth startup and he kept over 25.5% of the proceeds, with another 28.3% owned by his trust. TPG Growth owned less than 10%. After all, he himself funded a substantial part of the company (which raised a total of $110 million). But not everyone is as driven or successful, and it’s OK to sell if the exit numbers are meaningful. Remember what that Bard of Avon once said:

For I must tell you friendly in your ear,

Sell when you can; you are not for all markets.

(Shakespeare, As You Like It, Act 3, Scene V)

(68% of security exits occur below $100 million. M & A Data from 2010-2017. Source: Momentum Cyber)

My friend Dino Boukouris, a director at Momentum Cyber, offers some sage advice to all founders who are smitten by unicorns. “Before a founder raises their next round, I would reflect on the market’s ability to purchase companies. The exit data says it all. As you raise more capital, your exit value goes up, timing gets stretched and the number of buyers who can afford you drops.” Dino has a point, you see. As we inflate valuations, your work, my dear CEO, becomes much harder.

If you don’t believe Dino, let’s look at another recent exit, PhishMe, which was acquired by a private equity consortium for $400 million. That’s a nice number, correct? At first look, you’ll notice that the dilution and financial return patterns are similar to those of Phantom. Except that PhishMe took 7 years and consumed $58 million of capital, while Phantom took 3 years and consumed $22.7 million. Timing and capital efficiency matter as much as exit value. It’s not just the exit value, but how long and how much. Back to my man Dino, who will gently remind you that for the 175 M&A transactions in 2017, the median value was $68 million. Read that last sentence again — very slowly. $68 million. Ouch!

(Data Source: Pitchbook)

Two years ago, in Cockroaches versus Unicorns – The Golden Age of Cybersecurity Startups, cybersecurity founders were urged to avoid the unicorn hubris. A lot of bystanders, your ego included, will cheer you as you get higher valuations. But aren’t we all rational human beings, always making data-based decisions?

Marc Andreessen will remind you that his best friend, Jim Barksdale, once said “If we have data, let’s look at data. If all we have are opinions, let’s go with mine.” Since 2012, my VC friends have funded 1242 cybersecurity companies, investing a whopping $17.8bn. But chief information security officers say that they don’t need 1242 security products. One exhausted CISO told me they get fifteen to seventeen cold calls a day. They hide away from LinkedIn, being bombarded relentlessly.

Enrique Salem (former CEO of Symantec) and Noah Carr, both with Bain Capital, are celebrating the successful sale of Evident.io. They pointed out that the founders, Tim Prendergast and Justin Lundy, had lived the public cloud security problem in their previous lives at Adobe. “Such deep domain expertise allowed them to gain credibility in the market. It’s not easy to earn the trust of their customers. But given their strong engineering team, they were able to build an ‘easy to deploy’ solution that could scale to customers with 1000s of AWS / Azure accounts. Customers were more willing to be reference-able, given this aligned relationship.”

(Source: Momentum Cyber)

You, my dear CEO, should take a page from that playbook. Because Jake Flomenberg, Partner at Accel Partners, says, “CISOs are suffering from indigestion. They are looking to rationalize toolsets and add very selectively. New layer X for new threat vector Y is an increasingly tough sell.” According to Cack Wilhelm, Partner at Accomplice, “Security analysts have alert fatigue, and CISOs have vendor fatigue.” You are one of those possibly, wouldn’t you agree?

Besides indigestion and fatigue, the CISO role has become demanding. William Lin, Principal at Trident Capital Cyber, a $300m fund, pointed out that “the role of CISO has bifurcated into managing risk akin to an auditor and at the same time, managing complex engineering and technology environments.” So naturally, they are managing their time more cautiously and not looking forward to meeting one more startup.

Erik Bloch, Director of Security Products at Salesforce, says that while he keeps an open mind and is willing to look at innovative startups, it takes him weeks to arrange calls with the right people, and months to scope a POC. And let’s not forget the mountain of paperwork and legal agreements. “It’s great to say you have a Fortune 100 as an early customer, but just be warned that it’ll be a long, hard road to get there, so plan appropriately,” he pointed out.

So, my dear founder, as the road gets harder, funding slows down. Look at 2017 — despite all those big hacks, Series A funding dropped by 25% in 2017. Clearly, many of our seed-funded companies are not delivering those Fortune 100 POC milestones. And are unable to raise a Series A. Weep, if we must, but let us remind ourselves that our point solutions are not that impressive to the CISOs.

All the founders I know are trying to raise a formulaic $8m Series A on $40m pre. But not every startup that wants 8 on 40 deserves it. Revenues and growth rate, those quaint metrics, matter more than ever. And some investors look for the quality of your customers. Aaron Jacobson of NEA, a multi-billion dollar venture fund, says, “A key value driver is a thought-leader CISO as a customer. This is often a good indicator of value creation.”

When markets get crowded and all startups sound the same, investors seek quality, or move to later stages. They like to see well-proven companies that have solved a lot of basic problems. And eliminated riskier stumbling blocks. Like product-market fit, pricing and go-to-market issues. Naturally, the later-stage valuations are rising faster. Money is chasing quality, growth and returns.

Median Post-Money Valuation by stage for cybersecurity companies (Source: Pitchbook)

The security IPOs offer a sobering view. This is a long journey, not for the faint of heart. Okta moved fast, consumed ~4X more capital as compared to SailPoint and delivered great returns.

Innovating with go-to-market strategies

In the near term, the big challenge for you, dear security founder, is selling in an overcrowded market. If I were you, I’d remember that innovation should not be restricted to merely technology, but can extend into sales and marketing. We lack creativity when it comes to marketing – ask Kelly Shortridge of SecurityScorecard. She should get some kind of BlackHat award for developing this godforsaken Infosec Startup Bingo. If you find any startup vendor that uses all these words, and wins this bingo, please DM me; I will promptly shave my head in shame. We got here because we do not possess simple marketing muscles. We copy each other while our customers roll their eyes when we pitch them.

Sid Trivedi of Omidyar Technology Ventures wants to work with developer-focused startups. He says, “Look at companies like Auth0. The sales efficiency on developer-focused platforms is tremendous. You can go to a CISO, CIO or CTO and point out that X number of developers are paying to use my technology. Here are their names, why don’t you talk to them? And then, let’s discuss an enterprise license for the full company? That approach works like magic. The overwhelming majority of the software IPOs like Twilio, MuleSoft, SendGrid are developer platforms.”

If you go top-down in a hurry, you can crash and burn. I am aware of an impatient security vendor who used executive-level pressure at a Fortune 50 company. They kicked their way into the POC. And got kicked out by the infosec team. The furious infosec team destroyed the vendor in a technical assessment. I was told that the product was functional but the vendor’s impatience and political gymnastics killed the deal. Let us not forget a simple truth: many times CISOs turn to their subordinates for advice and decision-making, so don’t just sell to the top, and don’t ignore the rest of the people in the room.

With more noise, the buyers freeze. Margins shrink. Revenues and growth slow down. Which means it’s harder to get to your milestones before your next round. Running out of cash is not fun. Nor is a down round, layoffs and such. So while this is easier said than done, please raise less and do more. And maybe, just maybe, you can keep 40% of a $350 million exit.

If you have questions or existential dilemmas, you can always find me, chatting with a friendly VC in South Park. Or I’m always around in the trusted, secure world of Signal.

Stay safe at that annual security stampede called RSA.

Kindly,

Mahendra

PS: Let’s not forget to express our gratitude to those analysts at Momentum Cyber and Pitchbook for painstakingly tracking every investment, analyzing and presenting meaningful data. They help us look at the forest, and make our journey easier. Send them a thank-you tweet, some wine, chocolates, flowers or home-baked cookies.

16 Apr 01:32

Available for download - PowerCLI 10 Poster

by Eric Sloof

13 Apr 17:34

In Penetration Tests, 27% of Employees Fall for Phishing E-mails

by Sharon Nelson

TechRepublic reported on April 9th that, according to a 2018 report by security firm Positive Technologies, phishing was the most effective form of social engineering attack. 27% of recipients clicked a phishing link, which led to a fake website.

The firm studied its 10 largest penetration testing projects performed for clients in 2016 and 2017. These tests included 3,332 emails sent to employees with links to websites, password entry forms, and attachments, mimicking the work of hackers.

"To make the emails more effective, attackers may combine different methods: a single message may contain a malicious file and a link, which leads to a website containing multiple exploits and a password entry form," Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said in a press release. "Malicious attachments can be blocked by properly configured antivirus protection; however, there is no surefire way to prevent users from being tricked into divulging their password."

At times, employees complained that the malicious files or links would not open. In some cases, these employees tried to open the files or enter their password on the fake site 30-40 times, according to the report. This cracked me up. Some employees won't apply the same determination to their work that they will to getting a fake site to open up and compromise their employer.

Sometimes, they were so frustrated that they were unable to open the files that they forwarded them to the IT department for help—further increasing the risk to the organization, as IT staff are more likely to trust their colleagues and attempt to open the file. Well, the report may say that, but my own experience is that IT folks are far more likely to recognize phishing e-mails, especially when forwarded from employees. IT has been around the block with problematic employees more than a few times!

Hackers have also learned that sending messages from fake companies is less effective than in the past, causing only 11% of risky actions from employees, the report found. However, sending messages from the fake account of a real company and person increases the odds of success to 33%. That makes perfect sense of course – and that does parallel what we see.

But here's what I found to be the most comical part of the report. Attackers carefully select email subject lines to elicit a response from employees, including "list of employees to be fired" (which caused 38% of risky actions), and "annual bonuses" (which caused 25%). Yup, curiosity killed the cat, as did greed (did I get a bonus?).

Running phishing attack simulations is an excellent idea for law firms – and any other kind of entity. You'd be amazed at the extent to which you can reduce your risk for phishing if you adequately train employees.
