
Timesdelhi.com

June 16, 2019

Category archive: spokesperson

Thousands of vulnerable TP-Link routers at risk of remote hijack


Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took over a year for the company to publish the patches on its website.

The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password to work, which many don’t change.

In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a similar mechanism to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass”.

Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.

TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for WR740N wasn’t available on the website.

When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.

Top countries with vulnerable WR740N routers. (Image: Shodan)

Routers have long been notorious for security problems. Sitting at the heart of any network, a flaw affecting a router can have disastrous effects on every connected device. By gaining complete control over the router, Mabbitt said, an attacker could wreak havoc on a network. Modifying the router’s settings affects everyone connected to that network; altering the DNS settings, for example, could trick users into visiting a fake page that steals their login credentials.

TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are anywhere between 129,000 and 149,000 devices on the internet — though the number of vulnerable devices is likely far lower.

Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.

Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.


Indonesia restricts WhatsApp, Facebook and Instagram usage following deadly riots


Indonesia is the latest nation to crack down on social media after the government restricted the use of WhatsApp and Instagram following deadly riots yesterday.

Numerous Indonesia-based users are today reporting difficulties sending multimedia messages via WhatsApp, which is one of the country’s most popular chat apps, and posting content to Facebook, while the hashtag #instagramdown is trending among the country’s Twitter users due to problems accessing the Facebook-owned photo app.

Wiranto, a coordinating minister for political, legal and security affairs, confirmed in a press conference that the government is limiting access to social media and “deactivating certain features” to maintain calm, according to a report from Coconuts.

Rudiantara, the communications minister of Indonesia and a critic of Facebook, explained that users “will experience lag on Whatsapp if you upload videos and photos.”

Facebook — which operates both WhatsApp and Instagram — didn’t explicitly confirm the blockages, but it did say it has been in communication with the Indonesian government.

“We are aware of the ongoing security situation in Jakarta and have been responsive to the Government of Indonesia. We are committed to maintaining all of our services for people who rely on them to communicate with their loved ones and access vital information,” a spokesperson told TechCrunch.

A number of Indonesia-based WhatsApp users confirmed to TechCrunch that they are unable to send photos, videos and voice messages through the service. Those restrictions are lifted when using Wi-Fi or mobile data services through a VPN, the people confirmed.

The restrictions come as Indonesia grapples with political tension following the release of the results of its presidential election on Tuesday. Defeated candidate Prabowo Subianto said he will challenge the result in the constitutional court.

Riots broke out in the capital, Jakarta, last night, killing at least six people and leaving more than 200 people injured. Following this, it is alleged that misleading information and hoaxes about the nature of the riots and the people who participated in them began to spread on social media services, according to local media reports.

Protesters hurl rocks during clash with police in Jakarta on May 22, 2019. – Indonesian police said on May 22 they were probing reports that at least one demonstrator was killed in clashes that broke out in the capital Jakarta overnight after a rally opposed to President Joko Widodo’s re-election. (Photo by ADEK BERRY / AFP)

For Facebook, seeing its services forcefully cut off in a region is no longer a rare incident. The company, which is grappling with the spread of false information in many markets, faced a similar restriction in Sri Lanka in April, when the service was completely banned for days amid terrorist strikes in the nation. India, which just this week concluded its general election, has expressed concerns over Facebook’s inability to contain the spread of false information on WhatsApp, which is its largest chat app with over 200 million monthly users.

Indonesia’s Rudiantara expressed a similar concern earlier this month.

“Facebook can tell you, ‘We are in compliance with the government’. I can tell you how much content we requested to be taken down and how much of it they took down. Facebook is the worst,” he told a House of Representatives Commission last week, according to the Jakarta Post.

Update 05/22 02:30 PDT: The original version of this post has been updated to reflect that usage of Facebook in Indonesia has also been impacted.

Samsung spilled SmartThings app source code and secret keys


A development lab used by Samsung engineers was leaking highly sensitive source code, credentials and secret keys for several internal projects — including its SmartThings platform, a security researcher found.

The electronics giant left dozens of internal coding projects on a GitLab instance hosted on a Samsung-owned domain, Vandev Lab. The instance, used by staff to share and contribute code to various Samsung apps, services and projects, was spilling data because the projects were set to “public” and not properly protected with a password, allowing anyone to look inside each project and access and download the source code.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk who discovered the exposed files, said one project contained credentials that allowed access to the entire AWS account that was being used, including over a hundred S3 storage buckets that contained logs and analytics data.

Many of the folders, he said, contained logs and analytics data for Samsung’s SmartThings and Bixby services, but also several employees’ exposed private GitLab tokens stored in plaintext, which allowed him to gain additional access from 42 public projects to 135 projects, including many private projects.

Samsung told him some of the files were for testing, but Hussein challenged the claim, saying source code found in the GitLab repository contained the same code as the Android app published in Google Play on April 10.

The app, which has since been updated, has more than 100 million installs to date.

“I had the private token of a user who had full access to all 135 projects on that GitLab,” he said, which could have allowed him to make code changes using a staffer’s own account.

Hussein shared several screenshots and a video of his findings for TechCrunch to examine and verify.

The exposed GitLab instance also contained private certificates for Samsung’s SmartThings’ iOS and Android apps.

Hussein also found several internal documents and slideshows among the exposed files.

“The real threat lies in the possibility of someone acquiring this level of access to the application source code, and injecting it with malicious code without the company knowing,” he said.

Through exposed private keys and tokens, Hussein documented a vast amount of access that if obtained by a malicious actor could have been “disastrous,” he said.

A screenshot of the exposed AWS credentials, allowing access to buckets with GitLab private tokens. (Image: supplied).

Hussein, a white-hat hacker and data breach discoverer, reported the findings to Samsung on April 10. In the days following, Samsung began revoking the AWS credentials but it’s not known if the remaining secret keys and certificates were revoked.

Samsung still hasn’t closed the case on Hussein’s vulnerability report, close to a month after he first disclosed the issue.

“Recently, an individual security researcher reported a vulnerability through our security rewards program regarding one of our testing platforms,” Samsung spokesperson Zach Dugan told TechCrunch when reached prior to publication. “We quickly revoked all keys and certificates for the reported testing platform and while we have yet to find evidence that any external access occurred, we are currently investigating this further.”

Hussein said Samsung took until April 30 to revoke the GitLab private keys. Samsung also declined to answer specific questions we had and provided no evidence that the Samsung-owned development environment was for testing.

Hussein is no stranger to reporting security vulnerabilities. He recently disclosed a vulnerable back-end database at Blind, an anonymous social networking site popular among Silicon Valley employees — and found a server leaking a rolling list of user passwords for scientific journal giant Elsevier.

Samsung’s data leak, he said, was his biggest find to date.

“I haven’t seen a company this big handle their infrastructure using weird practices like that,” he said.


Startups Weekly: All these startups are raising big rounds


TechCrunch’s Connie Loizos published some interesting stats on seed and Series A financings this week, courtesy of data collected by Wing Venture Capital. In short, seed is the new Series A and Series A is the new Series B. Sure, we’ve been saying that for a while, but Wing has some clean data to back up those claims.

Years ago, a Series A round was roughly $5 million and a startup at that stage wasn’t expected to be generating revenue just yet, something typically expected upon raising a Series B. Now, those rounds have swelled to $15 million, according to deal data from the top 21 VC firms. And VCs are expecting the startups to be making money off their customers.

“Again, for the old gangsters of the industry, that’s a big shift from 2010, when just 15 percent of seed-stage companies that raised Series A rounds were already making some money,” Connie writes.

As for seed, in 2018, the average startup raised a total of $5.6 million prior to raising a Series A, up from $1.3 million in 2010.

Now on to IPO updates, then a closer look at all the companies raising big rounds. Want more TechCrunch newsletters? Sign up here. Contact me at kate.clark@techcrunch.com or @KateClarkTweets.

IPO corner

Slack: The workplace communication software provider dropped its S-1 on Friday ahead of a direct listing. That’s when companies sell existing shares directly to the market, allowing them to skip the roadshow and minimize the astronomical fees typically associated with an initial public offering. Here’s the TLDR on financials: Slack reported revenues of $400.6 million in the fiscal year ending January 31, 2019, on losses of $138.9 million. That’s compared to a loss of $140.1 million on revenue of $220.5 million for the year before. Slack’s losses are shrinking (slowly), while its revenues expand (quickly). It’s not profitable yet, but is that surprising?

Uber: The ride-hail giant is fast approaching its IPO, expected as soon as next week. On Friday, the company established an IPO price range of $44 to $50 per share to raise between $7.9 billion and $9 billion at a valuation of approximately $84 billion, significantly lower than the $100 billion previously reported estimations. The most likely outcome is Uber will price above range and all the latest estimates will be way off course. Best to sit back and see how Uber plays it. Oh, and PayPal said it would make a $500 million investment in the company in a private placement, as part of an extension of the partnership between the two.

There are a lot of fascinating companies raising colossal rounds, so I thought I’d dive a bit deeper than I normally do. Bear with me.

Carbon: The poster child for 3D printing has authorized the sale of $300 million in Series E shares, according to a Delaware stock filing uncovered by PitchBook. If Carbon raises the full amount, it could reach a valuation of $2.5 billion. Using its proprietary Digital Light Synthesis technology, the business has brought 3D-printing technology to manufacturing, building high-tech sports equipment, a line of custom sneakers for Adidas and more. It was valued at $1.7 billion by venture capitalists with a $200 million Series D in 2018.

Canoo: The electric vehicle startup formerly known as Evelozcity is on the hunt for $200 million in new capital. Backed by a clutch of private individuals and family offices from China, Germany and Taiwan, the company is hoping to line up the new capital from some more recognizable names as it finalizes supply deals with vendors, according to reporting from TechCrunch’s Jonathan Shieber. The company intends to make its vehicles available through a subscription-based model and currently has 400 employees. Canoo was founded in 2017 after Stefan Krause, a former executive at BMW and Deutsche Bank, and another former BMW executive, Ulrich Kranz, exited Faraday Future amid that company’s struggles.

Starry: The Boston-based wireless broadband internet startup has authorized the sale of Series D shares worth up to $125 million, according to a Delaware stock filing. If Starry closes the full authorized raise it will hold a post-money valuation of $870 million. A spokesperson for the company confirmed it had already raised new capital, but disputed the numbers. The company has already raised more than $160 million from investors, including FirstMark Capital and IAC. The company most recently closed a $100 million Series C this past July.

Selina & Sonder: The Airbnb competitor Sonder is in the process of closing a financing worth roughly $200 million at a $1 billion valuation, reports The Wall Street Journal. Investors including Greylock Partners, Spark Capital and Structure Capital are likely to participate. Sonder is four years old but didn’t emerge from stealth until 2018. The startup, which turns homes into hotels, quickly attracted more than $100 million in venture funding. Meanwhile, another hospitality business called Selina has raised $100 million at an $850 million valuation. The company, backed by Access Industries, Grupo Wiese and Colony Latam Partners, builds living/co-working/activity spaces across the world for digital nomads.

Fresh funds: Mary Meeker has made history with the close of her new fund, Bond Capital, the largest VC fund founded and led by a female investor to date. Bond has $1.25 billion in committed capital. If you remember, Meeker ditched Kleiner Perkins last fall and brought the firm’s entire growth team with her. Kleiner said it was a peaceful split that would allow the firm to focus more on its early-stage efforts, leaving the growth investing to Bond. Fortune, however, reported this week that a power struggle of sorts between Meeker and Mamoon Hamid, who joined recently to reenergize the early-stage side of things, was a larger cause of her exit.

Plus, SOSV, a multi-stage venture firm that was founded as the personal investment vehicle of entrepreneur Sean O’Sullivan after his company went public in 1994, has raised $218 million for its third fund. The vehicle has a $250 million target that SOSV expects to meet. Already, the fund is substantially larger than the firm’s previous vehicle, which closed with $150 million.

A grocery delivery startup crumbles: Honestbee, the online grocery delivery service in Asia, is nearly out of money and trying to offload its business. Despite looking impressive from the outside, the company is currently in crisis mode due to a cash crunch — there’s a lot happening right now. TechCrunch’s Jon Russell dives in deep here.

Extra Crunch: “When it comes to working with journalists, so many people are, frankly, idiots. I have seen reporters yank stories because founders are assholes, play unfairly, or have PR firms that use ridiculous pressure tactics when they have already committed to a story.” Sign up for Extra Crunch for a full list of PR don’ts. Here are some other EC pieces to hit the wire this week:

Equity: If you enjoy this newsletter, be sure to check out TechCrunch’s venture-focused podcast, Equity. In this week’s episode, available here, Crunchbase News editor-in-chief Alex Wilhelm and I chat about Kleiner Perkins, Chinese IPOs and Slack & Uber’s upcoming exits.

Binance’s hotly-anticipated Singapore crypto exchange is now live — and underwhelming


Binance, the company widely seen as the world’s largest crypto exchange, has officially set up shop in Singapore after it launched a service in the country.

The new Singapore service, however, bears more of a resemblance to U.S. rival Coinbase than to a classic Binance exchange. Binance’s rapid ascent is thanks to a service that lets users trade a range of crypto tokens with very little verification or individual data required. Its Singapore venture is quite the opposite: it allows customers to purchase Bitcoin only, and at fixed prices. Initially, it appeared that purchased Bitcoin could not be moved out of the exchange, but that issue seems to be fixed now.

We checked in with Binance for more details, but the company is yet to respond. [Update: Binance’s response is further down — tl;dr it said that the Singapore exchange is a work in progress.]

Binance’s Singapore launch follows an investment from Vertex, a VC firm backed by Singapore’s sovereign fund Temasek, in October. Binance has been testing a ‘beta’ version of its service in the country since late 2018 in communication with Singaporean regulator MAS.

The company has prioritized creating fiat ramps — exchanges that allow customers to buy into crypto using currency — over the past six months as it seeks to gain increased legitimacy and play within regulated jurisdictions. CEO Changpeng Zhao has also stressed the importance of going beyond retail customers to reach institutional money and enable it to enter crypto. As a global financial hub, Singapore is its biggest effort on fiat to date.

The Singapore venture is Binance’s third fiat effort following exchanges in Uganda and Jersey — a joint venture in Liechtenstein is yet to launch — although it remains to be seen just how useful the Singapore offering will be in its current form.

Binance users have long been accustomed to a choice of a vast array of crypto assets on sale, but the Binance Singapore exchange falls short on that count, despite considerable expectation for its launch.

Interestingly, information on the website indicates that the new Binance venture appears to be a partnership with Xfers, a crypto startup in Southeast Asia that helped Coinbase set up its service in Singapore. Coinbase ended the partnership and quit the country last year claiming that Xfers was “not suitable in its current form to handle the growth” it had seen. Let’s see how Binance gets on.

The new Binance Singapore exchange is limited to Bitcoin only

In response to the launch, a Binance spokesperson provided the following comment:

Binance Singapore has full deposit/withdrawal functionality. Any functionality issues may be user-specific and are best addressed by customer service.

The issue Coinbase had with Xfers last year was prior to Xfers obtaining their WASVF license, which they acquired recently. We support our partnership with Xfers and will work together to build a key fiat gateway that will grow the industry.

BTC/SGD is the initial pair Binance Singapore is offering with the soft launch. There may be more pairs added as regulations allow.

Meanwhile, the company made another significant announcement after it officially launched its decentralized exchange, also known as Dex — its other major priority besides fiat.

There are no initial fireworks here — the Dex doesn’t yet include trading pairs or native tokens — but the launch means that blockchain companies are now able to migrate from Ethereum, EOS or other blockchains and begin to issue tokens on Binance Chain. A Binance spokesperson confirmed that the first of those migrations is expected to happen this week. The first is Binance’s own BNB token, which is moving from ERC20 to BEP2.

The Dex has been in testing since February, during which the company said that some 8.5 million transactions have been made. The real test will be when projects begin moving over and whether traders begin to utilize the platform in large volumes going forward. Binance has always claimed that its Dex will operate as an alternative to its existing centralized exchanges, rather than as a replacement.

Binance draws revenue from over-the-counter (OTC) trading, trading fees on its platform and via BNB. Eventually, the Dex could augment that monetization as Binance will gain a share of network fees when its nodes are used in transactions on the Dex. Likewise, increased usage of the Dex and Binance Chain could raise the value of BNB — which has been on an incredible run this year, outpacing Bitcoin itself.

The value of Binance’s BNB token has quadrupled since the start of 2019, as data from Coinmarketcap.com shows

Valued at $6.02 on January 1, BNB broke $25 last week. Today, the price is $24.20, according to data from Coinmarketcap.com, and it remains to be seen how these two developments will impact it.

Note: The original version of this article has been updated to reflect that purchased Bitcoin can now be moved out of the Binance Singapore exchange.

The author owns a small amount of cryptocurrency. Enough to gain an understanding, not enough to change a life.
