::: Shailendra Nair :::

Cyberattacks hitting one company after another — including defense contractor QinetiQ — have garnered plenty of headlines in recent months. And while that’s got to cause headaches for victims, it might not be such a bad thing, because it makes governments and other businesses notice. It turns out that venture capitalists have taken note, too, and have been putting more of their dollars behind security startups in hopes that those companies go big.

The numbers bear out the trend. In the first quarter of 2013, VCs dumped nearly $353 million into IT security deals, up 90 percent over that quarter the previous year, according to MoneyTree Report data provided to GigaOM by the National Venture Capital Association. If you divide the total funding by the number of deals, the average amount was more than $16 million, up 125 percent over the $7.1 million amount in the first quarter of 2012.Security startups that have taken on VC funding rounds this year include Cylance, TraceVector and vArmour Networks, among others.

The intersection of big data and security has been a hot space, as companies move to collect lots of information and analyze it all as fast as possible, just as companies want to derive insights on increasing and more complex data sets that can lead to overhead reductions and new revenue streams. For example, in October, EMC said it would buy Silver Tail Systems, which tracks web and mobile-app traffic and points to unusual behavior and violations that customers can set. To separate the wheat from the chaff of vulnerabilities that multiple security systems might discover and to use security staffers efficiently, Risk I/O prioritizes issues. Last year it got $5.25 million.

Are the cyberattacks nudging VCs to shell out millions? Shirish Sathaye, a general partner at Khosla Ventures, which has invested in Cylance and TraceVector along with Lookout and DB Networks, thinks the cyberattack news onslaught is making a difference.

“The first reason is, yes, every time you open a newspaper, you read about somebody being attacked,” he said, whether against consumers or companies. The likelihood and complexity of attacks only become greater as more people get online, often with multiple devices.

The multiplicity of devices accessing a network — a trend in its own right — could pose security challenges on its own, and Tenable Network Security picked up $50 million last year following the addition of features that look for vulnerabilities popping up as mobile devices and provide information on devices such as whether they are jailbroken. Last month Ionic Security, which keeps data encrypted as it moves to devices, said it had raised $9.4 million in new funding.

Another reason for the security funding boom, Sathaye said, is the success of network security player Palo Alto Networks. Prior to its public offering last year, threats might well have helped its appeal.

From Sathaye’s point of view, it’s critical to nurture the ecosystem of options for strengthening network and endpoint security. “As bad guys keep innovating, good guys have to innovate at least as fast as them, if not faster,” he said. With more money going toward IT-security startups, it does seem that plenty of other VCs think there’s an opportunity here.

As published on http://gigaom.com/2013/05/03/funding-soars-for-security-startups-as-cyberattacks-keep-coming/

Here’s a funny detail from James Temple at the San Francisco Chronicle.

As Samsung has grown in popularity with consumers around the world, it’s also growing in popularity with muggers.

Temple talked to Capt. Joe Garrity of San Francisco’s Tenderloin Station.

Garrity says that half of the robberies reported are electronics. And half of those robberies are iPhones.

However, Temple reports, “Samsung phones earned their own category this month, after officers noted a sharp rise this year in swipes of phones like the company’s Galaxy line.”

The reason Samsung is on the rise is that more people are walking around with them.

“It’s whatever is popular,” Garrity said. “The opportunists are grabbing what they can.”

As published on http://www.businessinsider.com/muggers-are-going-after-samsung-phones-2013-5

Reputation.com, a service that helps people and companies manage negative search results, has suffered a security breach that has exposed user names, e-mail and physical addresses, and in some cases, password data.

In an e-mail sent to users on Tuesday, officials with the Redwood City, California-based company said the passwords were “highly encrypted (‘salted’ and ‘hashed’),” a highly vague description that can mean different things to different people. “Although it was highly unlikely that these passwords could ever be decrypted, we immediately changed the password of every user to prevent any possible unauthorized account access,” the e-mail added unconvincingly.

It’s unfortunate that companies make such assurances, because they may give users a false sense of security. As Ars has been reporting for nine months, gains in cracking techniques means the average password has never been weaker, allowing attackers to decipher even long passwords with numbers, letters, and symbols in them. Even Ars’ own Nate Anderson—a self-described newbie to password cracking—was able to crack more than 45 percent of a 17,000-hash list using software and dictionaries he downloaded online.

Jeremi Gosney, a password cracking expert with Stricture Consulting Group recently explained in an Ars forum post that it’s highly unusual for a leaked password list to go uncracked, as suggested by the Reputation.com e-mail.

“It definitely depends on the specific leak we’re talking about, but generally speaking, your average security expert/penetration tester/casual password cracker is probably only going to be able to recover at most 50-60% of passwords in any given leak,” he wrote. “Seasoned password crackers will likely recover 70-75%; and truly exceptional password crackers will recover 80% or more.”

Adding cryptographic salt to passwords is crucial to the safe storage of passwords because it forces password cracking programs to guess the plaintext for each individual hash, rather than guessing passwords for thousands or millions of hashes all at once. (Yes, it also thwarts rainbow-table attacks, but no one uses this method anymore.) But it’s easy to overstate the benefits of salting. It in no way slows down the cracking of a single hash, so if an attacker locates the hash belonging to a particular high-value Reputation.com user, the measure does nothing to thwart the cracking of that hash. The security value of salting alone only slows down cracking of large lists by a multiple of the number of unique salts, so that value decreases with each hash that is decoded.

A far more meaningful security measure is the type of algorithm that’s used to convert plaintext passwords into cryptographic hashes. If the company used SHA1, SHA3, MD5, or any number of other “fast” hashes, it’s extremely likely that at least some of the leaked password data has already been cracked. If, on the other hand, the company used bcrypt, scrypt, PBKDF2 or another “slow” algorithm specifically designed to hash passwords, the chances are significantly lower. Reputation.com makes no mention of the algorithm it used, so users should presume the worst. Anyone who used their Reputation.com password to protect one or more accounts on other sites should change those passcodes immediately. Passwords should be randomly generated by a password-manager, contain a minimum length of 11 characters, and include numbers, letters, and symbols. They should also be unique to each site.

Article as published on http://arstechnica.com/security/2013/05/why-you-should-take-hacked-sites-password-assurances-with-a-grain-of-salt/