#cybersecurity | #hackerspace | NEW TECH: CyCognito employs offensive bot network to put companies a step ahead of attackers
When it comes to defending their networks, most companies have had it drilled into them, by now, that it’s essential to erect layered defenses.
For small- and mid-sized businesses, firewalls, antivirus suites and access management systems represent the table stakes for participating in today’s digital economy. Security-mature SMBs go a step further and embrace incident response and disaster recovery planning as well.
Meanwhile, large enterprises pour tens of billions of dollars annually into next-gen firewalls, EDR, DLP and IDS technologies, each system generating a fire-hose of threat feeds, with all of this threat intel flooding, hour-by-hour, into SIEMs, UEBAs and other analytics platforms.
And yet, after a couple of decades of piling up layer upon layer of defenses, catastrophic breaches persist — they’re occurring as often as ever, and causing more harm than ever. Threat actors simply seek out the endless fresh attack vectors arising as an unintended consequence of digital transformation. In short, layered defenses have turned out to be cheesecloth.
Acknowledging this, a few cybersecurity innovators are taking a different tack. Instead of offering up more layers of defense, they’ve slipped on the shoes of the attackers and taken an offensive approach to defending IT assets. One of the most single-minded of these security vendors is startup CyCognito.
The company was launched in Tel Aviv in 2017 by a couple of former Israeli military cyber ops attack specialists, Rob Gurzeev and Dima Potekhin. Gurzeev and Potekhin set out to mirror the perspective of threat actors — and then help companies tactically leverage this attackers’ view to shore up their porous networks.
“The attackers need only to find a single blind spot to gain entry – it’s like singling out the weakest zebra in the herd,” says Gurzeev, CyCognito’s CEO. “Defenders, meanwhile, have to guard everything all of the time, and most organizations have many more Internet pathways than they even know about, much less are taking steps to defend.”
CyCognito’s employment of a bot network is what struck me most after I sat down with the team and learned in more detail what they’re up to. They’re not just borrowing a few pages from the attackers’ handbook; they’re actually utilizing the bad guys’ core tool, botnets. They’ve set out to boldly redirect botnet power toward helping, instead of exploiting, the good guys.
I first wrote about criminal botnets at USA TODAY in 2004. Botnets at the time were just emerging; they’ve since become entrenched as the engine that drives much of cybercrime. A bot is a computing node that strictly obeys instructions from a command-and-control server. A criminal botnet is a network of bots under the control of an individual attacker.
Botnets are the nimble infrastructure that enables criminals to blast out massive ransomware and denial-of-service attacks and also to execute intricate advanced persistent threat (APT) hacks that play out over months and go very deep. Bots traditionally have arisen from compromised, or “pwned,” computing devices. Today bots are more often spun up as virtual instances of computing devices. Bad actors are spinning up these virtual bots by the million, utilizing computing resources sold, no questions asked, by the major cloud service providers, Amazon Web Services, Microsoft Azure and Google Cloud.
By contrast, CyCognito’s 60,000-node bot network is made up of computing instances distributed globally with the express intent of helping enterprises protect themselves. Bots do what they’re told. CyCognito’s bot network actively crawls the Internet, identifying and mapping all exposed IP assets and fingerprinting each one. This is essentially identical to the ground-level crawling and probing reconnaissance that criminal botnets perform every day.
Upon finding an exposed IT asset, say a web server or a gateway router, CyCognito can pinpoint the IP address, confirm what type of asset it is and check whether the asset has any open ports; it can even ferret out snippets of code or text, such as a copyright notice, that indicate more granularly what specific functions the asset performs, who the asset belongs to and what other assets it communicates with.
CyCognito’s bots feed this ground-level intelligence back to an analytics platform, which makes correlations and may ask for more information. This results in an assessment of the business context surrounding each asset. “We’re building a live picture of what’s out there, not specifically looking for problems, at that stage,” explains Raphael Reich, CyCognito’s vice president of product marketing. “We’re collecting information to build associations between assets that other solutions miss: assets in the cloud, in subsidiaries, in third-party networks.”
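The fingerprinting and correlation steps described above, reduced to a small working sketch. This is an added example, not CyCognito’s code: every host, HTTP response and copyright string is a constructed sample, and the owner-attribution rule (first word of the copyright holder, matched against the second-level label of outbound links and redirects) is a deliberately crude stand-in for whatever the platform actually does.

```python
"""Fingerprint exposed web assets and link them to an owner.

Added example, not CyCognito's code.  Every host and response below is a
constructed sample; the attribution rules are deliberately crude."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed samples: (host, raw HTTP response as a crawler would receive it).
SAMPLES = [
    ("203.0.113.10",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"
     "<html><head><title>Example Corp - Customer Portal</title></head><body>"
     '<a href="https://api.example.com/v1">API</a>'
     "<p>&copy; 2019 Example Corp. All rights reserved.</p></body></html>"),
    ("203.0.113.22",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.4.29 (Ubuntu)\r\n\r\n"
     "<html><head><title>Legacy Intranet</title></head><body>"
     "<p>Copyright 2016 Example Corp Subsidiary GmbH</p>"
     '<a href="http://files.example-sub.de/">files</a></body></html>'),
    ("198.51.100.7",
     "HTTP/1.1 302 Found\r\nLocation: https://login.othercorp.net/\r\n\r\n"),
    ("198.51.100.40",
     "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n\r\n"
     "<html><head><title>OtherCorp</title></head><body>"
     "<p>&copy; 2020 OtherCorp Inc.</p></body></html>"),
]

COPYRIGHT_RE = re.compile(r"(?:&copy;|©|copyright)\s*(?:\d{4}\s*)?([^<.,]+)", re.I)
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)
HREF_RE = re.compile(r'href="(https?://[^"/]+)', re.I)
CORP_SUFFIXES = {"inc", "llc", "ltd", "gmbh", "corp", "corporation", "co", "plc"}


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(host, raw):
    """Extract the fields a crawler would keep about one exposed asset."""
    status, headers, body = parse_response(raw)
    title = TITLE_RE.search(body)
    holder = COPYRIGHT_RE.search(body)
    links = set(HREF_RE.findall(body))
    if "location" in headers:          # a redirect is a link to another asset
        links.add(headers["location"])
    return {
        "host": host,
        "status": status,
        "server": headers.get("server"),
        "title": title.group(1).strip() if title else None,
        "copyright_holder": holder.group(1).strip() if holder else None,
        "linked_domains": sorted(urlparse(u).hostname for u in links),
    }


def owner_key(holder):
    """Crude normalisation of a copyright holder: first token that is not a
    corporate suffix, lower-cased ('Example Corp Subsidiary GmbH' -> 'example')."""
    tokens = [t.lower().strip(".,") for t in holder.split()]
    tokens = [t for t in tokens if t not in CORP_SUFFIXES]
    return tokens[0] if tokens else None


def domain_key(hostname):
    """Second-level label of a hostname ('login.othercorp.net' -> 'othercorp')."""
    labels = hostname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fingerprint_all(samples=SAMPLES):
    return [fingerprint(host, raw) for host, raw in samples]


def correlate(fingerprints):
    """Attribute hosts to owners: first from copyright text, then by following
    links and redirects from still-unattributed hosts to a known owner's domain."""
    owners = defaultdict(set)
    for fp in fingerprints:
        if fp["copyright_holder"]:
            owners[owner_key(fp["copyright_holder"])].add(fp["host"])
    for fp in fingerprints:
        if fp["copyright_holder"]:
            continue
        for dom in fp["linked_domains"]:
            if domain_key(dom) in owners:
                owners[domain_key(dom)].add(fp["host"])
    return {k: sorted(v) for k, v in owners.items()}


if __name__ == "__main__":
    fps = fingerprint_all()
    for fp in fps:
        print(fp)
    print(correlate(fps))
```

Run as-is, the sketch attributes the two Example Corp hosts (including the subsidiary) to one owner and pulls the bare redirect host at 198.51.100.7 into OtherCorp’s asset list purely because it redirects to an OtherCorp domain. That second step is the one the paragraph describes as “building associations between assets that other solutions miss”: the redirect host carries no identifying text of its own.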
Another thing about bots, they do what they’re told — for as long as they’re told to do it. Over the past couple of years, CyCognito’s botnet has surveilled and fingerprinted some 3.5 billion Internet-exposed IT assets, resulting in rich data sets that are fed into the company’s analytics. CyCognito has been able to map details of specific assets to thousands of organizations in much the way a criminal ring would do, which allows it to understand attackers’ easiest pathways i
Last November, the company released findings from an analysis it conducted to identify what it calls “shadow risk” – exposures that, for whatever reasons, enterprise IT and security teams are often blind to. Shadow risk creates attack vectors that are externally exposed to anyone with the skill and desire to go find them. The data reveals that a stunning percentage of organizations have a significant number of security blind spots, most often stemming from third-party and cloud interconnectivity. For instance, CyCognito’s research found:
• Organizations are unaware of as much as 75% of their attack surface.
• Some 82% of these hidden assets impact the organization’s cybersecurity posture and are managed by their cloud providers, partners or subsidiaries.
• Some 87% of organizations have critical exposures that are visible to attackers at a given point in time.
These findings are not at all surprising. Quite the opposite, they ring very true. Companies never found a way to stop intruders from breaching and plundering with impunity, even when all they had to defend were on-premises IT systems. Today we’re in the throes of digital transformation. Agility, speed, and modular transactions happen on the fly and in the cloud. This sets up a much more complex security challenge than setting up trip-wire alarms around an on-prem data center.
“Most organizations have expanded and broadly diversified their IT resources on-premises and in the cloud, making continuous monitoring and timely mitigation extremely challenging,” observes Potekhin, CyCognito’s CTO. “The inspiration for the CyCognito platform was the realization that the explosive growth in the numbers of threat actors and the sophistication of their tools has leapfrogged the capabilities of legacy security solutions and most of today’s enterprises, even those who are highly security-aware.”
What CyCognito has set out to do is outflank attackers and one of the results is a high-definition snapshot of the threat landscape, on any given day. That’s a major step forward. I hope they are able to trigger a new era of advances in the overall field of attack surface monitoring.
Meanwhile, as you might expect, the company has also designed its botnet and analytics platform to be available for hire — to drill down on individual companies’ IT assets. This can help companies identify and address open attack vectors — before the bad guys can get to them. “We looked to create a new class of solution to beat the attackers at their own game,” Gurzeev says. “It’s heartening that from Day One on our platform, customers are finding, assessing and closing open pathways.”
I expect layered defenses will continue to have a place, moving forward. But it’s going to be fascinating to see how adding a bit of offensive punch to defending networks catches on, and how much of a difference offensive security solutions will make, overall. I’ll keep watching.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/new-tech-cycognito-deploys-offensive-bot-network-to-put-companies-a-step-a-head-of-attackers/
View full post on National Cyber Security
Cybersecurity is the set of practices, processes and systems for protecting Information Technologies (IT), which consists of computers, networks, software and stored information, from digital attack. Cybersecurity has become a preoccupation for the government, private sector, institutions and individuals. Billions are spent annually to defend governmental, corporate, and personal IT from cyber intrusion. Innovative companies have developed new ways of providing security.
A major aspect of cybersecurity is the protection of critical infrastructure. The Department of Homeland Security defines critical infrastructure as “the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety.” There are 16 critical infrastructure sectors, including energy, communications, food and agriculture, transportation, water and wastewater, nuclear power and materials, major manufacturing, and defense industries.
All these sectors are dependent on IT, not merely for communications or billing, but for the operation of major physical systems. Most of them employ IT-based supervisory control and data acquisition (SCADA) systems to monitor and operate a wide variety of hardware. For example, the energy sector is critically dependent on SCADA technology to manage the flow of power, direct the operation of production and storage facilities, and monitor the state of energy usage.
The threat to these large, complex systems, essential to not only the way we live but our very lives, is quite severe. The same IT and SCADA systems that allow for the efficient management and operation of critical infrastructure sectors also create enormous vulnerabilities that adversaries will seek out to exploit. The cyber threat to our energy sector, perhaps the most critical of all, has been growing for years. According to a report by the Idaho National Laboratory prepared for the Department of Energy: “Cybersecurity for energy delivery systems has emerged as one of the Nation’s most serious grid modernization and infrastructure protection issues.”
The dominant focus of infrastructure security is on protecting computers and networks from the introduction of malware. When it comes to critical infrastructure, hackers look for ways of entering the networks and then wend their way to the software programs that control operations. Often, the hackers will look for easy entry points, such as electronic billing systems or supply chain communications, from which they can then launch attacks against SCADA systems or other IT-based means of monitoring and directing operations within a sector.
It is becoming harder to protect entire networks from hacking. The explosive growth in the use of IT for personal and business purposes, and the move to a world where the so-called Internet of Things is ubiquitous, has resulted in a massive increase in potential entry points for hackers. Recently, it was discovered that IT-enabled baby monitors could be hacked. Moreover, hackers keep finding new network vulnerabilities and investing in ever-more sophisticated malware.
Protecting critical infrastructure is a never-ending problem. Operating systems must be constantly patched as vulnerabilities are uncovered. Computer systems and networks routinely need upgrades as new malware is developed. The expense of that is significant. Some experts have characterized IT security spending as a “black hole.” Any new approach that does not have to be constantly enhanced would significantly reduce future costs of cyber defense.
An alternative approach to establishing a high level of infrastructure security at an affordable cost is by focusing on operational technologies or OT. OT consists of hardware, such as valves, pumps, generators and SCADA-enabled machinery, all of which are critical to the operation of networks that deliver power, water, and oil and gas.
By focusing critical infrastructure protection on keeping OT secure, utility companies and others in critical infrastructure sectors can simplify their cybersecurity requirements and significantly reduce costs. The key is to protect the IT-directed OT itself rather than the entire network. This can be done by placing on the network, in front of the OT, a device that allows only pre-defined, legitimate commands to reach it; any command not on that list is dropped. Even if a hacker penetrated an electric utility’s network, malware intended to cause an OT malfunction could not get its commands through to the device or machine.
Such a system, called Binary Armor, already exists, and it could change how OT is protected. Essentially, it places an in-line barrier on the network directly in front of the OT device and monitors all communications to that piece of equipment. Only legitimate commands within the defined operating parameters of the OT can pass through. A command outside those parameters, one that could drive the equipment into an improper or self-destructive state, cannot pass, however cleverly the malware that sent it was written. The same filter also prevents an operator from accidentally sending an out-of-range command, a class of operator error that has contributed to industrial accidents, Chernobyl being the best-known case of a plant driven outside its safe operating envelope.
Because the unit is pre-loaded with the legitimate commands and operating parameters for that OT, it will rarely need to be upgraded, unlike signature-based security products that must chase each new piece of malware. The allowlist itself still has to be maintained, however: any change to the process, its set points or the device firmware means re-validating the permitted command set, and the filter governs only the network path it sits on. Binary Armor would also allow utilities and other critical infrastructure sectors to use commercial networks rather than proprietary ones, further reducing cybersecurity costs. Finally, it would radically increase the difficulty and cost for the attacker, primarily because a Binary Armor unit must be physically accessed to be reprogrammed.
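An in-line command allowlist of the kind described above, as an added example that is not Binary Armor’s code. It parses Modbus TCP request frames (a common OT protocol; the page does not say which protocols Binary Armor handles) and applies a default-deny policy for a hypothetical pump controller. The unit id, readable register range, writable registers and their engineering limits are all assumptions chosen for the example; a real deployment would load them from the device’s validated operating parameters.

```python
"""Default-deny command allowlist sitting in line in front of an OT device.
Added example, not Binary Armor's code; speaks Modbus TCP and enforces an
assumed policy for a hypothetical pump controller."""
import struct

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id (0), length, unit id
READ_HOLDING, WRITE_SINGLE, WRITE_MULTIPLE = 0x03, 0x06, 0x10

# Assumed policy for one hypothetical device: anything not listed is dropped.
POLICY = {
    "unit_id": 1,
    "read_ranges": [(0, 100)],       # holding registers 0..99 may be read
    "max_read_quantity": 50,
    "write_limits": {10: (0, 1500),  # pump speed set point, rpm
                     11: (0, 1)},    # run/stop
}


def parse_frame(frame):
    """Return (unit id, function code, data); raise ValueError if malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("truncated frame")
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError("protocol id is not Modbus")
    pdu = frame[MBAP.size:]
    if length != len(pdu) + 1:       # length field counts unit id + PDU
        raise ValueError("length field does not match frame")
    return unit, pdu[0], pdu[1:]


def _check_write(reg, val, policy):
    limits = policy["write_limits"].get(reg)
    if limits is None:
        return False, f"register {reg} is not writable"
    lo, hi = limits
    if not lo <= val <= hi:
        return False, f"value {val} for register {reg} outside {lo}..{hi}"
    return True, f"write {val} to register {reg} permitted"


def check_frame(frame, policy=POLICY):
    """Decide whether one request may be forwarded: returns (allowed, reason).
    Parse failures and unlisted function codes are denied, so the filter only
    forwards what it fully understands."""
    try:
        unit, fc, data = parse_frame(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if unit != policy["unit_id"]:
        return False, f"unit {unit} not permitted"
    if fc == READ_HOLDING:
        if len(data) != 4:
            return False, "bad read request length"
        start, qty = struct.unpack(">HH", data)
        if qty == 0 or qty > policy["max_read_quantity"]:
            return False, f"read quantity {qty} out of policy"
        if not any(lo <= start and start + qty <= hi for lo, hi in policy["read_ranges"]):
            return False, f"read of {start}..{start + qty - 1} outside permitted ranges"
        return True, "read permitted"
    if fc == WRITE_SINGLE:
        if len(data) != 4:
            return False, "bad write request length"
        return _check_write(*struct.unpack(">HH", data), policy)
    if fc == WRITE_MULTIPLE:
        if len(data) < 5:
            return False, "bad multiple-write length"
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            return False, "multiple-write byte count does not match"
        for i, val in enumerate(struct.unpack(f">{qty}H", data[5:])):
            ok, reason = _check_write(start + i, val, policy)
            if not ok:
                return False, reason
        return True, f"write of {qty} registers from {start} permitted"
    return False, f"function code 0x{fc:02x} not in allowlist"


# Request builders, used to construct sample traffic for the demo below.
def build_frame(unit, fc, data, tid=1):
    return MBAP.pack(tid, 0, len(data) + 2, unit) + bytes([fc]) + data

def read_request(start, qty, unit=1):
    return build_frame(unit, READ_HOLDING, struct.pack(">HH", start, qty))

def write_single(reg, val, unit=1):
    return build_frame(unit, WRITE_SINGLE, struct.pack(">HH", reg, val))

def write_multiple(start, vals, unit=1):
    body = struct.pack(">HHB", start, len(vals), 2 * len(vals)) + struct.pack(f">{len(vals)}H", *vals)
    return build_frame(unit, WRITE_MULTIPLE, body)


if __name__ == "__main__":
    for name, frame in [("read 0..9", read_request(0, 10)),
                        ("speed 1200 rpm", write_single(10, 1200)),
                        ("speed 3000 rpm", write_single(10, 3000)),
                        ("diagnostics 0x08", build_frame(1, 0x08, b"\x00\x04\x00\x00"))]:
        print(f"{name:18} {check_frame(frame)}")
```

Two design points carry over to any such filter. First, it is protocol-aware, not signature-based: a write of 3000 rpm to the speed register is refused because 3000 is outside the validated range, not because the bytes match any known malware, so new malware sending the same command fares no better. Second, it is default-deny down to the parser: a frame it cannot fully decode, a function code it was not told about (function 0x08 “diagnostics” here, which real devices use for things like forcing listen-only mode), or a second unit id all fall through to a denial rather than being passed on the assumption they are harmless.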
Currently, a Binary Armor unit must be installed on a network. This is not difficult. The current Binary Armor unit is a 3x2x2 inch box with two Ethernet access ports and a power source. It weighs about six pounds. But in the future, the basic technologies could be embedded into OT, simplifying the cybersecurity challenge.
Strong action needs to be taken now by all critical infrastructure sectors, particularly for energy, to enhance their cybersecurity protections. Public utilities would be remiss in not testing Binary Armor to understand its applicability for their networks.
Worldwide spending on information security and risk management systems will reach $131B in 2020, increasing to $174B in 2022; approximately $50B will be dedicated to protecting the endpoint, according to Gartner’s latest Information Security and Risk Management forecast. Cloud security platform and application sales are predicted […]
Almost three-quarters of enterprises plan to have a zero-trust access model by the end of the year, but nearly half of cybersecurity professionals lack the knowledge to implement the right technologies, experts say. Worried about protecting data, the likelihood of breaches, and the rise of insecure […]
Whenever we hear about major cyber security attacks such as data breaches, it’s typically larger enterprises that are the victims. That makes sense, considering those events can potentially impact a lot of people and therefore are more likely to grab headlines and garner attention.
But that doesn’t mean small and mid-sized companies (SMBs) are immune to such attacks. In fact, smaller organizations are frequent targets of cyber incidents, and they generally have far fewer resources with which to defend themselves.
A recent study by the Ponemon Institute, which conducts research on a variety of security-related topics, presents a clear picture of the cyber security challenges SMBs are facing. The report, “The 2019 Global State of Cybersecurity in SMBs,” states that for the third consecutive year small and medium-sized companies reported a significant increase in targeted cyber security breaches.
For its report, Ponemon conducted an online survey of 2,391 IT and IT security practitioners worldwide in August and September 2019, and found that attacks against U.S., U.K., and European businesses are growing in both frequency and sophistication.
Nearly half of the respondents (45%) described their organization’s IT security posture as ineffective, and 39% reported that they have no incident response plan in place.
Cyber criminals are continuing to evolve their attacks with more sophisticated tactics, and companies of all sizes are in their crosshairs, noted Larry Ponemon, chairman and founder of the Ponemon Institute. The report shows that cyber attacks are a global phenomenon, as is the lack of awareness and preparedness by businesses globally, he said.
Overall, cyber attacks are increasing dramatically, the report said. About three quarters of the U.S. companies surveyed (76%) were attacked within the previous 12 months, up from 55% in a 2016 survey. Globally, 66% of respondents reported attacks in the same timeframe.
Attacks that rely on user deception are on the rise, the study said. Overall, attacks are becoming more sophisticated, with phishing (57%), compromised or stolen devices (33%), and credential theft (30%) among the most common attacks waged against SMBs globally.
Data loss is among the most common impacts of cyber security events. Worldwide, 63% of businesses reported an incident involving the loss of sensitive information about customers and employees in the previous year.
SMBs around the world increasingly are adopting emerging technologies such as mobile devices and apps, the Internet of Things (IoT), and biometrics, despite having a lack of confidence in their ability to protect their sensitive information.
Nearly half of the survey respondents (48%) access more than 50% of their business-critical applications from mobile devices, yet virtually the same portion of respondents said the use of mobile devices to access critical applications diminishes their organization’s security posture.
Furthermore, a large majority of respondents (80%) think it is likely that a security incident related to unsecured IoT devices could be catastrophic. Still, only 21% monitor the risk of IoT devices in the workplace.
The report also suggests that biometrics might finally be moving toward the mainstream. Three quarters of SMBs currently use biometrics to identify and authenticate users or have plans to do so soon.
Small and mid-sized companies can take several steps to bolster their cyber security programs. One is to educate users and managers throughout the organization about the importance of strong security and taking measures to keep data safe.
Because so many attacks begin with employees opening suspicious email attachments or clicking on links that lead to malware infestations or phishing, training users to identify these threats is vital. Companies can leverage a number of free training resources online to help spread the word about good security hygiene.
Smaller companies, particularly those with limited internal cyber security skills, can also consider hiring a managed security services provider (MSSP) to help build up a security program. Many of these firms are knowledgeable about the latest threats, vulnerabilities and tools, and can help SMBs quickly get up to speed from a security standpoint.
And companies can deploy products and services that are specifically aimed at securing small businesses. Such tools provide protection for common IT environments such as Windows, macOS, Android and iOS devices. They are designed to protect businesses against ransomware and other new and existing cyber threats, and to prevent data breaches that can put personal and financial data at risk.
Some of these offerings can be installed in a matter of minutes with no cyber security or IT skills required, which is ideal for smaller companies with limited resources and a need to deploy stronger defenses quickly.
Chief information security officer, or CISO for short—it’s a very popular title lately, being added to C-suites at companies of all sizes. It seems corporate boards feel a company isn’t considered serious if it doesn’t have a CISO or similarly titled executive in board meetings. And due to their popularity, they are not cheap positions to fill. According to Salary.com, the average base salary for a CISO runs $168,000 to $287,000 per year. And yet, a survey by Bitglass showed that 38% of the Fortune 500 did not have a named CISO.
Company size alone may not indicate when it’s appropriate to add a CISO to your executive team. Other factors come into play, including regulatory requirements, industry, geography and whether there’s a focus on information security as a corporate priority.
Do You Need a CISO?
The most important factor as to whether a company has a CISO seems to be how regulated its industry is. In fact, many compliance regimes require a named officer in charge of security, privacy or related matters. The FDIC and OCC, major regulators of the finance sector, both strongly recommend in their guidance documents having an executive-level owner for security functions. The GDPR (the sweeping EU privacy regulation) requires many organizations to appoint a data protection officer, and the CCPA (a similar law covering California residents) imposes privacy obligations that in practice need an accountable owner. Health care, gaming, legal, transportation, energy and many sectors of manufacturing also require various levels of executive involvement in information security.
When a company is highly regulated, the size really doesn’t matter. Even the smallest community bank will generally have an information security officer, though sometimes these roles have a dual responsibility. Even if your industry regulations don’t specifically require a CISO position, you may want a CISO just to coordinate the large amount of security and compliance reporting at the management and board level. However, in compliance-focused industries, it is not generally recommended that CISOs report up through IT or operational lines. You don’t want the person checking the security of your corporate infrastructure to be the same person building that infrastructure.
Does Your Industry Need a CISO?
The industry also takes a larger role than size when it comes to needing a CISO. Certain industries seem to be more security-focused than others, which might be due to the regulatory concerns listed above, the value of trade secrets and IP, public safety or other considerations. For example, the transportation industry has the highest rate of CISO positions overall. This seems obvious when you consider we don’t want hackers inside our self-driving cars or accessing airliner flight systems. Technology companies also seem to have a higher number of CISOs, especially in the security sector, since their work is more likely to have digital and online outputs. The same study by Bitglass found the hospitality industry has the lowest level of security officer positions. And, possibly not unrelated, that industry has been the target of a number of high-profile, large breaches, with both the Hilton and Marriott chains suffering multi-million record breaches in the last few years.
Does Location Matter?
Geography also has something to do with whether a company has a CISO. Midsized companies in the European Union are more likely to have appointed a security officer because of the GDPR, which applies to companies of every size in the EU. Companies located in the United States and other wealthy countries also have a higher rate of CISOs in the C-suite than those in less developed countries: attackers generally go after richer, more established companies, and those companies place more of a premium on information security.
Should Your Company Invest in a CISO?
Forward-thinking boards of directors, even at midsized companies, are adding CISOs. This isn’t always just because of regulations or significant IP to protect, but because threats to company security are being seen as existential threats more than ever before. The near-total reliance on the internet and IT services at most companies means that having secure and available information services is as essential as having functional sales, marketing and accurate financial reporting. Indeed, with the increasing use of external SaaS services for those functions, the security and availability of those services must be there for the other departments to do their jobs properly.
So there are many reasons that a midsized company may decide to add a CISO to its management team. Above the smallest companies, it seems that size does not have as much to do with it as the company’s industry, the amount of compliance and regulation it faces, location and an increasing belief among boards and top company leaders that information security and privacy is a core business function worthy of C-level responsibility and management.
The post “Do Midsized Companies Need a CISO?” appeared first on National Cyber Security.
On bikes and scooters, messengers with bright orange satchels whipped and weaved through Manhattan’s teeming streets. Their bags held snacks, DVDs, and diapers for a start-up called Kozmo.com, which promised deliveries in under an hour. It was the year 2000. And it all seemed magical.
The real magic, it soon turned out, was Kozmo’s ability to raise more than $250 million in funding despite running a money-losing operation. As the dot-com bubble burst later in 2000, a planned initial public offering was canceled. Kozmo was liquidated in April 2001. Among the investors left holding the bag were Amazon.com (ticker: AMZN) and the venture-capital arm of SoftBank Group (9984.Japan).
Two decades later, Kozmo-like businesses are raising huge sums of money and delighting consumers. New movies get streamed straight to TVs, car service shows up instantly, and meals and goods arrive with the push of a button. Companies like Amazon and SoftBank are still footing the bill.
Each new service undercuts the incumbents. Uber and Lyft (LYFT) are cheaper than city cabs. A month of content from Netflix (NFLX) costs less than one movie ticket; and Amazon makes every day feel like Black Friday.
But now we are on the precipice of another Kozmo-like reckoning. WeWork’s failed IPO—and a sudden focus on profits—has forced venture capital to rein in its voracious appetite. Investors have begun to feel the pain of a more discriminating market.
Consumers are likely to be next. Their free lunch—fueled by technology and generous private capital—is coming to an end. As the spigot turns off in both public and private markets, consumers will probably see changes from ride-sharing to food delivery that pinch their pocketbooks.
Billionaire investor and owner of the National Basketball Association’s Dallas Mavericks Mark Cuban says it will be difficult for many companies to adapt to the new reality. And it will be painful for consumers who have grown accustomed to great tech and low prices.
“It’s hard to sustain the growth rates that IPO investors look for, and it’s even harder to retrain customers to accept higher and profitable pricing after [companies’] subsidizing the cost for so long,” Cuban tells Barron’s in an email.
Several customers of these start-up services agree. “There is a tipping point,” says Kristen Ruby, president and founder of the Ruby Media Group, who spends $30 to $40 on food delivery multiple times a week. “Consumers will be put over the edge if the fees continue to get any higher.”
Andy Bachman, a rabbi who works as executive director of a New York City organization called the Jewish Community Project Downtown, says he orders with Seamless or Grubhub (GRUB) a couple of times each month. “Many people in the city who have more disposable income, they’re not going to have a problem with a small rise in delivery price,” he says. “But a normal family like ours, we’d stop using it.”
For much of the past decade, investors poured billions of dollars into start-ups, choosing to judge success by scale. Profits were for another day. Then, investors started to fear that the day might never come.
First came the weak performance of the unicorn IPOs. The share prices of hotly anticipated new stocks like Uber and Pinterest (PINS) have tumbled by more than 30% from their summer highs. The direct listing for Slack Technologies (WORK) has also proved to be a disappointment.
The turning point was the failed IPO of WeWork, the shared office-space company. At its peak, the company was worth $47 billion in the private market. Its IPO filing—which detailed huge losses and bewildering managerial decisions—triggered a reawakening among investors who suddenly remembered lessons from the internet bubble. WeWork was forced to shelve its offering and ultimately needed a bailout from SoftBank to stay solvent.
“The WeWork IPO process instilled a level of discipline in the market that hadn’t been there for a while,” says Mario Cibelli, manager of hedge fund Marathon Partners Equity Management. “From the summer to the fall, you have gotten into a completely different environment. That exit opportunity that a lot of the private companies would be eyeing essentially dissipated. The public markets are demanding a different kind of risk profile and behavior.”
Jim Chanos, the short seller best known for predicting the collapse of Enron, blames SoftBank and its $100 billion Vision Fund for fueling many of the unsustainable strategies. The Japanese company was WeWork’s largest investor.
“It’s very clear now that SoftBank got swept up and led the vanguard on this and maybe didn’t spend the time they should have on the business models,” says Chanos, the founder and managing partner of Kynikos Associates. “The whole WeWork thing was silly from the beginning.”
SoftBank declined to comment on the criticism over its business-model analysis of WeWork. But in an investor presentation in November, SoftBank said that it was now telling companies to focus on generating free cash flow (a measure of profitability) and that they should aim to be “self-financing.” It also started a new “no rescue package” policy for its portfolio companies.
“SoftBank figured that out a little bit late,” Chanos says. “Maybe these companies should have a path to profitability.”
The shift in sentiment has hit private markets, too. In the third quarter, start-ups received $27.5 billion in new venture capital, down 17% from the previous quarter and the lowest total in nearly two years, according to Dow Jones VentureSource.
Some of the start-ups won’t survive the new environment, while established businesses will be forced to raise consumer prices.
Internet TV is a good lesson for what consumers can expect. Virtual cable bundles, or virtual MVPDs (multichannel video programming distributors), hit the market roughly three years ago, promising to allow cord-cutters to get the best of live TV at a fraction of the cost of cable. At first, YouTube TV, Hulu Live TV, PlayStation Vue, and DirecTV Now (currently called AT&T TV Now) all offered live-TV packages streamed over the internet for just $30 to $40 a month.
The low prices didn’t last. Craig Moffett, MoffettNathanson’s telecom analyst, says the virtual bundlers wrongly assumed that the business would have the winner-take-all economics akin to Google and
But content businesses are weighed down by a cost structure that doesn’t scale like native web businesses.
“The math never made any sense,” Moffett says. “The programming costs alone were north of $30 for those packages. After customer-service and customer-acquisition costs, there was simply no way anyone was going to make money.”
Faced with rising losses, Moffett notes, the internet TV services were forced to replicate the same price increases that drove people to cut the cord in the first place. As the prices went higher, subscriber growth sputtered. In October, Sony announced that it would shut down its Vue service in January. AT&T TV Now, meanwhile, raised its price so high—$65 a month, from the initial $35—that customers started to defect. Net subscriber losses for the service totaled nearly 700,000 in the past four quarters, according to MoffettNathanson. Internet TV now looks much like cable TV—both in cost and subscriber trends.
“Everybody initially hoped they would be able to grab market share and build a position that would give them more negotiating leverage and eventually be profitable to raise prices,” Moffett says. “In retrospect, neither of those assumptions held water.”
Moffett thinks the virtual-cable story could be repeated in other markets.
So what can consumers expect to happen in the ride-hailing, food-delivery, and streaming-video-subscriptions markets in the near future? Here’s a breakdown by industry:
With stocks of the major U.S. ride-hailing players—Uber and Lyft—battered in recent months, consumers should expect to see a wave of price increases in the coming year.
Wall Street data indicate that the ride-hailing firms can get away with higher prices. Canaccord Genuity says its latest price tracker shows that Lyft and Uber fares were up 6% on average since May, adjusted by ride class. Last month,
released an analysis of New York City ride-hail data, suggesting that demand for the service was inelastic. The firm found that when per-ride pricing rose 23% because of a congestion surcharge, it resulted in only a 10% decline in volume.
There are strong signals that a sea change is already under way. On Lyft’s last earnings call, the company’s chief financial officer said there was “increasing rationality” in the market, noting that average ride prices were higher year over year, adjusted for type of ride. Moreover, the company’s September-quarter adjusted margin on earnings before interest, taxes, depreciation, and amortization, or Ebitda, improved 32 percentage points, to a negative 13%, from the prior year. Lyft has said that it expects to be profitable by late 2021.
Marcelo Lima, a hedge fund manager at Heller House whose firm owns Lyft shares, sees a brewing duopoly in the U.S. ride-hailing space. He is more optimistic about Lyft than Uber because of the former’s North American focus. “I like the focus of Lyft; it’s a clear story,” he says. “They have a good chance of reaching very good economics soon.”
Uber, meanwhile, is being held back by its other money-losing units, like autonomous driving and food delivery.
What kind of actual price changes can consumers expect in the near term? Mike Puangmalai, a private investor who spent eight years as an analyst at Relational Investors, says, “For a $25 trip, don’t be surprised if it’s $30 this coming year. I do think prices will go up.”
Uber’s willingness to lose money has thrown the nascent food-delivery business into disarray. Four well-funded players—DoorDash, Uber Eats, Grubhub, and Postmates—have been trying to outdo one another with wider networks and better discounts. Staggering losses and great deals for customers are the result.
Uber Eats lost more than $300 million in the September quarter, with losses up nearly 70% year over year. Grubhub shares plunged 43% in late October, when it offered profit guidance well below Wall Street expectations. Industry analysts widely believe that DoorDash and Postmates are losing money and will have difficulty going public, given recent trends.
DoorDash and Postmates didn’t respond to emailed requests for comment.
Chanos, whose firm is short shares of Grubhub, believes that the food-delivery companies are facing pressure from restaurants asking for lower commission rates. He also expects that consumers will see fewer coupons and promotions from the delivery firms, adding that higher prices would probably result in far lower delivery volume.
In a statement, Grubhub said that it “has proved itself as the only food-delivery business in the U.S. with a profitable, transparent, and sustainable business model.”
“Several of our peers have achieved national scale,” Grubhub said, “but we are the only one that has grown without unsustainable shortcuts like incurring massive operating losses, offering irrational diner pricing, and giving drivers substantial subsidies.”
Cibelli, whose firm owns Grubhub shares, predicts that all of the players will have to fix their businesses by cutting back on the discounts that attracted customers in the first place. “Uber Eats, Postmates, and DoorDash are all going to have to approach break-even and cease their cash burn,” he says. “The odds of consolidation are quite high. Likely, you will eventually have two dominant players.”
The hedge fund manager believes that with fewer players, aggregate industry profitability will improve as the overlap in operating expenses such as marketing and administrative spending gets eliminated. After the consolidation, he predicts, the remaining companies will be able to raise prices, benefiting Grubhub’s stock price.
Bulls and bears agree that the current competitive landscape isn’t sustainable. Cibelli says that the private companies that used their enormous fundraising to chase low-profit-margin sales will face the biggest obstacles.
“DoorDash, especially, has created transactions more aggressively than would have occurred naturally by offering too good of a deal for consumers, especially on the fast-food-chain side,” Cibelli says. “It’s nice to press a button to have
delivered to you very cheaply, but these are inferior transactions.”
consumer survey revealed that 58% of diners said promotions and deals played a role in their food-delivery decisions. Furthermore, only 36% of consumers said they were exclusive to one platform.
Fast-food orders are especially problematic in terms of profitability. Morgan Stanley estimates that two-thirds of fast-food orders were under $7. In a typical $10 fast-food order, the firm says that a food-delivery company would lose $3.80 because of a $5 cost per delivery, net of fees.
Consumers are unlikely to accept higher delivery prices as readily as they might accept higher ride-hailing costs.
“If there are less promotions like free delivery, I’m not going to order as much personal meals,” says Puangmalai, 37, who is also a freelance software developer. “My usage will go down on the lower-ticket stuff.”
While the ride-hailing and food-delivery industries are due for a reckoning, online video streaming has a longer runway. The “free lunch” in video could last for a while, thanks to the deep pockets of big tech and media.
These companies have already told their investors to expect many years of continued losses, as they build their streaming libraries. AT&T, for example, expects its HBO Max to lose more than $4 billion before turning profitable in 2025.
The WeWork moment hasn’t hit the streaming business largely because video-streaming companies have other profitable businesses, like theme parks, movies, wireless services, and smartphones that can subsidize the streaming efforts at attractive price points.
(DIS) launched its Disney+ streaming service at just $7 a month, about 45% lower than Netflix’s standard plan. In its first year, Disney plans to have a library of 7,500 TV episodes and 500 movies—including the company’s Pixar, Star Wars, and Marvel films. Disney has told investors that it won’t make money on Disney+ until 2024.
Disney isn’t alone in firing large shots in the streaming wars. In October, WarnerMedia unveiled details for its HBO Max streaming service, which will start in May. Warner says the service will have 10,000 hours of content from HBO, Warner Bros., DC Entertainment, CNN, TNT, Cartoon Network, Adult Swim, and other WarnerMedia properties. It will have 50 “Max Originals” by 2021. Despite having double the content, HBO Max will cost $14.99 a month, the same current cost as standard HBO.
The low cost of streaming is all the more striking given the costs being spent on content to power the services. Cowen estimates that Netflix and Amazon will spend $15 billion and $8 billion, respectively, for content in 2019. The firm thinks that
(AAPL), which just introduced its Apple TV+ service at $4.99 a month, will spend $6 billion annually within two years.
“The pricing environment will definitely be more muted than in the past five years due to the increased competition,” says Cowen analyst John Blackledge.
Indeed, Netflix may be looking to cut the entry price in certain markets. It is already trying lower-priced mobile-only plans in India, suggesting that cheap plans may be the key to its international expansion.
The problem for Netflix is that running a streaming service continues to get more expensive. On its last earnings call, Netflix’s management acknowledged that the content cost for the hottest TV shows with multiple bidders had risen 30% over the past year. The bull case for Netflix stock has always been its potential to raise subscription prices over time. But new streaming options are sure to limit Netflix’s pricing power.
Over the past year, it was quite the roller-coaster ride for the streaming giant’s investors. Netflix’s stock price started 2019 strong, with a 40% rally through July, but it then lost all those gains in just two months after the company posted a disappointing second quarter. Netflix shares did rebound into year-end, closing up 21% for 2019, though materially lagging the major indexes. Shareholders should expect more volatility and lackluster relative returns for the next few years.
The uncertainty for the longtime market darling speaks to a new dynamic on Wall Street. Delighted consumers are no longer aligned with happy investors. As the unicorns grow up, they’ll look more like cable companies and less like nonprofits.
“If something is too good to be true, it probably is,” Moffett says.
Josh Nathan-Kazis contributed to this article.
Write to Tae Kim at firstname.lastname@example.org
View full post on National Cyber Security
#cyberfraud | #cybercriminals | Cyber Risk Update for Construction Companies | Stoel Rives – Global Privacy & Security Blog®
Updated: May 25, 2018:
JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.
Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the “My Account” dashboard (available if you are logged into your JD Supra account).
Collection of Information
Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account (“Registration Data“), such as your:
- First Name
- Last Name
- Company Name
- Company Industry
Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.
Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.
How do we use this information?
We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:
- Operate our Website and Services and publish content;
- Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
- Measure readership and usage of the Website and Services;
- Communicate with you regarding your questions and requests;
- Authenticate users and to provide for the safety and security of our Website and Services;
- Conduct research and similar activities to improve our Website and Services; and
- Comply with our legal and regulatory responsibilities and to enforce our rights.
How is your information shared?
- Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
- If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
- Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
- Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
- Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals’ personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
- To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.
How We Protect Your Information
JD Supra takes reasonable and appropriate precautions to ensure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at email@example.com.
Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.
Links to Other Websites
Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.
Information for EU and Swiss Residents
JD Supra’s principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.
Your Rights
- Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
- Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
- Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.
You can make a request to exercise any of these rights by emailing us at firstname.lastname@example.org or by writing to us at:
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965
You can also manage your profile and subscriptions through our Privacy Center under the “My Account” dashboard.
We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use “automatic decision making” or “profiling” as those terms are defined in the GDPR.
- Onward Transfer to Third Parties: As noted in the “How We Share Your Data” Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.
California Privacy Rights
Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.
You can make a request for this information by emailing us at email@example.com or by writing to us at:
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965
Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.
Access/Correct/Update/Delete Personal Information
For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to firstname.lastname@example.org. We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the “My Account” dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to email@example.com.
Contacting JD Supra
As with many websites, JD Supra’s website (located at www.jdsupra.com) (our “Website“) and our services (such as our email article digests)(our “Services“) use a standard technology called a “cookie” and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.
- Improve the user experience on our Website and Services;
- Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user’s login session and requires a valid username and password to obtain. It is required to access the user’s profile information, subscriptions, and analytics;
- Track anonymous site usage; and
- Permit connectivity with social media networks to permit content sharing.
There are different types of cookies and other technologies used on our Website, notably:
- “Session cookies” – These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
- “Persistent cookies” – These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
- “Web Beacons/Pixels” – Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.
JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.
Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:
- HubSpot – For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
- New Relic – For more information on New Relic cookies, please visit www.newrelic.com/privacy.
- Google Analytics – For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.
Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the “Like,” “Tweet,” or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.
Controlling and Deleting Cookies
The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser’s “Help” function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.
Updates to This Policy
Contacting JD Supra
16 million passwords have been added to Dark Web sites over the last 12 months, according to a report published by cybersecurity firm ImmuniWeb.
The passwords, many of which had been obtained off the back of a 50% increase in data breaches in the first quarter of 2019, came via a whopping 4 billion compromised records in over 4,000 data breaches.
Using their own in-house technology, ImmuniWeb discovered over 21 million credentials belonging to Fortune 500 companies, 16 million of them dating to the last 12 months. The most common sources of the data breaches were found to be third parties – websites and other resources unrelated to the organizations themselves – followed by trusted third parties: partners, suppliers and vendors to Fortune 500 companies.
Despite years of news about data breaches and education campaigns about the need for strong passwords, the report found that basic, guessable passwords such as 12345678, abc123 and even password still remain widely used. Of the full 21 million records analyzed, the report only found 4.9 million unique passwords.
“This is an interesting glimpse into the inner-workings of underground criminal hacking markets,” Craig Young, computer security researcher for security firm Tripwire Inc.’s vulnerability and exposure research team told SiliconANGLE. “It illustrates just how easy it can be for an adversary to obtain a foothold into a target organization.”
“Some criminal hackers are very good at spear-phishing or breaching random websites, but may have little ability to directly monetize the information,” Young explained. “Others may specialize in escalating access within an organization but have little capability in the way of initially obtaining access. Underground markets typically hosted on Tor allow these threat actors to collaborate with relative anonymity.”
Jarrod Overson, director of engineering at cybersecurity company Shape Security Inc. noted that “credential stuffing is one of the most common types of attacks due to how cheap it is to perform and how successful it is.”
“Successful credential stuffing attacks provide criminals with accounts they can then use to defraud individuals and companies,” Overson said. “Attackers monetize everything from store credit, to loyalty points, to prescription drug refills.”
“Users can protect themselves by never reusing passwords and turning on two-factor authentication whenever possible,” Overson added. “Password managers like 1Password can help users manage hundreds of unique passwords across devices easily.”
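Overson’s point that credential stuffing is cheap and effective has a defender-side corollary: replaying a leaked credential list leaves a distinctive trace in login logs (one source trying many different usernames with almost every attempt failing), which is easy to separate from a legitimate user mistyping their own password. The following is an added example, not code from the ImmuniWeb report, SiliconANGLE or any vendor quoted above. It assumes a hypothetical login-endpoint log format (`timestamp client_ip username LOGIN_OK|LOGIN_FAIL`) and uses a constructed sample log; the thresholds are illustrative.

```python
"""Credential-stuffing detection over constructed login logs (added example).

Heuristic: within a sliding time window, flag a source IP that attempts
>= MIN_USERS distinct usernames with a failure rate >= MIN_FAIL_RATE. The
accounts that *did* log in successfully from a flagged source are returned
so that their sessions can be revoked and a password reset forced.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ts ip user outcome).
# 10.0.0.7 replays a leaked list; 192.0.2.10 and 198.51.100.3 are ordinary users.
SAMPLE_LOG = """\
2019-12-01T10:00:01Z 192.0.2.10 alice LOGIN_FAIL
2019-12-01T10:00:09Z 192.0.2.10 alice LOGIN_OK
2019-12-01T10:00:12Z 10.0.0.7 alice LOGIN_FAIL
2019-12-01T10:00:13Z 10.0.0.7 bob LOGIN_FAIL
2019-12-01T10:00:13Z 10.0.0.7 carol LOGIN_FAIL
2019-12-01T10:00:14Z 10.0.0.7 dave LOGIN_OK
2019-12-01T10:00:14Z 10.0.0.7 erin LOGIN_FAIL
2019-12-01T10:00:15Z 10.0.0.7 frank LOGIN_FAIL
2019-12-01T10:00:15Z 10.0.0.7 grace LOGIN_FAIL
2019-12-01T10:00:16Z 10.0.0.7 heidi LOGIN_FAIL
2019-12-01T10:00:16Z 10.0.0.7 ivan LOGIN_FAIL
2019-12-01T10:00:17Z 10.0.0.7 judy LOGIN_FAIL
2019-12-01T10:05:00Z 198.51.100.3 mallory LOGIN_FAIL
2019-12-01T10:05:30Z 198.51.100.3 mallory LOGIN_FAIL
2019-12-01T10:06:00Z 198.51.100.3 mallory LOGIN_OK
"""


def parse_log(text):
    """Parse the hypothetical log format into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, outcome == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_rate=0.8):
    """Return {ip: (distinct_users, attempts, successful_users)} for sources
    whose sliding window meets both the distinct-username and failure-rate
    thresholds. Thresholds are illustrative, not tuned values."""
    by_ip = defaultdict(list)
    for stamp, ip, user, ok in sorted(events):
        by_ip[ip].append((stamp, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            users = {u for _, u, _ in current}
            fails = sum(1 for _, _, ok in current if not ok)
            if len(users) >= min_users and fails / len(current) >= min_fail_rate:
                successes = sorted(u for _, u, ok in current if ok)
                # Keep the widest qualifying window seen for this source.
                flagged[ip] = (len(users), len(current), successes)
    return flagged


if __name__ == "__main__":
    for ip, (users, tries, hits) in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {users} usernames in {tries} attempts; accounts to reset: {hits}")
```

The distinct-username condition is what distinguishes stuffing from a single user’s failed logins or a targeted brute force against one account; the successful logins from a flagged source are the accounts whose password was already in the leaked list, which is exactly where forcing a reset and enabling two-factor authentication, as Overson recommends, pays off.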
The post “#deepweb | 16M passwords from Fortune 500 companies found on the dark web” appeared first on National Cyber Security.