1010Computers | Computer Repair & IT Support

Flaw in Cyberoam firewalls exposed corporate networks to hackers

Sophos said it is fixing a vulnerability in its Cyberoam firewall appliances, which a security researcher says can allow an attacker to gain access to a company’s internal network without needing a password.

The vulnerability allows an attacker to remotely gain “root” permissions on a vulnerable device, giving them the highest level of access, by sending malicious commands across the internet. The attack takes advantage of the web-based operating system that sits on top of the Cyberoam firewall.

Once a vulnerable device is accessed, an attacker can jump onto a company’s network, according to the researcher who shared their findings exclusively with TechCrunch.

Cyberoam devices are typically used in large enterprises, sitting on the edge of a network and acting as a gateway to allow employees in while keeping hackers out. These devices filter out bad traffic, and prevent denial-of-service attacks and other network-based attacks. They also include virtual private networking (VPN), allowing remote employees to log on to their company’s network when they are not in the office.

It’s a similar vulnerability to recently disclosed flaws in corporate VPN providers, notably Palo Alto Networks, Pulse Secure and Fortinet, which allowed attackers to gain access to a corporate network without needing a user’s password. Many large tech companies, including Twitter and Uber, were affected by the vulnerable technology, prompting Homeland Security to issue an advisory to warn of the risks.

Sophos, which bought Cyberoam in 2014, issued a short advisory this week, noting that the company rolled out fixes on September 30.

The researcher, who asked to remain anonymous, said an attacker would only need an IP address of a vulnerable device. Getting vulnerable devices was easy, they said, by using search engines like Shodan, which lists around 96,000 devices accessible to the internet. Other search engines put the figure far higher.

A Sophos spokesperson disputed the number of devices affected, but would not provide a clearer figure.

“Sophos issued an automatic hotfix to all supported versions in September, and we know that 99% of devices have already been automatically patched,” said the spokesperson. “There are a small amount of devices that have not as of yet been patched because the customer has turned off auto-update and/or are not internet-facing devices.”

Customers still affected can update their devices manually, the spokesperson said. Sophos said the fix will be included in the next update of its CyberoamOS operating system, but the spokesperson did not say when that software would be released.

The researcher said they expect to release the proof-of-concept code in the coming months.

Powered by WPeMatico

Get ready to see more looping videos on Spotify, as Canvas launches into beta

Spotify is opening up its Canvas feature to more artists, the company announced this morning, which means you’ll see a lot more of those looping videos on the app starting soon. The feature has been in limited testing before today with select artists. When available, you don’t just see the album artwork behind the player controls — you see a moving, visual experience that plays in a short loop.

So far, Canvas has had mixed reviews from Spotify users. Some find the looping imagery distracting, while others simply prefer seeing the album art. Some people seem to like the feature. But others only like it with certain content and artists.

The challenge is in designing a video loop that works well. That means it shouldn’t be an attempt to try to lip sync to a part of a song. It shouldn’t include intense flashing graphics or text, nor should it distract people from being able to see the player controls and track information.

Screen Shot 2019 10 10 at 12.07.54 PM

Spotify also suggests trying to tell a full story in the loop rather than just drastically trimming a music video down to the time allotted (three to eight-second clips). Other recommended Canvas experiences are those that help develop the artists’ persona across their profile and tracks, or those that are updated frequently. Billie Eilish, for example, uses the feature to share animated versions of fan art.

Since launching, Canvas has been seen by millions of users, Spotify says. But the company seems to acknowledge the impact varies, based on how the Canvas is designed. When it works, it can “significantly increase” track streams, shares and artists page visits. But Spotify didn’t say what happens when the feature fails to engage fans.

However, based on social media discussions about the feature and how-to guides detailing how to turn the thing off, it would seem that some users choose to opt out of the experience entirely.

Today, Spotify says Canvas will no longer be limited to select artists, as it’s opening more broadly to artists in an expanded beta. With the beta, Spotify hopes artists will treat Canvas as a critical part of their release strategy, and will continue to use it across their catalog.

“It’s a way to get noticed and build a vision — and an excellent way to share more of who you are with your listeners, hopefully turning them into fans,” the company writes in an announcement. “The goal is for you to have richer ways to express yourself and to allow listeners to engage with you and your music even more deeply. We’re continuing to work on additional features, as well as more tools and metrics to help you better understand how your art is reaching your audience,” the company says.

It’s hard not to comment on the timing of this launch. At the end of September, Google announced that YouTube Music would not be preinstalled on new Android devices, taking the place of Google Play Music. With YouTube Music, streamers gain access to a visually immersive experience where they can watch the music videos, not just listen to the audio, if they prefer.

Spotify, however, has traditionally been a place to listen — not to watch. That’s not to say there aren’t music videos on Spotify, they’re just not well-highlighted by the app nor a core part of the Spotify experience.

The company says it’s now sending artists their invites to join the beta. Those who haven’t received the invite can instead make a request to be added here.

Powered by WPeMatico

Google takes AMP to the OpenJS Foundation

AMP, Google’s somewhat controversial project for speeding up the mobile web, has always been open-source, but it also always felt like a Google project first. Today, however, Google announced that the AMP framework will join the OpenJS Foundation, the Linux Foundation-based group that launched last year after the merger of the Node.js and JS foundations. The OpenJS Foundation is currently the home of projects like jQuery, Node.js and webpack, and AMP will join the Foundation’s incubation program.

Large companies like Google tend to donate open-source projects to foundations once they become stable — and that’s definitely the case with the four-year-old AMP project, which developers have now used to create billions of pages on more than 30 million domains, according to Google. Late last year, Google introduced a Technical Steering Committee to help oversee the development of AMP and it was this committee that also agreed to bring the project to the OpenJS Foundation.

“Now in our fourth year, AMP is excited for the next step on our journey,” said Malte Ubl, member of the AMP Project Technical Steering Committee, in today’s announcement. “We’ve been considering the best home for AMP for some time. We decided on the OpenJS Foundation because we feel it’s the best place for us to help us to cater to our diverse group of constituencies. This step builds on previous moves we’ve made toward open governance and helps us focus on transparency and openness.”

Google also notes that the OpenJS Foundation’s goal of promoting JavaScript and related technologies is a good fit for AMP’s mission of providing “a user-first format for web content.” The company also notes that the Foundation allows projects to maintain their identities and technical focus and stresses that AMP’s governance model was already influenced by the JS Foundation and Node.js Foundation.

Google is currently a top-level platinum member of the OpenJS Foundation and will continue to support the project and employ a number of engineers that will work on AMP full-time.

Powered by WPeMatico

App revenue climbs 23% year-over-year to $21.9B in Q3

Global app revenue continues to climb, thanks to the growth in mobile gaming and the subscription economy. In the third quarter of 2019, consumer revenue grew 22.9% year-over-year from $17.9 billion to reach an estimated $21.9 billion across both the App Store and Google Play worldwide, according to new data from Sensor Tower.

Notably, the App Store continues to account for the large majority of this revenue, the report found, making up 65% of total spending compared with just 35% on Google Play.

App Store users spent $14.2 billion, up 22.3% from the $11.6 billion they spent in Q3 2018. Google Play generated $7.7 billion in revenue, up 24% from the $6.2 billion spent in the year-ago quarter.

q3 2019 app revenue worldwide

Sensor Tower’s revenue estimates are a bit lower than those provided by App Annie’s recent report, which said the quarter saw $23 billion in consumer spending, not ~$22 billion.

App Annie also estimated nearly 31 billion downloads in Q3, while Sensor Tower claimed 29.6 billion.

In both cases, Google Play is still said to be the main source for downloads, with nearly three times more first-time installs than the App Store. In Q3, the total number of downloads was up 9.7% year-over-year to 29.6 billion, said Sensor Tower, with Google Play accounting for 21.6 billion of those.

Despite the overall growth, one big app market — China — saw a slight decline, Sensor Tower found. Its installs dropped 6% year-over-year to 2.2 billion in the quarter. But its revenue grew by 26.9% to $4.1 billion, up from $3.2 billion the year prior. This could be attributed to the nine-month game license freeze in China which, though now lifted, had slowed momentum.

Sensor Tower’s charts don’t include third-party app stores, so it’s not a full picture of the Chinese app market, it’s worth noting.

q3 2019 top apps worldwide

The top money-making (non-game) app in the quarter was again Tinder, which generated $233 million in consumer spending, up 7% over the prior quarter. Netflix was No. 2 and YouTube clocked in at No. 3, at $164 million in Q3.

App Annie has a slightly different ranking. It has Tinder and Netflix leading the top-grossing charts, but puts IQIYI ahead of YouTube. This could be because App Annie has a bigger window into the Chinese app market.

In terms of downloads, TikTok is continuing to disrupt Facebook-owned apps’ dominance over the top of the charts. In Sensor Tower’s rankings, WhatsApp was No. 1 and Messenger was No. 3, but Facebook and Instagram dropped to No. 4 and No. 5, respectively. And TikTok reached No. 2.

q3 2019 app downloads worldwide

This isn’t the first time TikTok has passed Facebook, Sensor Tower said — it did so back in Q4 2018 and in Q1 2019, before dropping to No. 4 again last quarter. But with 177 million downloads in Q3, it’s inching its way up to the top.

App Annie, on the other hand, sees TikTok having just a bit more of climb, sticking it at No. 3 in the quarter, behind Messenger and Facebook. It also called out some Q3 break-out hits, like the return of FaceApp’s popularity (No. 9 in downloads) and the growing subscription revenue of Google One (No. 7 in non-game revenue). Sensor Tower put FaceApp at No. 6 instead, but agreed on Google One.

Mobile gaming continues to generate most of the cash, and did so again in Q3 with $16.3 billion in mobile game gross revenue — or 74% of the total in-app spending, the new report said. The App Store accounted for $9.8 billion of that figure, with Google Play users spending $6.5 billion.

Game downloads across both Google Play and the App Store increased by 17.6% in Q3 from 9.5 billion last year to 11.1 billion.

q3 2019 game revenue worldwide

The top three games in the quarter by downloads were Fun Race 3D (123 million downloads), PUBG Mobile (94 million) and newcomer Mario Kart Tour, which hit 86 million downloads despite only launching in late September.

q3 2019 top games worldwide

PUBG Mobile was the top-grossing game with $496 million in revenue, up 652% over last year. The No. 2 title, Tencent’s Honor of Kings, and No. 3 Aniplex’s Fate/Grand Order generated $377 million and $354 million, respectively.

q3 2019 game downloads worldwide

Image credits: Sensor Tower

Correction: App Annie estimated nearly 31 billion downloads in Q3, not 23 billion as first written. We corrected this. Apologies for the error. 

Powered by WPeMatico

Xage now supports hierarchical blockchains for complex implementations

Xage is working with utilities, energy companies and manufacturers to secure their massive systems, and today it announced some significant updates to deal with the scale and complexity of these customers’ requirements, including a new hierarchical blockchain.

Xage enables customers to set security policy, then enforce that policy on the blockchain. Company CEO Duncan Greatwood says as customers deploy his company’s solutions more widely, it has created a set of problems around scaling that they had to address inside the product, including the use of blockchain.

As you have multiple sites involved in a system, there needed to be a way for these individual entities to operate, whether they are connected to the main system or not. The answer was to provide each site with its own local blockchain, then have a global blockchain that acts as the ultimate enforcer of the rules once the systems reconnected.

“What we’ve done is by creating independent blockchains for each location, you can continue to write even if you are separated or the latency is too high for a global write. But when the reconnect happens with the global system, we replay the writes into the global blockchain,” Greatwood explained.

While classical blockchain doesn’t allow these kinds of separations, Xage felt it was necessary to deal with its particular kind of use case. When there is a separation, a resynchronization happens where the global blockchain checks the local chains for any kinds of changes, and if they are not consistent with the global rules, it will overwrite those entries.

Greatwood says these changes can be malicious if someone managed to take over a node or they could be non-malicious, such as a password change that wasn’t communicated to the global chain until it reconnected. Whatever the reason, the global blockchain has this power to fix the record when it’s required.

Another issue that has come up for Xage customers is the idea that majority rules on a blockchain, but that’s not always a good idea when you have multiple entities working together. As Greatwood explains, if one entity has 600 nodes and the other has 400, the larger entity can always enforce its rules on the smaller one. To fix that, they have created what they are calling a supermajority.

“The supermajority allows us to impose impose rules such as, after you have the majority of 600 nodes, you also have to have the majority of the 400 nodes. Obviously, that will give you an overall majority. But the important point is that the company with 400 nodes is protected now because the write to the ledger account can’t happen unless a majority of the 400 node customers also agrees and participates in the write,” Greatwood explained.

Finally, the company also announced scaling improvements, which reduce computing requirements to run Xage by 10x, according to the company.

Powered by WPeMatico

Salesforce adds integrated order management system to its arsenal

Salesforce certainly has a lot of tools crossing the sales, service and marketing categories, but until today when it announced Lightning Order Management, it lacked an integration layer that allowed companies to work across these systems to manage orders in a seamless way.

“This is a new product built from the ground up on the Salesforce Lightning Platform to allow our customers to fulfill, manage and service their orders at scale,” Luke Ball, VP of product management at Salesforce told TechCrunch.

He says that order management is an often-overlooked part of the sales process, but it’s one that’s really key to the whole experience you’re trying to provide for your customers. “We think about advertising and acquisition and awareness. We think about creating amazing, compelling commerce experiences on the storefront or on your website or in your app. But I think a lot of brands don’t necessarily think about the delivery experience as part of that customer experience,” he said.

The problem is that order management involves so many different systems along with internal and external stakeholders. Trying to pull them together into a coherent system is harder than it looks, especially when it could also involve older legacy technology. As Ball pointed out, the process includes shipping carriers, warehouse management systems, ERP systems and payment and tax and fraud tools.

The Salesforce solution involves a few key pieces. For starters there is order life cycle management, what Ball calls the brains of the operation. “This is the core logic of an order management system. Everything that extends commerce beyond the Buy button — supply chain management, order fulfillment, payment capture, invoice creation, inventory availability and custom business logic. This is the bread and butter of an order management system,” he said.

Lightning Order Management 7 LOM AppPicker bezel

Salesforce Lightning Order Management App Picker (Image: Salesforce)

Customers start by building visual order workflows. They can move between systems in an App Picker, and the information is shared between Commerce Cloud and Service Cloud, so that as customers move from sales to service, the information moves with them and it makes it easier to process inquiries from customers about an order, including returns.

Ball says that Salesforce recognizes that not every customer will be an all-Salesforce shop and the system is designed to work with tools from other vendors, although these external tools won’t show up in the App Picker. It also knows that this process involves external vendors like shipping companies, so they will be offering specific integration apps for Lightning Order Management in the Salesforce AppExchange.

The company is announcing the product today and will be making it generally available in February.

Powered by WPeMatico

Clari snags $60M Series D on valuation of around $500M

Clari uses AI to help companies find key information like the customers most likely to convert, the state of orders in the sales process or the next big sources of revenue. As its revenue management system continues to flourish, the company announced a $60 million Series D investment today.

Sapphire Ventures led the round with help from newcomer Madrona Venture Group and existing investors Sequoia Capital, Bain Capital Ventures and Tenaya Capital. Today’s investment brings the total raised to $135 million, according to the company.

The valuation, which CEO and co-founder Andy Byrne pegged at around a half a billion, appears to be a hefty raise from what the company was likely valued at in 2018 after its $35 million Series C. As TechCrunch’s Ingrid Lunden wrote at the time:

For some context, Clari, according to Pitchbook, had a relatively modest post-money valuation of $83.5 million in its last round in 2014, so my guess is that it’s now comfortably into hundred-million territory, once you add in this latest $35 million.

Byrne says the company wasn’t even really looking for a new round, but when investors came knocking, he couldn’t refuse. “On the fundraise side, what’s really interesting is how this whole thing went down. We weren’t out looking, but we had a massive amount of interest from a lot of firms. We decided to engage, and we got it done in less than three weeks, which the board was kind of blown away by,” Byrne told TechCrunch.

What’s motivating these companies to invest is that Clari is helping to define this revenue operations category, and has attracted companies like Okta, Zoom and Qualtrics as customers. What they are providing is this AI-fueled way to see where the best sales opportunities are to drive revenue, and that’s what every company is looking for. At the same time, Byrne says that he’s moving companies away from a spreadsheet-driven record keeping system, enabling them to see all of the data in one place.

“Clari is allowing a rep to really understand where they should spend time, automating a lot of things for them to close deals faster, while giving managers new insights they’ve never had before to allow them to drive more revenue. And then we’re getting them out of ‘Excel hell.’ They’re no longer in these spreadsheets. They’re in Clari, and have more predictability in their forecasting,” he said.

Clari was founded in 2012 and is headquartered in Sunnyvale, Calif. It has more than 300 customers and just passed the 200 employee mark, a number that should increase as the company uses this money to begin to accelerate growth and expand the product’s capabilities.

Powered by WPeMatico

Okta wants to make every user a security ally

End users tend to get a bad rap in the security business because they are often the weakest security link. They fall for phishing schemes, use weak passwords and often unknowingly are the conduit for malicious actors getting into your company’s systems. Okta wants to change that by giving end users information about suspicious activity involving their login, while letting them share information with the company’s security apparatus when it makes sense.

Okta actually developed a couple of new products under the umbrella SecurityInsights. The end user product is called UserInsights. The other new product, called HealthInsights, is designed for administrators and makes suggestions on how to improve the overall identity posture of a company.

UserInsights lets users know when there is suspicious activity associated with their accounts, such as a login from an unrecognized device. If it appears to involve a stolen password, he or she would click the Report button to report the incident to the company’s security apparatus where it would trigger an automated workflow to start an investigation. The person should also obviously change that compromised password.

HealthInsights operates in a similar fashion, except for administrators at the system level. It checks the configuration parameters and makes sure the administrator has set up Okta according to industry best practices. When there is a gap between the company’s settings and a best practice, the system alerts the administrator and allows them to fix the problem. This could involve implementing a stricter password policy, creating a block list for known rogue IP addresses or forcing users to use a second factor for certain sensitive operations.

HealthInsight Completed tasks

Health Insights Report. Image: Okta

Okta is first and foremost an identity company. Organizations, large and small, can tap into Okta to have a single sign-on interface where you can access all of your cloud applications in one place. “If you’re a CIO and you have a bunch of SaaS applications, you have a [bunch of] identity systems to deal with. With Okta, you narrow it down to one system,” CEO Todd McKinnon told TechCrunch.

That means, if your system does get spoofed, you can detect anomalous behavior much more easily because you’re dealing with one logon instead of many. The company developed these new products to take advantage of that, and provide these groups of employees with the information they need to help protect the company’s systems.

The SecurityInsights tools are available starting today.

Powered by WPeMatico

Looking for a job selling weed? EpicHint pitches training for cannabis dispensary ‘budtenders’

Adriana Herrera first came up with the idea for EpicHint, a training and staffing service for cannabis dispensaries, while she was surfing off the coast of Oaxaca, Mexico.

Decompressing after the dissolution of her last startup venture — her second attempt at running her own business — Herrera realized quickly that surfing and #vanlife wasn’t her ultimate calling.

The serial entrepreneur had previously founded FashioningChange, a recommendation engine for sustainable shopping, back in 2011. The company was gaining traction and had some initial support, but it ran into the buzzsaw of Amazon’s product development group, which Herrera claims copied their platform to build a competing product.

Undeterred, Herrera took some of the tools that FashioningChange had developed and morphed them into a business focused on online marketing to shoppers at the point of sale — helping sites like Cooking.com pitch products to people based on what their browsing history revealed about their intent.

By 2017, that business had also run into problems, and Herrera had to shut down the company. She sold her stuff and had headed down to Oaxaca, but kept thinking about the emergent cannabis industry that was taking off back in the U.S.

Herrera had a friend who’d been diagnosed with colon cancer and was taking medicinal marijuana to address side effects from the operation that removed his colon.

“When recovering from the removal of his colon, he’d run out of his homegrown medicine and go to dispensaries where he got the worst service,” Herrera wrote in an email. “He would ask for something for pain, nausea and sleep, and was always recommended the most expensive product or a product that was being promoted. He never got what he needed and had to self advocate for the right product while barely being able to stand.”

Herrera buckled down and did research throughout the course of 2018. She hit up pharmacies first as a customer, asking different “budtenders” for information about the product they were selling. Their answers were… underwhelming, according to Herrera. The next step was to talk to dispensary managers and research the weed industry.

By her own calculations, cannabis companies (including dispensaries and growers) will add roughly 300,000 jobs — most of them starting out at near-minimum-wage salaries of $16 per hour. Meanwhile, current training programs cost between $250 and $7,000.

That disconnect led Herrera to hit on her current business model — selling an annual subscription software for brands and dispensaries that would offer a training program for would-be job applicants. The training would give dispensaries a leg up for experienced hires, increasing sales and ideally reducing turnover that costs the industry as much as $438 million.

“The data is showing an average of a 30% turnover rate in 21 months,” says Herrera. “Looking at turnover and a lot of that comes down to bad hiring.”

The company is on its first eight customers, but counts one undisclosed, large, multi-state dispensary along with a few mom and pop shops.

Herrera also says that the service can reduce bias in hiring. Because dispensaries only hire candidates after they’ve completed the program, any unconscious bias won’t creep into the hiring process, she says.

Applicants interested in a dispensary can enroll in the dispensary “university” and once they complete the curriculum go through a standardized form to apply for the job.

Our  recommendation to run and get the best results is to pre-train, pre-screen and have the graduates unlock the ability to apply.”

Powered by WPeMatico

Daily Crunch: China pressures Apple

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. China attacks Apple for allowing Hong Kong crowdsourced police activity app

Apple’s decision to greenlight an app called HKmaps, which is being used by pro-democracy protestors in Hong Kong to crowdsource information about street closures and police presence, is attracting the ire of the Chinese government.

Specifically, an article in Chinese state mouthpiece China Daily attacks the iPhone maker for reversing an earlier decision not to allow the app to be listed on the iOS App Store.

2. What the hell is up with this Essential device?

Essential CEO Andy Rubin tweeted photos of what he called a “radically different formfactor” — basically, it’s a long, skinny phone.

3. Uber’s newest feature alerts drivers that pets will be joining the ride

With Uber Pet, riders will pay a “small surcharge” for the privilege of taking their pets with them. And drivers will have the option of avoiding trips with non-service animals by opting out of Uber Pet trips.

4. Twitter admits it used two-factor phone numbers and emails for serving targeted ads

Twitter finds itself in the same boat as Facebook, which last year was caught using phone numbers and email addresses — given to Facebook to secure users’ accounts — for targeted advertising.

5. Google’s Grasshopper coding class for beginners comes to the desktop

A larger screen and access to a keyboard makes learning to code on the desktop significantly easier than on mobile. For example, in the desktop app Google is able to put columns for the instructions, the code editor and the results next to each other.

6. Amazon, Walmart confront India’s slowing economy as holiday season growth stalls

Even India’s biggest festive season, featuring blinding marketing blitzkrieg and heavy discounts from Amazon India and Walmart’s Flipkart, has failed to escape the pains of a slowing economy.

7. With $15M round and 100K tablets sold, reMarkable CEO wants to make tech ‘more human’

The reMarkable tablet is a strange device in this era of ultra-smart gadgets, with a black and white screen meant for reading, writing and sketching — and nothing more. (Extra Crunch membership required.)

Powered by WPeMatico