Seattle cybersecurity startup Critical Informatics raises $9.6M and gets a new name — CI Security

2:30pm, 22nd April, 2019
CI Security’s Kraken Signal on the wall of its office. (CI Security Photo)

A cybersecurity startup that pairs software with analysts who review and investigate attacks raised $9.6 million to continue battling intrusions against companies of all sizes, as well as healthcare and government organizations.

CI Security CEO Garrett Silver. (CI Security Photo)

In addition to the cash infusion, the company has changed its name from to . CEO Garrett Silver said the new name doesn’t mean a major shift in the business is on the way. It’s more about simplicity and reflecting the company’s core priorities and Critical Insight platform.

“It gives customers critical insight into the threats they’re facing so we can help them manage, detect and respond,” Silver said of the company’s offerings.

The new Series B round, led by a previous investor in Alan Frazier’s , brings the company to nearly $16 million in lifetime funding. The company has 68 employees, with its home office in Seattle and security operations centers in Bremerton and Ellensburg, Wash. The company is planning to expand the security centers, and the new funding round will help with that.

Security and tech giants like ADT and Cisco Systems are in the “Managed detection and response” market that includes CI Security. One place where CI Security stands out, Silver says, is its offerings for healthcare and government organizations.

The company’s office in Bremerton, Wash. (CI Security Photo)

“Core to our mission is defending organizations that protect the health of our communities,” Silver said. “We’re seeing growth in our healthcare customer base as well as growth in our public sector customer base. We’re honored to be defending hospitals, clinics, cities, ports, and school districts. We want to help those organizations keep patients alive, keep the lights on, and keep our water clean.”

Citing predictions from Silver said companies spent $96 billion on cybersecurity technology in 2018, yet attacks continue to impact organizations of all kinds. One big problem is a major shortage of qualified cybersecurity experts in the field, Silver said. CI Security’s technology is meant to amplify its human talent, not solve every problem on its own.

Silver claims CI Security experts can spot attacks and help remove them much faster than the competitors: “in hours or minutes instead of months.”

“There are threats every day like phishing, crypto-mining, and malicious intruders,” Silver said. “When those threat actors get into a system, the industry standard is that it often takes months or years to detect them — the average is about 200 days. That’s not acceptable.”

Lenovo Watch X was riddled with security bugs, researcher says

4:15pm, 11th February, 2019
Lenovo’s Watch X was widely panned as As it turns out, so was its security.

The low-end $50 smart watch was one of Lenovo’s cheapest smart watches. It is available only in the China market, so anyone who wants one has to buy it directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. But it didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts, and spoof phone calls.

Because the smart watch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.

“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”

The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account, he said.

Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, it might not be a red flag to natives. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.

Yalon’s research wasn’t just limited to the leaky API. He found that the Bluetooth-enabled smart watch could also be manipulated from nearby, by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.

Using a similar malicious Bluetooth command, he could also set the alarm to go off — again and again. “The function allows adding multiple alarms, as often as every minute,” he said.

Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.

“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

Yalon said that encrypting the traffic between the watch, the Android app, and its web server would prevent snooping and help reduce manipulation.

“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.