Generative AI has vastly expanded the toolkit available to hackers and other bad actors. It’s now possible to do everything from deepfaking a CEO to creating fake receipts.
OpenAI, the biggest generative AI startup of them all, knows this better than anyone. And it has just invested in another AI startup that helps companies defend against these kinds of attacks.
New York-based Adaptive Security has raised a $43 million Series A co-led by OpenAI’s startup fund and Andreessen Horowitz, it announced Wednesday. This marks OpenAI’s first investment in a cybersecurity startup, OpenAI confirmed to TechCrunch.
Adaptive Security simulates AI-generated “hacks” to train employees to spot these threats. You might pick up the phone to listen to the voice of your CTO asking for a verification code. That wouldn’t be your actual CTO, but a spoof generated by Adaptive Security.
Adaptive Security’s platform doesn’t just spoof phone calls: It also covers texts and emails, while scoring which parts of a company might be most vulnerable and training staff to spot the risks.
The startup focuses on hacks that require a human employee to do something they’re not supposed to, like click on a bad link. These kinds of “social engineering” hacks, while basic, have led to huge losses — think of Axie Infinity, which lost over $600 million due to a fake job offer for one of its developers in 2022.
AI tools have made social engineering hacks easier than ever, co-founder and CEO Brian Long told TechCrunch. Launched in 2023, Adaptive now has over 100 customers, with Long saying positive feedback from them helped attract OpenAI to the cap table.
It doesn’t hurt that Long is a veteran entrepreneur with two previous successes: mobile ad startup TapCommerce, which he sold to Twitter in 2014 (reportedly for over $100 million) and ad-tech firm Attentive, which was last valued at over $10 billion in 2021 according to one of its investors.
Long told TechCrunch that Adaptive Security will use its latest funding mostly on hiring engineers to build out its product and keep up in the AI “arms race” against bad actors.
Adaptive Security joins a long list of other cyber startups working on the boom in AI threats. Cyberhaven just raised $100 million at a $1 billion valuation to help stop staff from putting sensitive info in tools like ChatGPT, Forbes reported. There’s also Snyk, which partly credits the rise of insecure AI-generated code for helping push its ARR north of $300 million. And deepfake detection startup GetReal just raised $17.5 million last month.
As AI threats become more sophisticated, Long has one simple tip for company employees worried about getting their voice cloned by hackers. “Delete your voicemail,” he recommends.
Keep reading the article on Tech Crunch
Ballistic Ventures, the VC firm co-founded by Ted Schlein (known for his years at Kleiner Perkins), is raising $100 million for a new fund, TechCrunch has learned through a regulatory filing.
This week, the San Francisco-based VC firm filed with the U.S. Securities and Exchange Commission to raise the new fund, just over a year after closing its second fund, sized at $360 million.
Founded in late 2021, Ballistic targets cybersecurity startups. In an earlier interview, Schlein (pictured above, fourth from left to right) told TechCrunch that the Ballistic crew, with its years of experience, is very hands-on. They take board seats, help with hiring and with landing the first 10 customers, talking to their portfolio founders “many times a week.” The team brings a large network of contacts to their portfolio companies, Schlein said.
Alongside Schlein, the firm has four other general partners: Kevin Mandia, Barmak Meftah, Jake Seid, and Roger Thornton. Last year, it appointed former USPS CISO Gregory Crabb as CISO-in-residence to fill the position of David Hahn, who was promoted to Ballistic’s CISO operating partner.
Ballistic has so far invested in 59 startups, per Crunchbase, with GetReal Labs’ $17.5 million Series A round being the latest — announced last week. The firm also made six exits.
Venture funding in cybersecurity grew 43% year-over-year to $11.6 billion in 2024, with 639 deals closed, compared to 821 in 2023, per a report by Crunchbase News.
Ballistic declined to comment on the fundraising.
Keep reading the article on Tech Crunch
Consumer-grade phone surveillance apps aren’t only intended to stay stealthy; some of these apps are also making it increasingly difficult to remove them.
TechCrunch has identified a stealthy phone monitoring app for Android that requires a password to uninstall, effectively blocking Android device owners from being able to remove the app.
The spyware app, which we’re not naming so as to not give it any publicity, relies on whoever is planting the app to enable a built-in feature in Android that allows apps to “overlay” content on top of all other apps. Once granted this permission, the spyware app uses this overlay access to forcibly display a password prompt whenever the user tries to uninstall or deactivate the app through Android’s settings.
Worse, the password to uninstall this spyware is set by whoever planted it.
There is a solution. TechCrunch’s own testing found that rebooting an affected Android device into “safe mode” temporarily prevents third-party apps from loading, including the spyware, allowing affected individuals to remove the app without the password prompt appearing.
This consumer-grade spyware app is part of a growing ecosystem of phone monitoring offerings, which promote and sell their apps under the guise of allowing parents to monitor their children’s phone activities or companies to track their employees. But these apps also go by the term “stalkerware” (or “spouseware”), as many also explicitly promote their apps as a way to snoop on their spouse or romantic partner without their consent, which is illegal.
These spyware apps are typically downloaded from outside of the official Android app store and planted by a person with physical access to a person’s phone, usually with knowledge of their passcode.
Once installed, these apps deliberately hide their app icons from the victims’ home screen to stay stealthy, all while continually uploading the person’s phone contents — including their text messages, photos, and real-time location — to a web dashboard that the abuser can access.
Often, the only way to identify the app is by looking through certain Android device settings that are commonly configured for facilitating covert device monitoring, and then identifying the specific app to remove.
But in the case of this particular spyware app, the password pop-up blocks the ability to uninstall unless the correct password is entered.
It’s quick and easy to check to see if your Android device is compromised by consumer-grade spyware. Remember that it’s important to have a safety plan in place before proceeding, as removing spyware will likely alert the person who planted it.
TechCrunch has a general Android spyware removal guide that can help to identify and remove common types of phone spyware and stalkerware, and switch on the correct settings to secure your Android device.
This particular spyware may not appear as a home screen icon, but it will still appear in your list of installed apps as a nondescript app called “System Settings,” featuring a default Android icon, likely in an effort to blend in with Android’s built-in apps.
The spyware app also takes advantage of another built-in Android feature called “device admin,” which allows companies to remotely manage their employees’ phones, but is also frequently abused by spyware apps to allow broad access to a victim’s device and data. If you see a device admin app enabled on your device that you don’t recognize, it may be a spyware app. Attempting to uninstall the app may also present a password prompt.
However, rebooting an Android device into “safe mode” permits only Android core system apps to run by default, allowing for users to troubleshoot or remove buggy or problematic apps. (A thread on Stack Exchange from 2016 confirms this technique.)
TechCrunch tested and checked this process on several virtual Android devices, which we planted with the spyware. The virtual devices allow us to run the apps in a protected sandbox without having to give any real-world data, such as our location.
Before you proceed: Note that entering safe mode, and the following steps to identify and remove spyware apps, may vary by Android device model and software version.
Generally, you can hold down the Android device’s power button until a set of options appear on your screen, then touch and hold the “power off” button, which will then display a prompt asking if you want to “reboot to safe mode.” Select OK, then wait until your device restarts.
Your Android device will display “safe mode” in the corner of your screen when your device successfully boots into safe mode.
From here, you can find the offending spyware app by looking in your Android settings for any installed “device admin” apps. If you have a device admin app that you don’t recognize, you can toggle the switch off, and then select “deactivate & uninstall” from the device admin app settings.
Once the spyware app is removed as a device admin, you can then uninstall the app completely from your device. You can do this by opening your Android settings and then “Apps.”
From here, you will be able to identify the named spyware app from the list of installed apps on your device. While looking at the app info screen in safe mode, you should be able to select “uninstall,” then hit “OK” once you are prompted to remove the app.
(As an aside, Android will not let you uninstall from this screen any system app that is critical to your device’s functioning.)
At this point, the spyware is now removed. Forcibly stopping and removing a spyware app will likely alert the person who planted the app that it no longer works.
To exit Android safe mode and return your device to its normal state, you can restart your device by holding down the power button and selecting “restart.”
You should also make immediate steps to secure your device, such as by setting a longer, unique passcode, or an alphanumeric password, to prevent physical access in the future. You may also want to secure any web accounts that you have on your device, including your Google account, to prevent any further misuse.
—
If you or someone you know needs help, the National Domestic Violence Hotline (1-800-799-7233) provides 24/7 free, confidential support to victims of domestic abuse and violence. If you are in an emergency situation, call 911. The Coalition Against Stalkerware has resources if you think your phone has been compromised by spyware.
Keep reading the article on Tech Crunch
The company claims the issue has been fully resolved.
A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years.
The fediverse, also known as the open social web that includes Mastodon, Meta’s Threads, Pixelfed, and other apps, is ramping up its security. On Wednesday, a nonprofit focused on bringing governance to open source projects, the Nivenly Foundation, announced the launch of a new security fund that will pay those who responsibly disclose security vulnerabilities that affect fediverse apps and services.
While all software can have security issues, Mastodon — an open source and decentralized alternative to X — has fixed numerous bugs over the years, leading to the need for such a program. Another issue found in the fediverse is that many servers are run by independent operators who don’t necessarily have a security background or understand best practices.
Already, the Nivenly Foundation has helped a few fediverse projects set up their basic security vulnerability reporting process, and now it’s looking to distribute small payouts to anyone who responsibly discloses other security vulnerabilities that may still be in the wild.
The payouts will total $250 for vulnerabilities with a vulnerability severity score (known as CVSS) of 7.0-8.9 and $500 for more critical vulnerabilities with a CVSS score of 9.0 or greater. The funds for the payouts come from the foundation, which is supported directly by members that includes individuals as well as other trade organizations.
The vulnerabilities themselves are validated by acceptance from the fediverse project leads as well as public records in vulnerability disclosure (CVE) databases.
The fund is currently in a limited trial after the discovery of a security vulnerability in the decentralized Instagram alternative, Pixelfed. Open source contributor Emelia Smith came across the issue, and the Nivenly Foundation paid her to fix it, she explains.
A more recent issue came about when Pixelfed’s creator, Daniel Supernault made the details of a vulnerability public before server operators had a chance to update, which would have left the fediverse vulnerable to bad actors, she says. (Supernault has already apologized publicly for his handling of the issue that had affected private accounts.)
“Part of the program is…education for project leads, helping them understand why responsible disclosure practices for security vulnerabilities are important,” Smith told TechCrunch. “We came across several projects that just said ‘file security vulnerabilities in our public issue tracker,’ which absolutely isn’t safe, as any malicious actor watching that repository would now be able to attack instances of that software,” she added.
Typically, the common practice is to disclose minimal information about a vulnerability, giving server operators time to upgrade, Smith said. However, this requires that project leads understand security best practices.
In the case of the Pixelfed issue, for instance, the Hachyderm Mastodon server, which has over 9,500 members, decided it needed to defederate (or disconnect from) other Pixelfed servers that hadn’t been updated in order to protect their users.
With this new program designed to follow best practices around the disclosure of vulnerabilities, the need to defederate to protect users may become less common.
Keep reading the article on Tech Crunch