Today's Topics:
1. Robot vacuum hacked .. photos, camera, audio (Stephen Loosley)
2. IronNet Crashes (Stephen Loosley)
----------------------------------------------------------------------
Message: 1
Date: Sat, 5 Oct 2024 02:06:00 +0000
From: Stephen Loosley <[email protected]>
To: link <[email protected]>
Subject: [LINK] Robot vacuum hacked .. photos, camera, audio
Message-ID:
<sy5p282mb4409548fcf0dd8e6135bf696c2...@sy5p282mb4409.ausp282.prod.outlook.com>
Content-Type: text/plain; charset="Windows-1252"
We hacked a robot vacuum, and could watch live through its camera
The largest home robotics company in the world has failed to fix security
issues with its robot vacuums despite being warned about them last year.
Without even entering the building, we were able to silently take photos of the
(consenting) owner of a device made by Chinese giant Ecovacs.
And then things got even creepier.
By Julian Fell, Friday 4 October 2024
https://www.abc.net.au/news/2024-10-04/robot-vacuum-hacked-photos-camera-audio/104414020
Robot vacuums rove unchecked through countless households, both in Australia
and around the world.
Sean Kelly, who has twin toddlers and a five-month-old baby, bought one to make
life easier while he and his wife raised their family.
Like thousands of other Australians, he chose one made by the largest home
robotics company in the world: Ecovacs.
Sean went with the company's flagship model, the Deebot X2, thinking it would
come with the best security money could buy.
He was wrong.
Sean Kelly purchased an Ecovacs robot vacuum in 2023.
His robot was vulnerable to being hacked from afar, and Ecovacs hadn't done
anything about it, despite being warned back in December 2023.
"It's like having a webcam that can roll around your house and look at your
family," he said.
"I didn't think that someone could just directly hack in and look through."
Having called him up to deliver the bad news, I had a question to ask of Sean.
Did he mind if I hacked into his robot myself?
A confession: I don't know how to hack.
That's why I needed help from Dennis Giese, a security researcher who has spent
the best part of a decade pulling apart robot vacuums.
He'd recently found a way to take control of a long list of Ecovacs robots,
including lawnmowers and Deebot vacuum cleaners, armed with only a smartphone.
[Photo caption: Dennis Giese is an independent security and privacy researcher.
Supplied: Matthew Modoono/Northeastern University]
And he didn't even have to touch them. He could do it entirely over Bluetooth,
from up to 140 metres away.
A few weeks after he announced his findings at a hacking conference in Las
Vegas back in August, I reached out to him over email, wondering if he could
help me do the same.
"I can build you a payload," he wrote back, which would let me "run anything"
on certain Bluetooth-enabled Ecovacs devices, including Sean's top-of-the-line
X2, a model that retails for $2,500.
Once I'd connected to the device over Bluetooth, he told me, I'd have full
access to the onboard computer, and, by extension, any sensors that were
connected to it.
"You can access all logs, WiFi credentials and have full network access," he
wrote via email. I would be able to access "the camera and microphone nodes".
On the fourth floor of a brutalist hulk of a building, with thick concrete
walls, Sean plugs in his robot vacuum.
Sean's wife was a "hard no" on allowing us to hack the device at their home,
for obvious privacy reasons. So we'd decided to test it in his work kitchen
instead.
Sean Kelly set up his robot vacuum on the fourth floor of an office building.
I'm sitting in a park just outside the window. From this far away, the
Bluetooth signal is weak; I have to edge closer to the fence to get a better
connection.
Sean's office is on a busy street near the centre of Brisbane, with passers-by
giving me strange looks as I hold my phone to the sky.
Soon, his device, helpfully labelled "ECOVACS" pops up on my phone.
And we're in business.
Upstairs, Sean is making himself a cup of coffee.
These photos of him start being streamed to my laptop, in real time.
As his robot starts moving around the room to clean, Sean's face is caught in
the shot.
It passes his ankles as he leans against the counter, doing its best to
navigate the unfamiliar office kitchen.
The robot fails to play its "camera recording" warning sound, that only seems
to play if the camera is accessed through the Ecovacs app.
When we peer through after hacking in remotely, those in the room get no
warning they're being watched.
Then again, Sean probably expects me to be watching him; he did consent to it
less than an hour ago.
But what he doesn't know is we'd built in a secret function for our
demonstration. And when the moment feels right, we let it loose.
"Hello Sean," says a robotic voice. "I'm waaaatching you."
Sean's eyes widen as his robot says his name, his entire body frozen still. He
lets out two short sharp laughs and then lapses back into silence for a moment.
[Photo caption: Sean Kelly laughs in surprise as his robot says it's watching
him. ABC News: Esther Linder]
"That's insane," he gasps, still looking at it. It's as if he doesn't recognise
his own robot anymore.
It's been roving around his house unchecked for the better part of a year,
potentially offering enterprising hackers a window to peer through.
"There's me," says Sean as I show him the photos on my laptop afterwards.
"That's the view from the [robot's] camera.
"I didn't even realise Bluetooth went that far," he says, glancing out the
window. "We're up on the fourth floor here."
While I was connecting to Sean's robot from the park outside that window, the
real hacking was happening from the other side of the planet.
In Germany, Giese had stayed up to an ungodly hour to help pull the strings.
There were a few false starts, but then, it worked.
Julian Fell
Ok sent [the payload]. Anything?
Dennis Giese
Haha I am in
Let me steal the data
He was kidding about stealing Sean's data. But he was entirely serious about
having taken control of the robot's onboard computer.
The photos were streaming to his server in the US, and he was seeing them, from
his apartment in Berlin, at the same time I was.
"Nice office," he texted me.
"I was surprised to see the robot moving around and still have camera access,"
Giese said later.
Once I'd sent the initial command via Bluetooth to gain access, there was no
need for either of us to be anywhere near the robot in order to keep watching
through its camera.
Not all the vulnerabilities Giese has found have been equally problematic, both
for Ecovacs and other brands. Many required physically connecting to the
robots, or even pulling them apart to get at their insides.
He doesn't report the low-risk threats. But this one was especially sensitive.
Giese quickly notified Ecovacs, saying he'd found a serious security flaw that
could be carried out remotely. (He omitted specific details as he didn't want
to reveal them over an insecure channel and still has not published them
publicly).
That was in December 2023. Ten months ago.
"We never heard back," he says.
Until he went public with his findings, that is.
"The company kind of woke up and were like, 'Oh yeah, yeah, we somehow missed
the e-mail like in December'.
"For a billion-dollar company, who is a market leader nowadays, that's a little
bit worrisome."
Giese's interest lies in gaining access to the devices, not spying on people
with them.
Still, it only took him a "couple of hours" to work out how to take the photos,
send them to his own server, and play a custom audio recording through its
speakers.
At one point in our experiment, Giese seemed to get impatient with his hastily
written script.
He jokingly suggested "bricking" (which means permanently disabling a computer)
Sean's device, a sign of how much damage he could do without either of us
having laid eyes on the thing.
Dennis Giese
Okay, let me do something scary. Should I brick his robot?
Julian Fell
Hahaha no no. [We] need to do the hack right
And, in the end, we put things right. No trace was left on Sean's device, and
he took his robot home, spooked as he was about what it all meant for his
family's privacy.
"I've started just tossing a little dishcloth on it when it's not in use," he
said.
It was a wake-up call for Sean, but risks to privacy in the modern world go far
beyond a single product.
"People don't think of their dishwasher as a robot," says Dr Donald Dansereau,
senior lecturer at the Australian Centre for Robotics at the University of
Sydney.
We live in a "camera-rich society", he says. "Robot vacuums get a lot of flak
because they're so visible.
"When you go outside, you see cars driving around with all kinds of cameras on
them. The cameras are always on, always watching."
And when there are cameras everywhere, it raises questions about how secure the
footage is.
Ecovacs initially said its users "do not need to worry excessively" about
Giese's findings.
After he first revealed the vulnerability in public, the company's security
committee downplayed the issue, saying it requires "specialised hacking tools
and physical access to the device".
It's hard to square their statement with the reality. All it had taken was my
$300 smartphone, and I hadn't even laid eyes on Sean's robot until after
hacking into it.
Ecovacs eventually said it would fix this security issue. At the time of
publication, only some models have been updated to prevent this attack.
Several models, including the latest flagship model released in July this year,
remain vulnerable.
[Photo caption: The Ecovacs X2 is vulnerable to hacking from over 100 metres
away. ABC News: Esther Linder]
Clearly, Sean's robot is one of them. And yet, he hasn't been warned by the
company about the security flaws affecting his device.
After I told Ecovacs about our experiment, a company spokesperson said an
update would be made available for the X2 in November 2024.
"Ecovacs has always prioritised product and data security, as well as the
protection of consumer privacy," they said in a statement.
"We assure customers that our existing products offer a high level of security
in daily life, and that consumers can confidently use Ecovacs products."
Know something about Ecovacs' security problems? Drop me a line at
[email protected]. (PGP Key is available on my author page).
One isolated vulnerability isn't the "scary part"
After completing the hack, I set out to answer an obvious question: Who's in
charge of making sure these internet-connected devices are actually secure?
It turns out Australia has no mandatory rules for ensuring smart devices aren't
able to be hacked.
Last year, the Department of Home Affairs released a voluntary code of practice
where compliance is "encouraged but optional".
This means that companies that make devices for sale in Australia, including
Ecovacs and other home robotics companies, aren't required to test that their
products are safe from even the simplest of vulnerabilities.
However, Ecovacs did in fact have the X2 tested, and certified as secure, by a
German company called TÜV Rheinland.
[Photo caption: Ecovacs advertises that its robots are certified by TÜV
Rheinland. ABC News/Ecovacs]
It was tested against a cybersecurity standard with the catchy, technical title
of ETSI EN 303 645, which is being suggested for partial adoption as part of
Australia's Cyber Security Strategy.
Most home robotics companies, including Ecovacs, Xiaomi, iRobot, and Roborock,
routinely have their products certified to this standard, and many countries
require it as a baseline requirement.
And this, says Giese, is the "scary part".
He found that Ecovacs devices were extremely vulnerable to hacking despite
being certified as secure.
"If their robots are broken like that," he asks, "how does their backend
[server] look?"
Giese found these security flaws in his spare time. And so did Braelynn Luedtke
and Chris Anderson, two other independent researchers.
So, why didn't the multinational company that was meant to be testing it?
I reached out to TÜV Rheinland to find out.
In response to my queries about the testing processes, TUV Rheinland's
Alexander Schneider directed me to a digital certificate, which contained an
almost complete absence of detail about how it was actually tested.
"We are confident that our tests met all aspects of the standard," said
Schneider in a statement.
Giese disputes this. He claims that at least five of the standard 13 provisions
weren't met by the Ecovacs X2 when he tested it.
The vulnerabilities that Giese found were not examined as part of the testing,
wrote Schneider, "as it falls within the scope of professional hacking attacks".
What he's saying is that TUV Rheinland's certification doesn't promise to
prevent cyber attacks by serious hackers.
But isn't that exactly who is most likely to carry them out?
Seeking a second opinion
Lim Yong Zhi, a former cybersecurity tester at rival certification company TÜV
SÜD, has hands-on experience certifying robot vacuums to the same standard.
He says the testing process is largely "left open for interpretation" by
certification companies.
In his view, it does not require that testers cover "in-depth or professional
attacks".
[Photo caption: Lim Yong Zhi (third from right) was a cybersecurity tester at
TÜV SÜD for five years. Supplied: Lim Yong Zhi]
"These products face very tight timelines to launch onto the market," Lim
explained.
While the standard specifies that common security features must be present, he
says, there is no explicit requirement that they are implemented correctly.
"It depends on the experience of the laboratory as well as the personnel who is
handling the device for cyber security testing."
And it's only meaningful at one snapshot in time. Often, testing is done before
the product is released, while new, unforeseen cyber threats are emerging all
the time.
The software that runs on smart devices needs to be updated regularly to keep
up with the latest known issues. And each new version of the software uploaded
to the robot can potentially introduce new vulnerabilities.
It would be impractical to independently test each new version, says Lim, as it
can take months to complete the process.
Given this, he believes product labelling that shows devices meet certification
standards may provide a "false sense of security" to consumers.
"Of course, it is very difficult. There's no way to tell if [the devices] are
secure."
A spokesperson from Australia's Department of Home Affairs says the government
plans to introduce mandatory security standards for smart devices, with
enforcement provisions planned to "prevent non-compliant devices from being
sold in Australia".
They did not comment on the effectiveness of the ETSI EN 303 645 standard,
which has been mentioned in public consultation materials as a potential
baseline for adoption.
"As the security needs of different types of smart devices evolve, so too will
the Australian government ensure the appropriate security standards apply to
them."
The Ecovacs spokesperson noted that the company is "proactively exploring more
comprehensive testing methods".
For Dennis Giese, the most concerning aspect of the Bluetooth attack is how
hard it is to detect.
"If you do it in a very silent way, [the victim] would never figure it out," he
says.
The warning sound does not play. The vacuum robot continues to clean as normal.
And it leaves no trace on the device afterwards.
All of this combines to mean there's no way of knowing if shady organisations
are already using it for nefarious purposes.
Giese does this work in his spare time, spending his own money on robots to
test.
"Imagine you have a whole department of people who are kind of doing that stuff
like all day long," he says.
And then, one day after going public with his findings, he didn't have to
imagine anymore.
An employee of a notorious CIA contractor approached him, and asked a haunting
question.
"[He] said, 'hey, do you think we can use... the cameras and microphones to
find people?'"
Credits:
Reporting: Julian Fell
Editing: Matthew Liddy
Photography: Esther Linder
Odyssey format by ABC News Story Lab
--
------------------------------
Message: 2
Date: Sat, 5 Oct 2024 04:52:12 +0000
From: Stephen Loosley <[email protected]>
To: link <[email protected]>
Subject: [LINK] IronNet Crashes
Message-ID:
<sy5p282mb44091a876e0406e68820b9b1c2...@sy5p282mb4409.ausp282.prod.outlook.com>
Content-Type: text/plain; charset="Windows-1252"
Collapse of US national security elite cyber-firm leaves bitter wake
By ALAN SUDERMAN October 4, 2024
https://apnews.com/article/keith-alexander-ironnet-cybersecurity-nsa-bankruptcy-eddd67f3a1b312face21c29c59400e05
WASHINGTON (AP) The future was once dazzling for IronNet.
Founded by a former director of the National Security Agency and stacked with
elite members of the U.S. intelligence establishment, IronNet promised it was
going to revolutionize the way governments and corporations combat cyberattacks.
Its pitch, combining the prowess of ex-government hackers with cutting-edge
software, was initially a hit.
Shortly after going public in 2021, the company's value shot past $3 billion.
Yet, as blazing as IronNet started, it burned out.
Last September the never-profitable company announced it was shutting down and
firing its employees after running out of money, providing yet another example
of a tech firm that faltered after failing to deliver on overhyped promises.
The crash has left behind a trail of bitter investors and former employees who
remain angry at the company and believe it misled them about its financial
health.
The rise and fall of IronNet also raises questions about the judgment of its
well-credentialed leaders, a who's who of the national security establishment.
National security experts, former employees and analysts told The Associated
Press that the firm collapsed, in part, because it engaged in questionable
business practices, produced subpar products and services, and entered into
associations that could have left the firm vulnerable to meddling by the
Kremlin.
"I am honestly ashamed that I was ever an executive at that company," said Mark
Berly, a former IronNet vice president.
He said the company's top leaders cultivated a culture of deceit "just like
Theranos," the once highly touted blood-testing firm that became a symbol of
corporate fraud.
The IronNet collapse ranks as one of the most high-profile flameouts in the
history of cybersecurity, said Richard Stiennon, a longtime industry analyst.
The main reason for its fall, he said: "hubris."
"The company got what was coming to" it, Stiennon said.
IronNet and top former company officials either declined to comment or did not
respond to requests for comment.
IronNet's founder and former CEO Keith Alexander is a West Point graduate who
retired as a four-star Army general and was once one of the most powerful
figures in U.S. intelligence.
He oversaw an unprecedented expansion of the NSA's digital spying around the
world when he led the largest U.S. intelligence agency for nearly a decade.
Alexander, who retired from the government in 2014, remains a prominent voice
on cybersecurity and intelligence matters and sits on the board of the tech
giant Amazon. Alexander did not respond to requests for comment.
The IronNet board has included Mike McConnell, a former director of both the
NSA and national intelligence; Jack Keane, a retired four-star general and Army
vice chief of staff, and Mike Rogers, the former Republican chairman of the
House Intelligence Committee who is running for the U.S. Senate in Michigan.
One of the first IronNet presidents and co-founder was Matt Olsen, who left the
company in 2018 and leads the Justice Department National Security Division.
The reputation of Alexander and the company's all-star lineup ensured IronNet
stood out in a competitive market as it sought contracts in the finance and
energy sectors, as well as with the U.S. government and others in Asia and the
Middle East.
IronNet marketed itself as a kind of private version of the NSA. By scanning
the networks of multiple customers, the company claimed, IronNet's advanced
software and skilled staff could spot signals and patterns of sophisticated
hackers that a single company could not do alone. The company dubbed the
approach the Collective Defense Platform.
The South African
Venture capital firms were eager to invest. Among IronNet's biggest early
boosters was C5 Capital, an investment firm started and run by Andre Pienaar, a
South African who had spent years serving the needs of the ultra-rich while
cultivating business relationships with former top national security officials.
C5 operating partners, essentially expert advisers, include former Chairman
of the U.S. Joint Chiefs of Staff Mike Mullen and Sir Iain Lobban, who used to
lead the U.K.'s signals intelligence agency equivalent to the NSA. Former C5
operating partners include National Cyber Director Harry Coker Jr. and Ronald
Moultrie, who resigned earlier this year as undersecretary of defense for
intelligence and security.
Prior to going into venture capital, Pienaar was a private investigator and
started a firm called G3 Good Governance Group whose clients included blue chip
companies, wealthy individuals and the British royal family. Pienaar also
worked at the time to help Russian oligarch Viktor Vekselberg cement
relationships with the London rich and famous, according to William Lofgren, a
former CIA officer and G3 co-founder.
"The relationship was steady and frequent because both Andre and Vekselberg saw
merit in it," said Lofgren.
Pienaar also helped Vekselberg win a share of a South African manganese mine in
2005 and then later served as one of the oligarch's representatives on the mining
board of directors until early 2018, internal G3 records and South African
business records show.
Vekselberg has been sanctioned twice by the U.S. government, first in April
2018 and again in March 2022. The U.S. Treasury Department has accused him of
taking part in "soft power activities on behalf of the Kremlin."
In 2014, the FBI publicly warned in an op-ed that a Vekselberg-led foundation
may be "a means for the Russian government to access our nation's sensitive or
classified research."
Pienaar's long association with Vekselberg should have disqualified him from
investing in IronNet, which was seeking highly sensitive U.S. defense
contracts, former intelligence officials said.
The company's leaders "absolutely should have known better," said Bob Baer, a
former CIA officer.
He added that Russian intelligence services would have had a strong interest in
a company like IronNet and have a history of using oligarchs like Vekselberg to
do their bidding, either directly or through witting or unwitting proxies.
Pienaar also sponsored a swanky Russian music festival that Vekselberg and a
close associate, Vladimir Kuznetsov, put on in Switzerland. Kuznetsov, who
served as a key investment adviser to Vekselberg, was also an investor in
Pienaar's investment firm.
Alexander and others at IronNet either did not know the details of Pienaar's
relationships with Vekselberg or did not find them troubling: A month after
Vekselberg was first sanctioned in 2018, Pienaar joined the IronNet board and
C5 announced it was putting in a $35 million investment.
C5's investment would grow to $60 million by the time IronNet went public, giving
the investment firm around a 7% stake in the company.
Vekselberg did not respond to requests for comment. Kuznetsov told the AP he
stopped speaking to Pienaar about five years ago but did not say why.
"I'm not commenting on that," Kuznetsov said.
Pienaar's attorneys said he has never had a relationship with Vekselberg. The
lawyers said the mine filings with the South African government regulatory
agency that listed Pienaar as a director were incorrect and should be "viewed
as suspect" because news reports indicated the agency has been hacked.
Pienaar filed a defamation lawsuit last year against an Associated Press
reporter who sought interviews with Pienaar's former associates. The AP said
the suit, which remains pending, was meritless and an attempt to stifle
legitimate reporting.
The fall
Not long after Alexander rang the opening bell at the New York Stock Exchange
in September 2021, the IronNet stock price soared, making its founders and
early investors extremely wealthy on paper.
Top officials were prohibited from unloading their stock for several months,
but Alexander was allowed to sell a small amount of his shares. He made about
$5 million in early stock sales and bought a Florida mansion worth the same
amount.
IronNet was projecting exponential growth that required the company to land a
handful of major contracts, according to confidential board documents obtained
by the AP.
Those prospective deals included one valued at up to $10 million to provide
cybersecurity for the U.S. Navy contractors and a more than $22 million deal
with the government of Kuwait.
It did not take long for IronNet's promises to slam into a tough reality as it
failed to land large deals and meet revenue projections. Its products simply
did not live up to the hype, according to former employees, experts and
analysts.
Stiennon, the cybersecurity investing expert, said IronNet's ideas about
gathering threat data from multiple clients were not unique and the biggest
company draw was Alexander's aura as a former NSA director.
The AP interviewed several former IronNet employees who said the company hired
well-qualified technicians to design products that showed promise, but
executives did not invest the time or resources to fully develop the technology.
When IronNet tried to land contracts with the NSA, officials dismissed the
company's offerings as unserious, according to a former member of U.S. Cyber
Command who was at the meeting but not authorized to discuss government
procurement proceedings publicly.
The failure to win large contracts quickly derailed IronNet's growth plans. In
December 2021, just a few months after going public, IronNet downgraded its
annual recurring revenue projections by 60%.
Another sign that things were not well: IronNet and C5 were engaging in a
questionable business practice in an apparent effort to juice the cybersecurity
firm's revenues, according to C5 records and interviews with former employees at
both firms.
In addition to being a major investor, C5 was also one of IronNet's biggest
customers, accounting for a significant part of the cybersecurity firm's revenue
when it went public.
C5 had signed two multi-year customer contracts with IronNet for $5.2 million,
according to internal C5 records.
Contracts of that size were typical for large clients with thousands of
employees, not a small investment firm like C5 that had a couple dozen
employees and partners, former IronNet employees said.
"That is an inflated number," said Eddie Potter, a former top sales executive
at IronNet, when told by the AP of the size of C5's contracts with IronNet. He
added there was "no way" that C5 required services "worth $5 million."
Indeed, one C5 internal record obtained by the AP shows it budgeted only about
$50,000 a year for IronNet's services.
Pienaar's attorneys said C5's contracts with IronNet were to help protect the
U.K. government's hospitals and other entities against "escalating cyberattacks
during the COVID-19 pandemic." His attorneys said the work was coordinated
through a charity Pienaar and C5 created in 2020.
Securities and Exchange Commission filings and C5 records show C5's contracts
with IronNet were signed in the summer and fall of 2019, several months before
the onset of the coronavirus pandemic. The Pienaar attorneys said Alexander and
Pienaar were "briefed on the shocking scale of hostile nation-state
cyberattacks on hospitals" in 2019, which created the "foundation" for IronNet's
work with C5.
Pienaar's charity never registered with the IRS, as one of the Pienaar companies
claimed in U.K. business filings, and former C5 and IronNet officials said they
did not see it do any substantive work.
"It was marketing, fluffy crap," said Rob Mathieson, a former IronNet vice
president.
The Pienaar attorneys said his charity was successful but there was
"insufficient time" for it to register with the IRS.
After reporting millions in revenue from C5 from 2020 to 2023, IronNet wrote
off $1.3 million from C5 in what the cybersecurity firm claimed was "bad debt,"
IronNet filings with the SEC show. Pienaar's attorneys said the write-off
represented a reduction in the cost of providing services to his charity and
denied that C5 had not fulfilled its financial obligations to IronNet.
IronNet was not alone in having trouble getting money from Pienaar and his
firms.
A group of nuns sued C5 in 2022, court records show, alleging it failed to
return their $2.5 million investment in a tech incubator that Pienaar had
promoted as a way to boost socially conscious start-ups. C5 agreed to refund
the nuns' investment, plus attorney fees and expenses, to settle the lawsuit,
records show. The nuns' financial adviser, Carolyn LaRocco, told the AP that
Pienaar used the nuns' investment to pay expenses she believed were unwarranted.
An affiliate of the United States Institute of Peace, a nonprofit established
by Congress, sued Pienaar in 2020 after he failed to pay a promised $1.5
million personal donation, federal court records show. The nonprofit affiliate
then took Pienaar back to court after he failed to make payments on time as
part of a settlement. Pienaar used $500,000 from a C5 bank account to meet a
court-ordered deadline for payment, court records show. C5 staff were concerned
about Pienaar's use of the firm's funds to cover his personal debt, according
to C5 records.
In the last year, Pienaar-controlled entities have been sued by a top former
CIA executive who alleged C5 owed him back wages and a Washington landlord who
accused Pienaar's firms of failing to pay more than $140,000 in rent and
associated costs. The suits were dismissed soon after they were filed,
indicating the parties likely settled, court records show. A lawsuit recently
filed by a financial services firm alleges C5 owes it more than $1 million in
unpaid debts.
The crash
After slashing revenue projections in December 2021, Alexander tried to project
confidence and said IronNet was still on track to see its revenue rise.
It did not work. IronNet stock went into a prolonged skid and the company
underwent multiple rounds of layoffs.
In April 2022, the company was hit with a class-action lawsuit from investors
who alleged IronNet had fraudulently inflated its revenue projections to boost
its stock price.
The company has denied any wrongdoing but recently agreed to pay $6.6 million
to settle the lawsuit, according to a proposed settlement filed in federal
court. Alexander told Bloomberg News this past January that IronNet's troubles
stemmed in part from his naivety about how the business world worked.
C5 began loaning money to IronNet to keep it afloat starting at the end of 2022
while Pienaar continued to try and boost the company's brand.
In September of last year, IronNet announced it had run out of money and was
closing its doors.
A Pienaar-controlled entity stepped in shortly afterwards with $10 million in
loans to allow the company to restructure via bankruptcy.
A dramatically scaled-down version of IronNet led by Pienaar allies went
private in February and announced Alexander had stepped down as chairman of the
board.
Pienaar remains bullish on the company, which he said continues to successfully
protect clients in the U.S. and Europe from cyber threats. More recent IronNet
activities have included looking to partner with the government of Ukraine.
"Any accusation that IronNet has been anything other than successful is
categorically false," his attorneys told the AP.
Many C5 investors and former employees are baffled by Pienaar's continued heavy
bets on IronNet after it has been soundly rejected by the market.
During bankruptcy proceedings earlier this year, an investment bank approached
114 prospective buyers for IronNet, federal court records show. None of them
made an offer.
By ALAN SUDERMAN. Suderman is an Associated Press investigative reporter
interested in national security, cybersecurity and other related topics.
--
------------------------------