Archive for the month of January 2017

How Whatsapp spies on Your Messages – WhatsApp Retransmission Vulnerability

According to Tobias Boelter (tobias@boelter.it)

Download the Slides from Tobias here: Whatsapp Slides from Tobias Boelter

Setting: Three phones. Phone A is Alice’s phone. Phone B is Bob’s phone. Phone C is the attacker’s phone.

Alice starts communicating with Bob and, being a good human, of course meets Bob in person so that they can verify each other’s identities, i.e. confirm that the key exchange was not compromised.

Remember, Alice encrypts her messages with the public key she has received from Bob. But this key is sent through the WhatsApp servers, so she cannot know for sure that it is actually Bob’s key. That is why they use a secure channel (the physical meeting) to verify it.

Now Alice sends a message to Bob, and then another one. This time the message does not get delivered, for example because Bob is offline or because the WhatsApp server simply does not forward it.


Now the attacker comes in. He registers Bob’s phone number with the WhatsApp server (by attacking the vulnerable GSM network, by putting WhatsApp under pressure, or by being WhatsApp itself).

Alice’s WhatsApp client will now automatically, without any interaction from Alice, re-encrypt the second message with the attacker’s key and send it to the attacker, who receives it:


Only after the fact is a warning displayed to Alice (and only if she has explicitly chosen to see such warnings in her settings).


Conclusion

Proprietary closed-source crypto software is the wrong path. After all, this potentially malicious code handles all our decrypted messages. Next time the FBI will not ask Apple but WhatsApp to ship a version of its code that sends all decrypted messages directly to the FBI.

Signal is better

Signal is doing it right. Alice’s second message („Offline message“) was never sent to the attacker.


Signal is also open source and experimenting with reproducible builds. Have a look at it.
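The scenario above, replayed as an added example that is not from Tobias Boelter’s slides or from either app’s code: a toy model in which encryption is replaced by a record of which key a message was encrypted to, so only the client’s decision on a key change is visible. The policy names, key labels and message texts are assumptions.

```python
"""Toy model of the retransmission behaviour described above (added example,
not WhatsApp or Signal code). A Ciphertext only records the public key it was
encrypted to; the point is what the sender's client does when that key changes."""
from dataclasses import dataclass


@dataclass
class Ciphertext:
    to_key: str      # public key the message was encrypted to
    body: str        # stand-in for the real ciphertext


class Server:
    """Relay that knows which key is registered for Bob's number and that may
    hold a message back (Bob offline, or the relay simply not forwarding)."""

    def __init__(self, registered_key):
        self.registered_key = registered_key
        self.hold = False        # when True, deliveries are queued and not acknowledged
        self.mailbox = []        # ciphertexts that reached the registered key

    def deliver(self, ct):
        """Return True when the message was delivered (sender gets the 'delivered' tick)."""
        if self.hold or ct.to_key != self.registered_key:
            return False
        self.mailbox.append(ct)
        return True

    def register(self, new_key):
        """Bob's number is re-registered with a different key (assumed: the new
        registration is online, so the hold ends)."""
        self.registered_key = new_key
        self.hold = False

    def readable_by(self, key):
        """Messages that whoever holds `key` can decrypt."""
        return [ct.body for ct in self.mailbox if ct.to_key == key]


class Sender:
    """Alice's client under one of two key-change policies."""

    def __init__(self, policy, peer_key, server, notifications=True):
        assert policy in ("whatsapp", "signal")
        self.policy = policy
        self.peer_key = peer_key          # key Alice verified in person with Bob
        self.server = server
        self.notifications = notifications  # "Show Security Notifications" opted in?
        self.outbox = []                  # sent but not yet marked delivered
        self.events = []                  # what Alice's UI shows her

    def send(self, text):
        ct = Ciphertext(self.peer_key, text)
        if not self.server.deliver(ct):
            self.outbox.append(ct)

    def on_key_change(self, new_key):
        """Called when the server tells the client that Bob's key changed."""
        if self.policy == "whatsapp":
            # Adopt the new key and re-encrypt every undelivered message to it
            # without asking Alice; the warning, if enabled at all, comes afterwards.
            self.peer_key = new_key
            for ct in list(self.outbox):
                if self.server.deliver(Ciphertext(new_key, ct.body)):
                    self.outbox.remove(ct)
            if self.notifications:
                self.events.append("warning: Bob's security code changed (after resend)")
        else:
            # Keep the verified key and the undelivered message, and tell Alice;
            # nothing is re-encrypted until she accepts the new key herself.
            self.events.append("blocked: Bob's security code changed; message not sent")


def run_scenario(policy, notifications=True):
    """Alice verified Bob's key and sent two messages; the second is held back;
    then Bob's number is re-registered with key PK_C (constructed labels)."""
    server = Server(registered_key="PK_BOB")
    alice = Sender(policy, "PK_BOB", server, notifications)
    alice.send("first message")
    server.hold = True
    alice.send("second message")       # stays in Alice's outbox
    server.register("PK_C")            # Bob's number now maps to a different key
    alice.on_key_change("PK_C")        # what the server tells Alice's client
    return server.readable_by("PK_C"), list(alice.events)


if __name__ == "__main__":
    for policy in ("whatsapp", "signal"):
        leaked, events = run_scenario(policy)
        print(f"{policy}: readable with the new key = {leaked}; UI = {events}")
```

Running it with `notifications=False` shows the second half of the point: the message is still re-encrypted and handed over, and Alice sees nothing at all.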

Update (May 31, 2016)

Facebook responded to my white-hat report

„[…] We were previously aware of the issue and might change it in the future, but for now it’s not something we’re actively working on changing.[…]“

https://tobi.rocks/2016/04/whats-app-retransmission-vulnerability/

Download the Presentation here: Whatsapp Slides from Tobias Boelter

Whatsapp spies on your encrypted messages

Exclusive: Privacy campaigners criticise WhatsApp vulnerability as a ‘huge threat to freedom of speech’ and warn it could be exploited by government agencies

Research shows that WhatsApp can read messages due to the way the company has implemented its end-to-end encryption protocol. Photograph: Ritchie B Tongo/EPA

A security backdoor that can be used to allow Facebook and others to intercept and read encrypted messages has been found within its WhatsApp messaging service.

Facebook claims that no one can intercept WhatsApp messages, not even the company and its staff, ensuring privacy for its billion-plus users. But new research shows that the company could in fact read messages due to the way WhatsApp has implemented its end-to-end encryption protocol.

Privacy campaigners said the vulnerability is a “huge threat to freedom of speech” and warned it can be used by government agencies to snoop on users who believe their messages to be secure. WhatsApp has made privacy and security a primary selling point, and has become a go-to communications tool of activists, dissidents and diplomats.

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been resent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.

Boelter reported the backdoor vulnerability to Facebook in April 2016, but was told that Facebook was aware of the issue, that it was “expected behaviour” and wasn’t being actively worked on. The Guardian has verified the backdoor still exists.

The WhatsApp vulnerability calls into question the privacy of messages sent across the service used around the world, including by people living in oppressive regimes. Photograph: Marcelo Sayão/EPA

Steffen Tor Jensen, head of information security and digital counter-surveillance at the European-Bahraini Organisation for Human Rights, verified Boelter’s findings. He said: “WhatsApp can effectively continue flipping the security keys when devices are offline and re-sending the message, without letting users know of the change till after it has been made, providing an extremely insecure platform.”

Boelter said: “[Some] might say that this vulnerability could only be abused to snoop on ‘single’ targeted messages, not entire conversations. This is not true if you consider that the WhatsApp server can just forward messages without sending the ‘message was received by recipient’ notification (or the double tick), which users might not notice. Using the retransmission vulnerability, the WhatsApp server can then later get a transcript of the whole conversation, not just a single message.”

The vulnerability calls into question the privacy of messages sent across the service, which is used around the world, including by people living in oppressive regimes.

Professor Kirstie Ball, co-director and founder of the Centre for Research into Information, Surveillance and Privacy, called the existence of a backdoor within WhatsApp’s encryption “a gold mine for security agencies” and “a huge betrayal of user trust”. She added: “It is a huge threat to freedom of speech, for it to be able to look at what you’re saying if it wants to. Consumers will say, I’ve got nothing to hide, but you don’t know what information is looked for and what connections are being made.”

In the UK, the recently passed Investigatory Powers Act allows the government to intercept bulk data of users held by private companies, without suspicion of criminal activity, similar to the activity of the US National Security Agency uncovered by the Snowden revelations. The government also has the power to force companies to “maintain technical capabilities” that allow data collection through hacking and interception, and requires companies to remove “electronic protection” from data. Intentional or not, WhatsApp’s backdoor to the end-to-end encryption could be used in such a way to facilitate government interception.

Jim Killock, executive director of Open Rights Group, said: “If companies claim to offer end-to-end encryption, they should come clean if it is found to be compromised – whether through deliberately installed backdoors or security flaws. In the UK, the Investigatory Powers Act means that technical capability notices could be used to compel companies to introduce flaws – which could leave people’s data vulnerable.”

A WhatsApp spokesperson told the Guardian: “Over 1 billion people use WhatsApp today because it is simple, fast, reliable and secure. At WhatsApp, we’ve always believed that people’s conversations should be secure and private. Last year, we gave all our users a better level of security by making every message, photo, video, file and call end-to-end encrypted by default. As we introduce features like end-to-end encryption, we focus on keeping the product simple and take into consideration how it’s used every day around the world.

“In WhatsApp’s implementation of the Signal protocol, we have a “Show Security Notifications” setting (option under Settings > Account > Security) that notifies you when a contact’s security code has changed. We know the most common reasons this happens are because someone has switched phones or reinstalled WhatsApp. This is because in many parts of the world, people frequently change devices and Sim cards. In these situations, we want to make sure people’s messages are delivered, not lost in transit.”

Asked to comment specifically on whether Facebook/WhatsApp had accessed users’ messages and whether it had done so at the request of government agencies or other third parties, it directed the Guardian to its site that details aggregate data on government requests by country.

Concerns over the privacy of WhatsApp users has been repeatedly highlighted since Facebook acquired the company for $22bn in 2014. In August 2015, Facebook announced a change to the privacy policy governing WhatsApp that allowed the social network to merge data from WhatsApp users and Facebook, including phone numbers and app usage, for advertising and development purposes.

Facebook halted the use of the shared user data for advertising purposes in November after pressure from the pan-European data protection agency group Article 29 Working Party in October. The European commission then filed charges against Facebook for providing “misleading” information in the run-up to the social network’s acquisition of messaging service WhatsApp, following its data-sharing change.

https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snooping-on-encrypted-messages

Obama gives the CIA, FBI, DEA and 13 other agencies warrantless access to full raw NSA surveillance data on American citizens


Further Reading:

In its final days, the Obama administration has expanded the power of the National Security Agency to share globally intercepted personal communications with the government’s 16 other intelligence agencies before applying privacy protections.

The change means that far more officials will be searching through raw data.

Previously, the N.S.A. filtered information before sharing intercepted communications with another agency, like the C.I.A. or the intelligence branches of the F.B.I. and the Drug Enforcement Administration. The N.S.A.’s analysts passed on only information they deemed pertinent, screening out the identities of innocent people and irrelevant personal information.

Now, other intelligence agencies will be able to search directly through raw repositories of communications intercepted by the N.S.A. and then apply such rules for “minimizing” privacy intrusions.

“Rather than dramatically expanding government access to so much personal data, we need much stronger rules to protect the privacy of Americans,” Mr. Toomey said. “Seventeen different government agencies shouldn’t be rooting through Americans’ emails with family members, friends and colleagues, all without ever obtaining a warrant.”

“This development is very troubling for Americans’ privacy,” said John Napier Tye, a former state department official turned surveillance whistleblower. “Most people don’t realize this, but even our purely domestic email and text messages are often stored on servers outside the United States. And the NSA has written extremely permissive rules for itself to collect data outside US borders.

“So in operations overseas, the NSA is scooping up a lot of purely domestic communications. And now, with these new rules, many different federal agencies can search and read the domestic communications of normal Americans, without any warrant or oversight from Congress or the courts.”

They mean that NSA officials are no longer required to filter out information about innocent people whose identities have been scooped up before passing the intercepted communications to officials from other agencies, who will now be able to search through raw caches of data.

“This raises serious concerns that agencies that have responsibilities such as prosecuting domestic crimes, regulating our financial policy, and enforcing our immigration laws will now have access to a wealth of personal information that could be misused,” said Singh Guliani. “Congress needs to take action to regulate and provide oversight over these activities.”

https://www.theguardian.com/world/2017/jan/12/obama-us-intelligence-greater-access-warrantless-data-foreign-targets

Privacy advocates’ concerns center around loopholes in the rules that allow agencies like the FBI and DEA to search the NSA’s collected data for purposes such as investigating an “agent of a foreign power.” Any evidence of illegal behavior that a searcher stumbles on can be used in a criminal prosecution. That means the rule change, according to Cardozo, introduces new possibilities for law enforcement agencies like the DEA and FBI to carry out what’s known as “parallel construction.” That maneuver involves secretly using the NSA’s intelligence to identify or track a criminal suspect, and then fabricating a plausible trail of evidence to present to a court as an after-the-fact explanation of the investigation’s origin. The technique was the subject of an ACLU lawsuit against the Office of the Director of National Intelligence in 2012, and resulted in the Justice Department admitting to repeatedly using the technique to hide the NSA’s involvement in criminal investigations.

“It used to be that if NSA itself saw the evidence of a crime, they could give a tip to the FBI, and the FBI would engage in parallel construction,” says Cardozo. “Now FBI will be able to get into the raw data themselves and do what they will with it.”

https://www.wired.com/2017/01/just-time-trump-nsa-loosens-privacy-rules/

How the NSA identifies you just by starting your Windows PC

Thanks to the fine research paper found here http://www.icir.org/vern/papers/trackers-pets16.pdf, you are easily identified as soon as you start your Windows PC and connect to the internet, without any user interaction being required.

You are identified by either HTTP identifiers or non-HTTP identifiers:

HTTP Identifiers

Application-specific: The first category is identifiers sent by applications other than browsers. For example, Skype sends a user identifier uhash in a URL of the format http://ui.skype.com/ui/2/2.1.0.81/en/getlatestversion?ver=2.1.0.81&uhash= . The parameter uhash is a hash of the user ID, their password, and a salt, and remains constant for a given Skype user [12]. uhash can very well act as an identifier for a user; a monitor who observes the same value from two different clients/networks can infer that it reflects the same user on both. Another example in this category is a Dropbox user_id sent as a URL parameter. We discovered that since the Dropbox application regularly syncs with its server, it sends out this identifier—surprisingly, every minute—without requiring any user action.

Mobile devices: Our methodology enabled us to discover that the Apple weather app sends IMEI and IMSI numbers in POST requests to iphone-wu.apple.com. We can recognize these as such, because the parameter name in the context clearly names them as IMEI and IMSI; the value also matches the expected format for these identifiers. Other apps also send a number of device identifiers, such as phone make, advertising ID, SHA1 hashes of serial number, MAC address, and UDID (unique device identifier) across various domains, such as s.amazon-adsystem.com, jupiter.apads.com and ads.mp.mydas.mobi. The iOS and Android mobile SDKs provide access to these identifiers.
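To make the “same value from two different clients/networks” inference concrete, here is an added example (not tooling from the paper) that audits HTTP request records for URL parameters behaving like persistent user identifiers and reports the values that would link one user across client addresses. The Skype host and parameter names follow the paper’s examples; the sync host, all values and all addresses are constructed.

```python
"""Added example: detect URL parameters that behave like persistent user
identifiers and report values a passive observer could use to link clients.
Not the paper's code; RECORDS is constructed sample data."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed observations: (client address, requested URL), in arrival order.
# ui.skype.com/uhash follows the paper; sync.example.net/user_id stands in for
# the Dropbox polling example with an invented host.
RECORDS = [
    ("10.0.1.5",   "http://ui.skype.com/ui/2/2.1.0.81/en/getlatestversion?ver=2.1.0.81&uhash=7f3a9c1e0b2d"),
    ("10.0.1.5",   "http://ui.skype.com/ui/2/2.1.0.81/en/getlatestversion?ver=2.1.0.81&uhash=7f3a9c1e0b2d"),
    ("10.0.1.5",   "https://sync.example.net/poll?user_id=48213377&ts=1001"),
    ("10.0.1.5",   "https://sync.example.net/poll?user_id=48213377&ts=1061"),
    ("10.0.1.9",   "https://sync.example.net/poll?user_id=99100231&ts=1003"),
    ("10.0.1.9",   "https://sync.example.net/poll?user_id=99100231&ts=1063"),
    ("10.0.1.9",   "https://www.example.org/search?q=news"),
    ("10.0.1.22",  "http://ui.skype.com/ui/2/2.1.0.81/en/getlatestversion?ver=2.1.0.81&uhash=c04d5e6f7a8b"),
    ("192.0.2.77", "http://ui.skype.com/ui/2/2.1.0.81/en/getlatestversion?ver=2.1.0.81&uhash=7f3a9c1e0b2d"),
    ("192.0.2.77", "https://www.example.org/search?q=weather"),
]

MIN_REPEATS = 2   # a client must resend the same value at least this often


def collect(records):
    """Map (host, param) -> client -> list of values that client sent."""
    seen = defaultdict(lambda: defaultdict(list))
    for client, url in records:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            seen[(parts.hostname, name)][client].append(value)
    return seen


def find_identifiers(records):
    """Return {(host, param): {value: set(clients)}} for parameters that
    (a) never change for a given client, (b) differ between clients (so they
    are not a global constant such as a version string) and (c) are resent by
    at least one client MIN_REPEATS times, i.e. they persist across requests."""
    ids = {}
    for key, per_client in collect(records).items():
        if any(len(set(vals)) != 1 for vals in per_client.values()):
            continue                                  # (a) varies within a client
        if len({vals[0] for vals in per_client.values()}) < 2:
            continue                                  # (b) identical for everyone
        if max(len(vals) for vals in per_client.values()) < MIN_REPEATS:
            continue                                  # (c) seen once, no persistence
        by_value = defaultdict(set)
        for client, vals in per_client.items():
            by_value[vals[0]].add(client)
        ids[key] = dict(by_value)
    return ids


def cross_client_links(ids):
    """Identifier values observed from more than one client address: an
    observer who sees these would conclude that the same user is behind both."""
    links = []
    for (host, param), by_value in sorted(ids.items()):
        for value, clients in sorted(by_value.items()):
            if len(clients) > 1:
                links.append((host, param, value, sorted(clients)))
    return links


if __name__ == "__main__":
    found = find_identifiers(RECORDS)
    for (host, param), by_value in sorted(found.items()):
        print(f"{host} ?{param}: {len(by_value)} distinct value(s)")
    for host, param, value, clients in cross_client_links(found):
        print(f"LINK {host} {param}={value} seen from {', '.join(clients)}")
```

On the sample data `ver` is dropped as a global constant, `ts` and `q` as non-persistent, and the repeated `uhash` value ties 10.0.1.5 and 192.0.2.77 to one Skype user.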


NON-HTTP Identifiers

Device identifiers sent by iOS/OSX: We found instances of device identifiers sent on port 5223. Apple devices use this port to maintain a persistent connection with Apple’s Push Notification (APN) service, through which they receive push notifications for installed apps.

An app-provider sends to an APN server the push notification along with the device token of the recipient device. The APN server in turn forwards the notification to the device, identifying it via the device token [2]. This device token is an opaque device identifier, which the APN service gives to the device when it first connects. The device sends this token (in clear text) to the APN server on every connection, and to each app-provider upon app installation. This identifier enabled us to identify 68 clients in our dataset as Apple devices. The devices sent their device token to a total of 407 IP addresses in two networks belonging to Apple (17.172.232/24, 17.149/16).


The work http://www.icir.org/vern/papers/trackers-pets16.pdf was supported by the Intel Science and Technology Center for Secure Computing, the U.S. Army Research Office and by the National Science Foundation.

Copy of Publication here: trackers-pets16

The circle of those who could even remotely be considered for the role of Chief Disruption Officer has a radius of "zero"

I am an egg-laying wool-milk-sow (the German idiom for a do-everything jack of all trades) and the new Chief Disruption Officer of your company!

Egg-laying wool-milk-sow (image: Fotolia #83825279, author: jokatoons)

Challenge: clarifying the brief

At large corporations a new CDO is often expected to "move the tanker and turn it into speedboats"; after all, everywhere you hear and read about startups, agility, dynamism, disruption and constant change. This raises the question (typically directed at HR): who writes the job profile for a job that has never existed before and whose goals are so fascinatingly diverse, even contradictory? After all, everyone will have their own idea of what the future CDO should "finally" tackle; just ask colleagues from different functions!

In the following list I have summarised a few of them (warning: buzzword bingo):

Typical expectations placed on a CDO:

  • Find and develop new business model(s), and please secure the return on investment in the first year
  • Change manager (disruption, innovation…) who leads the entire organisation into the new world of work
  • New sales and financing channels, from crowdfunding to crowdstorming, crowdworking and social marketing
  • Digital mindset / organisational development: lasting change of the corporate culture
  • Board coaching / trainer for the other board members
  • Smart factory: the intelligent factory, digitalised, automated and networked production environments with new agile tools down to batch size 1 (while at the same time the focus on service orientation, i.e. "non-production", keeps growing)
  • Big data / analytics / predictive: everything that can be done with data, its analysis and predictability
  • Lawyer: Work 4.0, collaboration with external parties, compliance… see "illegal" below
  • New IT framework: introduce modern software architectures, tools and apps
  • Digital role model / ambassador: become visible for the new working style and leadership culture, ideally with external publicity as well
  • Digital processes / digital efficiency: completely overhaul the organisation's systemic engine
  • External social media: from employer attractiveness to recruiting (of digital professionals, naturally) to greater impact through viral marketing
  • Internal communication and collaboration (enterprise social networking)…: lead the entire workforce, factory workers included, into Work 4.0 in a mobile, networked, time- and location-independent and scalable way

This list of expectations is certainly anything but complete, but it should show that it is not easy to define the profile for this position in a way that gives its holder any chance of making an impact. After all, besides the specialist tasks, the existing culture, politics, old-boy networks etc. have to be understood first and then changed for good.

Challenge: where to find this CDO, this egg-laying wool-milk-sow?

As one headhunter once put it so nicely:

"the circle of those who could even remotely be considered as CDO has a radius of 'zero'"

There is no training to become a CDO; typical career paths mostly produce "system-stabilising" representatives, and who wants to hand a "young wild one" responsibility for a corporation? The number of people who are successful in similar roles is extremely small, imitation is difficult and often not easily transferable… and the big consulting giants are certainly no help here either, since their maturity in this field is just as virginal (there are no blueprints to pull out of the drawer, no proof, hardly any studies that could serve as a guide to action).

So compromises are sought, which can then look like this, for example:

  • we take someone who is or was already a board member … there you will hardly find any digital natives (meaning not primarily age, but rather their attitude towards new, disruptive developments that are not yet generally recognised as successful, lasting and important/formative), and for career reasons hardly anyone who takes risks with transparency, participation and agile methods
  • we take someone who knows IT … probably one of the most common mistakes, confusing digital transformation with IT. A good part (roughly 20%) is indeed tied to software, tools and IT know-how, but the majority is about completely different (often very IT-remote) topics; a great deal of it is about leadership! See the list above
  • we take someone who has already made a startup successful … this leads to great disappointment on both sides: freedom, security, directives, framework conditions, size, internationality… assimilation guaranteed
  • we take someone who wants to make a career and shows great potential … those who want to make a career usually play fairly by the rules. Who dares to question "everything" in a system in which he or she wants to rise? Willingness to take risks and (being allowed) to make mistakes are not the usual drivers of a successful career
  • we look for someone external: sure, new brooms sweep clean… but what about the very long run-up time that comes with it? Can a car manufacturer, for example, afford in today's situation to start from scratch with someone when it comes to internal knowledge, networks (or rather entanglements), politics and culture?

Finding the "finished" CDO is therefore likely to be a difficult undertaking; in my view one solution would be to start with the current priority and try to develop the missing attributes internally (ideally in parallel with all the others). Besides culture and leadership, "new, constant learning" at all levels is certainly highly relevant.

from: https://www.linkedin.com/pulse/der-cdo-wirds-schon-richten-harald-schirmer

These 15 startups didn’t exist 5 years ago — now they’re worth billions

Silicon Valley can create immense value in just a short time. Just look at these 15 startups that didn’t even exist five years ago, which are now valued at $1 billion or more, according to venture capitalists.

Zoox’s cofounders (image: Zoox)

For the purposes of this list, Business Insider asked PitchBook Data to pull a list of US-based companies that were founded in 2012 or later — since we’re nearing the end of 2016 — and that are private tech companies with a valuation of north of $1 billion.

We then ranked them from least to most valuable based on their post-money valuations.

Here are the companies that achieved billion-dollar valuations in the last five years:

Cylance

Cylance CEO Stuart McClure (YouTube/Cylance)

Founded: 2012

Valuation: $1 billion

Cylance built a product that uses artificial intelligence to analyze a file you’re about to open, determine if it’s malware, and then stop it from executing — all in less than a second. It solves the problem of email phishing scams, which are still a favorite method of hackers, and has over 1,000 customers, it says.

Cylance was founded by Stuart McClure and Ryan Permeh, two well-known names in security who are perhaps best known for their work at McAfee.

Compass

Founded: 2012

Valuation: $1 billion

While Compass functions like a traditional broker, the company’s promise is using technology to reduce the time and friction of buying and selling a house or apartment. In July, Compass released an app designed to replace “stale” quarterly market reports with more dynamic information. In the app, buyers and sellers can search by standard things like neighborhood, number of bedrooms, price range, and so on. But they can also look at more advanced metrics, like year-over-year analysis of median price per square foot, days on the market, and negotiability.

Illumio

Illumio CEO Andrew Rubin (Illumio)

Founded: 2013

Valuation: $1 billion

In 2014, Illumio emerged from stealth. Six months later, it had already racked up a billion dollar valuation, thanks to its new approach to security. The idea involves watching the applications themselves to make sure they aren’t doing anything they are not supposed to do, indicating a hacker or a virus. It places a tiny bit of code (called an agent) on every computer and operating system to watch all the apps. Companies can then install the software that watches the apps in their own data center, or they can hire Illumio’s cloud service to watch the apps for them. And then the security follows the app wherever it goes, even if an app moves from one server to another, or from the data center to a cloud computing service.

Carbon3D

Founded: 2013

Valuation: $1 billion

Carbon3D grabbed headlines and attention for its method of seemingly creating shapes out of a liquid resin soup. It’s much more complicated than that, but Carbon3D has caught the eye of everyone from Ford to Johnson & Johnson. While Ford imagines a future of speedy customizable parts, like custom designed cup holders, healthcare operators are looking at Carbon3D for a fast way to create surgical parts.

The machines are already being tested less than a year after they launched. In April, it released its M1 printer.

Opendoor

Keith Rabois, chairman and cofounder of Opendoor

Founded: 2014

Valuation: $1.1 billion

Opendoor is betting that homeowners would take a guaranteed sale over a higher price. It calculates a fair market value and pays homeowners before re-selling the home with a 30-day satisfaction guarantee.

Uptake Technologies

Image: Getty Images/Bloomberg

Founded: 2014

Valuation: $1.1 billion

Former Groupon founder Brad Keywell started the secretive Chicago-based data analytics startup in 2014. Already it’s working with Caterpillar to be the analytics backbone of heavy industries like manufacturing, construction, rail, and more. Its sensors and data analysis should be able to help companies predict revenue and save money, according to Forbes.

Flatiron Health

Image: Saskia Uppenkamp

Founded: 2012

Valuation: $1.2 billion

Flatiron Health is a software company that organizes the world’s oncology information and makes it accessible for doctors, patients, and researchers. In January 2016, Roche, one of the world’s leading pharmaceutical companies, made a $175 million investment in the company, which valued the company at $1.1 billion.

Zoox

Tim Kentley-Klay and Jesse Levinson (Zoox)

Founded: 2014

Valuation: $1.55 billion

Despite remaining in stealth, Zoox has already raised $290 million for its unseen product. The only hint its founder Tim Kentley-Klay has given was at a conference in October when he described it as Disneyland on the streets:

“At Zoox what we’re creating…is not a self-driving car any more than the automobile is a horseless carriage. We’re not building a robo-taxi service, we’re actually creating an advanced mobility service,” Kentley-Klay said, according to the Wall Street Journal. “You can really think of it as Disneyland on the streets of perhaps San Francisco and that means a vehicle which is smart enough to understand its environment but it’s also importantly smart enough to understand you, where you need to be, what you want to do in the vehicle, and how you want to move around the city.”

Instacart

Founded: 2012

Valuation: $1.9 billion

Often dubbed “Uber for groceries,” Instacart eliminates the need to ever set foot in a grocery store. The service will deliver your full load of groceries, hand-picked by a personal shopper at local stores.

In 2016, the company deepened its relationship with Whole Foods after the grocery retailer invested in the company and signed a multi-year delivery contract.

Oscar

Oscar CEO and co-founder Mario Schlosser, co-founders Kevin Nazemi and Joshua Kushner (Oscar)

Founded: 2012

Valuation: $1.5 billion

Oscar founder Josh Kushner wants to transform the healthcare industry by creating a better user experience when it comes to health insurance. It launched publicly in 2013 to sell better insurance through Affordable Care Act marketplaces. Yet, the election of Donald Trump could spell trouble for the highly-valued startup, even though Kushner’s brother, Jared, is Trump’s son-in-law. According to Bloomberg, it’s still losing money as it looks to diversify away from Obamacare-only offerings — something Trump, a close family connection, seeks to repeal.

Quanergy

Founded: 2012

Valuation: $1.6 billion

Self-driving car startups aren’t the only billion-dollar bets around. Quanergy isn’t building its own car, but instead specializes in building LiDAR systems — the 3D sensing systems that self-driving cars use to the see the world. Already the startup has struck partnerships with vehicle-makers including Mercedes-Benz and Hyundai.

Blue Apron

Blue Apron cofounders Matt Wadiak, Matt Salzberg, and Ilia Papas (Blue Apron)

Founded: 2012

Valuation: $2 billion

Blue Apron, a company that sends you portioned-out ingredients and recipes in a box, is a godsend for lazy cooks.

Though it’s only been around since 2012, Blue Apron has already generated more than $800 million in revenue in 2016, according to Bloomberg. However, it has put its IPO plans on hold as it works to decrease its customer acquisition costs and improve lifetime customer value, Bloomberg reported. Blue Apron’s potential is vast: The service appeals to millennials who want to expand their repertoire in the kitchen, as much as to busy moms straining for creativity and simplicity in their weeknight meals.

Avant

Avant CEO Al Goldstein. (Image: Avant)

Founded: 2012

Valuation: $2 billion

One of two highly-valued Chicago startups, online lending company Avant targets subprime borrowers — people with lower credit scores. To date, the startup has given out more than 500,000 loans, totaling more than $3 billion.

Zenefits

Zenefits CEO David Sacks. (Image: REUTERS/Beck Diefenbach)

Founded: 2012

Valuation: $2 billion

Zenefits’ valuation took a haircut in 2016. The startup, once valued at $4.5 billion, experienced turmoil after it was discovered that its CEO had created a program designed to cheat state regulations. After installing a new CEO and launching Zenefits 2.0, the company also repriced its stock, shaving its valuation from $4.5 billion to a cool $2 billion — still a lot of money for a five-year-old company.

Pivotal Software

Pivotal CEO Rob Mee. (Image: Glassdoor/Pivotal)

Founded: 2013

Valuation: $2.8 billion

Pivotal sells a set of software tools and consulting services to help even the largest, most old-school companies build and develop software as if they were a tiny startup. Pivotal becomes their secret weapon as they turn to newfangled cloud computing and data-crunching technologies to stay competitive in a digital world. In May, Ford led a $253 million investment in the company alongside Microsoft.

http://www.businessinsider.de/startups-didnt-exist-5-years-ago-worth-billions-2016-12?op=1

How to Make the Right Moves in Small Business Owners’ Decisions

Owning and running a small business is a roller coaster ride with ups and downs as challenges and successes come your way. Most entrepreneurs march through uncharted waters and self-correct as they go along, knowing that mistakes are essentially inevitable. However, you don’t have to fall into all of the typical entrepreneur traps—here are five common mistakes and how to avoid them:

  • Thinking big. Small businesses may start small, but that doesn’t mean they have to stay that way. According to experienced entrepreneurs and investors, the biggest challenge small businesses face is thinking big and being able to compete with larger, more established competitors. After all, a small business that is content to operate comfortably in its little sphere won’t achieve much success and could burn out eventually. To avoid this mistake, form strategic partnerships on a local level before moving to a larger stage. Find investors, mentors, or partners who share your passion and who have the drive and resources to help your business succeed on a larger scale.
  • Paying attention to the numbers. One of the most important aspects of running a small business is understanding the accounting and financial side of things. Investors won’t want to give you money if you don’t have accurate financials and guidance for upcoming growth. Everything your business does comes back to the numbers, so pay attention to them and make them an important part of your daily routine. Even if you are more focused on the big-picture strategy for the business, never stray from the numbers. If needed, find a trusted financial advisor or accountant who can keep you in the loop while being the one who does the daily number crunching.
  • Knowing the customer. You might have a great product or service, but it won’t be successful if you can’t reach the right people. Start by doing research about your target audience to gain a better understanding of who will purchase your product and why. From there, look for ways to reach them and consider the messages that will best appeal to their self-interests and make them interested in your product. Keeping an eye on your customer doesn’t stop after your business launches—stay up to date on who is entering your store or website with people-counting software and pay attention to what they are saying online and via social media. Without customers, you won’t have a business, so pay attention to their habits and responses and adapt your business plan to meet their needs.
  • Staying cool. Running a small business has a way of humbling people, but it can be tempting to get a big-headed ego with your first bit of success. Making a big sale, landing a great investor, or signing a firm deal are all milestones for your business, but don’t let that be the high point of your entire endeavor. Use your success to drive your passion and hunger for further success. If needed, surround yourself with people who can bring you back down to earth after big moments and remind yourself that there are other small businesses that are having even greater success.
  • Planning. Every entrepreneur knows the importance of a strong business plan, but that plan needs to be adaptable and not set in stone. Too many entrepreneurs get so caught up in perfecting the details of their plans that they never actually put things into action, or by the time they do, it is too late to capitalize on a great opportunity. Setting goals for your business is a great way to drive motivation, but goals that are too rigid and that can’t adapt as plans or situations change can lead to failure and be a big loss for the company. There are many things you don’t know when you start a small business, and learning them along the way is an important part of growth. If you are so tied to your original plans that you miss a learning opportunity, your business likely won’t have the flexibility to succeed in the long run.

Running a small business is full of learning as you go, but following these tips can help you do the right things.

http://www.smallbizdaily.com/biggest-mistake