STE WILLIAMS

Palo Alto Networks to Buy CloudGenix for $420M

Palo Alto Networks plans to integrate CloudGenix’s SD-WAN technology into its Prisma SASE platform following the deal.

Palo Alto Networks has agreed to acquire cloud-based SD-WAN provider CloudGenix for about $420 million in cash. Its goal is to build out the capabilities of its Prisma Access SASE platform.

Secure Access Service Edge (SASE) is becoming a common term as applications move from data centers to the cloud and businesses struggle to manage access for distributed employees. SASE aims to provide cloud-based support and security for different applications accessed from different locations. It combines WAN capabilities with network security functions like a secure web gateway, cloud access security broker, firewall-as-a-service, and zero-trust network access.

Palo Alto Networks plans to integrate CloudGenix’s cloud-based SD-WAN products to improve onboarding for remote branches and stores into Prisma Access. “This combination will extend the breadth of the Prisma Access SASE platform, address network and security transformation requirements, and accelerate the shift from SD-WAN to SASE,” officials write in a statement.

San Jose-based CloudGenix was founded in 2013 to transform legacy WANs into a simpler and more secure application-defined structure. The company has raised a total of $99 million over four rounds of funding, CrunchBase reports. CloudGenix has about 250 customers across the healthcare, retail, manufacturing, finance, banking, tech, and hospitality industries. 

The acquisition is expected to close during Palo Alto Networks’ fiscal fourth quarter, pending regulatory and customary closing conditions.

Article source: https://www.darkreading.com/cloud/palo-alto-networks-to-buy-cloudgenix-for-$420m/d/d-id/1337449?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Has Houseparty really hacked your phone and stolen your bank details?

If you’re at home right now – and who isn’t? – then you’ve probably heard of Houseparty.

It’s a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.

The name gives you a good idea of what it does: simply put, you go online, hang out and other members (players?) can join you in your “room” and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world.

Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that’s your thing – can wander in and say, “Hi.”

As the app makers themselves put it early last year:

We’re the face-to-face social network bringing friends together for live video hangouts. Now, with the Heads Up! game available in app, we’re introducing a new way for users to spend time together.

[…]

Houseparty only works when people are online together. There’s no liking, commenting, or scrolling. Instead, the Houseparty experience brings empathy to online communication by requiring in-the-moment conversations and facilitating casual “drop-ins” from friends.

Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it’s like arriving at the pub to see who’s there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.

And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:

Whether snowed in, away from home, or just too cozy to leave bed, here’s another way to bond with your closest friends when you can’t be together!

For “snow” read “coronavirus lockdown” and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren’t allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house party app DELETE IT. My friend's email account been hacked into by it and managed to get bank account details too and has hacked that. I've seen a few other people saying this too on twitter. I also keep getting dodgy emails. Just a warning x

Is there any truth in this?

To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.

But the claim in the post above is not that there’s a bug that’s being exploited in the app.

Instead, to us the post seems very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.

And as unlikely as that sounds, and for all that Houseparty itself has stated this…

…there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked 
and how many others are being hacked on various things

DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!! 

Didn’t realise what was happening when i got these emails but is 100% that houseparty app!! 
Three new logins to my spotify and someone tried to reset my password for netflix!! 
Not worth it the risk

Well, here’s the thing.

There’s one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty?

How do you know this had happened because of house party tho?

That’s a vital point to consider, and not just because it’s the ethically correct thing to do.

After all, if any of this “hacking” behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple’s and Google’s official online stores…

…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren’t.

Our advice is simple:

  • Don’t accuse Houseparty or Epic Games of malfeasance without strong evidence. The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren’t part of the solution then you are part of the problem.
  • Don’t assume that deleting Houseparty will fix your problems. The idea that all the listed symptoms above might suddenly appear on account of a single app has to be considered extremely unlikely, in which case removing the app will leave you at risk when you think you are safe.
  • Do visit the Houseparty settings and decide how open you want to be. Do you want your rooms to be “locked” so you meet new people by invitation only? If not, or if you are scared of the app because trolls have been wandering into your online life, consider dialling back your openness rather than deleting the app but not changing your behaviour. Go through the same exercise for all your social media accounts.
  • Do turn on 2FA (two-factor authentication) for any online accounts that support it. Don’t make it easy for someone who steals your password – which is more likely to happen via phishing than in any other way – to log in to all your accounts and take them over.
  • Do change passwords and watch financial statements carefully if you think your accounts have been hacked. Whether you think a specific product is to blame or not, just removing one app from your phone is not enough to “unhack” accounts that have already been taken over.

We’ll update this article if we learn any more genuine information – until then, please don’t blindly repeat other people’s unsubstantiated claims, because you can’t make something true simply by saying it over and over again.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qph4kSWHwKE/

“Instant bank fraud” warning spread on WhatsApp is a hoax

Last week we wrote about a WhatsApp hoax that was spreading widely, warning people to look out for a cybersecurity catastrophe that simply wasn’t going to happen.

That was known as the Martinelli/Dance of the Pope hoax, and it claimed that two dangerous videos are about to come out that will hack or wipe out your phone so it can’t be fixed.

This week, there’s another WhatsApp hoax that suddenly started spreading, apparently forwarded in good faith by lots of worried users:

Straight from the City of London Police fraud team – Extremely sophisticated scam going about this morning. Definitely Danske bank customers but possibly all banks. You get a message saying a payment hasn’t been taken eg O2,Vodafone or EE [UK mobile providers] and to click here. As soon as you touch it the money is gone. They already have all your details and it’s the most advance scam the bank has ever seen. Pass this on to everyone. Please. This is from work this morning – they are being inundated with calls – thousands flying out of peoples accounts! Spread the word!

Before we look at the plausibility of this – spoiler alert: it’s somewhere between implausible and impossible, and it didn’t happen – let’s check the very first claim in the message.

Hoaxes of this sort often include what we call “claims to authority” – Martinelli/Dance of the Pope claimed that its story had been announced on BBC Radio, for example – that are there to add a veneer of credibility.

But here’s what the City of London Police tweeted a few hours ago:

Please be aware of false message currently being circulated

The City of London Police in turn link you to UK National Fraud and Cyber Crime Reporting Centre’s ActionFraud website, where you will see that the “City of London Police hasn’t issued any alerts about fake messages from Danske Bank.”

So, please don’t spread this hoax – you’re just creating fear and uncertainty among any of your friends and family who might have received a text message recently.

Could it happen?

The brazenly bogus start to the text in this hoax – an outright lie about a law enforcement team – suggests that it didn’t evolve from scraps of fact but was put together deliberately, though it’s anyone’s guess why.

As for the rest of the message, there’s a tiny ring of truth throughout, but so-called “unpaid mobile bill” text message scams don’t work quite as directly as the hoax claims.

Typically, the link in the SMS takes you to a website where a fake login page appears and that’s where the password stealing happens.

Indeed, we wrote about a very similar scam, albeit in a slightly different guise, late last week, where crooks texted you a “failed home delivery” message where you allegedly needed to pay in a $3 shortfall before the delivery could be completed.

Mobile phone billing scams use a different pretext but typically follow a similar sequence.

A URL (web link) in the SMS takes you to your browser; your browser expands on the details of the scam and gives you a “payment” link; and that link in turn takes you to a page that is designed to resemble a typical credit card payment portal.

All the data you put into the bogus payment form goes not to your bank but directly to the crooks, and that’s how they attack your credit card later on – or sell the data on so someone else can do so.

Browser exploits

In theory, a booby-trapped web page that was rigged up to crash your browser might be able to launch malware on your phone without warning and without asking for permission, even if all you did was tap on the link in the SMS to take you there.

But that sort of attack is very rare these days, and almost certainly wouldn’t lead to the crooks getting hold of your banking password immediately and instantly withdrawing money.

If nothing else, the crooks would still have to persuade you to type in your banking password or card number while their malware was running, just as they would do via a fake website, so the attack wouldn’t happen “as soon as you touch[ed]” the link in the text message.

The big giveaway, however, is the part about how “this is from work this morning”.

How likely is that, in the middle of coronavirus lockdown?

What to do?

  • Don’t spread discredited stories online via any messaging app or social network. Do your homework. There’s enough fake news at the moment without adding to it.
  • Don’t be tricked by claims to authority. Anyone can write “the police announced this”, but that doesn’t tell you anything useful. In this case, what came from the police was an announcement that it was false.
  • Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gA0Nunyrbzs/

5 tips for keeping your data safe this World Backup Day

Today is, wait for it, drum roll, please…

World Backup Day.

You knew that already, didn’t you?

So you’re way ahead of us here, with your backups neatly done and safely stored away.

Or perhaps not, because sorting out your backups is a bit like taking the garbage out or washing the dog – you know it needs doing, and you might as well do it now, but it can probably wait until tomorrow.

Depending on what happens today, of course.

Well, the bad news is, now that so many of us are working from home, we can’t rely on IT to do it all for us, or to show up at our desks with a smile and a USB drive filled with all those precious files that we just deleted by mistake.

But the good news is, now that so many of us are working from home, that backup isn’t that hard to do right – the hardest part is just getting round to doing it properly, or even at all.

Here are some simple tips that will help you to keep both your work and your home data safe.

1. Don’t treat backing up simply as “something you do in case of ransomware”

In the early days of personal computers, the main reason people made backups, even if it was just a few important files saved on a special floppy disk, was the sheer unreliability of hardware and software.

If you ever used DOS, you’ll remember very clearly how one buggy program usually crashed everything, and that any crash could leave the hard disk corrupted so badly that you couldn’t reboot at all.

Malware was also a serious concern, not least because the crooks hadn’t yet figured out how to make money out of viruses, but nevertheless often used them to wipe out all your data for no clear reason at all.

Fast forward to 2020 and we have a lot less to worry about on the reliability front, but we still face a clear and present danger from data loss due to malware, notably ransomware.

For that reason, backups are a hot topic again, especially during the coronavirus pandemic, where IT can’t go round the office and give hands-on attention to afflicted computers.

Nevertheless, even though backups are a fantastic defensive tool against ransomware, we’re wary of IT procedures that are driven specifically by individual fears rather than by general good practice.

A regular and reliable backup process will protect you from unexpected data loss of any sort, including cases – as many people will have experienced when coronavirus lockdowns started and they couldn’t get back into the office – where your data isn’t lost, but you can’t get at it anyway.

Condensed into an easily remembered saying: Backups are a job worth doing, and a job worth doing is worth doing well.

2. Don’t leave backups where crooks can find them

Even though we’ve just urged you to do backups for general reasons that go above and beyond the specific risk of ransomware, there are important risks posed by contemporary cybercriminals that you need to keep in mind.

In many recent attacks we’ve investigated, the crooks have had days or even weeks to poke around the victim’s network before initiating their final actions – such as firing up ransomware on hundreds of computers at the same time.

Therefore you need to assume, if your backups are accessible online, that the crooks will find them and wipe them out (or steal them and then wipe them out) as part of their attack.

If ransomware strikes your entire network, or a power surge takes out your laptop where you keep your backup drive plugged in all the time, then you no longer have a backup.

So, think of live snapshots and real-time backups that you keep online as secondary copies, and make sure you also keep true backup copies offline.

Whether you’re at home or at work, you can often do that simply by unplugging backup devices or explicitly logging out from cloud backup accounts.

We also recommend that you add 2FA (two-factor authentication) to your cloud backup accounts for two important reasons.

Firstly, it helps to keep the crooks out, so they can’t use your cloud backup to breach your data; secondly, it means you can’t log in accidentally using cached passwords when you didn’t mean to.

3. Don’t make backups that everyone can read

As you probably know, most backup advice includes something about keeping “offsite” backups so that they’re not just offline, they’re stored in a different physical location to the master copy.

A removable drive stored in a safe-deposit box at your bank is an excellent way to protect your most vital backups, but that’s impossible if you’re in coronavirus lockdown.

Therefore you are almost certainly going to have to rely on cloud storage – where your data travels offsite via the internet rather than in your backpack.

However, we often hear people asking if they really need offsite backups, because they are understandably concerned that storing their data in two different ways in two different places simply doubles down on their risk of a data breach.

Even high-security safe deposits can get burgled, and cloud storage services could suffer an intrusion that isn’t your fault and you couldn’t have prevented.

Fortunately, there’s a reliable way to protect your offsite data, whether it’s in the cloud or on a removable device, and that’s to encrypt it before it leaves your own laptop or network.

To help you out, Windows has BitLocker, Macs have FileVault, and Linux has LUKS and cryptsetup, which can be used to create encrypted drives and partitions. (You can create a disk partition out of a file, and then use cryptsetup on that, if you want.)

There are also numerous free and open source encryption tools that aren’t part of any operating system.

You can use one of these to encrypt both devices and folders on all your computers, if that’s what you prefer – remember that BitLocker and FileVault are proprietary and aren’t officially supported on other operating systems.

4. Don’t neglect the “restore” part of the process

Remember that you haven’t really backed anything up unless you can restore it.

We’ve helped numerous people over the years who made backups regularly and carefully, but weren’t able to get back the files they wanted when they needed to.

Ironically, perhaps, none of these cases happened because the user forgot or lost their decryption password – they simply weren’t well-practised enough in using the restore process to do it reliably, or even at all.

We also know of ransomware victims who ended up paying the ransom, even though they had working backups, because the restore process they’d created for themselves was just too slow and cumbersome for them to recover in time.

Treat restoring backups like a fire drill: you’re going down the fire escape, out into the street and getting clear of the building when there isn’t an actual fire so that if the real thing ever happens, you aren’t fighting against both fear and unfamiliarity at the same time.

Test yourself: work out how long it takes to get the backup ready for restoring, how long it takes to extract everything, and how reliably and quickly you can restore just a single file without restoring everything else, which you might not want.
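As an added example, not code from the article, here is a small POSIX shell “fire drill” that turns the test above into something you can run on a schedule: it archives a directory, writes a SHA-256 manifest beside the archive, does a full restore that is verified file by file against that manifest, pulls back one file on its own, and times each step. The sample files, the function names and the temporary paths are all constructed for the example; it assumes only tar, mktemp and either sha256sum or shasum, and needs no privileges. Encrypting the resulting archive with the tools named in tip 3 is a separate step that the script deliberately leaves to you.

```shell
#!/bin/sh
# Backup-and-restore drill (constructed example). Everything lives under a
# temporary directory, so it can be run repeatedly without touching real data.
set -eu

# Pick a SHA-256 tool: GNU coreutils ships sha256sum, macOS ships shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample_data DIR: a few constructed "work" files to back up.
make_sample_data() {
    mkdir -p "$1/docs" "$1/code"
    printf 'quarterly figures\n' > "$1/docs/report.txt"
    printf 'print("hello")\n'    > "$1/code/app.py"
    printf 'notes to self\n'     > "$1/docs/notes.txt"
}

# make_backup SRC OUT: archive SRC into OUT.tar and write OUT.manifest, one
# "<sha256>  <path>" line per file, so a restore can be checked file by file.
make_backup() {
    src=$1; out=$2
    tar -cf "$out.tar" -C "$src" .
    : > "$out.manifest"
    ( cd "$src" && find . -type f | sort ) | while IFS= read -r f; do
        printf '%s  %s\n' "$(sha256_of "$src/$f")" "$f" >> "$out.manifest"
    done
}

# restore_all BACKUP DEST: full restore, then verify every manifest entry.
# Returns 0 only if every file came back byte-for-byte identical.
restore_all() {
    backup=$1; dest=$2
    mkdir -p "$dest"
    tar -xf "$backup.tar" -C "$dest"
    while read -r sum f; do
        [ "$(sha256_of "$dest/$f")" = "$sum" ] || { echo "MISMATCH: $f" >&2; return 1; }
    done < "$backup.manifest"
}

# restore_one BACKUP DEST FILE: extract a single member without unpacking the rest.
restore_one() {
    backup=$1; dest=$2; file=$3
    mkdir -p "$dest"
    tar -xf "$backup.tar" -C "$dest" "$file"
}

# drill: run the whole exercise end to end and report how long each step took.
drill() {
    work=$(mktemp -d)
    make_sample_data "$work/src"
    t0=$(date +%s)
    make_backup "$work/src" "$work/backup"
    t1=$(date +%s)
    restore_all "$work/backup" "$work/full"
    t2=$(date +%s)
    restore_one "$work/backup" "$work/single" ./docs/report.txt
    t3=$(date +%s)
    echo "backup: $((t1-t0))s, full restore+verify: $((t2-t1))s, single file: $((t3-t2))s"
    rm -rf "$work"
}
```

Run `drill` against a copy of a real working directory and keep the printed timings; if the full restore number is longer than you could tolerate being without your data, that is the warning the article describes, discovered before an incident rather than during one. Keep the manifest with the offline copy of the archive, since a manifest stored only next to the live data is exactly what an intruder with days on the network would alter or delete.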

5. Don’t put it off until tomorrow

The only backup you will ever regret…

…is the one you didn’t make.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/9sknMyIjTNU/

No, Houseparty hasn’t hacked your phone and stolen your bank details

If you’re at home right now – and who isn’t? – then you’ve probably heard of Houseparty.

It’s a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.

The name gives you a good idea of what is does: simply put, you go online, hang out and other members (players?) can join you in your “room” and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world.

Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that’s your thing – can wander in and say, “Hi.”

As the app makers themselves put it early last year:

We’re the face-to-face social network bringing friends together for live video hangouts. Now, with the Heads Up! game available in app, we’re introducing a new way for users to spend time together.

[…]

Houseparty only works when people are online together. There’s no liking, commenting, or scrolling. Instead, the Houseparty experience brings empathy to online communication by requiring in-the-moment conversations and facilitating casual “drop-ins” from friends.

Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it’s like arriving at the pub to see who’s there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.

And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:

Whether snowed in, away from home, or just too cozy to leave bed, here’s another way to bond with your closest friends when you can’t be together!

For “snow” read “coronavirus lockdown” and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren’t allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house 
party app 
DELETE IT 
My friends email account
been hacked into by it 
And managed to get bank 
account details too and has 
hacked that.
I've seen a few other people 
saying this too on twitter.
I also keep getting dodgey 
emails.
Just a warning x

Is there any truth in this?

To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.

But the claim in the post above is not that there’s a bug that’s being exploited in the app.

Instead, to us the post seems very clearly to imply that that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.

And as unlikely as that sounds, and for all that Houseparty itself has stated this…

..there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked 
and how many others are being hacked on various things

DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!! 

Didn’t realise what was happening when i got these emails but is 100% that houseparty app!! 
Three new logins to my spotify and someone tried to reset my password for netflix!! 
Not worth it the risk

Well, here’s the thing.

There’s one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty?

How do you know this had happened because of house party tho?

That’s a vital point to consider, and not just because it’s the ethically correct thing to do.

After all, if any of this “hacking” behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple’s and Google’s official online stores…

…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren’t.

Our advice is simple:

  • Don’t accuse Houseparty or Epic Games of malfeasance without strong evidence. The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren’t part of the solution then you are part of the problem.
  • Don’t assume that deleting Houseparty will fix your problems. The idea that all the listed symptoms above might suddenly appear on account of a single app has to be considered extremely unlikely, in which case removing the app will leave you at risk when you think you are safe.
  • Do visit the Houseparty settings and decide how open you want to be. Do you want your rooms to be “locked” so you meet new people by invitation only? If not, or if you are scared of the app because trolls have been wandering into your online life, consider dialling back your openness rather than deleting the app but not changing your behaviour. Go through the same exercise for all your social media accounts.
  • Do turn on 2FA (two-factor authentication) for any online accounts that support it. Don’t make it easy for someone who steals your password – which is more likely to happen via phishing than in any other way – to log in to all your accounts and take them over.
  • Do change passwords and watch financial statements carefully if you think your accounts have been hacked. Whether you think a specific product is to blame or not, just removing one app from your phone is not enough to “unhack” accounts that have already been taken over.

We’ll update this article if we learn any more genuine information – until then, please don’t blindly repeat other people’s unsubstantiated claims, because you can’t make something true simply by saying it over and over again.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qph4kSWHwKE/

Untangling Third-Party Risk (and Fourth, and Fifth…)

Third parties bring critical products and services to your organization. They also bring risk that must be understood and managed.

(image by frog, via Adobe Stock)

If it hadn’t been already, the risk posed by third parties has become top-of-mind for many of us in recent weeks. Both organizations and individuals have given more than usual levels of thought to questions about the risks carried by those around us — including the suppliers, partners, providers, and others who make up the third-party ecosystem in which every company exists.

Evaluating an organization’s risk means, at some level, understanding the risk of all the third parties on which the organization’s products, services, and operations are based. And making that evaluation useful means putting the results into quantitative metrics.

“The industry more and more is saying that risk management has to be quantitative,” says Nick Sanna, CEO of RiskLens. “If you want to sit at a table with the business and have a meaningful discussion on the impact that actions in security have, it’s got to be quantitative.”

There are, of course, difficulties with accurately establishing this third-party risk. One of the most important factors that can have an impact on complexity is understanding just how many layers of relationships the security team has to examine. It’s a given that a company has to evaluate the risks of their suppliers, but what about their suppliers? And theirs? How many levels down does the responsibility to evaluate extend?

“Where we see our customers really going to is they look at and examine their third party. They’re also identifying the fourth-party dependencies, the vendor to the vendor,” says Kelly White, CEO of RiskRecon.

While he sees companies that would like to go through more layers, White says that the reality of the modern IT ecosystem means that relationships start circling back on one another, leading to a tangled web of dependencies that can be almost impossible to unravel.

Maley then asks a critical question: “How do you wrap your arms around that and focus your resources on the areas that might need some attention?”

Ann* is an executive in the risk management group at a healthcare company. [*Editor’s Note: To protect her identity and that of her company, Ann’s real name and certain identifying details have been changed.] “Typically, we try to put it to our third party — the first point down the chain,” Ann says. “What we would do in that scenario is assess the third party to see if they have a similar program in place to what we’re using to assess them. And that’s the expectation.”

It’s an expectation that her organization codifies in a contract as often as possible. In the best case, Ann explains, each company in the ecosystem will have a similar third-party risk program in place and each will reinforce the protection offered by all the others.

Getting the various organizations to agree on what risk and its management mean is made easier when there is a standard model to follow. “It’s a little bit of Wild West right now,” Sanna says in describing the world of cyber risk management. “Everybody’s making up their own model and FAIR has emerged as the standard model for assessing risk.”

Sanna says that many companies are only beginning to understand how to evaluate and quantify risk. The first stage in the process, he says, is being able to articulate risk. “What are my top risks and areas in numeric terms, in financial terms? Just understand that,” he says.

Being able to articulate the risk is critical in communicating concerns about risk and its management with other companies in the third-party ecosystem and in finding benefit in mutual protection. That protection matters most in a common situation: the organization doesn’t really know the entirety of its third-party ecosystem.

Look beyond cyber risk teams for help

One of the important points executives made regarding third-party risk is that risk management requires thinking about more than just cybersecurity. One of the things made clear by the coronavirus pandemic is that supply chain and third-party service availability are just as critical as the question of malware and breach resistance.

Fortunately, the groups responsible for each of those can work together to manage total risk.

“Organizations have different groups inside that can help each other in unexpected ways through these types of scenarios,” says White. “Cybersecurity has data that can help the supply chain or the third-party management team in ways that you wouldn’t expect.”

And that unexpected impact can extend across market boundaries.

“Many people think risk really pertains largely to finance and health care. I think I would tell them, if you’re outside of one of those industries, it still matters to you,” says Ann. “There have been plenty of things that have happened in the past, not counting COVID-19 or anything like that, that really illustrate the need for a strong third-party risk program across all industries.”

Ann emphasizes that the risk program has to be flexible and able to be modified to suit the changing challenges of the marketplace. “Just when we think we have everything covered – we have known cyber risk covered or financial risk or other things – there’s geopolitical risk that’s in here, there’s an infectious disease risk that we had never really thought of, or hurricanes,” she says.

“It’s a continually evolving process that has to look at new things; you can’t outsource the risk,” she says. “Once the risk is there, it may change into new forms. And you have to tackle those as they come.”


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/edge/theedge/untangling-third-party-risk-(and-fourth-and-fifth)/b/d-id/1337439?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

HackerOne Drops Mobile Voting App Vendor Voatz

Bug bounty platform provider cited “Voatz’s pattern of interactions with the research community” in its decision to halt the app vendor’s vuln disclosure program on HackerOne.

Mobile voting application vendor Voatz has been dismissed from HackerOne’s bug bounty program platform, according to a report on CyberScoop.

Voatz — whose mobile voting app has been used in limited elections in a handful of states, including West Virginia and Colorado — has been under intense scrutiny over security concerns, and recently published studies by MIT and Trail of Bits uncovered significant security weaknesses in the app.

While security experts long have dismissed mobile voting as inherently risky, proponents of mobile-voting have maintained that the apps and process are more secure and private, for example, than the standard practice of sending PDF-based ballots via unencrypted email to military personnel overseas.

Voatz had recently updated its bug bounty policy on HackerOne to say that it could not “guarantee safe harbor” for researchers who discover flaws in its software under the program, CyberScoop said in its report.

“After evaluating Voatz’s pattern of interactions with the research community, we decided to terminate the program on the HackerOne platform,” a HackerOne spokesperson said in the CyberScoop report. “We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing.”

Voatz plans to kick off a new bug bounty program, it said.

See the full article here.


Article source: https://www.darkreading.com/vulnerabilities---threats/hackerone-drops-mobile-voting-app-vendor-voatz/d/d-id/1337440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Edge Will Tell You If Credentials Are Compromised

Password Monitor, InPrivate mode, and ad-tracking prevention are three new additions to Microsoft Edge.

Microsoft today announced several new additions to its Edge browser, including three intended to strengthen security and privacy: Password Monitor, InPrivate mode, and tracking prevention.

Password Monitor, when enabled, will let you know when credentials saved to autofill are detected on the Dark Web. When the browser finds a match for saved username and password combinations, it sends an alert so the affected person can change their password. A dashboard in Settings streamlines this process with a list of all leaked credentials and links to respective websites. Password Monitor will arrive on Insider channels within the next few months.

InPrivate mode, available now, automatically deletes history, cookies, and site data when a browsing session ends. Edge will soon offer built-in InPrivate search with Bing so when someone is browsing in InPrivate mode, searches are not tied to the person or their account. InPrivate search is now available in Insider channels and will soon roll out to the Stable channel.

Ad tracking prevention gives people greater control over how they are tracked by websites they don’t directly access. On mobile or desktop they can select the Basic, Balanced, or Strict setting to adjust the types of third-party trackers blocked in the browser. It’s meant to help people better understand and manage who is tracking them online. The feature is available now.  

Check out the full list of new additions here.


Article source: https://www.darkreading.com/endpoint/microsoft-edge-will-tell-you-if-credentials-are-compromised/d/d-id/1337442?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Researchers Spot Sharp Increase in Zoom-Themed Domain Registrations

Attackers are attempting to take advantage of the surge in teleworking prompted by COVID-19, Check Point says.

Cybercriminals are setting up numerous fake Zoom domains to try and take advantage of users who want to use the videoconferencing tool to connect with friends, family, and colleagues during the ongoing COVID-19 crisis.

Researchers from Check Point said they have observed a sharp increase in domains with the name “Zoom” in them over the past several weeks. Since January, more than 1,700 new Zoom-themed domains have been registered worldwide. More than 400 of them were registered in the past week alone. Many were legitimately registered by companies with similar names, or carry content that is genuinely relevant to the name.

But of the Zoom domains that have been registered since January, at least 70 appear suspicious. That conclusion is based on when a domain was registered and by whom, the IP address on which it resides, the files it is related to, how many accesses it has, and other factors, says Omer Dembinsky, data research team leader at Check Point. “In certain cases we have visibility to the actual attacks, but we can know about a suspicious website even before it is used in an active attack,” Dembinsky says.

Zoom is among the most targeted apps, but it is not the only videoconferencing or communications app that attackers have targeted in COVID-19-related phishing and other scams in recent weeks. According to Check Point, new phishing websites have been detected for virtually every other leading communications app as well, including classroom.google.com.
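The signals described above (registration recency, a hidden registrant, a brand name or lookalike in the domain) can be turned into a simple triage filter over a newly-registered-domain feed. The script below is an added example, not Check Point’s method or code; the feed records, the allowlist and the lure-token list are all constructed for illustration.

```python
"""Added example: triage Zoom-themed newly registered domains (NRDs).

Not Check Point's method. Every record in SAMPLE_FEED is made up, as are
ALLOWLIST, BRAND_TERMS and LURE_TOKENS; tune them to your own brands."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample feed: domain,registration_date,registrant,privacy_proxy
SAMPLE_FEED = """zoom.us,2011-04-21,Zoom Video Communications,false
zoom-meeting-login.com,2020-03-25,REDACTED FOR PRIVACY,true
z00m-us.com,2020-03-27,REDACTED FOR PRIVACY,true
zoomlens-photography.net,2019-11-02,Example Photo Studio,false
classroom-google-login.com,2020-03-26,REDACTED FOR PRIVACY,true
example.org,2020-03-20,Example Org,false"""
AS_OF = date(2020, 3, 30)  # constructed "today" for the age calculation

# Brand terms and homoglyph/typo variants to look for inside a domain name
BRAND_TERMS = {"zoom": ("zoom",),
               "zoom-lookalike": ("z00m", "zo0m", "z0om"),
               "google-classroom": ("classroom-google", "classroom.google")}
# Tokens typical of credential-phishing lures
LURE_TOKENS = {"login", "signin", "meeting", "verify", "account", "download", "update"}
# Constructed allowlist of the brands' own apex domains
ALLOWLIST = {"zoom.us", "classroom.google.com"}

@dataclass
class Record:
    domain: str
    registered: date
    registrant: str
    privacy_proxy: bool

def parse_feed(text: str) -> list:
    records = []
    for line in text.splitlines():
        dom, reg, who, priv = line.strip().split(",")
        records.append(Record(dom.lower(), date.fromisoformat(reg), who, priv == "true"))
    return records

def score(rec: Record, today: date) -> tuple:
    """Return (score, reasons); 0 for allowlisted or non-brand domains."""
    if rec.domain in ALLOWLIST:
        return 0, []
    brands = [b for b, terms in BRAND_TERMS.items() if any(t in rec.domain for t in terms)]
    if not brands:
        return 0, []
    s, why = 0, ["brand term: " + ", ".join(brands)]
    if "zoom-lookalike" in brands:
        s += 1; why.append("homoglyph/typo variant of brand")
    if (today - rec.registered).days <= 30:
        s += 2; why.append("registered within 30 days")
    if rec.privacy_proxy:
        s += 1; why.append("registrant hidden behind privacy proxy")
    lures = set(re.split(r"[^a-z0-9]+", rec.domain)) & LURE_TOKENS
    if lures:
        s += 2; why.append("lure token: " + ", ".join(sorted(lures)))
    return s, why

def flag_suspicious(text: str, today: date, threshold: int = 3) -> list:
    """(domain, score, reasons) for records at or above threshold, highest first."""
    scored = [(r.domain, *score(r, today)) for r in parse_feed(text)]
    return sorted([x for x in scored if x[1] >= threshold], key=lambda x: -x[1])

if __name__ == "__main__":
    for dom, s, why in flag_suspicious(SAMPLE_FEED, AS_OF):
        print(f"{s}  {dom}: {'; '.join(why)}")
```

Note that zoomlens-photography.net contains the brand string but scores 0, which is the “legitimately registered by companies with similar names” case the article describes; the score only rises when the name is paired with recency, a hidden registrant or a lure token.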

The goal in creating these spoofed sites is typically to trick the users lured there into parting with account credentials or sharing payment card details and other sensitive data, Dembinsky says.

Multiple security vendors have reported a surge in COVID-19 themed attacks since the beginning of the year. Many of the attacks are being driven by the sharp increase in the number of people working from home because of social distancing and stay-at-home rules in effect throughout the country. Threat actors hoping to exploit the situation have launched numerous phishing, business email compromise, account takeover, and other attacks in recent weeks.

Frequent Ploys
One frequently used ploy has been to try and get people working from home to download and install fake VPN installers that end up connecting users to malicious websites. Attackers have also been attempting to trick users into visiting malicious websites, downloading malware, or sharing sensitive data using COVID-19 themed phishing emails purporting to be from the US Centers for Disease Control and Prevention (CDC), Department of Homeland Security (DHS), and the World Health Organization (WHO). Earlier this month Check Point reported it had found more than 2,200 Coronavirus-themed domains registered this year that appeared suspicious in nature and another 93 similar ones that were being used to serve malware.

The sudden increase in the use of videoconferencing and communications tools appears to have heightened privacy concerns in other ways as well. Over the weekend Zoom announced it has revoked a “Login with Facebook” feature that allowed iOS users to access Zoom via their Facebook accounts. In a note, the company announced it had taken the step after learning the Facebook software development kit, which enabled the login, was collecting too much information from users.

“Our customers’ privacy is incredibly important to us, and therefore we decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser,” Zoom said.

In another development, Armor said it had observed cybercriminals attempting to exploit concerns around the COVID-19 pandemic in other ways as well. According to the security vendor, its researchers found cybercrime sites that typically specialize in selling illegal drugs now attempting to profit off COVID-19 concerns by offering chloroquine, surgical masks, and N95 masks at sharply inflated prices.

“Cybercriminals don’t miss the opportunity to take advantage of any event, good or bad, in order to carry out scams and attacks,” Dembinsky says. With COVID-19, they have plenty of opportunities to exploit the huge concerns and interest around the virus itself, protection measures, tests, cures and vaccines, government guidelines, distance working, and learning. “In this aspect it has more impact than a usual event we see during the year,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/researchers-spot-sharp-increase-in-zoom-themed-domain-registrations/d/d-id/1337443?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple