said last week that it had opened an investigation into Clubhouse.

Clubhouse updated the app this month, addressing some of the privacy concerns. It did not immediately respond to a request for comment.

There are kinder ways than sharing your address book to find out whether your friends are using a new service — like asking them directly.

All security experts agreed on one rule of thumb: Trust no one.

When you receive an email from someone asking for your personal information, don’t click on any links and contact the sender to ask if the message is legitimate. Fraudsters can easily embed emails with malware and impersonate your bank, said Adam Kujawa, a director of the security firm Malwarebytes.

When in doubt, opt out of sharing data. Businesses and banks have experimented with fraud-detection technologies that listen to your voice to verify your identity. At some point, you may even interact with customer service representatives on video calls. The most sophisticated fraudsters could eventually use the media you post online to create a deepfake, or a computer-generated video or audio clip impersonating you, Mr. Balasubramaniyan said.

While this could sound alarmist because deepfakes are not an immediate concern, a healthy dose of skepticism will help us survive the future.

“Think about all the different ways in which you’re leaving biometric identity in your online world,” he said.


Carmakers Strive to Stay Ahead of Hackers

“Human life is involved, so cybersecurity is our top priority,” said Kevin Tierney, General Motors’ vice president for global cybersecurity. The company, which has 90 engineers working full time on cybersecurity, practices what it calls “defense in depth,” removing unneeded software and creating rules that allow vehicle systems to communicate with one another only when necessary.

It’s a practice also followed by Volkswagen, said Maj-Britt Peters, a spokeswoman for the company’s software and technology group. She noted that Volkswagen’s sensitive vehicle control systems are kept in separate domains.

Continental, a major supplier of electronic parts to automakers, employs an intrusion detection and prevention system to thwart attacks. “If the throttle position sensor is talking to the airbag, that is not planned,” Mr. Smoly said. “We can stop this, but we wouldn’t do so while the vehicle was moving.”

Still, determined hackers will eventually find a way in. To date, vehicle cybersecurity has been a patchwork effort, with no international standards or regulations. But that is about to change.

This year, a United Nations regulation on vehicle cybersecurity came into force, obligating manufacturers to perform various risk assessments and report on intrusion attempts to certify cybersecurity readiness. The regulation will take effect for all vehicles sold in Europe from July 2024 and in Japan and South Korea in 2022.

While the United States is not among the 54 signatories, vehicles sold in America aren’t likely to be built to meet different cybersecurity standards from those in cars sold elsewhere, and vice versa.

“The U.N. regulation is a global standard, and we have to meet global standards,” Mr. Tierney of G.M. said.


Netflix Tests a Clampdown on Password Sharing

Want to watch “The Queen’s Gambit” or “Lupin”? If you’ve been borrowing a Netflix password from a family member or friend, you may now have to pay up.

Netflix has started testing a feature that could prod users who are borrowing a password from someone outside their household to buy a subscription.

The company said the feature was being tested with a limited number of users. It may signal a broader clampdown on the common practice of sharing passwords among relatives and friends to avoid paying for the popular streaming service.

“The test is designed to help ensure that people using Netflix accounts are authorized to do so,” the company said in a statement.

began to notice the feature recently when they logged onto a shared Netflix account and saw a message on their screen that read, “If you don’t live with the owner of this account, you need your own account to keep watching.”

To continue watching, these users were asked to either verify that it was their account by entering a code that was sent to them by text or email, or join with their own account to Netflix. They also had the option to complete the verification process later.

A basic Netflix subscription, which allows customers to watch on one screen at a time, costs $8.99 a month. Customers who pay more can watch on additional screens simultaneously.

Netflix declined to discuss its new feature, previously reported by The Streamable, an industry news site, in detail. But industry analysts said it might be part of an effort to enforce Netflix’s frequently overlooked terms of use, which state that its service and content “are for your personal and noncommercial use only and may not be shared with individuals beyond your household.”

The test also appears to be more of a nudge to buy a subscription than an iron-fisted crackdown. For example, someone who was borrowing a password from a friend or family member could ask for the verification code that had been sent by Netflix.

said in January that it had added 8.5 million customers in the fourth quarter, for a total of 203.6 million paying subscribers by the end of 2020. The company has about 66 million customers in the United States and anticipated adding six million total subscribers in the first three months of this year.

Netflix had earlier hinted that it was looking at ways to stop password sharing. Gregory K. Peters, the company’s chief product officer, said during a call to review the company’s earnings in October 2019 that Netflix was “looking at the situation.”

“We’ll see, again, those consumer-friendly ways to push on the edges of that,” Mr. Peters said, adding that the company had “no big plans to announce at this point.”

Professor Smith said the company clearly loses a significant amount of revenue through people using the service but not paying for it.

two-factor authentication that is used by many social media and banking apps — makes it harder for attackers to break in.

“I’m not sure it’s a huge benefit,” Professor Cranor said, “but there is some benefit.”


Thousands of Microsoft Customers May Have Been Victims of Hack Tied to China

Businesses and government agencies in the United States that use a Microsoft email service have been compromised in an aggressive hacking campaign that was probably sponsored by the Chinese government, Microsoft said.

The number of victims is estimated to be in the tens of thousands and could rise, some security experts believe, as the investigation into the breach continues. The hackers had stealthily attacked several targets in January, according to Volexity, the cybersecurity firm that discovered the hack, but escalated their efforts in recent weeks as Microsoft moved to repair the vulnerabilities exploited in the attack.

The U.S. government’s cybersecurity agency issued an emergency warning on Wednesday, amid concerns that the hacking campaign had affected a large number of targets. The warning urged federal agencies to immediately patch their systems. On Friday, the cybersecurity reporter Brian Krebs reported that the attack had hit at least 30,000 Microsoft customers.

“We’re concerned that there are a large number of victims,” the White House press secretary, Jen Psaki, said during a press briefing on Friday. The attack “could have far-reaching impacts,” she added.

Microsoft said in a blog post, but Microsoft said it had no sense of how extensive the theft was.

The campaign was detected in January, said Steven Adair, the founder of Volexity. The hackers quietly stole emails from several targets, exploiting a bug that allowed them to access email servers without a password.

“This is what we consider really stealth,” Mr. Adair said, adding that the discovery set off a frantic investigation. “It caused us to start ripping everything apart.” Volexity reported its findings to Microsoft and the U.S. government, he added.

But in late February, the attack escalated. The hackers began weaving multiple vulnerabilities together and attacking a broader group of victims. “We knew that what we had reported and seen used very stealthily was now being combined and chained with another exploit,” Mr. Adair said. “It just kept getting worse and worse.”

Jake Sullivan, the White House national security adviser.

“This is the real deal,” tweeted Christopher Krebs, the former director of the U.S. Cybersecurity and Infrastructure Agency. (Mr. Krebs is not related to the cybersecurity reporter who disclosed the number of victims.)

Mr. Krebs added that companies and organizations that use Microsoft’s Exchange program should assume that they had been hacked sometime between Feb. 26 and March 3, and work quickly to install the patches released this past week by Microsoft.

In a statement, Jeff Jones, a senior director at Microsoft, said, “We are working closely with the C.I.S.A., other government agencies and security companies to ensure we are providing the best possible guidance and mitigation for our customers.”

Microsoft said a Chinese hacking group known as Hafnium, “a group assessed to be state-sponsored and operating out of China,” was behind the hack.

Since the company disclosed the attack, other hackers not affiliated with Hafnium began to exploit the vulnerabilities to target organizations that had not patched their systems, Microsoft said. “Microsoft continues to see increased use of these vulnerabilities in attacks targeting unpatched systems by multiple malicious actors,” the company said.

Patching these systems is not a straightforward task. Email servers are difficult to maintain, even for security professionals, and many organizations lack the expertise to host their own servers safely. For years, Microsoft has been pushing these customers to move to the cloud, where Microsoft can manage security for them. Industry experts said the security incidents could encourage customers to shift to the cloud and be a financial boon for Microsoft.

Because of the broad scope of the attack, many Exchange users are probably compromised, Mr. Adair said. “Even for people who patched this as fast as humanly possible, there’s an extremely high chance that they were already compromised.”

Nicole Perlroth contributed reporting.
