NSA says Chinese hackers are exploiting a zero-day bug in popular networking gear

The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks.

The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, both of which are popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices — no passwords needed. Citrix also says the flaw is being actively exploited by threat actors.

“We are aware of a small number of targeted attacks in the wild using this vulnerability,” Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. “Limited exploits of this vulnerability have been reported.” Citrix hasn’t specified what industries the targeted organizations are in or how many have been compromised. A Citrix spokesperson did not immediately respond to TechCrunch’s questions.

Citrix rushed out an emergency patch for the vulnerability on Monday and is urging customers using affected builds of Citrix ADC and Citrix Gateway to install the updates immediately.

Citrix didn’t share any further details about the in-the-wild attacks. However, in a separate advisory, the NSA said that APT5, a notorious Chinese hacking group, has been actively targeting Citrix ADCs in order to break into organizations without having to first steal credentials. The agency also provided threat-hunting guidance [PDF] for security teams and asked for intelligence sharing among the public and private sectors.

APT5, which has been active since at least 2007, largely conducts cyber espionage campaigns, and has a history of targeting tech companies including those building military applications, and regional telecommunication providers. Cybersecurity firm FireEye has previously described APT5 as “a large threat group that consists of several subgroups, often with distinct tactics and infrastructure.”

Last year, APT5 exploited a zero-day vulnerability in Pulse Secure VPN — another networking product often targeted by hackers — to breach U.S. networks involved in defense research and development.

NSA says Chinese hackers are exploiting a zero-day bug in popular networking gear by Carly Page originally published on TechCrunch

Verizon launches subscription service aggregator, +Play, in open beta

Back in March, at Verizon’s Investor Event, the company announced +Play, a free web-based platform exclusive to Verizon customers that aggregates subscription services across entertainment, music, gaming, fitness, lifestyle and more.

Today, Verizon launched +Play in open beta, allowing Verizon wireless, 5G Home and LTE Home customers to purchase and manage accounts for over 20 services, including Netflix, Disney+, Hulu, HBO Max, ESPN+, discovery+, AMC+, NFL+, NBA League Pass, NBA TV, as well as Live Nation’s live streaming concert service Veeps, Peloton, Calm, and Duolingo, among others.

Alongside the launch, Verizon is giving +Play users a Netflix Premium subscription for 12 months, which normally costs around $240 per year. The exclusive offer is only available for a limited time, the company wrote in today’s announcement.

Verizon customers can get +Play at no additional cost. To get early access to the beta, go to plusplay.verizon.com and log into the platform with your existing Verizon account info. Once a user subscribes to a service through +Play, they can use the service directly through the providers’ app or online portal.

Like many other subscription hubs, +Play includes a Discover tab for users to find content, a Shop tab, and a Manage tab where users can have all their account payments in one central place. Also, users will get +Play notifications every time a free trial period ends or if there are price changes to any subscription.

Verizon noted that the initial beta launch is only just the beginning as the platform will evolve over time, with plans to add new services, exclusive offers and features.


“As the network America relies on and one of the largest direct-to-consumer distributors in the U.S., Verizon is the partner of choice for content and subscriptions services, and we’re positioned to move the industry forward by offering customers more choice and enabling a seamless billing and management experience,” Erin McPherson, Chief Content Officer for Verizon, said in a statement. “We’re partnering with Netflix to offer customers all of their favorite content and a special offer only available in +Play.”

Verizon is likely betting that its millions of customers will want +Play, as streaming service aggregators are on the rise. YouTube recently launched “Primetime Channels,” allowing users to subscribe to and watch content from 30+ services. Other competitors include Amazon, Roku and Apple.

“This is a huge milestone for Verizon and the industry as a whole, and we’re incredibly proud to continue to be trailblazers in the new era of content and subscription services,” McPherson added.

Verizon launches subscription service aggregator, +Play, in open beta by Lauren Forristal originally published on TechCrunch

Reports of Musk forcing tracking ads on Twitter put him on a costly collision course with EU privacy laws

Twitter’s lead privacy regulator in the European Union is being kept very busy indeed by Elon Musk’s erratic piloting of the bird site.

Following a report by Platformer, which suggests Musk is planning to force users to accept personalized advertising unless they pay for a subscription service that will include an opt-out for ads, the Irish Data Protection Commission (DPC) told us it is reviewing the matter.

This adds to a growing pile of data protection concerns piling up on its desk — let’s call these the real ‘Twitter Files’ — such as Musk providing access to Twitter systems to non-staff reporters (um, security and privacy anyone?); the status of Twitter’s main establishment in Ireland (and, therefore, the streamlined situation it currently enjoys with the DPC leading oversight of its compliance with the EU’s General Data Protection Regulation, aka the GDPR); and whether Twitter has adequate compliance staff and appropriate resources to deal with all the inbound enquiries from regulators and users (such as requests for deletion of data) since Musk took an axe to halve company headcount, to name a small portion of the regulatory chaos he’s kicked up in very short order.

Under the GDPR Twitter needs a valid legal basis to process personal data, such as tracking and profiling users to target them with ads.

Consent is one of the legal bases that can be possible under the GDPR — but you can’t force users to consent; consent must be freely given if it’s to meet the legal bar. Ergo, forcing users to pay up or else be tracked and targeted looks unlikely to pass muster with EU regulators.

Another legal basis permitted in the GDPR is contractual necessity. And it’s worth noting that this is the legal basis currently claimed by Facebook-owner Meta for the ‘personalized’ ads it forces on users of its social networking services.

However, in a blow to Musk’s ambitions to follow Zuck and force microtargeted ads into Europeans’ eyeballs whether they like it or not (or else, in Musk’s case, force Europeans to pay him not to profile them for ad targeting), the European Data Protection Board recently issued a decision on a long running complaint against Meta’s controversial choice of legal basis — which, per press reports, appears to rule out using a claim of performance of a contract to run behavioral advertising.

There is also legitimate interest (LI) — another legal basis that exists in the GDPR. But, again, it’s a sad trombone for Musk on this front as TikTok was forced to abort a planned switch of legal basis for its personalized ads, from consent to LI, this summer — after warnings from Italy’s DPA that this would not be legit.

The DPC also stepped in to ‘engage’ with TikTok on the matter — in its capacity as TikTok’s lead supervisor for GDPR. But it’s not just the GDPR that’s likely to apply here if Twitter similarly tries to force tracking ads on users in Europe: The EU’s ePrivacy Directive, which governs online tracking, also likely comes into play — and, as Italy’s DPA warned TikTok a few months ago, you can’t do tracking without asking for consent. Ergo LI won’t fly for Twitter tracking ads.

Additionally, and unhappily for Musk — who is famously not a fan of regulators — the ePrivacy Directive does not have a one-stop-shop mechanism streamlining regulatory oversight (and oftentimes shrinking risk) via a lead DPA, as is the case with the GDPR. So if he tries to force tracking ads on EU users he’s opening the company up to enforcement by privacy watchdogs across the bloc, from Italy to France, and on through as many of the 27 EU Member States that have DPAs with an appetite for enforcement.

France’s privacy watchdog, the CNIL, has been very active on enforcing ePrivacy against tech giants in recent years — fining Google $120M two years ago for dropping tracking cookies without consent, for instance, and hitting the adtech giant a second time with a further $170M penalty this January over cookie consent dark patterns. It has also spanked Amazon and Facebook with multimillion dollar penalties for ePrivacy breaches over the same time frame. So there’s little reason to think the French would turn a blind eye to a swashbuckling Muskian forced-tracking-ads adventure.

It’s worth noting there are examples in some EU Member States (notably Germany) of certain news media websites putting up paywalls that offer users a choice between subscribing to view their content (i.e. journalism) or getting free access to it but with the stipulation that they agree to be tracked as the ‘price’ for this freebie.

Their approach remains controversial with data protection law experts and may not survive legal challenges. But, in the meanwhile, it doesn’t necessarily offer much succour to Musk’s ambitions to force ads on unwilling Europeans, either, since there is a clear difference between pay-or-be-tracked-gating of journalism (i.e. professional content that the paywalling company is paying to produce) vs pay-or-be-tracked-gating of user generated content which Musk is getting for free for some crazy reason, even as he yells at Twitter users to pay him ~$8 per month or else.

So a pay-me-or-else paywall in the microblogging platform case doesn’t look like it would be smooth sailing either.

A really key difference is that news media are asking you to pay for content they have produced at a cost. Funding good journalism is important. EM is flapping around trying to monetise content and engagement created by others.

— Daragh O Brien mastodon.ie/@CastlebridgeChief (@CBridge_Chief) December 14, 2022

So what penalties might Musk face if he goes ahead and tries to force ads on European users?

Under the GDPR, penalties can scale up to 4% of global annual turnover — so, on paper, the cost of breaking the law can certainly get expensive (though Twitter has escaped major sanction to date). But GDPR penalties against tech giants have been getting bigger in recent years (even if the bill may take years to arrive). And flagrant/wilful breaches typically invite bigger fines than one-off incidents like a security slip up.

ePrivacy also allows EU regulators to levy dissuasive sanctions for breaches — and these can, demonstrably, exceed a hundred million dollars apiece (i.e. from a single regulator), so costs could stack up quickly here too if multiple watchdogs wade in.

ePrivacy enforcement is also not slowed down by a one-stop-shop mechanism funnelling cross-border complaints through a single lead regulator (as happens with the GDPR). So fines could arrive in fairly short order if Musk pushes ahead with forced tracking despite the lack of a legal path for such processing.

Both privacy laws also enable EU regulators to issue corrective orders against infringing practices. And failure to comply with such orders invites — you guessed it! — further sanction. So if Musk refuses to correct course he is walking into an ongoing world of costly regulatory pain in Europe.

He has more regulatory trouble brewing in the region, too.

Looming on the horizon is application of the EU’s new Digital Services Act (DSA), the bloc’s rebooted Internet rulebook, which concerns itself with content governance issues, so how platforms tackle problems like terrorism, hate speech, disinformation etc. Here again Musk’s ‘free the bird’ approach has quickly thrown regulatory expectations into a spin that has led (already) to closer scrutiny by EU lawmakers than would likely have occurred without the Tesla CEO at the helm of Twitter.

The European Commission itself will oversee larger platforms’ compliance with the DSA, rather than national authorities. And just last month it warned Twitter over the need to have adequate resourcing for compliance in place — saying it would carry out a stress test of its approach at its Dublin HQ early next year. So it’s already putting Twitter on DSA watch.

It remains to be seen whether or not the Commission will classify Twitter as a so-called VLOP — meaning it would take on the burden of regulating Musk’s erratic rule itself. But he is essentially inviting that increased level of EU scrutiny (and regulatory risk) by playing so fast and loose with existing governance and compliance structures. Ergo, Twitter’s DSA compliance being regulated by the Commission looks rather more possible than it probably should, based on an assessment of the platform’s size alone. And that’s all down to Musk’s hard work ripping up existing governance structures and driving out compliance expertise.

Penalties under the DSA can scale up to 6% of global annual turnover. The regulation also contains powers for regulators to ban infringing services if they repeatedly fail to correct governance — so if Musk keeps on trolling the region’s regulators a complete loss of Twitter’s EU revenue cannot be entirely ruled out… Buckle up!

Reports of Musk forcing tracking ads on Twitter put him on a costly collision course with EU privacy laws by Natasha Lomas originally published on TechCrunch

In a turbulent market, it’s time to get methodical about sales

During an economic downturn, it’s easy to focus on negative headlines about layoffs and declining business performance. But revenue teams still have targets to meet. Now is the time to get creative.

So how do you drive accountability at a time when every sale matters?

Sales managers: It’s time to get methodical and strategic if you want your reps to hit quota. While there are a multitude of different approaches out there, I’d like to talk about two of my favorite sales methodologies — MEDDPICC and design thinking — and explore why they’re particularly effective when times get tough.

Get curious about your customer with MEDDPICC

It’s difficult for a seller to be creative without truly knowing their customer first.

Proper discovery is a foundational step in the sales cycle and should never be skipped. Your sellers may want to jump right into a selling motion without taking the time to research, but it’s critical to ask the right questions and understand why prospects need solutions like yours instead of simply selling features.

Sellers shouldn’t hop right into pushing features; they should illustrate the unsustainable nature of a customer’s current behaviors and processes.

Regardless of whether you’re connecting with buyers online or in person, sales has always been about building and maintaining relationships. If this is something your sellers struggle with, gaining a better understanding of your prospects may require a more structured approach.

I’m a big fan of the MEDDPICC sales methodology, which breaks down into a series of questions sellers must ask themselves during a B2B deal:

Metrics: How will your prospect measure success? What goals do they need to achieve?
Economic buyer: Are you talking to the real decision-maker within the prospect’s organization?
Decision criteria: What’s driving their decision to partner with us? Are there certain technical, budget or ROI requirements we need to meet?
Decision process: Who are the key stakeholders? What steps will they take before making a purchase decision?
Paper process: What steps or actions have to be taken before the contracts are signed?
Implicate the pain: What problem is the prospect trying to solve? What’s at risk if they don’t solve it?
Champion: Who does this problem impact the most within the prospect’s organization? Will they go to bat for your solution to fix it?
Competition: What people, vendors or initiatives are competing for the same funds and resources we are?

Getting back to the basics and conceptualizing your deals through the lens of MEDDPICC will create a more holistic approach to sales, a better understanding of your customers and a sales team that’s well researched and well prepared to win more deals. It fosters connection and conversations about the things buyers actually care about by focusing on the pain of their current issue and how your solution can solve it.

In a turbulent market, it’s time to get methodical about sales by Ram Iyer originally published on TechCrunch

Mercedes-Benz gears up powertrain network for EVs from 2024

Plants in Kamenz and Untertuerkheim in Germany, as well as Beijing, which already assemble batteries for electric and hybrid models, will do the same for models on the upcoming MMA and MB.EA platforms, with another battery assembly site in Koelleda pending support from the regional government.
