Tag Archives: Alexa

Security News for the Week Ending November 8, 2019

Comcast Testing Encrypted DNS While Lobbying Against It

Encrypted DNS (either DoH or DoT) has become a political hot button.  Recently Vice reported that Comcast is spending hundreds of thousands of dollars lobbying against it.  Mozilla is writing to Congress saying that what Comcast is saying is not true and, most interestingly, Comcast is testing its own DoT and DoH services.  Apparently, what is important is that they can continue to sell your data, and not much else.  Source: Vice

Smart Speakers Can Be Hacked By Laser

Researchers have DEMONSTRATED the ability to talk to your Alexa or Siri by silently pointing a laser at the microphone and modulating the laser so that the microphone thinks you are talking to it.  This will work through a window.  In one test they were able to control an iPad from 33 feet.  In another test, they were able to control a device from over 300 feet away.

The amount of mischief this could potentially cause is large.

The temporary solution is to hide your smart speaker so that no one can point a laser at it from outside your home, for example, and tell it to buy stuff or unlock the door or whatever.  Source: Wired


Security News for the Week Ending August 9, 2019

Researchers Hack WPA 3 Again

The WiFi Alliance has always kept its documents secret.  The only way that you even get a copy of the specs is to become a member, and that will cost you $5k-$20k a year, depending on your role.

The same team that reported the bugs called Dragonblood found these new bugs.  The WiFi Alliance fixed the first set of bugs – in secret – and those fixes actually opened up more security holes.

SECURITY BY OBSCURITY DOES NOT WORK.  PERIOD.  Source: The Hacker News.


IBM Says Reports of Malware Attacks Up 200% in First 6 Months of 2019

IBM’s security division X-Force says that reports of destructive malware in the first 6 months of 2019 are up 200% over the last 6 months of 2018.  Ransomware is also up – 116% they say.

This means that businesses need to up their game if they do not want to be the next company on the nightly news.  Source: Ars Technica.


 StockX Hides Data Breach, Calls Password Change a System Update

If you have been breached, it is best to come clean.  It is critical that you have a plan beforehand (called an incident response plan).  Part of that plan should not say “lie to cover up the truth”.  It just doesn’t work.  StockX tried to convince people that their requirement that everyone change their password was a “system update”.  It wasn’t.  It was a breach and the truth got out.  Source: Tech Crunch.


US Southcom Tests High Altitude Surveillance Balloons

US Southern Command is testing high altitude balloons from vendors like Denver based Sierra Nevada Corp that can stay aloft for days if not weeks – way cheaper and more pervasive than spy planes.

The balloons, whose details are likely classified, probably use techniques like the ones we used in Iraq, only better.  In Iraq, Gorgon Stare could capture gigabytes of high resolution video in minutes, with a single drone covering an entire city.

The theory here is record everything that everyone does and if there is a crime, look at the data later to figure out who was in the target area to create a suspect list.  1984 has arrived.  Source: The Guardian.


Amazon Learns From Apple’s Pain

After Apple’s pain from the leak that humans listen to a sampling of the millions of Siri requests a day, Amazon now allows you to disable that feature if you want and if you can find the option.

Buried in the Alexa privacy page is an option that you can disable called “help improve Amazon services and develop new features”.  Of course you don’t want to be the one who disables it and doesn’t help Amazon make things better.  Source: The Guardian.


North Korea Has Interesting Funding Strategy

North Korea has a very active weapons of mass destruction program.  That program is very expensive.  Given that the economy of North Korea is not exactly thriving, one might wonder how they pay for this program.

They pay for it the old fashioned way – they steal it.

In their case, that doesn’t mean robbing banks.  It means cyberattacks.  Ransomware.  Cryptocurrency robberies.  Stuff like that.  The UN thinks that they have stolen around $2 billion to fund their economy.   And still going strong.  Source: Reuters.


Security News for the Week Ending December 28, 2018

FCC to Investigate Centurylink

In an example of “can you believe this”, Ajit Pai, who earlier this year said that the FCC can’t regulate Internet providers, wants to investigate why Internet provider Centurylink had an outage today that affected 911 call centers across the country.

Centurylink, which told people earlier today that if they had an emergency they should drive to a nearby fire station, now says it is all working (my Internet is not, so maybe they are being optimistic), but has not said what happened to their Internet.

Many 911 call centers are now running on the Internet to save money.

Pai could be between a rock and a hard place since he, earlier this year, said the FCC can’t regulate the Internet, and this is an Internet problem, so maybe he doesn’t even have any authority to investigate something he doesn’t regulate.

Some hospitals had to declare emergencies since their electronic medical record systems are Internet based.

Stay tuned.  (Source: NBC).

Yet Another Bitcoin Hack – $750,000

Hackers made off with 200 Bitcoin – around $750,000 from Electrum digital wallet apps.

The hack is very basic and relies on a flaw in the Electrum software.

This is NOT an attack  on the encryption but rather an attack using a flaw in the software.

The hackers added some servers to the Electrum Wallet network that does the Bitcoin math.  If a user connects to one of those bogus servers, it sends the user a message to download an update.  The update, of course, is malicious and steals the user’s wallet credentials and then empties the user’s wallet.

Users, however, have an amazing ability to do dumb things.  After the attack started, the Electrum developers stopped servers from sending messages to wallets in rich text.  The result is that if a user reached one of the attacker’s servers, the message they received looked jumbled and unformatted.  Some users still picked the URL out of the mess and downloaded the bogus patch.  The developers are still working on a long term solution, so Electrum users need to beware.
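The core defensive lesson in the Electrum story is that a message coming from a peer-selected server is attacker-controlled data and should never be rendered as rich text, nor shown with a clickable or copyable URL in it. The following is an added example, not Electrum’s code and not its real message format, of how a wallet client could treat such a banner: strip markup, redact URLs entirely (one step further than just disabling rich text, since users still fished the URL out of the jumbled text), escape what remains, and flag the message so the UI can warn the user. The sample messages are constructed for this example.

```python
import html
import re

# Constructed sample messages for this example (assumption: a real client's
# server banner format may differ). The second one imitates a phishing banner.
PLAIN_MESSAGE = "Server maintenance tonight at 02:00 UTC"
RICH_MESSAGE = (
    "<b>Update required!</b> Download the new version from "
    '<a href="https://example.invalid/update">https://example.invalid/update</a>'
)

# Markup tags and URLs are the two ingredients a phishing banner needs in order
# to look like a legitimate update notice, so both are removed before display.
TAG_RE = re.compile(r"<[^>]*>")
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+|\bwww\.\S+", re.IGNORECASE)


def sanitize_server_message(raw: str, max_len: int = 200) -> dict:
    """Turn an untrusted server banner into something safe to display.

    Returns a dict with:
      text       - plain text: tags removed, URLs replaced by a marker,
                   truncated, then HTML-escaped so even a rich-text widget
                   shows it literally
      suspicious - True when the original carried markup or URLs, so the
                   caller can show a "this came from the server" warning
      url_count  - how many URLs were redacted
    """
    had_markup = bool(TAG_RE.search(raw))
    stripped = TAG_RE.sub("", raw)
    urls = URL_RE.findall(stripped)
    redacted = URL_RE.sub("[link removed]", stripped)
    # Truncate before escaping so an escape entity is never cut in half.
    if len(redacted) > max_len:
        redacted = redacted[:max_len] + "..."
    safe = html.escape(redacted, quote=True)
    # Software updates must come only from the client's own signed release
    # channel; a server banner is never an update source, hence no link is kept.
    return {"text": safe, "suspicious": had_markup or bool(urls), "url_count": len(urls)}


if __name__ == "__main__":
    for msg in (PLAIN_MESSAGE, RICH_MESSAGE):
        result = sanitize_server_message(msg)
        flag = "WARNING: server-supplied, links removed" if result["suspicious"] else "ok"
        print(f"[{flag}] {result['text']}")
```

Redacting rather than merely de-formatting matters because the attack did not depend on the link being clickable: a URL that is visible at all can be retyped. Keeping the `suspicious` flag separate from the text lets the UI decide how loudly to warn without trusting any part of the banner.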

But here is my complaint about digital currency.

People are out at least $750,000.  That is coming out of their pocket. Can you afford to lose three quarters of a million dollars?  I can’t and there is no insurance for this.  Source: ZDNet.

China Hacks EU Diplomatic Cables

Just so that the U.S. does not feel the pain of China’s hacking alone, various media have been sent copies of thousands of diplomatic cables stolen by hackers.

One describes Trump as a bully and another warned that Russia may have nukes in Crimea.  Others merely confirmed what people were thinking privately.  Another describes July’s meeting between Trump and Putin as “successful (at least for Putin)”.   One quoted China’s president as saying that China would not submit to bullying from the US, even if a trade war hurt everyone.

The hacking has been going on for at least three years.  The hackers posted the cables online and, when they were found, copies were sent to the media.

The company that found them said that likely, tens of thousands of documents were stolen.  My guess is that it is way more than that.

For companies, this is another example of how inadequate security controls can come back to bite you years later, like it did to Marriott.  Whether the data is stolen by foreign governments, hackers or competitors, lack of appropriate tools makes it unlikely to be detected – which is what the hackers want – until the hackers choose to make it public.  Source: The Guardian.

Alexa says Oops

Some people have said that if you have nothing to hide, why are you worried about your privacy?  Here is one reason.

Alexa, like other personal digital assistants, records a bucket of information.  Whether it is requests that you make or just conversations it records to see if you want its attention, Amazon, like the other players, keeps everything.  But that is not always good.

The European privacy law GDPR allows a resident of the EU to ask a company for a copy of the data it is storing about them.

Amazon complied with such a request recently.  The only problem is that the 1,700 recordings that someone made with their Alexa in their home, including in the bedroom and in the shower (which could be both intimate and embarrassing), were sent to the wrong person.

The German magazine Heise says that the details in the recordings of the person and his female companion revealed a lot about the victims’ “personal habits” and that it was easy to identify the people.

Amazon, possibly hoping not to get sued, gave the victim a free Amazon Prime membership and, yes, if you can believe this, free Echo Dot and Echo Spot devices.  As if they hadn’t done enough damage already.

One point to think about here.  Possibly, the owner of the Echo understood the risks of having Alexa join him in the shower and bedroom, but did his female companion accept those risks also?

Maybe you should turn off your Echo when you are engaging in adult activities.  Just saying.  Source: Motherboard.

San Diego School District Hacked – 500,000 Students Affected Going Back to 2008

The school district sent a letter to students, teachers, staff and anyone else affiliated with the district saying that they had been hacked and the hackers stole data including names, Social Security numbers, birth dates, payroll and benefits information along with other data.

The hackers also had the ability to change the data in the system.

The data stolen goes back to 2008 – a risk of online systems.  They tend to rarely get purged of old data.

The school district says it is sorry, but they were just duped by crafty hackers.  Not much responsibility there.  I wonder what they would say if their students tried that tactic when they got poor grades.

The school district set up a 24/7 hotline for victims, but when Newsweek called, they got a recorded apology and were referred to the web site.  Nice. They called back and did talk to a police officer who said they had gotten a “torrent” of phone calls.

The hackers were in there since January; they discovered it in October and told people about it last week.  Source: Newsweek.


Friday News

FDA Begins Process to Change Patching of Medical Devices

The Food and Drug Administration is beginning to understand that its 19th century strategy, which requires manufacturers to recertify their products every time they apply a patch, only leads to the devices being hacked – which they are being, regularly.  They have also asked Congress for more authority to manage the cyber security process, including creating a cyber advisory board.  They are talking about requiring medical device makers to integrate patchability into device design.  Lastly, they are considering requiring manufacturers to provide the FDA with a software bill of materials at submission time.  Note that mostly, this is talk, so expect this process to take years.  In the meantime, medical device security will be right behind baby monitor security (Source: Health IT Security).

Hey Alexa, Are You Hacked?  Again?

Checkmarx researchers built a proof of concept attack using Amazon Echo “skills”, those extensions that allow third parties to add features to an Echo.  Until the exploits were patched earlier this month the attacker would have been able to capture and transcribe every word you said within range of an Echo.  Glad they are the good guys.   The moral is that with convenience comes risk.  You have to decide what your acceptable level of risk is.  (Source: Threatpost).

For Drupal Users is the Third Time a Charm?

For the third time in just a few weeks, Drupal has pushed out a critical patch for all versions.  This patch is a follow-on to Drupalgeddon 2, which allows a hacker to take over the server and, if there are other servers on the network or other servers that the attacked server can talk to, use that compromised server as a launchpad for further attacks.  Just in case anyone has forgotten, this is exactly what allowed the Equifax breach – a forgotten patch in the Apache Struts web framework.  If you have not applied this patch along with the other two, today is a good day to do that, since there are active exploits for this vulnerability in the wild (source: The Register).

Ever Wonder if Hotel Keycard Locks are Safe?

Well, wonder no more.  Researchers are scheduled to disclose a security vulnerability in older generation Vingcard locks, covering a million rooms in over a hundred thousand hotels, later this month at a security conference.  The attack takes about a minute and creates a master key for the entire hotel.  The bad news is that there really is nothing that you, as a guest, can do about it.  Assa Abloy, which makes the locks, has created a fix, but the fix has to be downloaded and manually deployed to each individual room lock, so likely many hotels have not done this labor intensive task (Source: Wired).

FISA Court Denies More Requests in Last Year than in Entire History

The secret FISA court that approves classified snooping requests for the FBI and NSA turned down 26 requests in full last year and 50 requests in part.  That is compared to 21 denials since the court was founded in 1976 through the end of the Obama presidency.  Out of 1,100+ requests last year that is still a small number, but still an indication of a higher level of review (Source: ZDNet).


Alexa – What is My Credit Score?

WHAT. COULD. GO. WRONG???????????????????

Amazon is offering you a new feature: you can ask Alexa what your credit score is.

Actually, it is not as bad as it sounds.  But it doesn’t seem like the most secure thing ever.

First, it is not really Amazon who is answering that question, it is Experian.  Alexa has what Amazon calls “skills”.  A skill, I gather, is a particular thing that Alexa can do, like, maybe, get you movie information.  Skills may be implemented by Amazon or they may be implemented by a third party.  In this case, the third party is Experian.

In order to use the credit score skill, you have to enable the Experian skill, then you have to enter the username and password for your Experian account (so if you don’t have an Experian account you are safe, I guess).  When you do this, the system creates a PIN for you.  I am guessing they create it rather than having you create it because they are scared people will use 1-2-3-4 or 1-1-1-1.  If the skill is inactive for 5 minutes you have to re-enter the PIN.

They also remind people that the information is sensitive so you might want to be alone when you ask Alexa.

If you have Experian’s credit lock product (for more $$$), you can also lock and unlock your credit file from your Alexa.  You can get other Experian services too.

Since most people very rarely check their credit score or even look at their credit file, I am not sure that this service will be super popular, but who knows; they could be on to something.

In fairness to Experian, it seems like they have tried to make it safe, but it also seems like it might be smarter to check your credit score on your tablet or phone (using your Wells, Capital One, Discover and other apps – which are free, unlike Experian). It’s not like you do this 3 times a day so it has to be super convenient.  If you check it a couple of times a year you would be above the average.

So just use your laptop. Or your phone or tablet.  Please.

Information for this post came from CNN.
