Security research firm Rhino Security Labs found a vulnerability in the Amazon Key in-home delivery service's security procedures that could allow either the courier or even a savvy and malicious bystander to enter your home undetected after the delivery is completed.
Amazon has promised to change how Key works so that it is easier for you to tell when something unusual is happening during a delivery, but the changes Amazon has proposed don't necessarily resolve the vulnerability. Amazon Key is available to Amazon customers who have bought Amazon's own Cloud Cam security camera and installed it at their front door.
Money may not grow on trees, but apparently, it can grow in Amazon Web Services (AWS).
A report from the security intelligence group RedLock found at least two companies that had their AWS cloud services compromised by hackers who wanted nothing more than to use the computing power to mine the cryptocurrency bitcoin. The hackers got access to the companies' cloud servers after discovering that their Kubernetes administration consoles weren't password protected. "Upon deeper analysis, the team discovered that hackers were executing a bitcoin mining command from one of the Kubernetes containers," reads the RedLock report.
A security company has found an Amazon server that was stuffed with thousands of pieces of personal information about military types with little or no protection on it. The security company is called UpGuard, and it says that it found the collection of resumes and applications for a position at a place called TigerSwan.
TigerSwan told UpGuard that these resumes included some from people applying for top secret jobs, which makes storing them on an unsecured cloud-based server seem odd. The UpGuard Cyber Risk Team can now disclose a publicly accessible cloud-based data repository of resumes and applications for employment submitted for positions with TigerSwan.
Android phone maker Blu Products was dealt a blow when Amazon said it would no longer sell its phones, citing security and privacy issues. The phone maker came under scrutiny last week by researchers at Kryptowire during a Black Hat session where they criticized the company for collecting personally identifiable information without user consent.
“Because security and privacy of our customers is of the utmost importance, all Blu phone models have been made unavailable for purchase on Amazon.com until the issue is resolved,” Amazon said. Blu phones are Amazon’s top-selling unlocked Android phones and are known for their affordable prices.
A vulnerability in older Amazon Echo devices can be used to make the home assistant relay conversations to eavesdroppers while the owner remains none the wiser. Research by MWR InfoSecurity found it's possible to turn an Amazon Echo into a covert listening device without affecting its overall functionality.
One big limiting factor: the attack requires physical access to the unit, but it is possible to tamper with the Echo without leaving any evidence. The vulnerability results from two design choices: exposed debug pads on the base of the device and a hardware configuration setting.
On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton.
The files within were connected to the US National Geospatial-Intelligence Agency (NGA), the US military's provider of battlefield satellite and drone surveillance imagery. Based on domain-registration data tied to the servers linked to the S3 "bucket," the data was apparently tied to Booz Allen and another contractor, Metronome.
Hackers have zeroed in on the growing number of third-party sellers on Amazon Marketplace, reportedly using stolen logins to swipe thousands of dollars from some merchants.
In recent weeks, hackers have ramped up their attacks by taking over dormant accounts and changing the bank account information. They then post nonexistent merchandise at bargain prices, make the sale and collect the cash. Buyers can get a refund, but the scam hits sellers hard, since they're on the hook for reimbursing customers who never received their merchandise. The hackers likely took over the accounts using a method called "credential stuffing."
For decades, grocery stores have dreamed of fully automated technology that would allow them to dispense with cashiers altogether. But self-checkout systems introduced so far have been clunky and wound up just shifting a lot of work from store employees onto the customer.
Amazon introduced a new self-checkout technology that could totally transform the retail sector. Called “Amazon Go,” the technology allows people to walk into a store, select the items they want to purchase, and walk out. There’s no checkout process at all. Amazon is opening an 1,800-square-foot convenience store in Seattle to test out the technology.
Malicious advertisements have popped up on websites such as YouTube, Amazon and Yahoo, part of a sophisticated campaign to spread malware, Cisco said Monday.
When encountered, the malicious advertisements redirect a person to a different website, which triggers a download based on whether the computer is running Windows or Apple’s OS X, wrote Armin Pelkmann, a threat researcher. The network has been nicknamed Kyle and Stan because those names appear in subdomains of more than 700 websites the attackers have set up to distribute the malware, Pelkmann wrote.
Security researcher Will Dormann of the US Computer Emergency Response Team (CERT) reported this week that over 350 apps from the Google Play and Amazon App stores are vulnerable due to a flaw in which the apps fail to validate SSL certificates.
The bug, which opens up many popular mobile applications such as the eBay mobile shopper and the Microsoft Tech Companion to fairly rudimentary man-in-the-middle attacks, has been tracked and logged by the CERT team for only about a week now. But instead of waiting the standard 45 days to silently communicate the problem to the affected companies in order to give them a chance to get out in front of the issue with appropriate patches.