Category Archives: Amazon

Amazon launches 4K Fire TV Cube with integrated Alexa Echo

Amazon’s Fire TV Cube has hands-free Alexa voice controls

Amazon, the e-commerce giant, on Thursday announced a new cube-shaped device that combines an Echo, a streaming box and a universal remote in one.

Dubbed the Amazon Fire TV Cube, it allows you to control your TV and other home-entertainment devices using just your voice. Thanks to a built-in speaker and far-field voice detection, the Fire TV Cube can do just about everything.

“Power your TV on and off, change the volume, switch to different inputs and change the cable channel — all with just your voice,” Amazon said in a statement.

The Fire TV Cube is powered by a 1.5 GHz quad-core ARM Cortex-A53 processor, 2GB of RAM, 16GB of storage, Dolby Atmos 7.1 channel sound and support for 4K and HDR-10 content. It has an HDMI 2.0a port, an Ethernet jack, an IR (infrared) port, and a micro-USB port and supports 802.11ac Wi-Fi.

The Fire TV Cube connects to your TV and acts as a 4K Ultra HD streaming media player that provides access to content from Amazon Prime services, Hulu, Netflix and other apps. It also serves as an Echo speaker, which means you can ask it to show weather forecasts on the TV, order things from Amazon, make a phone call, show footage from your smart home camera or control smart appliances inside your home.

“Even with the TV off, say ‘Alexa, play Billions on Showtime’ and Fire TV Cube powers on your TV and starts playback right where you left off,” Amazon added.

Similar to the Amazon Echo, the Fire TV Cube uses far-field voice recognition and eight microphones to ensure that the device can hear a user’s commands even from across the room.

“It ‘suppresses’ noise and competing speech to make sure ‘Alexa clearly hears your request, even next to your TV,’” Amazon said.

Thanks to a combination of infrared technology and HDMI CEC, the Fire TV Cube can be used to control your TV, sound bar, cable box, or other audio and video gear using voice commands.

The Fire TV Cube is compatible with set-top providers including Comcast, Dish, and DirecTV. It also allows access to thousands of apps from the Amazon App Store, such as streaming services HBO, Showtime, and Starz — through Amazon’s a la carte Amazon Channels service.

“We believe voice makes it easier for customers to control their entertainment systems and watch the TV and movies they care about,” Marc Whitten, vice president of Amazon’s Fire TV division, said in a statement. “And it’s just the beginning. Amazon Fire TV Cube will only get better over time, with the Alexa service always getting smarter.”

The Fire TV Cube is available for pre-order at $119.99 and will begin shipping June 21. Currently, it’s available only in the U.S. However, Prime members can grab the streaming device at a limited-time price of $89.99 if the order is placed by June 8th. Also, customers who buy and register their Fire TV Cube by July 1st will receive a $10 credit for Prime Video.

The post Amazon launches 4K Fire TV Cube with integrated Alexa Echo appeared first on TechWorm.

Facebook shared its users’ data with 60 Companies

Facebook shared users’ personal data with 60 companies including Apple, Samsung, and Amazon

While Facebook is still reeling under the heat of the Cambridge Analytica scandal, a new report in The New York Times has raised fresh concerns about Facebook’s privacy protection policies. The Times has claimed that the social networking giant has been sharing users’ personal information with at least 60 device makers including Apple, Samsung, Amazon, Blackberry, and Microsoft based on the data-sharing partnerships between them.

According to The Times, bigwigs like Apple, Amazon, Samsung, and Microsoft are said to have had data-sharing partnerships with Facebook over the last 10 years, many of which are still in effect. Under the data-sharing agreements, the device makers were allowed to offer popular Facebook features, such as messaging, address books and the Like button, to their customers, while the arrangement helped Facebook expand its reach. Further, the agreements allowed outside companies to access user data like relationship status, religious and political affiliations, work history and birthdays. They also allowed outside companies to access information about users’ Facebook friends without their explicit consent, even when those friends had turned data sharing off.

The data sharing was reportedly flagged as an issue as early as 2012.

“This was flagged internally as a privacy issue,” Sandy Parakilas, who then led Facebook’s privacy compliance, told The Times. “It is shocking that this practice may still continue six years later, and it appears to contradict Facebook’s testimony to Congress that all friend permissions were disabled.”

However, Ime Archibong, Facebook’s vice president of product partnerships, responded to The Times’ article with a blog post titled, “Why We Disagree with The New York Times” and stated that these data agreements were a matter of necessity.

“In the early days of mobile, the demand for Facebook outpaced our ability to build versions of the product that worked on every phone or operating system. It’s hard to remember now but back then there were no app stores. So companies like Facebook, Google, Twitter and YouTube had to work directly with the operating system and device manufacturers to get their products into people’s hands. This took a lot of time — and Facebook was not able to get to everyone.

“To bridge this gap, we built a set of device-integrated APIs that allowed companies to recreate Facebook-like experiences for their individual devices or operating systems. Over the last decade, around 60 companies have used them — including many household names such as Amazon, Apple, Blackberry, HTC, Microsoft, and Samsung.

“These partners signed agreements that prevented people’s Facebook information from being used for any other purpose than to recreate Facebook-like experiences. Partners could not integrate the user’s Facebook features with their devices without the user’s permission. And our partnership and engineering teams approved the Facebook experiences these companies built. Contrary to claims by the New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends. We are not aware of any abuse by these companies.”

Archibong also said that with the rise of iOS and Android, very few people now depend on these APIs to create bespoke Facebook experiences. As a result, Facebook started “winding down” the partnerships in April and has ended 22 of them so far.

Source: Business Insider

The post Facebook shared its users’ data with 60 Companies appeared first on TechWorm.

Researchers discover vulnerabilities in smart assistants’ voice commands

Virtual personal assistants (VPA), also known as smart assistants, like Amazon’s Alexa and Google’s Assistant, are in the spotlight for vulnerabilities to attack. Take, for example, the incident in which an Oregon couple’s Echo smart speaker inadvertently recorded their conversation and sent it to a random contact. Or the time Alexa started laughing out of the blue. Indeed, something has to be done about these hacks, whether they’re by accident or not.

Earlier this month, researchers from Indiana University, the Chinese Academy of Sciences, and the University of Virginia found exploitable weaknesses in the VPAs above. The researchers dubbed the techniques they used to reveal these weaknesses voice squatting and voice masquerading. Both take advantage of the way smart assistants process voice commands. Unsurprisingly, they also exploit users’ misconceptions about how such devices work.

How smart assistants work

VPA services used in smart speakers can do what they’re created to do with the use of apps called “skills” (by Amazon) or “actions” (by Google). A skill or an action provides a VPA additional features. Users can interact with a smart assistant via a virtual user interface (VUI), allowing them to run a skill or action using their voice.

Entrepreneurs, with the help of developers, are already creating their own voice assistant (VA) apps to cater to client needs, make their services accessible on the voice platform, or simply offer users an enjoyable experience.

As of this writing, the smart assistant app market is booming. Alexa skills alone already number in the tens of thousands, thanks to the Alexa Skill Kit. Furthermore, Amazon has recently released Alexa Skill Blueprints, making skill creation easy for people with little or no coding knowledge.

Unfortunately, the availability of such a kit to the public has made abuse by potential threat actors possible, turning the VPA realm into an entirely new attack vector. If an attack is successful (and the researchers’ study proved that it can be), a significant number of users could be affected. They concluded that remote, large-scale attacks are “indeed realistic.”

Squatters and masqueraders

Voice squatting is a method wherein a threat actor abuses the way a skill or action is invoked. Let’s take an example from the researchers’ white paper. If a user says, “Alexa, open Capital One” to run the Capital One skill, a threat actor can potentially create a malicious app with a similarly pronounced name, such as Capital Won. The command meant for the Capital One skill is then hijacked to run the malicious Capital Won skill instead. Also, as Amazon is now rewarding kids for saying “please” when commanding Alexa, a similar hijacking can occur if a threat actor uses a paraphrased name like Capital One please or Capital One Police.

“Please” and “police” may mean two totally different things to us, but for current smart assistants, these words are the same, as they cannot correctly recognize one invocation name over another similar-sounding one.

Suffice it to say, VPAs are not great at handling homophones.
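To make that collision concrete from the store reviewer’s side, here is an added example (not code from the Malwarebytes post or from the researchers’ paper) of a vetting check that a skill marketplace could run before accepting an invocation name. It reduces each name to a simplified Soundex-style key that drops the leading letter and all vowels, so the homophone pairs named above (“One”/“Won”, “please”/“police”) collapse to the same key, and it flags a proposed name that sounds identical to, or merely extends, an already registered one. The key function, the registry list and the reason strings are assumptions of this example; the real platforms use their own speech models, which the post does not describe.

```python
import re
from typing import List, Tuple

# Simplified Soundex-style consonant classes. Unlike real Soundex, the first
# letter is NOT kept verbatim, so "one" and "won" collapse to the same key.
# This is a toy phonetic key assumed here for illustration, not the matching
# logic Amazon or Google actually use.
_CONSONANT_CLASS = {
    **dict.fromkeys("bfpv", "1"),
    **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"),
    "l": "4",
    **dict.fromkeys("mn", "5"),
    "r": "6",
}


def word_key(word: str) -> str:
    """Map one word to a consonant-class code. Vowels, h, w and y contribute
    nothing and runs of the same class are collapsed, so "please" and
    "police" both become "142"."""
    codes: List[str] = []
    for ch in word.lower():
        code = _CONSONANT_CLASS.get(ch)
        if code is None:  # vowel, h/w/y or non-letter
            continue
        if not codes or codes[-1] != code:
            codes.append(code)
    return "".join(codes)


def name_key(invocation_name: str) -> List[str]:
    """Per-word keys for a full invocation name; words with no consonant
    content (for example "a") are dropped so they cannot pad a name."""
    words = re.findall(r"[a-z]+", invocation_name.lower())
    return [k for k in (word_key(w) for w in words) if k]


def squat_candidates(new_name: str, registry: List[str]) -> List[Tuple[str, str]]:
    """Compare a proposed invocation name against registered names and return
    (existing_name, reason) pairs that a reviewer should look at by hand."""
    new_k = name_key(new_name)
    findings: List[Tuple[str, str]] = []
    if not new_k:
        return findings
    for existing in registry:
        ex_k = name_key(existing)
        if not ex_k:
            continue
        if new_k == ex_k:
            findings.append((existing, "sounds identical"))
        elif new_k[: len(ex_k)] == ex_k:
            # "Capital One please" / "Capital One Police" land here
            findings.append((existing, "extends an existing name with trailing words"))
        elif ex_k[: len(new_k)] == new_k:
            findings.append((existing, "is a spoken prefix of an existing name"))
    return findings


if __name__ == "__main__":
    # Constructed registry for the demo; not a real skill catalogue.
    registry = ["Capital One", "Weather"]
    for proposed in ["Capital Won", "Capital One please", "Capital One Police", "Billions"]:
        print(proposed, "->", squat_candidates(proposed, registry) or "no collision")
```

Run stand-alone, the script reports the three Capital One variants against the registered name and clears “Billions”. Because the key is deliberately coarse it will also produce false positives, which is the right trade-off for a check whose output goes to a human reviewer rather than an automatic rejection.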

Voice masquerading, on the other hand, is a method wherein a malicious skill impersonates a legitimate one to either trick users into giving out their personal information and account credentials or eavesdrop on conversations without user awareness.

Researchers identified two ways this attack can be carried out: in-communication skill switch and faking termination. The former takes advantage of the false assumption that smart assistants readily switch from one skill to another once users invoke a new one. Going back to our previous example, if Capital Won is already running and the user asks, “Alexa, what’ll the weather be like today?”, Capital Won pretends to hand over control to the Weather skill in response to the invocation, when in fact Capital Won is still running, this time impersonating the Weather skill.

As for the latter, faking termination abuses voluntary skill termination, a feature wherein skills can self-terminate after delivering a voice response such as “Goodbye!” to users. A malicious skill can be programmed to say “Goodbye!” but remain running and listening in the background for a given length of time.

But…I like my smart assistant!

No need to box up your smart speakers and send them back if these vulnerabilities worry you. But it is essential for users to really get to know how their voice assistant works. We believe that doing so can make a significant difference in maintaining one’s privacy and protecting against attack.

“Making devices, such as Alexa, responsible for important systems and controls around the house is concerning, especially when evidence emerges that it’s able to turn a simple mistake into a potentially serious consequence,” our very own Malware Intelligence Analyst Chris Boyd said in an interview with Forbes.

Smart assistants and IoT, in general, are still fairly new tech, so we expect improvements in the AI, and the security and privacy efforts within this sector. Both Amazon and Google have claimed they already have protections against voice squatting and voice masquerading.

While it is true that the researchers had already met with both firms to help them understand these threats further and offer them mitigating steps, they remain skeptical about whether the protections put in place are indeed adequate. Only time will tell.

The post Researchers discover vulnerabilities in smart assistants’ voice commands appeared first on Malwarebytes Labs.

Amazon is banning shoppers who frequently return items

Customers claiming their accounts were closed without any notice by the e-commerce giant

It seems the consumer-friendly 30-day return policy has begun to worry Amazon, and the e-commerce giant has started working against its self-proclaimed mission, i.e. “to be Earth’s most customer-centric company”!

Yes! The company has banned some of its users for abusing its return policy. As per The Wall Street Journal’s report, one of the company’s representatives confirmed it, saying, “We want everyone to be able to use Amazon, but there are rare occasions where someone abuses our service over an extended period of time,” and added, “We never take these decisions lightly, but with over 300 million customers around the world, we take action when appropriate to protect the experience for all our customers.”

The surprise element in the whole story is that the buyers, more specifically the ‘returners’, are being blocked outright without any prior notification. Even Amazon’s return policy doesn’t have any clause stating how many or what percentage of returns will get you banned. However, it does state that the company reserves the right to terminate accounts at its discretion.

Many customers have taken to social media to air their grievances about Amazon closing their accounts without warning or explanation. Paul Fidalgo tweeted about being “exiled” from Amazon for “excessive returns.” One user reported that he was unable to download e-books for his Kindle, as he was banned from Amazon. Another customer shared on Twitter a screenshot of an email from the company asking her to explain why she returned her orders.

According to a former Amazon employee, the company kicks out buyers who request too many refunds, return dodgy items or frequently violate policies, including by paying for reviews. He also mentioned that all the dubious activity is flagged by a computer algorithm, after which those accounts are reviewed manually.

Amazon has undoubtedly built its reputation on an easy return policy, but with this step the company has clearly signaled that it won’t tolerate abuse even from its customers. “If your behaviour is consistently outside the norm, you’re not really the kind of customer they want,” said former Amazon senior manager James Thomson.

The account closures are causing havoc among Amazon customers, including both Prime members and occasional buyers. And it doesn’t seem that the company has any plan to rethink its verdict, so to all the buyers: just think twice before placing your order!

The post Amazon is banning shoppers who frequently return items appeared first on TechWorm.

Sending Inaudible Commands to Voice Assistants

Researchers have demonstrated the ability to send inaudible commands to voice assistants like Alexa, Siri, and Google Assistant.

Over the last two years, researchers in China and the United States have begun demonstrating that they can send hidden commands that are undetectable to the human ear to Apple's Siri, Amazon's Alexa and Google's Assistant. Inside university labs, the researchers have been able to secretly activate the artificial intelligence systems on smartphones and smart speakers, making them dial phone numbers or open websites. In the wrong hands, the technology could be used to unlock doors, wire money or buy stuff online, simply with music playing over the radio.

A group of students from University of California, Berkeley, and Georgetown University showed in 2016 that they could hide commands in white noise played over loudspeakers and through YouTube videos to get smart devices to turn on airplane mode or open a website.

This month, some of those Berkeley researchers published a research paper that went further, saying they could embed commands directly into recordings of music or spoken text. So while a human listener hears someone talking or an orchestra playing, Amazon's Echo speaker might hear an instruction to add something to your shopping list.

Blockchain-powered e-commerce startup leaks personal information of 25,000 early investors

A misconfigured MongoDB database has led to the leak of names, email and physical addresses, wallet information, encrypted passwords, and driver’s license and passport numbers of 25,000 early investors in Bezop. The leak deals a second security-related blow in months to the e-commerce startup, which hopes to give retail giant Amazon a run for its money by fashioning its business around digital currency.

Bezop is a decentralized blockchain-powered commerce platform, similar in some ways to Amazon, that hopes to be “the future of global trade,” according to its creators.

“No monthly fees, Build professional amazon-like stores and start accepting cryptocurrency in minutes,” reads a marketing tagline on the firm’s website.

The business is based on its own Bezop cryptocurrency, which trades under the name BEZ. Users are promised several sure-fire ways to generate profits, not just by selling goods in exchange for crypto coins, but also by participating in “mining” programs for an extra incentive.

However, things went awry for Bezop when researchers at Kromtech (a developer of popular macOS utilities) found a misconfigured MongoDB database that was showing the personal information of 25,000 Bezop investors in plain text – publicly, for anyone with access to the Internet to see.

When alerted to the breach in March, Bezop fixed the problem but made no public admission that it messed up so badly – if there’s one thing a startup needs like air, it’s the trust of its early backers.

Sadly for Bezop, it’s not the first time the company has made headlines for insecure handling of user data. As reported by hackread.com, only a few months ago the company sent usernames and passwords in cleartext format.

John McAfee (the founder of the security firm with the same name) sits on Bezop’s board of directors, but his expertise has apparently yet to rub off on the company he is backing.

IcedID – New Banking Trojan targets US-based companies with web injects

The malware research team in the UAB Computer Forensics Research Lab is widening its horizons and is always on the lookout for new malware families. While researching new malware families, Arsh Arora, Ph.D. Candidate at UAB, found some chatter about the new banking trojan IcedID. Although ransomware is the most discussed malware in the press, for many financial institutions the most feared malware type is the banking trojan. The objective of most banking trojans is to steal banking credentials and eventually steal the money from account holders.

IcedID Banking Trojan 

IBM X-Force discovered a new banking trojan, IcedID, that was first detected in September 2017. It is known as a modified version of the Zeus Trojan. The trojan is spread by the Emotet worm, which is able to spread from machine to machine inside a network via weak administrator passwords.

One of our malware research team members, Shawn Sharp, decided to dig into this malware. IBM had already provided a detailed explanation of the infection part, so we decided to take a different approach and focused on analyzing the web injects on a number of websites.

The sample used to test was:

MD5 - a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013

Virus Total Detection - 49/67. The sad part is that only 1 of the 49 detections named it IcedID, which commonly happens when marketing departments name malware. (The only company to call it IcedID was ALYac, the anti-virus product from ESTSecurity Corp in Seoul, Korea. ESET, Microsoft, and TrendMicro all call this a sample of Fareit malware.)

When Shawn launched the process, it didn't trigger on its own; a browser had to be launched to activate the banking trojan.

Fig. 1: Activation of Banking Trojan IcedID

Once the trojan was activated, the following financial-institution strings were found in the memory of the running sample when checked through Process Hacker.

bbt
jpmorgan
americanexpress
bankofamerica
tdbank
chase
citigroup
discover
ebanking-services
etrade
citi
adp
usaa
wellsfargo

When we visited a few of these websites and provided them with fake credentials, the web-inject process modified the user experience by asking the website visitor for extra details. It is noteworthy that these changes to the page happen in browser memory, meaning that the "https:" and "Secure" labels are still present, even though the page has been altered.
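As an added example that is not part of the UAB write-up, the following Python snippet turns the string list above into a simple triage check a responder could run over a process memory dump (the kind of data the post reads out of Process Hacker). It looks for each of the reported strings in both ASCII and UTF-16LE, since Windows processes frequently hold URL and configuration strings as wide characters, and flags the dump when several distinct bank names appear together. The sample dump bytes are constructed for illustration, and the threshold of three distinct strings is an assumption of this example, not a figure from the post.

```python
import re
from typing import Dict, Optional, Tuple

# Financial-institution strings reported in the running IcedID sample's
# memory, copied from the list in the post above.
ICEDID_TARGET_STRINGS = [
    "bbt", "jpmorgan", "americanexpress", "bankofamerica", "tdbank", "chase",
    "citigroup", "discover", "ebanking-services", "etrade", "citi", "adp",
    "usaa", "wellsfargo",
]

Patterns = Dict[str, Tuple["re.Pattern[bytes]", "re.Pattern[bytes]"]]


def build_patterns(strings=ICEDID_TARGET_STRINGS) -> Patterns:
    """Compile one case-insensitive pattern per string for ASCII and one for
    UTF-16LE (each ASCII byte followed by a NUL), so wide strings in a
    Windows process image are not missed."""
    patterns: Patterns = {}
    for s in strings:
        raw = s.encode("ascii")
        ascii_pat = re.compile(re.escape(raw), re.IGNORECASE)
        wide = b"".join(bytes([c]) + b"\x00" for c in raw)
        wide_pat = re.compile(re.escape(wide), re.IGNORECASE)
        patterns[s] = (ascii_pat, wide_pat)
    return patterns


def scan_memory(blob: bytes, patterns: Optional[Patterns] = None) -> Dict[str, Dict[str, int]]:
    """Return {string: {"ascii": n, "utf16": m}} for every target string that
    occurs at least once in the dump."""
    patterns = patterns or build_patterns()
    hits: Dict[str, Dict[str, int]] = {}
    for s, (ascii_pat, wide_pat) in patterns.items():
        n_ascii = len(ascii_pat.findall(blob))
        n_wide = len(wide_pat.findall(blob))
        if n_ascii or n_wide:
            hits[s] = {"ascii": n_ascii, "utf16": n_wide}
    return hits


def triage(blob: bytes, min_distinct: int = 3) -> Tuple[bool, Dict[str, Dict[str, int]]]:
    """Flag a dump when several DISTINCT bank strings appear together. One bank
    name in a browser's memory is normal; a cluster of them in a process that
    is not a browser is worth a closer look. The threshold is an assumption."""
    hits = scan_memory(blob)
    return len(hits) >= min_distinct, hits


# Constructed memory blob for the demo: two ASCII and two UTF-16LE bank
# strings padded with filler bytes. Not a real IcedID dump.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"https://www.wellsfargo.com/login "
    + "chase.com".encode("utf-16-le")
    + b"\x00\x00\x01\x02"
    + b"BankOfAmerica"
    + b"\x00" * 8
    + "citigroup".encode("utf-16-le")
)

if __name__ == "__main__":
    flagged, found = triage(SAMPLE_DUMP)
    print("flagged:", flagged)
    for name, counts in sorted(found.items()):
        print(f"  {name:<18} ascii={counts['ascii']} utf16={counts['utf16']}")
```

Note that the shorter entries match inside longer ones ("citi" inside "citigroup"), which is why the check counts distinct strings rather than raw matches; on the constructed dump that yields five hits and a flag. Strings alone are not attribution, and a legitimate banking app will contain some of them, so treat the result as a lead for manual review rather than a verdict.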

Amazon

Fig. 2: Amazon Web-Inject asking for card number

Although we really are at Amazon.com, the malware is causing our browser to ask us for the details of our credit card!

Chase

Fig. 3: Chase Web-Inject asking for additional details

The malware makes Chase's website appear to ask us for not only our Card Number and Expiration Date, but also our CVV and PIN!

Citi

Fig. 4: Citi Web-Inject asking for additional details

Machines infected with IcedID will also ask for these details after a login attempt at Citi.com!

Discover

Fig. 5: Discover Web-Inject asking for additional details

The Discover.com website asks for card details, but also our Date of Birth and the last four digits of our Social Security Number!

Researchers will be diving in deeper and trying to reverse-engineer the binary for additional information. Stay tuned for more updates. In the meantime, if you hear a friend complaining that their bank is asking them for too much information, it may mean that they are infected with malware!
Malware spam: "Invoice RE-2017-09-21-00xxx" from "Amazon Marketplace"

This fake Amazon spam comes with a malicious attachment:

Subject: Invoice RE-2017-09-21-00794
From: "Amazon Marketplace" [yAhbPDAoufvZE@marketplace.amazon.co.uk]
Date: Thu, September 21, 2017 9:21 am
Priority: Normal
------------- Begin message -------------
Dear customer,

We want to use this opportunity to first say "Thank you very much for your purchase!"