Tag Archive for: detail

Hey Alexa Go Hack Yourself: Researchers Detail Wild Self-Issued Smart Speaker Hijacks



Did you ever get an Amazon delivery and not remember placing an order for the item? There are plenty of stories of this all over the internet, and sometimes those boil down to one too many cocktails in your attitude adjustment hour. What if we told you that maybe one of those times it wasn’t related to brain fog or blackouts, but some random person decided to order something for you through your own Amazon Echo device?

That’s what researchers from the University of London’s Royal Holloway and Catania University in Italy discovered is entirely possible. Through a few different methods of either social engineering or just being near an Echo device, Alexa can be activated and used fairly easily. Tested on the third generation of the Echo Dot, though believed to be exploitable via fourth gen devices as well, the researchers found that playing audio files with the right wake words will activate the Alexa Voice-enabled device it is playing from. Dubbed “Alexa Versus Alexa” by the researchers, the exploit can be used to order products, make modifications to settings, install skills, and a whole host of other functionality that the Echo device product line allows Amazon Echo Dot owners to take advantage of.

Diagram Of Alexa Vs Alexa Exploit

A social engineering exploit example would be having someone activate an internet radio station that intentionally utilizes common activation terms. So pre-existing skills, like Echo’s Music and Radio skill, may play one of these stations that then let that device activate itself. Part of the reason this can be a really big problem is that Amazon’s Echo devices typically only validate account activity and actions during the initial setup of the device. Skill installation is a big deal for this because these are small apps that run directly on the device, and with the right malicious code they can potentially be a security threat. That creates a situation where once the vulnerability is activated, the attacker can issue any command that is at the disposal of the Echo device.

Amazon has issued a patch (check your software version here), which you can force by asking the device to ‘check for updates’. However, the issue remains if the attacker is in…

Source…

A CISO and a hacker detail how they’d respond to the Exchange breach – TechCrunch


The cyber world has entered a new era in which attacks are becoming more frequent and happening on a larger scale than ever before. Massive hacks affecting thousands of high-level American companies and agencies have dominated the news recently. Chief among these are the December SolarWinds/FireEye breach and the more recent Microsoft Exchange server breach. Everyone wants to know: If you’ve been hit with the Exchange breach, what should you do?

To answer this question, and compare security philosophies, we outlined what we’d do — side by side. One of us is a career attacker (David Wolpoff), and the other a CISO with experience securing companies in the healthcare and security spaces (Aaron Fosdick).

Don’t wait for your incident response team to take the brunt of a cyberattack on your organization.

CISO Aaron Fosdick

1. Back up your system.

A hacker’s likely going to throw some ransomware attacks at you after breaking into your mail server. So rely on your backups, configurations, etc. Back up everything you can. But back up to an instance before the breach. Design your backups with the assumption that an attacker will try to delete them. Don’t use your normal admin credentials to encrypt your backups, and make sure your admin accounts can’t delete or modify backups once they’ve been created. Your backup target should not be part of your domain.

2. Assume compromise and stop connectivity if necessary.

Identify if and where you have been compromised. Inspect your systems forensically to see if any systems are using your surface as a launch point and attempting to move laterally from there. If your Exchange server is indeed compromised, you want it off your network as soon as…

Source…

FBI, Homeland Security detail how Iranian hackers stole US voter data


They made at least some attempt to cover their tracks. Many of the linked IP addresses come from NordVPN’s service as well as other VPN providers.

The attackers obtained voter registration info for “at least one” state, officials said, although they unsurprisingly weren’t specific about the nature of that breach or the volume of data taken.

CISA and the FBI made several recommendations that, unfortunately, would be givens for many other organizations. They advised keeping systems updated with security patches, scanning for common web flaws like SQL injections, and protecting against web shells. Administrators should have two-step verification, too. Like it or not, election systems still have basic failings — it may be a long while before your voting info is truly secure.

Source…

Cyber Security Today – A new version of Android ransomware, ransomware hits international law firm and cruise line gives more detail about cyberattack – IT World Canada
