Posts tagged "Hacking"

Amazon files for Alexa patent that means she’s listening all the time

April 17th, 2018 Posted by News No Comment yet

The Amazon Alexa of the future could be listening to you all the time – and building up a detailed picture of what you want to buy.

That’s the suggestion of a patent filed by the company that details the idea of ‘voice-sniffing’ technology. Such software would allow the device to eavesdrop on conversations and analyse them, feeding that into a database for ads.

At the moment, Amazon’s Echo products are hardwired so they will only listen to users when they say the “Alexa” wake word. Amazon has denied that it uses voice recordings for advertising at the moment, and said that the patent might never actually come to the market. 

Alexa’s voice capabilities are currently used for playing music, controlling smart home devices and ordering things on Amazon, though only if the user asks for it. The recordings of people’s voices are stored on Amazon’s servers, but users can listen to those files and delete them.

However, the patent gets to a widespread fear about not only Amazon’s voice assistant but other technology too. A range of conspiracy theories – particularly about Facebook – suggest that companies are using their kit to secretly listen in on their customers, and then using that to show ads. 

The patent suggests that the Alexa of the future could listen out for specific words such as “love” or “hate”. The device could then listen to what people like or don’t like – and suggest they buy things, presumably through Amazon, on that basis.

If someone mentions they want to go on a journey to Paris, for instance, an ad might pop up suggesting the travel site they could book it from. If they say that they are looking to go to a particular restaurant on a particular day, it might ‘whisper’ that there is a table available. 

Amazon could even do the same for friends or relatives of the customer, the patent suggests. So, for instance, if someone says their parents are interested in a certain topic, it could associate that information with the person and use it to build up advertising data.

The company made clear that it does not, and is not able to, collect such data at the moment, and might never use the technology described in the patent.

“We take privacy seriously and have built multiple layers of privacy into our Echo devices,” said an Amazon spokesperson. “We do not use customers’ voice recordings for targeted advertising. Like many companies, we file a number of forward-looking patent applications that explore the full possibilities of new technology. Patents take multiple years to receive and do not necessarily reflect current developments to products and services.

Amazon Echo uses on-device keyword spotting to detect the wake word. When these devices detect the wake word, they stream audio to the Cloud. You can review voice interactions with Alexa by visiting History in Settings in the Alexa App.”

GDPR: how to email data securely to comply with the new regulations

April 5th, 2018 Posted by Industry Focus, IT Services No Comment yet

The European Union’s General Data Protection Regulation (GDPR), which comes into force on May 25, will govern the storage and processing of data rather than its collection. It also includes some very important consumer rights. The most important are the right to be informed, the right of access, the right to correct errors, the right to erase data, the right to restrict processing, and the right to take it elsewhere (data portability). How useful these will be in practice remains to be seen.

Emails are like plain text postcards because they can, in theory, be read at any of the many servers through which they pass, or by someone tapping a line. Of course, “read by” is unlikely to mean “read by a human being.” However, software can look for things like passwords and credit card numbers.

A more likely problem is sending emails to the wrong address, either because users have got their own email addresses wrong (this happens surprisingly often), or through human error. Pick the wrong address from a list of auto-complete suggestions and you could send personal data to the wrong recipient. This would be a data breach that might have to be reported.

It would obviously be a good thing if all emails were encrypted by default so that only the intended recipient could read them. Three decades of history says this isn’t going to happen soon, if at all. Public key encryption is too hard for people who just want to send normal emails.

Some large organisations do have encrypted email services, such as the NHS, but that doesn’t help the rest of us.

Some people do choose secure email services, such as ProtonMail in Switzerland and Tutanota in Germany. However, you also have to send external recipients a password – for example, in an SMS text message – to decrypt the email.

Tutanota users get an email that says “you have an encrypted email” and you click a link to read it, and reply to it, in a browser. You have to export the email if you want to keep a copy.

There are also plug-ins for Gmail and the Microsoft Outlook email program that provide secure email services. If one of your employers is using a secure system, they might let you join in.

If there’s no other alternative, you should encrypt and password-protect your images and documents before sending them as email attachments. Again, you must send the password separately, either via a different messaging service or in the post.


Online storage locations

It’s a good idea to upload attachments and then send people a link. However, bear in mind that you are uploading documents to the company that probably runs the biggest surveillance operation on the planet. Encrypt your documents before you upload them.

Encryption protects data if an online storage service is compromised – it has happened – or if your email is hacked.
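The two pieces of advice above (password-protect attachments before emailing them, and encrypt documents before uploading them to cloud storage) are easy to get wrong with ad-hoc tools. The following is an added example, not code from the original post: it derives a key from a passphrase with scrypt and seals the file with AES-GCM, so a wrong passphrase or a modified file is rejected rather than silently producing garbage. It assumes the third-party `cryptography` package is installed; the file layout (salt, nonce, ciphertext) is my own choice, and the passphrase still has to travel by a separate channel, as the post says.

```python
"""Added example: password-protect a document before attaching or uploading it.

Assumes `pip install cryptography`. Output layout (assumed, not a standard):
    16-byte salt || 12-byte nonce || AES-GCM ciphertext (tag included)
"""
import secrets
import sys

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

SALT_LEN = 16
NONCE_LEN = 12
KEY_LEN = 32  # AES-256


def generate_passphrase() -> str:
    """Random passphrase to be sent to the recipient by SMS, phone or post,
    never in the same email as the attachment."""
    return secrets.token_urlsafe(18)


def _derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt is deliberately slow and memory-hard, which makes guessing a
    # short passphrase from the ciphertext expensive for an attacker.
    kdf = Scrypt(salt=salt, length=KEY_LEN, n=2 ** 14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def encrypt_bytes(plaintext: bytes, passphrase: str) -> bytes:
    salt = secrets.token_bytes(SALT_LEN)    # fresh salt: same passphrase -> different key
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce: never reuse with the same key
    key = _derive_key(passphrase, salt)
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, None)
    return salt + nonce + ciphertext


def decrypt_bytes(blob: bytes, passphrase: str) -> bytes:
    """Raises InvalidTag if the passphrase is wrong or the blob was altered."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:]
    key = _derive_key(passphrase, salt)
    return AESGCM(key).decrypt(nonce, ciphertext, None)


def decrypt_or_none(blob: bytes, passphrase: str):
    """Convenience wrapper: None instead of an exception on failure, so the
    caller can tell 'wrong passphrase or tampered file' from real data."""
    try:
        return decrypt_bytes(blob, passphrase)
    except InvalidTag:
        return None


def encrypt_file(path: str, passphrase: str) -> str:
    """Write <path>.enc and return its name; attach that file, not the original."""
    with open(path, "rb") as f:
        data = f.read()
    out_path = path + ".enc"
    with open(out_path, "wb") as f:
        f.write(encrypt_bytes(data, passphrase))
    return out_path


def decrypt_file(enc_path: str, passphrase: str) -> str:
    """Recipient side: strip the .enc suffix and restore the original bytes."""
    with open(enc_path, "rb") as f:
        blob = f.read()
    out_path = enc_path[:-4] if enc_path.endswith(".enc") else enc_path + ".dec"
    with open(out_path, "wb") as f:
        f.write(decrypt_bytes(blob, passphrase))
    return out_path


if __name__ == "__main__":
    # Usage: python protect.py <file>   (prints the passphrase to hand over separately)
    if len(sys.argv) != 2:
        sys.exit("usage: protect.py <file>")
    pw = generate_passphrase()
    print("encrypted:", encrypt_file(sys.argv[1], pw))
    print("passphrase (send by a separate channel):", pw)
```

Because AES-GCM authenticates the ciphertext, a recipient who types the passphrase wrong, or receives a file that was altered in transit or on the storage service, gets a clean failure rather than a corrupted document. The salt is stored with the file, so the same passphrase can be reused across files without producing identical keys, though a fresh passphrase per recipient is still the better practice.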

Unfortunately, using Google Drive brings up an extra complication. If you are using Gmail, then you can assume that your data is being held in, passing through, or accessible from the USA.

GDPR does not oblige users to store data on servers inside the EU. However, there are extra requirements if servers are outside the EU. First, you need to have a legitimate reason for transferring personal data outside the EU. Second, you must have the consent of the person whose data is being exported. Third, you must give that person the option to opt out.

In another post, Liz Henderson explains how to create a GDPR Privacy Notice, and you could adapt her sample to cover Gmail storage outside the EU.

You could switch to using an email service that operates wholly within the EU (see above), if only for any people who opt out, or you could upgrade to Google’s paid-for service.

Google claims that its G Suite and Google Cloud Platform (GCP) services are fully compliant with GDPR, because it offers to sign EU Model Contract Clauses and a Data Processing Amendment. The fine print notes that “the parties acknowledge and agree that Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data” and that “Google will not process Customer Personal Data for Advertising purposes or serve Advertising in the Services”.


Four ways to avoid being a victim of Russian cyberwarfare

January 22nd, 2018 Posted by News No Comment yet

Russian cyberwarfare is the new threat to the nation, according to Nick Carter, the head of the British army, which means that the new frontline is, well, you. So it’s now more than just simple self-care to be smart about your online security – it’s your patriotic duty.

Update your devices – and upgrade the ones you can’t

Some of the most damaging cyber-attacks in recent years haven’t come through elite hackers crafting one-of-a-kind viruses to break into secure government devices, but from exploiting the old and out-of-date hardware that normal people use every day.

Take the Mirai botnet: a swarm of millions of hacked devices, it was used to overload servers by bombarding them with traffic requests. But the basic elements of the botnet were simple, cheap, “internet of things” devices such as security cameras or smart lightbulbs, which had glaring security flaws that no one ever bothered to fix.

Don’t be a John Podesta

“Fancy Bear” is the organisation behind the hacking of Hillary Clinton’s campaign chairman, John Podesta. He fell prey to a phishing campaign, well-executed but simplistic, that allowed the attackers to download – and leak – every email he had sent or received.

At its heart, the hack used a fake warning from Google, asking Podesta to click a link and log in to respond to a security alert. After an aide mistakenly told him the link looked legitimate (he meant to type “illegitimate”), he did – but the link didn’t go to Google, and so he ended up sharing his username and password with the attackers.

The easy-to-say, hard-to-do advice is “always make sure links are from who they say they are”. A more useful recommendation may be to join the 10% who have “two-factor authentication” turned on for their email.

Avoid paying the ransom

The WannaCry ransomware attack has been credibly linked to North Korea, which has apparently been stepping up its use of cybercrime as a method of fundraising – a technological improvement from recent history, when the nation was one of the largest forgers of US currency.

Keeping a backup of your critical data is a good idea anyway (who knows when a stray cup of coffee will fry your treasured photos?), but it is twice as useful if you can avoid paying a bitcoin ransom to a pariah state.

Think twice before retweeting and sharing

According to new figures from Twitter, more than 50,000 accounts on the site were created for the express purpose of spreading Russian misinformation during the US election. Of course, the point of the misinformation accounts was to blend in with conventional US political activists, so … maybe just log off altogether?

Thanks to Alex Hern at The Guardian for this article.

Hackers using Starbucks cafe’s wi-fi made computers mine crypto-currency

December 14th, 2017 Posted by News No Comment yet

Starbucks has acknowledged that visitors to one of its branches were unwittingly recruited into a crypto-currency mining operation.

The wi-fi service provided by one of the coffee chain’s Buenos Aires outlets surreptitiously hijacked connected computers to use their processing power to create digital cash.

Starbucks said that it had taken “swift action” to address the problem.

But one expert said it highlighted the risks of using public wi-fi.

It is not clear how long the malware involved was active or how many customers were affected.

The issue was identified only when the chief executive of a New York-based technology company logged into the service and noticed the problem.

Noah Dinkin was alerted to the issue by a delay he experienced before being able to start using the net, and posted his discovery to Twitter.

Although he initially believed the code had been designed to force his laptop to try to create bitcoins, other users noted that it had in fact been designed to mine another digital currency, Monero.

Mining involves solving complicated mathematical equations to verify crypto-currency transactions.

Those involved are attracted by the promise of being rewarded with newly minted “coins” if their computer is first to solve a challenge.

But because lots of processing power is required to have a good chance of success, some people have tried to infect other people’s computers with mining code to boost their chances.

Victims’ computers are normally targeted via infected websites, but it is relatively unusual for a wi-fi hotspot to be involved.

“As soon as we were alerted of the situation in this specific store last week, we took swift action to ensure our third-party support provider resolved the issue and made the changes needed in order to ensure our customers could use wi-fi in our store safely,” a spokeswoman for Starbucks told the BBC.

The company had earlier told the Motherboard news website that it did not “have any concern that this is widespread” across its other stores.

Richard Howard, Microcomms cyber-security expert, said: “People need to be careful when using public WiFi. When connecting ensure you have up to date security software and be on the lookout for suspicious activity. Public WiFi does offer a useful service and the abuse is definitely the exception not the rule. Also, as applications and websites move towards encryption by default – overall security improves and makes life much harder for hackers.”

Uber concealed huge data breach

November 22nd, 2017 Posted by News No Comment yet

Uber concealed a hack that affected 57 million customers and drivers, the company has confirmed.

The 2016 breach was hidden by the ride-sharing firm which paid hackers $100,000 (£75,000) to delete the data.

The company’s former chief executive Travis Kalanick knew about the breach over a year ago. The hackers found 57 million names, email addresses and mobile phone numbers, Uber said.

Within that number, 600,000 drivers had their names and licence details exposed.

Drivers have been offered free credit monitoring protection, but according to Uber’s statement, affected customers will not be given the same.

‘None of this should have happened’

“While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection,” Uber’s chief executive Dara Khosrowshahi said.

“None of this should have happened, and I will not make excuses for it,” he added.

“While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”

In the wake of the news, Uber’s chief security officer Joe Sullivan has left the company.

Uber did not confirm precise details of the hack – and it is not known which countries were affected – but according to Bloomberg’s report, two hackers were able to access a private area of GitHub, an online resource for developers.

From there it is understood they found Uber’s log-in credentials to Amazon Web Services. AWS is a cloud computing service used by companies to store data.
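The chain described above (cloud credentials sitting in a code repository, then reused against AWS) is exactly what a secret scanner run before each commit is meant to interrupt. The following is an added example and is not Uber’s code or anything taken from the report: it flags AWS access key IDs by their documented `AKIA` prefix and flags candidate secret keys by length and Shannon entropy, so a placeholder like forty `x` characters is not reported. The sample config is constructed and uses the example key pair from AWS’s own documentation; the regular expressions and the entropy threshold are my own choices.

```python
"""Added example: a small pre-commit style scanner for AWS-style credentials.

Run as `python scan_secrets.py <file>...`; exits 1 when anything is found,
which is what a git pre-commit hook needs to block the commit.
"""
import math
import re
import sys

# AWS access key IDs are "AKIA" followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Candidate secret access keys: a 40-character base64-ish token that follows
# some key/variable name containing "secret" (assumed heuristic).
SECRET_KEY_RE = re.compile(
    r"(?i)secret[^\n=:]{0,20}[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Constructed sample: the kind of file that ends up in a repository by accident.
# The key pair is the placeholder pair published in AWS documentation.
SAMPLE_CONFIG = """\
# constructed sample config
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; real random keys score well above 4, filler below 3."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_text(text: str, entropy_threshold: float = 4.0):
    """Return (line_number, finding_type, value) for every credential-looking token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Entropy check drops obvious placeholders such as "xxxx...".
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append((lineno, "aws_secret_access_key", candidate))
    return findings


def redact(value: str) -> str:
    """Show only a prefix so the report itself does not leak the secret."""
    return value[:4] + "..." + "*" * (len(value) - 4)


def scan_file(path: str):
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


if __name__ == "__main__":
    paths = sys.argv[1:]
    exit_code = 0
    for path in paths:
        for lineno, kind, value in scan_file(path):
            print(f"{path}:{lineno}: {kind}: {redact(value)}")
            exit_code = 1
    if not paths:
        for lineno, kind, value in scan_text(SAMPLE_CONFIG):
            print(f"<sample>:{lineno}: {kind}: {redact(value)}")
    sys.exit(exit_code)
```

The scanner is deliberately narrow: it catches the credential shapes named in the report, not every kind of secret, and a real deployment would pair it with the provider-side controls that make a leaked key less valuable (short-lived credentials, least-privilege roles, and alerting on key use from unexpected locations).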

As is often the case, it will likely be the cover up that proves more bothersome for Uber than the hack itself.

Companies are required to disclose significant data breaches to regulators, something it has by its own admission failed to do in this case.

Uber has form. In January it was fined $20,000 for failing to disclose a considerably less serious breach in 2014.

With the impending GDPR legislation coming into force in May 2018, the firm could have been liable for fines of £20m or 4% of its worldwide turnover. It’s time companies started taking data security seriously.

‘Dolphin’ attacks fool Amazon, Google voice assistants

September 8th, 2017 Posted by Latest News No Comment yet

Voice-controlled assistants by Amazon, Apple and Google could be hijacked by ultrasonic audio commands that humans cannot hear, research suggests.

Two teams said the assistants responded to commands broadcast at high frequencies that can be heard by dolphins but are inaudible to humans. They were able to make smartphones dial phone numbers and visit rogue websites. Many smartphones feature a voice-controlled assistant that can be set up to constantly listen for a “wake word”.

Google’s assistant starts taking orders when a person says “ok Google”, while Apple’s responds to “hey Siri” and Amazon’s to “Alexa”.

Researchers in China set up a loudspeaker to broadcast voice commands that had been shifted into ultrasonic frequencies. They said they were able to activate the voice-controlled assistant on a range of Apple and Android devices and smart home speakers from several feet away. A US team was also able to activate the Amazon Echo smart speaker in the same way. The US researchers said the attack worked because the target microphone processed the audio and interpreted it as human speech.

“After processing this ultrasound, the microphone’s recording… is quite similar to the normal voice,” they said.

The Chinese researchers suggested an attacker could embed hidden ultrasonic commands in online videos, or broadcast them in public while near a victim.

In tests they were able to make calls, visit websites, take photographs and activate a phone’s airplane mode. However, the attack would not work on systems that had been trained to respond to only one person’s voice, which Google offers on its assistant.

Apple’s Siri requires a smartphone to be unlocked by the user before allowing any sensitive activity such as visiting a website.

Apple and Google both allow their “wake words” to be switched off so the assistants cannot be activated without permission.

“Although the devices are not designed to handle ultrasound, if you put something just outside the range of human hearing, the assistant can still receive it so it’s certainly possible,” said Dr Steven Murdoch, a cyber-security researcher at University College London.

“Whether it’s realistic is another question. At the moment there’s not a great deal of harm that could be caused by the attack. Smart speakers are designed not to do harmful things. I would expect the smart speaker vendors will be able to do something about it and ignore the higher frequencies.”

The Chinese team said smart speakers could use microphones designed to filter out sounds above 20 kilohertz to prevent the attack.

A Google spokesman said: “We take user privacy and security very seriously at Google, and we’re reviewing the claims made.”

Amazon said in a statement: “We take privacy and security very seriously at Amazon and are reviewing the paper issued by the researchers.”

WannaCry ‘link’ to North Korean hackers

May 24th, 2017 Posted by News No Comment yet

A hacking group closely tied to North Korea was behind the massive WannaCry attack earlier this month, security company Symantec says.

The way the attack was set up made it “highly likely” that the Lazarus group was responsible, it said.

Lazarus has been blamed for a 2014 attack on Sony and the theft of $81m (£62m) from Bangladesh’s central bank.

In those attacks, the group is believed to have worked on behalf of North Korea’s government.

In a blog, Symantec said “substantial commonalities in the tools, techniques, and infrastructure used by the attackers” led it to conclude that the Lazarus group had instigated the WannaCry attack.

However, Symantec added that the character of the attack suggested it had not been carried out on behalf of North Korea.

Rather than being a nation-state campaign, it said, it looked more like a “typical” cyber-crime campaign that sought to enrich its operators.

North Korea has denied any involvement with WannaCry, branding any claims it was behind it “ridiculous”.


‘Error prone’

The virulent WannaCry worm is believed to have infected computers at more than 200,000 companies.

Victims included more than 60 NHS trusts in the UK as well as Fedex, Renault and Telefonica.

On compromised computers, the worm encrypted files and demanded a ransom of $300 (£231) in bitcoins to unlock them.

Symantec pointed to small-scale attacks carried out prior to the massive May event that used the same basic malware but also employed other technical tricks Lazarus is known to use.

The earlier attacks did not exploit the vulnerability that helped WannaCry spread so far, so fast but instead used six other malicious programs favoured by Lazarus.

Two of these are known to have been used in the Sony attack.

In addition, Symantec said, code inside WannaCry was shared with a separate program also linked to Lazarus. Symantec’s analysis builds on work by other researchers who have studied WannaCry and found evidence that some of its core code is shared with other malicious programs Lazarus is believed to have used.

Despite Symantec’s lengthy analysis, some experts remained cautious about blaming Lazarus.

“Attributing hacking operations and malware to specific groups is an imprecise undertaking that’s frequently fraught with errors,” wrote Dan Goodin, security editor at Ars Technica.

So far, 300 victims are believed to have paid to have their files unlocked, generating a total ransom payment of $109,245.

The money is being paid into three separate bitcoin wallets that are being closely scrutinised for activity to see if they can help identify the criminals.

‘Firewall prevented infection’

Luckily for Microcomms customers with WatchGuard Firewalls in place, their Firebox with Total Security Suite blocked WannaCry 2.0, so they were safe from the attack. Are you confident in your security measures? If not, please get in touch for a chat – a conversation costs nothing and might save you a whole heap of cash!


Hacker briefly hijacks insecure printers

February 7th, 2017 Posted by News No Comment yet

A hacker has briefly hijacked more than 150,000 printers accidentally left accessible via the web.

The attacker made the devices print a warning urging their owners to cut off remote access.

Large printers in offices, domestic devices and tiny receipt printers in restaurants were all caught up in the hack.

The attack came soon after a German academic study found vulnerabilities in a wide range of printers.

Fixing problems

Over the weekend, a hacker using the alias Stackoverflowin ran an automated program that scoured the internet for printers that did not have basic security controls switched on.

Once it discovered a vulnerable device, the program made it print a page announcing the invasion and telling the owner to close the “port” used to hijack it.

“For the love of God, please close this port, skid [script kiddie, ie novice coder],” said the message.

Early versions of the program also added ASCII art depicting different robots or a computer.

Also included were an email address and a Twitter handle for Stackoverflowin.

Many people posted pictures of the printed messages to social media and asked questions about what was happening on technical support forums and social networks such as Reddit.

Printers made by HP, Brother, Epson, Canon, Lexmark, Minolta and many others were hit by Stackoverflowin’s program.

The hacker said he did not intend to abuse the access he had gained to the printers.

“I’m about helping people to fix their problem, but having a bit of fun at the same time,” he told the Bleeping Computer tech news website.

“Everyone’s been cool about it and thanked me to be honest.”

Last week, computer security researchers Jens Müller, Vladislav Mladenov and Juraj Somorovsky, from the Ruhr University, in Germany, released an academic paper summarising work they had done on printer security.

The trio tested 20 separate printers and found that all of them were vulnerable to at least one type of attack.

They found ways to put the printers into an endless loop so they were never available to users, or to hijack the devices so they could be used as an entry point to the computer networks on which they sat.