Search This Blog

Showing posts with label Amazon. Show all posts

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers established a rootkit that let them manually command the servers and directed sensitive stolen corporate date to its home servers C2 (command and control). The attackers breached a variety of Windows and Linux OS within the AWS data center. A recent report published by Sophos (from Britain) last week has raised doubts and suspicions among the cybersecurity industry.


According to Sophos reports, the hackers were able to avoid Amazon Web Services SG (security groups) easily. Security Groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (it is a virtual server used by AWS to run the application). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed in AWS servers, the hackers obtained remote access meanwhile the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just the AWS.

The problem was not with AWS, this piggybacking method could have breached any firewall, if not all. According to cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident is named as "Cloud Snooper." A cybersecurity expert even termed it as a beautiful piece of work (from a technical POV). These things happen all the time, it only came to notice because it happened with a fancy organization, he says. There are still unanswered questions about the hack, but the most important one that how the hackers were able to manage this attack is cleared.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.

Amazon Transcribe Can Automatically Shroud the User's Personal Information from Call Transcripts?


Amazon Transcribe, the AWS-based 'speech-to-text service, recently came up with a significant new feature which, if executed effectively, can spontaneously shroud the user's personal information from call transcripts. 

This new feature permits Transcript to consequently recognize data like a Social Security number, Credit card number, bank account number, name, email address, phone number and mailing address and redact that. The apparatus consequently replaces this data with '[PII]' in the transcript. 

There are, obviously, different apparatuses/tools that can expel PII from existing reports. Regularly these are cantered around data loss prevention tools and intend to shield the information from spilling out of the organization when you share records and documents with outsiders. With the Transcript tool probably a portion of this information will never be accessible for sharing (except if, a copy of the audio is maintained)


One of the most mainstream use cases for Transcript is to make a record of customer calls. By default, that includes exchanging information like the user's name, address or a credit card number. In some cases there are even call centres which stop the recording when the user is about to exchange credit card numbers, for instance, but that’s may not always be the case. 

Transcribe in total, currently supports 31 dialects which of those, it can transcribe six 'in real time' for subtitling and other use cases.

Corona Impacts Amazon; More Than One Million Products Banned


The e-commerce giant has finally started taking steps to secure against the corona epidemic by banning more than one million products and furthermore by removing "tens of thousands" of overrated health products from unethical vendors.

A quest for "coronavirus" on Amazon raised results for face masks, disinfectant wipes and recently published books on viral infections, revealing how a few merchants are taking advantage of the health crisis. It additionally offered results for vitamin C boosters as well - a fake remedy for the virus that has been broadly disseminated on the web.

The World Health Organisation (WHO) expresses its worry about some deceptive Amazon postings prior this month, including counterfeit medications. The organization said fake coronavirus claims online were creating mass turmoil and asked tech giants to battle this spread of misinformation.

Amazon is yet to provide a rundown of those items it says it has expelled, but a BBC search for "coronavirus" on the online site proposes that numerous items are as yet being sold at strangely high prices. A portion of those items is not by any means fit for purpose, like the dispensable dust or surgical masks, as opposed to the recommended protective gear.

In one such example, a 50-piece heap of surgical masks from one seller cost more than £170, while a well-known alternative of a similar item is at a sale for around £36. Indeed, even that less expensive item has still risen drastically in price since early January, when it cost under £10.


Alluding to the act of "hiking up prices of goods" to unreasonably high levels in light of an expansion in demand, a spokesperson said, "There is no place for price gouging on Amazon," She referred to the company policy which permits Amazon to bring down items/products that "hurt customer trust", including when pricing "is significantly higher than recent prices offered on or off Amazon".

And further on added that the company will keep on monitoring the site for price spikes.

Amazon Chief’s Phone Hacked by the Saudi Arab Crown Prince



Referring to anonymous sources, a British daily newspaper came up with reports on details regarding Amazon Chief Jeff Bezos' cell phone being hacked in the wake of accepting a message from the Saudi Arabian crown.

Theft of information from Bezo's cell phone, however, is said to have been started in 2018 with a contaminated video file sent by means of WhatsApp from the personal account of Mohammed bin Salman, according to the previously mentioned British daily.

The report apparently comes about a year after the unexpected announcement that Bezos and his wife, MacKenzie, would separate following 25 years of marriage. The National Enquirer along these lines uncovered an extramarital affair between Bezos and Lauren Sanchez, a former TV anchor, in a progression of reports that depended, to some degree, on some intimate text messages sent by Bezos.

Bezos in this way distributed an extraordinary blog entry blaming the newspaper for taking steps to distribute all the more humiliating text messages and photographs except if he freely attested that there was no political motivation or outside force behind the newspaper's coverage.

Gavin de Becker, a security consultant for Bezos, later said he believed the Saudi Arabian government had gained access to Bezos' phone before the Enquirer uncovered the whole affair. He didn't give any immediate evidence to back up his claims, which he said originated from "our investigators and a few experts." De Becker referred to the Enquirer's business association with the Saudis, just as the intense coverage of the homicide of a critic of the Saudi regime by the Bezos-owned Washington Post, as reasons why bin Salman may look to harm the Amazon founder.

The newspaper reported a year ago that the Central Intelligence Agency connected the crown prince to the 2018 murder of Post Columnist Jamal Khashoggi. De Becker declined to remark past the rather lengthy statement a year ago, which was posted on the news site The Daily Beast.

The Saudi embassy didn't quickly react to a message looking for more inputs. In spite of the fact, it's still extremely unclear whether the supposed hack of Bezos' phone got to any sensitive Amazon corporate information.

While the company is yet to remark on the issue in the nine months since de Becker's allegation, the company representatives haven’t yet returned the messages seeking comment on the 21st of January.

Amazon, Rings Sued by a Man Claiming that the Camera was Hacked and used to Harass his Kids


A class-action lawsuit has been filed against Amazon-owned Rings by Alabama resident John Orange. The company has been accused mainly of negligence and invasion of privacy amid other side claims namely breach of an implied warranty, breach of implied contract and violation of California’s Unfair Competition Law against false advertising as it failed to provide enough protection against hacks.

Orange claimed that his internet-connected Ring camera which he bought in July 2019 was hacked and used to harass his three children aged seven, nine and ten, as per the lawsuit. Reportedly, the hacker spoke to the kids as they were playing basketball.

The argument for a class-action was supported by seven other similar incidents reported by media wherein these devices were hacked as the two-way talk function was used by hackers to talk to unsuspecting children.

A mother shared one such disturbing incident which made rounds on social media, it took place in Mississippi wherein the hacker attempted to engage with her eight-year-old daughter. While, another one which took place in Texas, witnessed a couple being threatened to pay a ransom of $350,000 in bitcoin.

According to the lawsuit, "An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera."

“Although Ring is in the business of home security and was certainly aware that its Wi-Fi-enabled product, was vulnerable to attack, it took no steps to ‘require camera owners to use two-factor authentication, which could help prevent these types of attacks…,’” the lawsuit stated.

“Moreover, it knew, or should have known, in an era of pervasive data breaches, that logging in with user emails instead of unique account names, and not requiring at least 2FA [two-factor authentication], put its Wi-Fi-enabled product at an unreasonable risk of being compromised.”

“Unfortunately, Ring did not fulfill its core promise of providing privacy and security for its customers as its camera systems are fatally flawed,” the lawsuit further claimed.

On being asked by Gizmodo, a spokesman from Ring declined to comment as he told that the company "does not comment on legal matters."

If the matter qualifies for gaining the status of class action, Amazon and Ring would be asked to provide compensation for the affected parties and implement better security measures.

"Smart Spies"- Amazon Alexa and Google Home's Voice Assistant Were Vulnerable to a Security Flaw


Alexa and Google Home smart speakers have been vulnerable to a security threat that made eavesdropping, voice phishing and using people's voice cues to deduce passwords possible for hackers. The hack also allowed hackers to befool users in handing out their private data without any knowledge of the same being happening.

In October, security researchers who discovered "Smart Spies" hack and new ways in which Alexa and Google Home smart speakers can be exploited, are now warning about the need to formulate new and effective methods to guard against the eavesdropping hack, reports Threatpost. Notably, no major steps were been taken to ensure protection against these hacks.

SRLabs, a Berlin-based hacking research company, told about the discovery of the vulnerability being made by them earlier this year, they went on reporting it to the concerned organizations, Amazon and Google. Furthermore, in an attempt to demonstrate the exploitation of the flaw, the firm shared a series of videos on Sunday.

As per the reports by CNN Business, Amazon and Google told that the vulnerabilities have been taken care of and likewise the issues have been fixed.

The company "quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified," a spokesperson from Amazon told CNN Business.

Addressing the issue, SRLabs states in a blog post, "Alexa and Google Home are powerful, and often useful, listening devices in private environments. The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood."

Experts recommended users to be more mindful of the potentially malignant voice apps that can infect smart speakers, "Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone."

"To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “�. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely." The blog reads. 

Amazon, Sony, Xiaomi, Samsung Devices Hacked at Pwn2Own Hacking Contest at Tokyo


In a hacking contest held at Tokyo, a duo of white-hat hackers known as Fluoroacetate breached pass devices of some of the most popular tech companies namely Amazon, Samsung, Sony, Xiaomi and others. On the first day itself, the team won prize money of $145,000 (around 1.02 crore) and 15 Master of Pwn points which secured them a dominant lead ahead of others in the competition. The contestants receive a bounty for each successful breach and points that add on to the total ranking. However, the overall winner obtains the grand title 'Master of Pwn'.

The leading team, Fluoroacetate which comprises Hacker Amat Cama and Richard Zhu, amassed a lot of success early on as they managed to bypass five devices. Making history, the duo cracked down Sony X800G, first-ever Television exploited in the contesting history of Pwn2Own. Moving onto their next targets, Amazon Echo Show and Samsung Q60 television, the hackers employed an integer overflow in JavaScript to compromise both the devices. While hacking Xiaomi Mi 9, the duo used a JavaScript exploit to extract a picture from the smartphone. Next up on their list was Samsung Galaxy S10, which the remarkable duo slashed down by pushing a file on the phone via a stock overflow. The last contributor for the team's winning streak was Netgear Nighthawk Smart Wi-Fi Router R6700 (LAN interface).

Points and bounty distribution 

Team Fluoroacetate piled up a total bounty of $145,000 and 15 Master of Pwn points at the end of the first day at Pwn2Own, in the following order.

Sony X800G smart TV: $15,000 and 2 Master of Pwn points.
Amazon Echo Show 5: $60,000 and 6 Master of Pwn points.
Samsung Q60 smart TV: $15,000 and 2 Master of Pwn points.
Xiaomi Mi9 smartphone: $20,000 and 2 Master of Pwn points.
Samsung Galaxy S10: $30,000 and 3 Master of Pwn points.

Pwn2Own is the top computer hacking contest that was first conducted in 2007 with the purpose of demonstrating the security flaws present in widely used software and devices. The hackers gather at the contest to demonstrate vulnerabilities for a pre-set list of software and devices, to earn points on successful discoveries the hackers must ensure that all the exploits put forth at the contest are new. After the contest, the event organizers take charge of all the bugs and vulnerabilities discovered throughout the competition and subsequently hand them over to the respective companies.

After the final day of the tournament, Fluoroacetate, accumulating total prize money of $195,000, 18.5 Master of Pwn points along with a shining trophy and other goodies, has emerged victorious and as the rightful owner of the title 'Master of Pwn'. Notably, the team's most striking accomplishment has to be the bypassing of Samsung Galaxy S10 that won the duo a whopping sum of $50,000 and 5 valuable Master of Pwn points.

Researchers Found a Way to Take over Google Home, Amazon’s Alexa or Apple’s Siri Devices through Laser Pointers


Researchers in Japan and at the University of Michigan recently said that they had figured out how to take control over Google Home, Amazon's Alexa or Apple's Siri devices from several feet away by shining laser pointers, and even flashlights, at the devices' mouthpieces.

What brought this one was the ascent of the voice-controlled digital assistants, introduced a couple of years back and the security experts have expressed their worries that systems like Apple's Siri and Amazon's Alexa were a privacy danger and could be effectively and easily hacked.

Kevin Fu, an associate professor of electrical engineering and computer science at the University of Michigan with respect to the usage of laser pointers said that “This opens up an entirely new class of vulnerabilities, it’s difficult to know how many products are affected because this is so basic.”

The computer science and electrical engineering researchers — Takeshi Sugawara at the College of Electro-Interchanges in Japan and Mr. Fu, Daniel Genkin, Sara Rampazzi, and Benjamin Cyr at the College of Michigan — all of them released their findings regarding the same issue in a paper on the 4th of November.

The researchers said they had informed Tesla, Portage, Amazon, Apple, and Google to the light vulnerability and the companies all responded saying that they were 'studying' the conclusions in the paper that was released.

Despite the fact that there is no clear indication that the light vulnerability defined on the 4th has been utilized by hackers, however, with a torrent of internet-connected devices rising in the market, the researchers said the revelation was a reminder to the consumers to be on the lookout in areas concerning security in the coming future.

Israeli spyware firm NSO can mine data from social media accounts









An Israeli spyware firm has claimed that they can scoop  user data from the world’s top social media, the Financial Times report. 

The powerful malware Pegasus from NSO Group is the same spyware that breached WhatsApp data earlier this year. 

The firm said that this time their malware can scrap data from the servers of Apple, Google, Amazon, Facebook, and Microsoft. 

According to the reports of the Times, the NSO group had “told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch”.

However, the companies spokesperson denied the allegation in a in written statement to AFP’s request for comment. 
“There is a fundamental misunderstanding of NSO, its services and technology,” it said.

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

In the mean time, Amazon and Google told AFP that they have started an investigation on the basis of report, but so far found no evidence that the software had breached their systems or customer accounts.




Amazon Prime Day A Cyber Attack Target?




Researchers discover that the upcoming Amazon Prime Day sale is said to bring about hackers setting up a variety of Prime Day-related tricks intended to fool users into giving up their sensitive data.

Utilizing an 'Amazon Phishing Kit' the hackers can ship out malignant emails that have all the earmarks of being sent from Amazon, consisting of links that direct the victims to a fake Amazon login page.

As reported by Wired, shopping occasions like Prime Day stand for an easy-to-access opportunity for scamsters hoping to hoodwink victims into forking over their own information.

Crane Hassold, threat intelligence manager at the digital fraud defense firm Agari told Wired, 'Cybercriminals take advantage of popular, highly visible events when consumers are expecting an increased frequency of emails, when their malicious emails can hide more easily in the clutter,'

As indicated by security researchers from McAfee, scammers can make an email that seems like it's originating from a real organization, while utilizing a pack called 16Shop.

The biggest risk for the users is their credit card information, birthdays, addresses, and even social security numbers. The kit was initially intended to target Apple users, however as indicated by researchers, Prime Day appears, by all accounts, to be hackers' current target.

To avoid from being misled, analysts suggest investigating emails sent by Amazon with additional thoroughness and ceasing from following links to enter login data sent through email.

Just making a decision about an email by whether the address it's sent from is never again adequate state security analysts, since even emails can be faked. Instead, it's ideal to go legitimately to an organization's page by entering a URL into your address bar and afterward continue from that point.

Amazon Prime Day takes will take place on July 15 and 16.

More than 17,000 Domains Affected with Code which Steals Card Data



Cybercriminals running Magecart operations have added payment card skimming code to more than 17,000 domains with JavaScript files in misconfigured Amazon S3 buckets.

Cybercriminals exploited the lack of access control in Amazon's cloud storage services and affected over 17,000 domains via automated attacks which reconstructed JavaScript code randomly, without monitoring if the code could load a payment page.

The exploit came as a part of Megacart operations, originated in the month of April; attackers injected payment card skimming code to a high number of domains with JavaScript files in poorly configured Amazon S3 buckets which granted writing permissions to the person finding them.

According to the security researchers at RiskIQ, the discovery of these S3 buckets had been automated by the authors of the campaign.

Referencing from the findings made by Yonathan Klijnsma, RiskIQ's head of threat research, "Once the attackers find a misconfigured bucket, they scan it for any JavaScript file (ending in .js). They then download these JavaScript files, append their skimming code to the bottom, and overwrite the script on the bucket."

"Even if your bucket has information that anyone can access, it does not mean everyone should be able to modify the content," he added.

The fact that a large number of websites employing Amazon's cloud storage services fell short in fortifying access to the corresponding assets played a major role for Magecart campaign in realizing its malicious objectives.

Google’s Language Experts Listen to Users’ Private Recordings





The technology superpower Google recently avowed that its employees listen to customers' personal audio recordings on Google Home smart speakers.


For allegedly improving the voice recognition quality, language experts analyze "snippets" of users' recordings.


Those recordings are used to further develop the Google assistant's artificial intelligence system which is used in the Android phones and Google Home smart speakers.


According to sources the company is a statement cited their experts did transcribe a few of the anonymous recordings.


An investigation had been launched after it was found out that some Dutch audio data had been leaked.


Per sources the technology giant also said that in the process of developing technology of its AI products, transcribing a small set of queries is critical for which they collaborate with language experts around the world.


And it was one of these reviewers who allegedly leaked the Dutch audio data hence violating Google's security policies.


Actually, only 0.2% of all audio snippets are reviewed by the language experts, which especially are never associated with user accounts.



The investigation launched by the Security and Privacy Response teams is Soon to reach some result and all possible actions are being taken to deduct all chances of repetition.


Amazon also indulges in similar actions of listening to recordings of customers in relation with Alexa, its voice based assistant, mentioned a report.


Later Amazon admitted to the process and mentioned that the number of recordings was pretty small and imperative to train AI's responses.


There's a special provision for users though. They can always delete their recordings linked to their account by way of the Alexa Companion App.


Amazon Sued Over Illegal Retention of Child Recordings Through Alexa



Amazon is being sued by a Massachusetts woman for unlawfully recording and storing the voices of children with its Alexa-enabled devices; the lawsuit filed in Seattle this week, claims that Amazon is contributing to a massive database by harnessing private details of millions of Americans via voice recordings.
Children, as a matter of fact, don’t fully understand the “potentially invasive uses of big data by a company the size of Amazon” and they “use Alexa without any understanding or warning that Amazon is recording and voice-printing them”, according to the lawsuit.
Criticizing Amazon’s methodologies, the two law firms, Quinn Emanuel Urquhart & Sullivan and Keller Lenkner alleged that the company decides to retain the actual voice recordings in spite of having an option to encrypt user voices. According to the complaint filed by these firms on behalf of an anonymous minor, Amazon stores the voices to examine it in the future and deploy the same for commercial profit.
Referencing from the Lawsuit, “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,
The company is “allowing workers around the world to listen to the voice recordings and creating voiceprints of the users, which can be used to identify them when they speak to other devices in other locations,” the lawsuit reads.
Referenced from the statements given by a spokeswoman to BBC, “Amazon has a longstanding commitment to preserving the trust of our customers and their families, and we have strict measures and protocols in place to protect their security and privacy.”
Commenting on the matter during his conversation with Yahoo Finance,” Travis Lenkner, one of the plaintiffs’ attorneys, said,
“The legal theory is very straightforward. These kids themselves never consented, if they even could. No one such as a parent ever consented on their behalf,”
“Amazon purports to obtain consent to record individuals who set up an Alexa-enabled device,” the complaint states. “But there is a large group of individuals who do not consent to be recorded when using an Alexa-enabled device and who use Alexa without any understanding or warning that Amazon is recording and voice printing them: children.”
“Every recording that is made of a child, by Amazon through the Alexa software in one of these nine states is ... a per se violation of the privacy laws of those states and carries statutory penalties along with it,”
Delving further into the matter, Lenkar explains “It builds voiceprints of individual users”, “so if a child uses an Alexa device in California, and then uses another one in Washington, Amazon theoretically knows it’s the same person.” The device creates a unique identity for each person based on their voice.”
The fact that Amazon could potentially overwrite the voice recordings and yet chose not to, given that doing so would not hinder the performance of the assistant, further worsens the matter on which the company is expected to provide answers in greater detail very soon.




Amazon granted patent for Bitcoin-style system

Cryptocurrency rumor mongers are likely to be dancing today as Amazon has successfully filed a patent for a Bitcoin-styled Proof-of-Work system. But don’t get ahead of yourself, it doesn’t look like the Seattle-based ecommerce giant will be accepting Bitcoin for payments.

Despite first being filed in December 2016, Amazon’s patent application was granted earlier this week and appears to outline a system that uses Proof-of-Work to prevent distributed denial-of-service (DDoS) attacks.

“One way to mitigate against such attacks is to configure a service such that requests to the service incur some sort of expense, thereby providing a disincentive to participating in the attack,” the application reads.

Planting a Merkle Tree

Amazon proposes to use Merkle Trees to present a Proof-of-Work challenge and make it too costly for a series of computers to perform a DDoS attack.

But what’s a Merkle Tree? In short, Merkle Trees are cryptographic tools where blocks of data are manipulated to give them a unique identifier also known as a hash.

These hashes are then manipulated again to create a parent hash. Parent hashes are always a combination of two or more child hashes. It’s layers on layers of hashed data.

Since computing power is required to build a Merkle Tree, performing such hashes could get very costly in terms of time, electricity, and resources. In turn, this makes DDoS attacks economically unfeasible.

In the case of Amazon’s patent, imagine having to construct a Merkle Tree before you’re allowed to access a website hosted on one of its servers. To an individual the cost might be insignificant, but to an organization trying to carry out a DDoS attack – which might involve many hundreds of computers – it could become prohibitively expensive.

Merkle Trees are also used in Proof-of-Work blockchains like Bitcoin as part of its consensus mechanism. But for now that’s as close as Amazon will get to Bitcoin.

Amazon's Alexa storing all the voice recordings





Amazon’s Alexa may delete your voice recordings but it keeps the automatically produced transcripts in the company's cloud, according to reports.

According to CNET report, all the voice commands said to the virtual assistant should be deleted from the server, but the company saves all the text logs. 

The company stores all its data on its cloud servers, which could not be deleted by the users. Meanwhile, the company claims that they are working to make the data inaccessible. 

"When a customer deletes a voice recording, we also delete the corresponding text transcript associated with their account from our main Alexa systems and many subsystems, and have work underway to delete it from remaining subsystems," an Amazon spokesperson said in an email.

After revelation of the report, more than a dozen consumer advocacy groups plan to file a complaint against the company with the Federal Trade Commission.

The company is violating federal laws as they are not seeking parental consent before collecting data on children through Echo devices. 

Amazon Hit by an “Extensive” Fraud; Reveals That Unidentified Hackers Were Able To Siphon Funds from Merchant Accounts




Amazon.com Inc. reveals that unidentified hackers were able to siphon assets from merchant’s accounts for over six months just the last year from the MNC.

The company believes that it was hit by quite an extensive fraud attack, this serious  attack which occurred between May 2018 and October 2018, had the attackers break into around 100 seller accounts and channel money from either loans or sales into their own respective bank accounts, as indicated by a U.K. legal document.

A redacted filing has been made by Amazon's legal advisors from November which was now made public.

While the MNC was still "investigating the compromised accounts" and trusted that hackers figured out how to change subtleties of the accounts on the Seller Central Platform to their very own at Barclays Plc and Prepay Technologies Ltd., which is mostly claimed by MasterCard Inc., as indicated by the filing. Amazon found that the accounts were likely undermined by phishing strategies that fooled the sellers into surrendering the confidential login data.

Since the attorneys for Amazon have asked a London judge to favour pursuits of account statements at Barclays and Prepay, which "have become innocently mixed up in the wrongdoing," the case is progressively being featured as the one where the world's greatest online retail platform is being abused and how troublesome it is for Amazon to locate the real culprits.

While Barclays declined to remark explicitly on the case and delegates for Prepay didn't return emails looking for their comments for the same. Amazon expressed its requirement for the documents “to investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing," the company's legal counsellors said in the court filing.

The first fraudulent transfer is said to have been occurred on May 16, as indicated by the filing and Amazon said Tuesday that it issued more than $1 billion in loans to merchants in 2018.

Regardless it's unclear how much the hackers stole.

Hundreds of millions of Facebook users data exposed on Amazon cloud servers




Security researchers have found a large data trove exposed  to public on Amazon's cloud computing servers.

The security experts at a cybersecurity firm, UpGuard found two separate sets of Facebook user data on public Amazon cloud servers, the firm wrote a detail blogpost. 

One of the dataset that was exposed belonged to the Mexican media company Cultura Colectiva, which contained more than 540m records, including likes, comments, reactions, Facebook IDs, account names, etc. While, the other set belonged to a defunct Facebook app named ‘At the Pool’, which was significantly smaller, but contained plaintext passwords for 22,000 users.

‘’The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers,’’ the blogpost.

‘’Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak,’’ it further added.

However, Facebook has launched an investigation into the matter, but they do not the nature of the data, how it was collected or why it was stored on public servers. The company said it will inform users once they will find evidence that the data was misused.



Saudi Arabia behind Jeff Bezos' phone hack




The investigators of Amazon chief’s release of intimate images believes that Saudi Arabian authorities were behind it.

According to the security officer of Amazon boss Jeff Bezos 
the Saudi Arabian authorities hacked into his phone, and obtained private data from it. 

Gavin De Becker, a longtime security consultant, launched the investigation after the National Enquirer published intimate texts between Bezos and his mistress, a television anchor Lauren Sanchez.

Last month, Bezos accused the newspaper’s owner of trying to blackmail him with the threat of publishing 'intimate photos' he allegedly sent to Sanchez unless he said in public that the tabloid’s reporting on him was not politically motivated.

"Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos' phone, and gained private information," de Becker wrote on The Daily Beast website.

Last month,  the incident came into light when Mr Bezos acccused the owner of the tabloid of threatening him to publishing the ”intimate photos" that he allegedly sent to Ms Sanchez unless he did not publicly state that the tabloid's coverage of him was not politically motivated.




"US’ Giant Military Contract Has a Hitch", Says Deap Ubhi, an Entrepreneur of Indian Descent.





The founder of a local search site “Burrp!”, Deap Ubhi is a lesser known entrepreneur.

He joined Amazon in 2014 and motivated start-ups and other organizations to embrace cloud computing products.

He in less than a couple of years left, on a journey to start a company that furnished technology to restaurants.

Later on, he joined a Pentagon effort to employ techies. He wished to make a super effective search engine and according to what he said, also to help American people.

But as it turns out, Ubhi’s part in the Pentagon has landed him right in midst of one of the most prominent federal IT contracts.

A $10 billion deal of getting cloud computing to Pentagon, attracted the top tech companies when the project was announced in 2017.

Microsoft, Amazon, IBM, Oracle and Google, all wanted to seal the deal in their own ways.



But there was a catch to it all; the contract would go to only ‘one’ cloud vendor. And Amazon happened to close the deal with the capability of fulfilling Pentagon’s demands.

This is where Ubhi came in, especially his ties with Amazon, a place where he now works again.

Oracle, who under no circumstances could have landed the deal, vehemently criticized the one-vendor attitude.

The organization is now fighting in a federal court about Ubhi’s alleged inclination towards Amazon and its effect on the said deal.

Before the suit was filed, Pentagon had no found no suspicious influence of Ubhi and hence kept evaluating the deal despite Oracle’s lawsuit.

Further on, more information about Ubhi was discovered and Pentagon declined a request for disclosing it.

The winner of the deal was to be announced in April. When contacted by Amazon, both Ubhi and Pentagon refused to comment.

Oracle didn’t comment on the issue outside the court but during the proceedings it mentioned Ubhi’s outspoken inclination towards Amazon by providing the proof of a tweet via Ubhi’s handle.

According to the White house press secretary, the president of the US is not a part of this war of the vendors.



President Trump has never been involved in a government contract before so if he as much as even points at something regarding this situation it would be a first.

The cloud contract is being overseen by a Defense Department Procurement Official, commonly known as the Joint Enterprise Defense Infrastructure (JEDI).

The detection of the officials who’s actually chose the winner has not been made yet.

The Pentagon’s transition to cloud computing is being seen to by a team directed by the chief information officer, Dana Deasy.

Cloud computing would contribute a lot in the battlefield and hence the American government is keen on giving the contract to the best.

Reportedly, for some time Ubhi worked on a market research for JEDI while he was working at Pentagon.

Oracle in the court cited the internal documents where Ubhi articulated support towards a single cloud approach.

Oracle also thinks Ubhi had something to do with the decision to select a single cloud provider.



In return, Amazon said that Ubhi worked on JEDI only for seven weeks that too at the early stages and that there were over 70 people involved in the development.

Amazon and Ubhi’s ‘Tablehero’ were to engage in a partnership of which there is no proof as yet. Ubhi hasn’t been replying to the emails of investors either.

Pentagon mentioned that the single cloud would let the movement be faster and ensure more security. This statement was later asserted by the Government Accountability Office.

Both IBM and oracle filed heavy protests against the Government accountability Office which was later denied in Oracle’s case and rejected for IBM.

Oracle, which has a small cloud market shares, then took the issue to the federal courts of the US.

The Oracle lawsuit stands to profit Microsoft as it now has improved capabilities and hence could be a strong competitor to Amazon.

It doesn’t matter whether Ubhi molded the contract. Pentagon’s justifications support its decision to use a single cloud approach.

The major motivation behind the decision has always been helping the defense make better data driven decisions.

Amazon, Microsoft calls for Regulation on Face Recognition




Amazon is batting in favor of regulating and legislating the use of facial recognition technology and has written a  long, detailed blog post detailing its stand on the issue.

In the blog post written by the Vice-President of Global Public Policy at Amazon Web Services (AWS),  Michael Punke, the company revealed its "proposed guidelines" for the use of the technology by the companies, so that it cannot be used to discriminate. 

Punke wrote that the company “supports the creation of a national legislative framework covering facial recognition through video and photographic monitoring on public or commercial premises.”

Amazon has faced criticism after tests by civil rights groups and ACLU found out that Amazon's face Rekognition functions are less accurate for black people. In January, two researchers reported an Amazon Web  Services that determine the gender of the people in photos is also less accurate in the case of black women. 

However, Amazon refuted the claims of the studies saying that the Rekognition was “not used properly"  by the researchers.
Amazon wants legislation “that protects individual civil rights and ensures that governments are transparent in their use of facial recognition technology,” Punke wrote. 
The blog post is seen as the move to counter the facial recognition backlash.