Search This Blog

Showing posts with label Amazon. Show all posts

Houdini Malware is Back, and Amazon Sidewalk has Affected Enterprise Risk Assessments

 

A secure access service edge (SASE) platform's nature allows it to see a significant number of internet data flows, and the larger the platform, the more dataflows can be evaluated. A review of over 263 billion network flows from Q2 2021 reveals rising dangers, new uses for old malware, and the expanding use of consumer devices in the workplace. 

According to the Cato Networks SASE Threat Research Report, a new version of the old Houdini malware is now being used to steal device information in order to circumvent access rules that looks at both the device and the user. Attackers have prioritized spoofing device IDs, which have evolved from simple point solutions to cloud-based services. As a result, verifying device identity has become critical for strong user authentication. 

The report also shows how Amazon Sidewalk and other consumer services run on many enterprise networks, making risk assessment difficult. “Cybersecurity risk assessment is based on visibility to threats as much as visibility to what is happening in the organization’s network,” says Etay Maor, senior director of security strategy at Cato Networks. 

Maor doubts that many firms would be comfortable with on-site networks that include a variety of home gadgets, including those that are automatically signed in by Sidewalk and belong to employees' neighbours. Just as concerning, he said, "How many companies are even aware that home devices have been brought into the corporate network and are sharing the corporate infrastructure." 

“With lines blurring between the home office and the corporate network – more devices and applications find their way to the organization’s network but not necessarily to the organization’s risk assessment,” Maor added. 

9.5 billion network scans were discovered across Cato's platforms in Q2. Maor is certain that the company's combination of AI-based danger identification and human help assures that these aren't researcher scans. Cato also discovered about 817 million security events caused by malware, as well as over 475 million events caused by incoming or outbound contact with domains with a negative reputation.  

There were nearly 400 million policy breaches, including 241 million vulnerability scans from scanners like OpenVAS, Nessus, and others that violated Cato's security policy or common best practices for network security. The most common exploit attempt (7,957,186 attempts) was against the CVE-2020-29047 vulnerability, a WordPress wp-hotel-booking vulnerability.

Kindle's E-book Vulnerability Could Have Been Exploited to Hijack a User's Device

 

Amazon patched a significant vulnerability in its Kindle e-book reader platform earlier this April, which could have been used to gain complete control of a user's device and steal sensitive data by simply deploying a malicious e-book. "By sending Kindle users a single malicious e-book, a threat actor could have stolen any information stored on the device, from Amazon account credentials to billing information," Yaniv Balmas, head of cyber research at Check Point, said in an emailed statement. "The security vulnerabilities allow an attacker to target a very specific audience."

In other words, if a threat actor wanted to target a certain group of individuals or demographic, the adversary could tailor and coordinate a highly targeted cyber-attack using a popular e-book in a language or dialect widely spoken among the group.

Threat actors might readily target speakers of a specific language, according to Balmas. To target Romanians, for example, they would only need to publish a bestselling book in that language as an e-book. Because the majority of people who download that book will almost certainly speak Romanian, a hacker may be confident that nearly all of the victims will be Romanian. 

“That degree of specificity in offensive attack capabilities is very sought after in the cybercrime and cyber-espionage world. In the wrong hands, those offensive capabilities could do some serious damage, which concerned us immensely,” Balmas said. 

Following a responsible disclosure of the problem to Amazon in February 2021, the retail and entertainment behemoth released a patch in April 2021 as part of its 5.13.5 edition of Kindle software. The flaw is exploited by sending a malicious e-book to an intended victim, who, upon opening the book, triggers the infection sequence without any interaction from the user, allowing the threat actor to delete the user's library, gain full access to the Amazon account, or turn the Kindle into a bot for striking other devices in the target's local network. 

The flaw is in the firmware's e-book parsing architecture, notably in the implementation of how PDF documents are opened, which allows a malicious payload to be executed on the device. 

"Kindle, like other IoT devices, are often thought of as innocuous and disregarded as security risks," Balmas said. "These IoT devices are vulnerable to the same attacks as computers. Everyone should be aware of the cyber risks in using anything connected to the computer, especially something as ubiquitous as Amazon's Kindle."

New DNS Flaw Enables 'Nation-State Level Spying' on Companies

 

Researchers discovered a new category of DNS vulnerabilities hitting major DNS-as-a-Service (DNSaaS) providers, which may enable attackers to get access to sensitive data of company networks. 

DNSaaS providers (also referred to as managed DNS providers) rent DNS to other businesses who don't want to maintain and protect yet additional network resources on their own. 

These DNS vulnerabilities, as disclosed by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak at the Black Hat security conference, grant threat actors nation-state intelligence harvesting powers with simple domain registration. 

As per the description, they simply created a domain and utilized it to hijack a DNSaaS provider's nameserver (in this instance, Amazon Route 53), permitting them to eavesdrop on dynamic DNS traffic streaming from Route 53 users' networks. 

The Wiz researchers stated, "We found a simple loophole that allowed us to intercept a portion of worldwide dynamic DNS traffic going through managed DNS providers like Amazon and Google," 

"The dynamic DNS traffic we 'wiretapped' came from over 15,000 organizations, including Fortune 500 companies, 45 U.S. government agencies, and 85 international government agencies." 

Employee/computer identities and locations and extremely sensitive data about organizations' infrastructure, such as Internet-exposed network equipment, were among the data they acquired this way. 

In one instance, the researchers used network data from 40,000 corporate endpoints to trace the office locations of one of the world's major services companies. The information gathered in this manner would make it much simpler for threat actors to compromise an organization's network since it would offer them a bird's eye perspective of what's going on within corporations and governments and provide them with "nation-state level surveillance capacity." 

The researchers haven't found any indication that the DNS flaw they identified has ever been exploited in the open, but they do warn that anybody with the expertise of the vulnerabilities and the abilities to exploit it might have gathered data undiscovered for over a decade. 

"The impact is huge. Out of six major DNSaaS providers we examined, three were vulnerable to nameserver registration. Any cloud provider, domain registrar, and website host who provides DNSaaS could be vulnerable," they added at Black Hat. 

Patched by some, likely to affect others: 

Although two significant DNS providers (Google and Amazon) have already patched these DNS vulnerabilities, others are still likely prone, potentially exposing millions of devices to attacks. 

Moreover, it is unclear who is responsible for fixing this serious DNS flaw. Microsoft has previously informed Wiz that this is not a vulnerability since it could alter the dynamic DNS mechanism that permits Windows endpoints to leak internal network traffic to rogue DNS servers. 

Microsoft explained, this flaw as "a known misconfiguration that occurs when an organization works with external DNS resolvers." 

To minimize DNS conflicts and network difficulties, Redmond recommends utilizing distinct DNS names and zones for internal and external hosts and provides extensive guidance on how to correctly handle DNS dynamic updates in Windows. 

Maintained DNS providers can mitigate nameserver hijacking by adhering to the RFC's "reserved names" specification and checking and confirming domain ownership and validity before enabling their customers to register them. Companies renting DNS servers can also modify the default Start-of-Authority (SOA) record to stop internal network traffic from leaking via dynamic DNS updates.

CISA Partners with Leading Technology Providers for New Cybersecurity Initiative

 

As part of a new campaign aimed at improving the country's cyber defences, the US government has announced partnerships with Amazon, Microsoft, Google, and other major corporations. According to CISA Director Jen Easterly, the Joint Cyber Defense Collaborative, or JCDC, would strive to take a proactive approach to cyber defense in the wake of multiple high-profile breaches that damaged the federal government and the general public. 

The JCDC would initially focus on battling ransomware and other cyberattacks against cloud computing providers, according to a Wall Street Journal report, in order to avoid situations like the recent Kaseya supply-chain ransomware incident that occurred earlier this summer. 

“The industry partners that have agreed to work side-by-side with CISA and our interagency teammates share the same commitment to defending our country’s national critical functions from cyber intrusions, and the imagination to spark new solutions,” Easterly said in the statement. 

CISA will be able to integrate unique cyber capabilities across numerous federal departments, state and local governments, and private sector firms to achieve shared objectives due to the establishment of the JCDC. The new programme will also enable the public and commercial sectors to share information, coordinate defensive cyber operations, and participate in joint exercises to improve cyber defense operations in the United States. 

 Aside from AWS, Microsoft, and Google Cloud, the JCDC will collaborate with AT&T, Crowdstrike, FireEye Mandiant, Lumen, Palo Alto Networks, and Verizon. Meanwhile, the Department of Defense (DoD), US Cyber Command, the National Security Agency (NSA), the Department of Justice (DoJ), the FBI, and the Office of the Director of National Intelligence are among the government's partners. 

 Rep. Jim Langevin, D-RI, is a member of the Cyberspace Solarium Commission and a senior member of the House Committee on Homeland Security, said the JCDC is “exactly the kind of aggressive, forward-thinking we need to combat the ever-growing cyber threats that face our nation.” In a statement, Langevin said the JCDC “brings together our [Cyberspace Solarium Commission] recommendations about planning, intelligence fusion and cybersecurity operations in a visionary way.” 

 According to a Langevin aide, the Joint Cyber Defense Collaborative will house the Joint Planning Office, which Congress has authorised, as well as the Joint Collaborative Environment, if passed this year as politicians like Langevin hope.

Amazon Fined With EUR 746 Million By Luxembourg Over Data Protection

 

Amazon has been fined 746 million ($880 million) Euros by the Luxembourg government over data protection rules. Despite its powerful presence across the globe, the American multinational technology company that focuses on e-commerce, digital streaming, cloud computing, and artificial intelligence, has continued to make headlines for various reasons, at times even serious allegations. Interestingly, it also falls under the category of "frightful five" which is a name given to the five most valuable tech giants that collectively influence almost everything that happens in the tech world. Amazon has undoubtedly become an integral part of most households, not only just American but worldwide. In terms of power, Amazon is a leading player both economically and socially. 

According to authorities, Amazon broke the EU’s data protection rules. It is assumed that the fine that has been charged for a data protection violation is the largest since the passage of the regulation. 

The Luxembourg National Commission for Data Protection had issued a notice on July 16. In the wake of which, Amazon said in a securities filing, "Amazon’s processing of personal data did not comply with the EU General Data Protection Regulation."

"We believe the CNPD's decision to be without merit and intend to defend ourselves vigorously in this matter," the company added, using the organization's French acronym. 

The Securities and Exchange Commission (SEC) document did not disclose any further technical details, but Amazon was sued by a European consumer group for using personal credentials for marketing purposes without authorization. Also, the Luxembourg agency declined to comment on further inquiries by saying that its investigations are confidential. 

Following the allegations, Amazon was already fined by French authorities 35 million Euros last year for not following laws on browser "cookies" that track users. Meanwhile, Google (another of "frightful five") had also been charged with a fine of 100 million Euros for similar data protection rules. Alongside, Facebook, yet another giant firm labeled under "frightful five" is also under investigation in Ireland for leaked data.

BEC Attacks have Stolen $1.8 Billion from Businesses

 

Business email compromise (BEC) attacks increased drastically in 2020, with more than $1.8 billion stolen from businesses in just one year. BEC attacks are carried out by hackers who impersonate someone inside a company or pose as a partner or vendor in order to defraud the company. 

The tactics of some of the most dangerous BEC attacks observed in the wild in 2020 were examined in a new report from Cisco's Talos Intelligence, which reminded the security community that smart users armed with a healthy skepticism of outside communications and the right questions to ask are the best line of defense, in addition to technology. 

According to the FBI, BEC assaults are getting more dangerous. They discovered a 136 % increase in the number of successful BEC attacks (reported) around the world between December 2016 and May 2018. Between October 2013 and May 2018, it is estimated that Business Email Compromise cost businesses over $12 billion. Analysts predict that these attacks will grow more regular and that the financial costs connected with them will continue to rise. 

The report stated, “The reality is, these types of emails and requests happen legitimately all over the world every day, which is what makes this such a challenge to stop.” It's tempting to get hooked up on huge global corporations' high-profile data breaches. The genuine revenue, however, is made via smaller BEC attacks, according to the report. 

“Although a lot of attention gets paid to more destructive and aggressive threats like big-game hunting, it’s BEC that generates astronomical revenue without much of the law-enforcement attention these other groups have to contend with,” the report explained. “If anything, the likelihood of this has only increased in the pandemic, with people relying more and more on digital communication." 

According to Cisco Talos, gift card lures are by far the most popular in BEC assaults. Most of the time, these emails will appear to be from someone prominent within the organization and will come from a free provider like Gmail, Yahoo, or Outlook. The solicitations will frequently include a sad narrative of hardship and will attempt to persuade the victim to purchase an Amazon, Google Play, iTunes, PlayStation, or other common types of gift card. 

“The amount of and types of businesses that get targeted with these attacks is truly staggering, ranging from huge multinational corporations down to small mom-and-pop restaurants in U.S. cities,” Talos said. “We found examples of small restaurants that are being targeted by impersonating the owners since the information was available on their website.”

Scammers Employ 'Vishing' Technique to Steal Personal Details of Online Shoppers

 

Scammers are using a unique methodology called ‘vishing’ to trick online customers. In a vishing attack, the fraudster impersonates someone from Amazon but uses a phone call as the weapon of choice. Another tactic employed by the cybercriminal is via email with a contact number and requesting the receiver to call that number. 

Recently, cybersecurity firm Armorblox discovered two distinct email campaigns posing as Amazon. Both emails were identical with a similar Amazon branding and followed a pattern similar to real order confirmation emails from Amazon but, if one knows where to look, there are many indications that the emails are fraudulent.

The first indication is that the emails are sent from a Gmail address or one that looks like it “might” belong to Amazon (no-reply@amzeinfo[.]com) and the recipient is not addressed by their name (a piece of information Amazon would know).

Armorblox researchers noted that scammers are not using the old taction of including a malicious attachment or URL / link, which allowed them to bypass any detection controls that block known bad links. They also made other choices that allowed them to slip past any deterministic filters or blocklists that check for brand names being impersonated (e.g., by writing AMAZ0N – with a zero instead of an “O”). 

What you can do to prevent yourself from these fraudulent schemes? 

With online shopping becoming the new normal, fraudsters will continue targeting this global and immense pool of potential victims. Scammers are using a combination of social engineering, brand imitation, and emotive trigger to lure victims into their trap. If successful, victims could end up handing over their personal data and credit card details, leading to consequences such as identity theft or fraudulent payments made on their behalf. 

The first thing you have to learn is not to open attachments and follow links from unknown emails, and not to call on included phone numbers which may cost you thousands of rupees. If you’re worried that you might be billed for an order you did not make, go to the shop’s website and find the correct phone number yourself.

Secondly, do not share your personal details on a phone call. If you feel the urgency to call back, don't contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.

Lastly, but most importantly use multi-factor authentication (MFA) on all accounts and for all sites. Don't use the same password across multiple accounts and use a password manager to store your passwords.

Amazon Fake Reviews Scam Exposed in Data Breach

The identities of over 200,000 people who appear to be participating in Amazon fraudulent product review schemes have been exposed by an open database. 

There is an ongoing struggle between the e-commerce giant and shady traders all over the world who want to hamstring rivals and gain an advantage by creating fake product feedback. The ways in which they function and remain under Amazon's radar differ, but an open ElasticSearch server has revealed some of their inner workings. 

Researchers from Safety Detectives reported on Thursday that the server, which was open to the public and accessible online, held 7GB of data and over 13 million documents appeared to be connected to a widespread fake review scam. It is unknown who owns the server, but due to messages written in Chinese that were leaked during the incident, there are indications that the company might be based in China. 

The database includes the user names, email addresses, PayPal addresses, links to Amazon accounts, and both WhatsApp and Telegram numbers, which also included records of direct messages between consumers willing to provide false reviews and traders willing to pay them. The leak may implicate "more than 200,000 people in unethical activities," according to the team. 

The database, as well as the messages it included, exposed the strategies used by suspicious sellers. One approach involves sending a customer a connection to the goods or products for which they want 5-star ratings, and the customer then makes a purchase. After a few days, the customer leaves a positive review and sends a message to the vendor, which will result in payment via PayPal — which could be a 'refund,' while the item is kept for free. It's more difficult to spot fraudulent, paid reviews because refund payments are held off the Amazon website. 

On March 1, an open ElasticSearch server was discovered, but the owner could not be identified. On March 6, however, the leak was detected and the server was secured. 

"The server could be owned by a third-party that reaches out to potential reviewers on behalf of the vendors [or] the server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors," the researchers speculated. "What's clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon's terms of service." 

Vendors are not allowed to review their own goods or receive a "cash incentive, discount, free products, or other compensation" in exchange for positive reviews, according to Amazon's spokesperson and review policy which includes third-party organizations. However, since Amazon is such a popular online marketplace, it's likely that some vendors will continue to try to take advantage of review systems in order to increase their profits. 

"We want Amazon customers to shop with confidence, trusting that the reviews they read are genuine and appropriate," a spokesperson for the company said. "We have clear policies for both reviewers and selling partners that forbid the misuse of our community features, and we suspend, ban, and taint people who break them," states the company.

Unidentified Cyberattackers Has Put Alaska Court System Offline

 

A recent cyberattack has forced The Alaska Court System (ACS) to temporarily discontinue its online services to the public including electronic court filings, online payments, and also prevented hearings that take place via videoconference till the cybersecurity unit removes malware from its network including its working website. Due to the ongoing world pandemic, court matters were being dealt with by an online service. However, now services will be given through phone calls. 

On Saturday, a statement has been put out by the court in which the court said that its website will be inactive and people will not be able to search cases while its research unit fixes the malware that has been executed on its network, in order to prevent a further cyber attack. 

"Today, we were advised that there did appear to be some attempts to infiltrate the court system's computer system. And so we figured out a way to disconnect from the internet to stop the problem to prevent anyone from continuing to try to tinker with our network”, Alaska Supreme Court Chief Justice Joel Bolger. 

Additionally, the court told that all currently scheduled cases and other emergency hearings on critical matters will be heard on their time. 

“I think for a few days, there may be some inconveniences, there may be some hearings that are canceled or some judges who decide to shift from videoconference to teleconference proceedings or the like. We don’t have all of that figured out yet,” Alaska Supreme Court Chief Justice Joel Bolger, the court system’s top administrative officer, told the press. 

This cyberattack is just another example of cyber threats against governmental organizations. There is no doubt that because of the pandemic, cyberattacks against government organizations have been increased. Along with Government organizations, the state and local level governments, with private firms and schools, hospitals, are also being targeted massively. 

In the light of the cyber threat, the newly formed Ransomware Task Force, which works under Microsoft and Amazon experts: aims at fixing ransomware and finding solutions to combat these cyberattacks. 

In the latest report, the task force has provided some haunting statistics of ransomware attacks: 

The average downtime due to ransomware attacks is 21 days, the average number of days it takes an organization to fully recover is 287, victims paid $350 million in ransom in 2020, a 311% increase from 2019, and the average ransom payment was $312,493, a 171% increase from 2019.

Alexa Skills can Easily Bypass Vetting Process

 

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could permit a threat actor to publish a misleading skill under any arbitrary developer name and even make backend code changes after approval to fool clients into surrendering sensitive data. The discoveries were introduced on Wednesday at the Network and Distributed System Security Symposium (NDSS) meeting by a group of scholastics from Ruhr-Universität Bochum and the North Carolina State University, who examined 90,194 skills accessible in seven nations, including the US, the UK, Australia, Canada, Germany, Japan, and France.

 “While skills expand Alexa’s capabilities and functionalities, it also creates new security and privacy risks,” said a group of researchers from North Carolina State University, the Ruhr-University Bochum and Google, in a research paper. 

Amazon Alexa permits third-party developers to make additional functionality for gadgets, for example, Echo smart speakers by configuring "skills" that run on top of the voice assistant, along these lines making it simple for clients to start a conversation with the skill and complete a particular task. Chief among the discoveries is the worry that a client can actuate a wrong skill, which can have serious results if the skill that is set off is designed with a treacherous aim. 

Given that the actual criteria Amazon uses to auto-enable a particular skill among several skills with the same invocation names stay obscure, the researchers advised it's conceivable to actuate some wrong skill and that an adversary can get away with publishing skills utilizing notable organization names. "This primarily happens because Amazon currently does not employ any automated approach to detect infringements for the use of third-party trademarks, and depends on manual vetting to catch such malevolent attempts which are prone to human error," the researchers explained. "As a result users might become exposed to phishing attacks launched by an attacker." 

Far more terrible, an attacker can make code changes following a skills approval to persuade a client into uncovering sensitive data like telephone numbers and addresses by setting off a torpid purpose.

Data of 14 Million Amazon and eBay Accounts Leaked on Hacking Websites

 

An anonymous user offered 14 million data from Amazon and eBay accounts on a prominent hacking website for dissemination. The details seem to have been obtained from customers of Amazon or eBay having accounts from 18 countries between 2014-2021.

In Seattle, USA- focused on e-commerce, cloud computing, internet streaming, and artificial intelligence, Amazon.com Inc. is an international corporation based in Washington. Founded in 1994, the business was named "one of the most influential economic and cultural forces in the world" as well as the most valuable brand in the world. Whereas eBay Inc. is also a U.S. international e-commerce company headquartered in San Jose, California that allows transactions and sales to customers and companies through its website. eBay was founded in 1995 by Pierre Omidyar and became a remarkable success story for the dot-com bubble. 

The database acquired by the hacker was sold for 800 dollars where the accounts were divided through each country. The details leaked contain the entire customer name, mailing code, shipping address and store name, and a telephone number list of 1.6 million users. Although two copies had already been sold, the blog publisher has now closed the deal. 

The way the blog-publisher has acquired data is at present- unclear. Though the firm researching this incidence did not independently check or validate that Amazon or eBay data were certainly from the 2014-2021 period. A representative of Amazon said that the allegations had been reviewed with no evidence of any data violation. 

Also, it is more probable that Amazon or eBay have not experienced any infringements. Instead, a common form of password spraying was presumably used by the threat actor to get the passwords. Spraying passwords is an attack attempting to enter a wide number of accounts with a few popular passwords (usernames). Standard attacks by brute forces seek to enter a single account by guessing the password.

Fortunately, highly confidential material, including billing records, national ID numbers, or even e-mail addresses, does not exist on the server. However, the data being sold at this time is also potentially vulnerable and can be used for a range of reasons, such as doxing users by public dissemination of private data (e.g. sensitive things that nobody needs to hear about). The data may also be exploited by cybercriminals for purposes of creating a spam list or business intelligence.

"Not Amazon" Canadian Website Takes on the Online Giant

The e-commerce giants, with their evidently endless collection and drive to deliver convenience along with affordable prices, have become an all-too-familiar and essential service for many consumers at the height of the ongoing global pandemic. 

While small businesses and local retailers have been ending up with nothing in this pandemic, the worldwide lockdowns, and restrictions, have been fruitful for the e-commerce market, especially for the Seattle-based e-commerce giant Amazon, which has made humongous profits in billions. 

The pandemic has proved as mounting inequity between people and markets, and it was brought into focus by Ali Haberstroh. As the pandemic deepened, offline markets were closed but online shopping continued which consequently created inequality that was highlighted by one Canadian woman who expressed her disapproval as she fought back for the cause. 

“I just hate how much Jeff Bezos and Amazon are making billions off the backs of working-class people,” said Ali Haberstroh. “It seems to me they’re putting money over the wellbeing of people.” 

It was in late November 2020 when the snow was painting Ali Haberstroh’s apartment into a white house when the idea occurred to her. At the time, Canada was about to shut the market again as the second wave of lockdown hit the Canadian lanes in an attempt to curb rising COVID-19 cases. 
In anticipation, Toronto’s vintage clothing owner who is a friend of Ms. Haberstroh’s had put together names of other local vintage shops offering product curbside pickup and deliveries instead of shutting doors. 

“It was a wake-up call,” Ms. Haberstroh, 27, said of the list, which reminded her how large retailers like Walmart, Costco, and Amazon had thrived during the pandemic while much smaller, local businesses had been increasingly forced to discontinue their operations. “I thought if there is one tiny thing I can do to help, then I should get on it.” 

Being as inspired as she was by this idea, Haberstroh readied herself to build a more comprehensive list; following up, she has created an Instagram post, tagging independent businesses, and shopkeepers across Toronto. Moreover, she came up with a new website by the name “Not-Amazon.ca” — a URL that she had bought for $2.99. 

Introduced as a local list to help keep small businesses alive, 'Not Amazon' was created “so you don’t have to give any money to Amazon this year!” her Instagram post read. 

“At first it started off as a bit of a joke, with the name, but soon I really wanted to make it like Amazon, having everything in one place,” she said. “I didn’t want people to have an excuse not to shop local.” 

So far, the website “Not-Amazon.com” has accumulated more than half a million page views and is witnessing the participation from 4,000 businesses across Toronto, Halifax Calgary, and Vancouver. 
Furthermore, the cause is seen to have gained worldwide acceptance as thousands of stores owner await their submission to this site along with Ms. Haberstroh’s approval. 

“In a big city like Toronto, where it feels like most businesses are local, I think it’s so easy to think these things will be here forever,” said Ms. Haberstroh, who works as a social media manager at a marketing firm and plans to expand her rebellious project 'Not Amazon' to even more cities. “You don’t think that they’re going to go anywhere.” 

 “Small businesses have always made Toronto magical. They’re what makes this city what it is. And so I think we owe it to them to keep them alive.” She added.

Amazons gets FAA's approval for Drone Delivery Trails



Retail giant Amazon got the approval to deliver their products from the sky (like your package dropped straight from the skies, well the thought is good but not really); that is to say, the online retail behemoth got USA's Federal Aviation Administration approval to start trials for drone airlines for delivery.

The Federal Aviation Administration approved Amazon Prime as an "air carrier" allowing it to begin deliveries by air with their drone tech, probably with the MK27 drone released last year. These will be under a trial program. Other companies that already had this approval are Wing, the Alphabet.Inc (Google) and United Parcel Service Inc. (UPS).

In recent years, companies in retail have been evolving and developing Drone Delivery to quite an extent and have achieved major leaps. Wing and UPS both fly their products to a limited distance via drones and Amazon has stated they would start their own trials through the exact data that was not mentioned. 

During the pandemic, Amazon made extensive profits and grew exponentially and their autonomous air delivery if applied globally with success could change the way for ecommerce forever. 

"This certification is an important step forward for Prime Air and indicates the FAA's confidence in Amazon's operating and safety procedures for an autonomous drone delivery service that will one day deliver packages to our customers around the world," said David Carbon, vice president of Prime Air, in a statement. "We will continue to develop and refine our technology to fully integrate delivery drones into the airspace, and work closely with the FAA and other regulators around the world to realize our vision of 30-minute delivery." 

The FAA said it has granted the approval to support innovation and development in Drone flights. But the approval was difficult and still has some issues as FAA's regulations are for humans aboard and not sans humans. Thus the agency is planning on making a new set of regulations for Drone flights. 

But routine Drone Deliveries still have a long way to go like something like this would require some standards for flight, machine, and mechanism along with proper air traffic control and route settings without a pilot - all of which would take years to set up.

Apple Plans to Expand Cloud-Based Services, Enters Cloud Computing Space


Apple is planning to invest more in streamlines and increasing its cloud-based and software services like iCloud, Newsplus, and Apple Music. The expansion will go along with devices like iPads, MacBooks, and iPhones. To be entirely sure about the reliability of the cloud-based service on all the Apple devices, the company has decided to rely on AWS (Amazon Web Services) and the cloud division. AWS, as you might know, is a subunit of Amazon that offers cloud-space solutions. According to CNBC's findings, Apple is said to pay Amazon $30 Million monthly for its cloud-based services. It also means that Apple is one of the biggest customers of AWS.


Nevertheless, Apple hasn't confirmed whether it uses Amazon's cloud services besides its iCloud. According to experts, Apple also has some of its cloud services on Google. Amazon transformed the management of the data center and hosting of the applications when it brought the AWS. Being the first one to offer services like these, AWS is currently ranked top in the world of cloud hosting. Since recent times, Google Cloud and MS Azure are also trying to increase their presence in cloud-space services.

"As a matter of fact, AWS crossed the $10 billion quarterly revenue mark in Q1 2020, bringing in revenue of $10.2 billion with a growth rate of 33%. AWS accounted for about 13.5% of Amazon's total revenue for the quarter, which is on the higher end. Google Cloud, which includes Google Cloud Project (GCP) and G-Suite, generated $2.78 billion in revenue in the first quarter this year, which marked as a 52% increase over the same quarter a year ago. Microsoft does not reveal Azure revenue, but it announced that its Azure revenue grew by 59% in Q1 2020 over the same quarter a year ago," says Taarini Kaur Dang from Forbes.

As it seems, Apple knows the importance of the high-end cloud support needed for offering the best services to its customers. Similar to other tech biggies, Apple has its cloud space team called ACI (Apple Cloud Infrastructure). Noticing Apple's recent advancements, it is fair to believe that Apple might revolutionize the cloud-space world.

Hackers Attack Amazon Web Services Server


A group of sophisticated hackers slammed Amazon Web Services (AWS) servers. The hackers established a rootkit that let them manually command the servers and directed sensitive stolen corporate date to its home servers C2 (command and control). The attackers breached a variety of Windows and Linux OS within the AWS data center. A recent report published by Sophos (from Britain) last week has raised doubts and suspicions among the cybersecurity industry.


According to Sophos reports, the hackers were able to avoid Amazon Web Services SG (security groups) easily. Security Groups are supposed to work as a security check to ensure that no malicious actor ever breaches the EC2 instance (it is a virtual server used by AWS to run the application). The anonymous victim of this attack had already set up a perfectly tuned SG. But due to the rootkit installed in AWS servers, the hackers obtained remote access meanwhile the Linux OS was still looking for inbound connections, and that is when Sophos intervened. Sophos said that the victim could have been anyone, not just the AWS.

The problem was not with AWS, this piggybacking method could have breached any firewall, if not all. According to cybersecurity experts' conclusion, the hackers are likely to be state-sponsored. The incident is named as "Cloud Snooper." A cybersecurity expert even termed it as a beautiful piece of work (from a technical POV). These things happen all the time, it only came to notice because it happened with a fancy organization, he says. There are still unanswered questions about the hack, but the most important one that how the hackers were able to manage this attack is cleared.

About the attack 

“An analysis of this system revealed the presence of a rootkit that granted the malware’s operators the ability to remotely control the server through the AWS SGs. But this rootkit’s capabilities are not limited to doing this in the Amazon cloud: It also could be used to communicate with, and remotely control, malware on any server behind any boundary firewall, even an on-premises server. By unwinding other elements of this attack, we further identified other Linux hosts, infected with the same or a similar rootkit," said Sophos.

Amazon Transcribe Can Automatically Shroud the User's Personal Information from Call Transcripts?


Amazon Transcribe, the AWS-based 'speech-to-text service, recently came up with a significant new feature which, if executed effectively, can spontaneously shroud the user's personal information from call transcripts. 

This new feature permits Transcript to consequently recognize data like a Social Security number, Credit card number, bank account number, name, email address, phone number and mailing address and redact that. The apparatus consequently replaces this data with '[PII]' in the transcript. 

There are, obviously, different apparatuses/tools that can expel PII from existing reports. Regularly these are cantered around data loss prevention tools and intend to shield the information from spilling out of the organization when you share records and documents with outsiders. With the Transcript tool probably a portion of this information will never be accessible for sharing (except if, a copy of the audio is maintained)


One of the most mainstream use cases for Transcript is to make a record of customer calls. By default, that includes exchanging information like the user's name, address or a credit card number. In some cases there are even call centres which stop the recording when the user is about to exchange credit card numbers, for instance, but that’s may not always be the case. 

Transcribe in total, currently supports 31 dialects which of those, it can transcribe six 'in real time' for subtitling and other use cases.

Corona Impacts Amazon; More Than One Million Products Banned


The e-commerce giant has finally started taking steps to secure against the corona epidemic by banning more than one million products and furthermore by removing "tens of thousands" of overrated health products from unethical vendors.

A quest for "coronavirus" on Amazon raised results for face masks, disinfectant wipes and recently published books on viral infections, revealing how a few merchants are taking advantage of the health crisis. It additionally offered results for vitamin C boosters as well - a fake remedy for the virus that has been broadly disseminated on the web.

The World Health Organisation (WHO) expresses its worry about some deceptive Amazon postings prior this month, including counterfeit medications. The organization said fake coronavirus claims online were creating mass turmoil and asked tech giants to battle this spread of misinformation.

Amazon is yet to provide a rundown of those items it says it has expelled, but a BBC search for "coronavirus" on the online site proposes that numerous items are as yet being sold at strangely high prices. A portion of those items is not by any means fit for purpose, like the dispensable dust or surgical masks, as opposed to the recommended protective gear.

In one such example, a 50-piece heap of surgical masks from one seller cost more than £170, while a well-known alternative of a similar item is at a sale for around £36. Indeed, even that less expensive item has still risen drastically in price since early January, when it cost under £10.


Alluding to the act of "hiking up prices of goods" to unreasonably high levels in light of an expansion in demand, a spokesperson said, "There is no place for price gouging on Amazon," She referred to the company policy which permits Amazon to bring down items/products that "hurt customer trust", including when pricing "is significantly higher than recent prices offered on or off Amazon".

And further on added that the company will keep on monitoring the site for price spikes.

Amazon Chief’s Phone Hacked by the Saudi Arab Crown Prince



Referring to anonymous sources, a British daily newspaper came up with reports on details regarding Amazon Chief Jeff Bezos' cell phone being hacked in the wake of accepting a message from the Saudi Arabian crown.

Theft of information from Bezo's cell phone, however, is said to have been started in 2018 with a contaminated video file sent by means of WhatsApp from the personal account of Mohammed bin Salman, according to the previously mentioned British daily.

The report apparently comes about a year after the unexpected announcement that Bezos and his wife, MacKenzie, would separate following 25 years of marriage. The National Enquirer along these lines uncovered an extramarital affair between Bezos and Lauren Sanchez, a former TV anchor, in a progression of reports that depended, to some degree, on some intimate text messages sent by Bezos.

Bezos in this way distributed an extraordinary blog entry blaming the newspaper for taking steps to distribute all the more humiliating text messages and photographs except if he freely attested that there was no political motivation or outside force behind the newspaper's coverage.

Gavin de Becker, a security consultant for Bezos, later said he believed the Saudi Arabian government had gained access to Bezos' phone before the Enquirer uncovered the whole affair. He didn't give any immediate evidence to back up his claims, which he said originated from "our investigators and a few experts." De Becker referred to the Enquirer's business association with the Saudis, just as the intense coverage of the homicide of a critic of the Saudi regime by the Bezos-owned Washington Post, as reasons why bin Salman may look to harm the Amazon founder.

The newspaper reported a year ago that the Central Intelligence Agency connected the crown prince to the 2018 murder of Post Columnist Jamal Khashoggi. De Becker declined to remark past the rather lengthy statement a year ago, which was posted on the news site The Daily Beast.

The Saudi embassy didn't quickly react to a message looking for more inputs. In spite of the fact, it's still extremely unclear whether the supposed hack of Bezos' phone got to any sensitive Amazon corporate information.

While the company is yet to remark on the issue in the nine months since de Becker's allegation, the company representatives haven’t yet returned the messages seeking comment on the 21st of January.

Amazon, Rings Sued by a Man Claiming that the Camera was Hacked and used to Harass his Kids


A class-action lawsuit has been filed against Amazon-owned Rings by Alabama resident John Orange. The company has been accused mainly of negligence and invasion of privacy amid other side claims namely breach of an implied warranty, breach of implied contract and violation of California’s Unfair Competition Law against false advertising as it failed to provide enough protection against hacks.

Orange claimed that his internet-connected Ring camera which he bought in July 2019 was hacked and used to harass his three children aged seven, nine and ten, as per the lawsuit. Reportedly, the hacker spoke to the kids as they were playing basketball.

The argument for a class-action was supported by seven other similar incidents reported by media wherein these devices were hacked as the two-way talk function was used by hackers to talk to unsuspecting children.

A mother shared one such disturbing incident which made rounds on social media, it took place in Mississippi wherein the hacker attempted to engage with her eight-year-old daughter. While, another one which took place in Texas, witnessed a couple being threatened to pay a ransom of $350,000 in bitcoin.

According to the lawsuit, "An unknown person engaged with Mr. Orange’s children commenting on their basketball play and encouraging them to get closer to the camera."

“Although Ring is in the business of home security and was certainly aware that its Wi-Fi-enabled product, was vulnerable to attack, it took no steps to ‘require camera owners to use two-factor authentication, which could help prevent these types of attacks…,’” the lawsuit stated.

“Moreover, it knew, or should have known, in an era of pervasive data breaches, that logging in with user emails instead of unique account names, and not requiring at least 2FA [two-factor authentication], put its Wi-Fi-enabled product at an unreasonable risk of being compromised.”

“Unfortunately, Ring did not fulfill its core promise of providing privacy and security for its customers as its camera systems are fatally flawed,” the lawsuit further claimed.

On being asked by Gizmodo, a spokesman from Ring declined to comment as he told that the company "does not comment on legal matters."

If the matter qualifies for gaining the status of class action, Amazon and Ring would be asked to provide compensation for the affected parties and implement better security measures.

"Smart Spies"- Amazon Alexa and Google Home's Voice Assistant Were Vulnerable to a Security Flaw


Alexa and Google Home smart speakers have been vulnerable to a security threat that made eavesdropping, voice phishing and using people's voice cues to deduce passwords possible for hackers. The hack also allowed hackers to befool users in handing out their private data without any knowledge of the same being happening.

In October, security researchers who discovered "Smart Spies" hack and new ways in which Alexa and Google Home smart speakers can be exploited, are now warning about the need to formulate new and effective methods to guard against the eavesdropping hack, reports Threatpost. Notably, no major steps were been taken to ensure protection against these hacks.

SRLabs, a Berlin-based hacking research company, told about the discovery of the vulnerability being made by them earlier this year, they went on reporting it to the concerned organizations, Amazon and Google. Furthermore, in an attempt to demonstrate the exploitation of the flaw, the firm shared a series of videos on Sunday.

As per the reports by CNN Business, Amazon and Google told that the vulnerabilities have been taken care of and likewise the issues have been fixed.

The company "quickly blocked the skill in question and put mitigations in place to prevent and detect this type of skill behavior and reject or take them down when identified," a spokesperson from Amazon told CNN Business.

Addressing the issue, SRLabs states in a blog post, "Alexa and Google Home are powerful, and often useful, listening devices in private environments. The privacy implications of an internet-connected microphone listening in to what you say are further reaching than previously understood."

Experts recommended users to be more mindful of the potentially malignant voice apps that can infect smart speakers, "Using a new voice app should be approached with a similar level of caution as installing a new app on your smartphone."

"To prevent ‘Smart Spies’ attacks, Amazon and Google need to implement better protection, starting with a more thorough review process of third-party Skills and Actions made available in their voice app stores. The voice app review needs to check explicitly for copies of built-in intents. Unpronounceable characters like “�. “ and silent SSML messages should be removed to prevent arbitrary long pauses in the speakers’ output. Suspicious output texts including “password“ deserve particular attention or should be disallowed completely." The blog reads.