Holiday gifts getting smarter, but creepier when it comes to privacy and security

A Hamilton Beach Smart Coffee Maker that could eavesdrop, an Amazon Halo fitness tracker that measures the tone of your voice, and a robot-building kit that puts your kid’s privacy at risk are among the 37 creepiest holiday gifts of 2020 according to Mozilla.

Researchers reviewed 136 popular connected gifts available for purchase in the United States across seven categories: toys & games; smart home; entertainment; wearables; health & exercise; pets; and home office.

They combed through privacy policies, pored over product and app features, and quizzed companies in order to answer questions like: Can this product’s camera, microphone, or GPS snoop on me? What data does the device collect and where does it go? What is the company’s known track record for protecting users’ data?

The guide includes a “Best Of” category, which singles out products that get privacy and security right, while a “Privacy Not Included” warning icon alerts consumers when a product has especially problematic privacy practices.

Meeting minimum security standards

It also identifies which products meet Mozilla’s Minimum Security Standards, such as using encryption and requiring users to change the default password if a password is needed. For the first time, Mozilla also notes which products use AI to make decisions about consumers.

“Holiday gifts are getting ‘smarter’ each year: from watches that collect more and more health data, to drones with GPS, to home security cameras connected to the cloud,” said Ashley Boyd, Mozilla’s Vice President of Advocacy.

“Unfortunately, these gifts are often getting creepier, too. Poor security standards and privacy practices can mean that your connected gift isn’t bringing joy, but rather prying eyes and security vulnerabilities.”

Boyd added: “Privacy Not Included helps consumers prioritize privacy and security when shopping. The guide also keeps companies on their toes, calling out privacy flaws and applauding privacy features.”

What are the products?

37 products were branded with a “Privacy Not Included” warning label, including: Amazon Halo, Dyson Pure Cool, Facebook Portal, Hamilton Beach Smart Coffee Maker, Livescribe Smartpens, NordicTrack T Series Treadmills, Oculus Quest 2 VR Sets, Schlage Encode Smart WiFi Deadbolt, Whistle Go Dog Trackers, Ubtech Jimu Robot Kits, Roku Streaming Sticks, and The Mirror.

22 products were awarded “Best Of” for exceptional privacy and security practices, including: Apple Homepod, Apple iPad, Apple TV 4K, Apple Watch 6, Apple Air Pods & Air Pods Pro, Arlo Security Cams, Arlo Video Doorbell, Eufy Security Cams, Eufy Video Doorbell, iRobot Roomba i Series, iRobot Roomba s Series, Garmin Forerunner Series, Garmin Venu watch, Garmin Index Smart Scale, Garmin Vivo Series, Jabra Elite Active 85T, Kano Coding Kits, Withings Thermo, Withings Body Smart Scales, Petcube Play 2 & Bites 2, Sonos SL One, and Findster Duo+ GPS pet tracker.

A handful of leading brands, like Apple, Garmin, and Eufy, are excelling at improving privacy across their product lines, while other top companies, like Amazon, Huawei, and Roku, are consistently failing to protect consumers.

Apple products don’t share or sell your data. They take special care to make sure your Siri requests aren’t associated with you. And after facing backlash in 2019, Apple no longer opts users in to human review of voice recordings by default.

Eufy Security Cameras are especially trustworthy. Footage is stored locally rather than in the cloud, and is encrypted at rest (Eufy markets this as “military-grade” encryption, a label with no formal technical meaning; the local-only storage is the substantive privacy feature). Further, Eufy doesn’t sell its customer lists.

Roku is a privacy nightmare. The company tracks just about everything you do — and then shares it widely. Roku shares your personal data with advertisers and other third parties, it targets you with ads, it builds profiles about you, and more.

Amazon’s Halo Fitness Tracker is especially troubling. It’s packed full of sensors and microphones. It uses machine learning to measure the tone, energy, and positivity of your voice. And it asks you to take pictures of yourself in your underwear so it can track your body fat.

Tech companies want a monopoly on your smart products

Big companies like Amazon and Google are offering a family of networked devices, pushing consumers to buy into one company. For instance: Nest users now have to migrate over to a Google-only platform. Google is acquiring Fitbit.

And Amazon recently announced it’s moving into the wearable technology space. These companies realize that the more data they have on people’s lives, the more lucrative their products can be.

Products are getting creepier, even as they get more secure

Many companies — especially big ones like Google and Facebook — are improving security. But that doesn’t mean those products aren’t invasive. Smart speakers, watches, and other devices are reaching farther into our lives, monitoring our homes, bodies, and travel. And often, consumers don’t have insight or control over the data that’s collected.

Connected toys and pet products are particularly creepy. Amazon’s KidKraft Kitchen & Market is made for kids as young as three — but there’s no transparency into what data it collects. Meanwhile, devices like the Dogness iPet Robot put a mobile, internet-connected camera and microphone in your house — without using encryption.

The pandemic is reshaping some data sharing for the better. Products like the Oura Ring and Kinsa smart thermometer can share anonymized data with researchers and scientists to help track public health and coronavirus outbreaks. This is a positive development — data sharing for the public interest, not just profit.

Windstream Enterprise adds Google Assistant and Amazon Alexa to its SD-WAN solution

Windstream Enterprise (WE) has added new Google Assistant and Amazon Alexa voice command features to its SD-WAN solution, enabling network administrators to work more efficiently.

WE already includes Google Assistant and Amazon Alexa integration in its award-winning OfficeSuite UC® solution. This integration with SD-WAN marks the second major voice command innovation, and further demonstrates Windstream Enterprise’s commitment to helping customers streamline their daily activities and simplify their workloads.

SD-WAN customers can now get a pulse on their SD-WAN environment with the following features:

  • SD-WAN daily summary: Provides site status, including the total number of disconnected, connected and impaired sites, as well as sites pending activation.
  • Ticket summary: Presents a high-level readout of total open and recently updated tickets.
  • Ticket activity: Delivers a more granular look at open tickets, including the ID number, opened date, trouble type and location for which the ticket was created.

Through a simple login via WE Connect, Windstream Enterprise’s easy-to-use network management portal, customers gain the convenience of digital voice assistants across both SD-WAN and unified communications to stay apprised of their tasks, network health and workload.

With a simple voice command, customers will be able to say things like: “Ok Google, Ask Windstream to get my SD-WAN overview,” or “Alexa, Ask Windstream to get my ticket summary.” Many more voice commands are available for both SD-WAN and OfficeSuite UC functions.

“Digital voice assistants are becoming essential in everyday life, and use is increasing as work-from-home and hybrid working environments take hold; therefore, Windstream Enterprise is giving customers the same seamless, innovative and high-tech experience with their unified communications and SD-WAN management,” said Mike Frane, vice president of product management at Windstream Enterprise.

“Our philosophy is technology should make our customers’ lives easier and more efficient. We’re delivering on that goal by meeting our customers where they want to interact with us—on their portal, mobile device and now their digital assistant.”

Amazon introduces eero Pro 6 and eero 6, delivering Wi-Fi 6 performance

Amazon introduced the newest additions to the eero family—eero Pro 6 and eero 6. These all-new mesh wifi systems feature Wi-Fi 6, the latest technology delivering faster speeds, higher performance, and better support for simultaneously connected devices.

Getting fast, reliable coverage throughout your home is easy with the eero 6 series, which offers Wi-Fi 6 coverage for more than 75 devices simultaneously. Featuring a built-in Zigbee smart home hub, the eero 6 series connects compatible devices on your network so you don’t need a separate Zigbee hub.

Plus, eero Pro 6 and eero 6 work with your existing internet service, and are backward compatible with all eero generations, making it easy to expand or upgrade your network.

“Customers need reliable home wifi now more than ever. Many of us are working from home, helping kids with online learning, keeping in touch with friends and family, and streaming and gaming in 4K—often at the same time,” said Nick Weaver, Co-Founder and CEO of eero.

“The eero 6 series is the fastest eero series yet, giving our customers the speed and reliability of Wi-Fi 6 at an affordable price.”

Choose the right eero 6 system for you

With an elegant, compact design that blends into any décor, you can mix and match eero devices to create a custom system that’s right for your home. New options include:

  • eero Pro 6: Perfect for homes with Gigabit internet connections, a single eero Pro 6 is a tri-band, high-performance mesh Wi-Fi 6 router with two Ethernet ports and a built-in Zigbee smart home hub. A single eero Pro 6 covers up to 2,000 square feet. An eero Pro 6 two-pack includes two eero Pro 6 routers, covering up to 3,500 square feet. An eero Pro 6 three-pack includes three eero Pro 6 routers that connect wired or wirelessly to cover up to 6,000 square feet.
  • eero 6: Designed for homes with internet connections up to 500 Mbps, a single eero 6 is a dual-band mesh Wi-Fi 6 router with two Ethernet ports and a built-in Zigbee smart home hub. A single eero 6 covers up to 1,500 square feet. An eero 6 two-pack covers up to 3,000 square feet and includes an eero 6 mesh router and the all-new eero 6 mesh wifi extender. An eero 6 three-pack, which provides up to 5,000 square feet of coverage, includes an eero 6 and two eero 6 mesh wifi extenders.

All eero devices use TrueMesh technology to intelligently route network traffic to avoid congestion, buffering, and drop-offs so customers can stream in 4K, play games, and video conference with ease.

Simple setup

Setting up your eero 6 series takes just minutes using the in-app instructions. Simply unplug your old router, connect your eero 6 series router to your modem, sign in to the app, and you’re ready to go—no expertise required. And, once your new eero is up and running, you can also connect your smart home devices to your wifi network in fewer steps with Amazon’s Frustration Free Setup.

After linking your eero account with your Amazon account, compatible devices join the network instantly and stay connected when you change your network name or password. If you need help with your eero devices, access our free world-class customer support for the life of your eero products.

Seamlessly manage your smart home

With a built-in Zigbee smart home hub, the eero 6 series eliminates the need for additional Zigbee hubs. After you link your eero and Amazon accounts, Zigbee devices like smart lights, locks, plugs, and other compatible devices can connect directly to your eero network.

You can use the eero app to manage your network, pause the internet, share your network with friends or guests, and more—whether you’re at home or on-the-go. With the eero skill for Alexa, customers can use an Alexa-enabled device or the Alexa app to manage features with their voice using commands like, “Alexa, turn on the guest network.”

Safe and secure Wifi

eero is constantly working in the background to keep your network safe and secure. Traditional routers require customers to proactively search for, download, and install security updates.

With eero, automatic software updates provide the latest security patches, bug fixes, and feature upgrades. For additional peace of mind, you can add advanced security and privacy features and parental controls with eero Secure.

Or sign up for eero Secure+, which provides the additional protection of top-rated security apps like 1Password for password management, Malwarebytes for malware protection, and Encrypt.me for VPN for all your devices.

Amazon Delivery Drivers Hacking Scheduling System

Amazon drivers — all gig workers who don’t work for the company — are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are:

The phones in trees seem to serve as master devices that dispatch routes to multiple nearby drivers in on the plot, according to drivers who have observed the process. They believe an unidentified person or entity is acting as an intermediary between Amazon and the drivers and charging drivers to secure more routes, which is against Amazon’s policies.

The perpetrators likely dangle multiple phones in the trees to spread the work around to multiple Amazon Flex accounts and avoid detection by Amazon, said Chetan Sharma, a wireless industry consultant. If all the routes were fed through one device, it would be easy for Amazon to detect, he said.

“They’re gaming the system in a way that makes it harder for Amazon to figure it out,” Sharma said. “They’re just a step ahead of Amazon’s algorithm and its developers.”


About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.

Amazon establishes Counterfeit Crimes Unit with dedicated global team

Amazon announced it has established a new Counterfeit Crimes Unit, dedicated to bringing to justice counterfeiters who violate the law and Amazon’s policies by listing counterfeit products in its store.

Amazon’s Counterfeit Crimes Unit is a global, multi-disciplinary team composed of former federal prosecutors, experienced investigators, and data analysts, and will join Amazon’s extensive work to drive counterfeit to zero.

Amazon’s first objective is to prevent a counterfeit from ever being listed in its store, and its comprehensive proactive anti-counterfeit programs have ensured that 99.9% of all Amazon products viewed by customers did not have a valid counterfeit complaint.

In 2019, Amazon invested over $500 million and had more than 8,000 employees fighting fraud, including counterfeit. Amazon’s efforts have blocked over 6 billion suspected bad listings in 2019 and blocked over 2.5 million suspected bad actor accounts before they were able to make a single product available for sale.

Amazon’s Counterfeit Crimes Unit will investigate cases where a bad actor has attempted to evade Amazon’s systems and listed a counterfeit in violation of Amazon’s policies.

The Counterfeit Crimes Unit will mine Amazon’s data, cull information from external resources such as payment service providers and open source intelligence, and leverage on-the-ground assets to connect the dots between targets.

The Counterfeit Crimes Unit enables Amazon to more effectively pursue civil litigation against bad actors, work with brands in joint or independent investigations, and aid law enforcement officials worldwide in criminal actions against counterfeiters.

“Every counterfeiter is on notice that they will be held accountable to the maximum extent possible under the law, regardless of where they attempt to sell their counterfeits or where they’re located,” said Dharmesh Mehta, Vice President, Customer Trust and Partner Support, Amazon.

“We are working hard to disrupt and dismantle these criminal networks, and we applaud the law enforcement authorities who are already part of this fight. We urge governments to give these authorities the investigative tools, funding, and resources they need to bring criminal counterfeiters to justice because criminal enforcement – through prosecution and other disruption measures such as freezing assets – is one of the most effective ways to stop them.”

The new unit builds on Amazon’s established history of collaboration with brands and law enforcement to hold counterfeiters accountable through financial penalties, civil litigation, and criminal prosecution.

Amazon actively engages with authorities like the National Intellectual Property Rights Center (US), Europol (EU), and relevant enforcement authorities in China and around the world.

In May, Amazon identified counterfeiters based in Canada, China, Dominican Republic, Germany, India, Italy, Japan, Korea, Spain, United Arab Emirates, United Kingdom, and United States and referred each to relevant national authorities.

New technique protects consumers from voice spoofing attacks

Researchers from CSIRO’s Data61 have developed a new technique to protect consumers from voice spoofing attacks.

Fraudsters can record a person issuing commands to a voice assistant like Amazon Alexa or Google Assistant and replay the recording to impersonate that individual. They can also stitch recorded samples together to mimic a person’s voice and trick third parties.

Detecting when hackers are attempting to spoof a system

The new solution, called Void (Voice liveness detection), can be embedded in a smartphone or in voice assistant software. It works by identifying differences in spectral power between a live human voice and a voice replayed through a loudspeaker, which is how it detects that an attacker is replaying a recording to spoof the system.

Consumers use voice assistants to shop online, make phone calls, send messages, control smart home appliances and access banking services.

Muhammad Ejaz Ahmed, Cybersecurity Research Scientist at CSIRO’s Data61, said privacy preserving technologies are becoming increasingly important in enhancing consumer privacy and security as voice technologies become part of daily life.

“Voice spoofing attacks can be used to make purchases using a victim’s credit card details, control Internet of Things connected devices like smart appliances and give hackers unsolicited access to personal consumer data such as financial information, home addresses and more,” Mr Ahmed said.

“Although voice spoofing is known as one of the easiest attacks to perform as it simply involves a recording of the victim’s voice, it is incredibly difficult to detect because the recorded voice has similar characteristics to the victim’s live voice. Void is game-changing technology that allows for more efficient and accurate detection helping to prevent people’s voice commands from being misused”.

Relying on insights from spectrograms

Unlike existing voice spoofing detection techniques, which typically use deep learning models, Void was designed using insights from spectrograms — a visual representation of the spectrum of frequencies of a signal as it varies with time — to detect the ‘liveness’ of a voice.

This technique provides a highly accurate outcome, detecting attacks eight times faster than deep learning methods, and uses 153 times less memory, making it a viable and lightweight solution that could be incorporated into smart devices.

Void has been tested using datasets from Samsung and Automatic Speaker Verification Spoofing and Countermeasures challenges, achieving an accuracy of 99 per cent and 94 per cent for each dataset.
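The spectral-power idea behind Void can be made concrete with a toy replay detector. This is an added example written for this page, not CSIRO’s code and not Void’s actual feature set (Void combines several spectral features with a trained classifier). It synthesises a harmonic stand-in for a voice, passes a copy through a first-order low-pass filter standing in for a cheap loudspeaker and microphone chain, and compares the share of spectral power at or above 3 kHz. The filter model, the 3 kHz band edge, the 0.15 decision threshold and the synthetic signal are all assumptions chosen for the illustration.

```python
import math
import random

SAMPLE_RATE = 16000      # Hz, typical for voice-assistant audio front ends
N = 512                  # analysis window: 32 ms at 16 kHz
F0 = 250.0               # fundamental of the constructed "voice"; 64 samples per period,
                         # so every harmonic lands exactly on a DFT bin (no leakage)
HIGH_BAND_HZ = 3000.0    # feature: share of power at or above this frequency (assumption)
LIVE_THRESHOLD = 0.15    # illustrative decision threshold (assumption, not Void's)


def synth_live(seed=1):
    """Constructed stand-in for a live voice: harmonics of F0 up to 7 kHz with a
    gentle 1/sqrt(k) amplitude tilt plus a little sensor noise. Not real speech."""
    rng = random.Random(seed)
    out = []
    for n in range(N):
        t = n / SAMPLE_RATE
        v = sum(math.sin(2 * math.pi * F0 * k * t) / math.sqrt(k) for k in range(1, 29))
        out.append(v + rng.gauss(0.0, 0.05))
    return out


def replay_through_speaker(sig, cutoff_hz=2500.0):
    """Model a cheap loudspeaker/microphone chain as a first-order RC low-pass
    filter (an assumption; real chains also add resonances and distortion)."""
    dt = 1.0 / SAMPLE_RATE
    rc = 1.0 / (2 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    y, out = 0.0, []
    for x in sig:
        y += alpha * (x - y)      # y[n] = y[n-1] + alpha * (x[n] - y[n-1])
        out.append(y)
    return out


def power_spectrum(sig):
    """One-sided power spectrum (bins 0 .. fs/2) via a plain O(N^2) DFT, so the
    example needs nothing beyond the standard library."""
    n = len(sig)
    spec = []
    for k in range(n // 2):
        re = im = 0.0
        for t, x in enumerate(sig):
            ang = 2 * math.pi * k * t / n
            re += x * math.cos(ang)
            im -= x * math.sin(ang)
        spec.append(re * re + im * im)
    return spec


def high_band_ratio(sig):
    """Fraction of total spectral power located at or above HIGH_BAND_HZ.
    Replay through a band-limited speaker pushes this ratio down."""
    spec = power_spectrum(sig)
    bin_hz = SAMPLE_RATE / len(sig)
    first_high = int(math.ceil(HIGH_BAND_HZ / bin_hz))
    total = sum(spec)
    return sum(spec[first_high:]) / total if total else 0.0


def is_live(sig):
    """Liveness decision: enough high-frequency power to look like a direct human voice."""
    return high_band_ratio(sig) >= LIVE_THRESHOLD


if __name__ == "__main__":
    live = synth_live()
    replayed = replay_through_speaker(live)
    for name, s in (("live", live), ("replayed", replayed)):
        verdict = "LIVE" if is_live(s) else "REPLAY"
        print(f"{name:9s} high-band power ratio = {high_band_ratio(s):.3f} -> {verdict}")
```

With the constructed signal the live window keeps roughly 23% of its power above 3 kHz while the replayed copy keeps about 6%, so a single threshold separates them. A real deployment cannot rely on one such feature: a high-fidelity speaker narrows the gap, and an attacker who knows the feature can pre-emphasise high frequencies before replaying, which is why Void combines several spectral cues rather than one.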

Research estimates that by 2023, as many as 275 million voice assistant devices will be used to control homes across the globe — a growth of 1000 percent since 2018.

How to protect data when using voice assistants

Dr Adnene Guabtni, Senior Research Scientist at CSIRO’s Data61, shares tips for consumers on how to protect their data when using voice assistants:

  • Always change your voice assistant settings to only activate the assistant using a physical action, such as pressing a button.
  • On mobile devices, make sure the voice assistant can only activate when the device is unlocked.
  • Turn off all home voice assistants before you leave your house, to reduce the risk of successful voice spoofing while you are out of the house.
  • Voice spoofing requires hackers to get samples of your voice. Make sure you regularly delete any voice data that Google, Apple or Amazon store.
  • Try to limit the use of voice assistants to commands that do not involve online purchases or authorizations – hackers or people around you might record you issuing payment commands and replay them at a later stage.

Would you trust Amazon Alexa more if given the option to adjust privacy settings?

Giving users of smart assistants the option to adjust settings for privacy or content delivery, or both, doesn’t necessarily increase their trust in the platform, according to a team of Penn State researchers. In fact, for some users, it could have an unfavorable effect.

Trust in Amazon Alexa

Trust in Amazon Alexa went up for regular users who were given the option to adjust their privacy and content settings, the researchers found in a recent study. However, for power users – individuals whose skills and expertise are more advanced than others – trust went down when they were given the opportunity to make privacy setting adjustments.

“That’s kind of counterintuitive,” said S. Shyam Sundar, James P. Jimirro Professor of Media Effects and co-director of the Media Effects Research Laboratory (MERL) at Penn State. “The mere presence of privacy settings seems to trigger thoughts of potential privacy problems among those who are aware of such loopholes in communication technologies.”

He added, “Once you give power users these options and they realize [that privacy settings are] actually controllable, they tend to panic and see the between-the-lines message rather than see customization for what it is, which is really a benevolent effort to provide more user control.”

Content customization

Another major finding of the study showed that users who were sensitive about their privacy found content less credible when given the option to customize their privacy settings. However, trust in the content increased when these users were also given the opportunity to customize that content.

“It is really interesting to see that content customization, which is unrelated to privacy, alleviated the negative priming effects of adjusting privacy settings,” said Eugene Cho, doctoral student in mass communications and lead author on the team’s paper. “The empowering effect of customization noticed in our other studies extends to smart speaker interactions and to the context of privacy.”

But, the quality of content customization services could be impacted by privacy customization settings, said Saeed Abdullah, assistant professor in the College of Information Sciences and Technology and a collaborator on the project. This concept is similar to other artificial-intelligence algorithms that draw on user history to drive personalized content on well-known platforms, such as suggesting the next movie to watch on Netflix or products to buy on Amazon.

“For example, if you delete your user history or your audio recordings from Alexa, it might mean that the platform cannot personalize its offerings very well for you,” Abdullah said. “Some people might like them, as some people like to have the best recommendations from the systems. And in that case, they might not take advantage of the privacy options.”

He added, “So in other words, the differences between individuals and their perceived expectations of these systems mean that people will use privacy settings in a different way. That’s why providing control is so important.”

Smart speakers privacy infringement concerns

As smart speakers become more common, there’s increased concern about the degree to which the devices could be infringing on users’ privacy. The researchers hope that their work will inform designers and service providers to consider incorporating various content customization options to lower mistrust in content and relieve privacy concerns.

“If users want the devices to function the way they’re supposed to function, they are supposed to always be on,” Sundar said. “I feel like we’ve reached a point in our cultural conversation about the acceptability of having these kinds of devices in our homes, and to what extent we are comfortable.”

“Our findings can help us to better design smarter, more privacy-sensitive and more trustworthy smart speakers in the future,” added Abdullah.

In the study, 90 participants were recruited to interact with Amazon Alexa through an Amazon Echo device by asking several health-related questions. In the first part of the study, half of the users were randomly given the opportunity to customize their privacy settings – such as deleting their voice recordings – while the others were not. Then, another random half of the sample was able to customize their content – such as adjusting speed or content length, or selecting the source of information – while the other half was not afforded the opportunity.

Vulnerability allows attackers to register malicious lookalikes of legitimate web domains

Cybercriminals were able to register malicious generic top-level domains (gTLDs) and subdomains imitating legitimate, prominent sites because Verisign and several IaaS services allowed the use of Unicode characters that look very much like ordinary Latin letters, according to Matt Hamilton, principal security researcher at Soluble.

To demonstrate the danger of these policies, he registered 25+ domains that resemble a variety of popular domains by using a mix of Latin and Unicode Latin IPA homoglyph characters.

“This vulnerability is similar to an IDN Homograph attack and presents all the same risks. An attacker could register a domain or subdomain which appears visually identical to its legitimate counterpart and perform social-engineering or insider attacks against an organization,” he pointed out.

Some homograph domains had already been registered

During this research he also discovered that, since 2017, more than a dozen homograph domains imitating prominent financial, internet shopping, technology, and other Fortune 100 sites have had active HTTPS certificates, meaning they had already been registered and put to use.

“There is no legitimate or non-fraudulent justification for this activity (excluding the research I conducted for this responsible disclosure),” Hamilton noted, and posited that this technique was used in highly targeted social-engineering campaigns.

He also found that Google, for example, allows the registration of storage bucket names that use Unicode Latin IPA Extension homoglyph characters. It even allows the registration of subdomains that mix scripts (e.g., Latin and Cyrillic characters), the very pattern that mixed-script restrictions in browsers and registries exist to block.

Mitigation and remediation

Hamilton contacted Verisign (which runs the .com and .net domains) and Google, Amazon, Wasabi and DigitalOcean (IaaS providers) in late 2019 and shared his discovery.

Everyone confirmed the receipt of the responsible disclosure report, but only Amazon and Verisign (so far) did something about the problem.

“Safeguarding the stability, security and resiliency of the critical infrastructure we operate is our top priority. While the underlying issue described by Mr. Hamilton is well understood by the global Internet community – and is the subject of active policy development by ICANN – we appreciate him providing additional timely details about how this issue may be exploited,” a Verisign spokesperson noted.

“Although we understand that ICANN has been on a path to address these issues globally, we have also proactively updated our systems and obtained the necessary approval from ICANN to implement the changes to the .com and .net top-level domains required to prevent the specific types of confusable homograph registrations detailed in Mr. Hamilton’s report.”

Amazon changed its S3 bucket name validation policy to reject bucket names beginning with the punycode prefix “xn--”. Because any label containing non-ASCII characters takes that prefix in its ASCII-compatible encoding, this single rule blocks these and all other Unicode homoglyphs at once.

Hamilton also pointed out that any TLD which allows Latin IPA characters is likely affected by this vulnerability, but that the majority of the most popular sites on the internet use gTLDs (namely .com).
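The checks a defender can run against a candidate hostname, as an added Python example that is not Hamilton’s or Soluble’s tool: whether any label is non-ASCII (and so takes the “xn--” ACE form that Amazon’s S3 check now rejects), whether it contains characters from the Unicode IPA Extensions block, whether a single label mixes scripts (the Latin and Cyrillic case Google still permitted), and whether mapping known confusables back to ASCII yields one of your own domains. The confusables table is a small constructed subset; a real deployment would load the full Unicode confusables.txt. Applying Amazon’s “xn--” rule per label is my reading of the policy described above.

```python
import unicodedata

# Small constructed confusables table: look-alike character -> ASCII letter imitated.
# The real Unicode confusables.txt is far larger; this is only enough for the demo.
CONFUSABLES = {
    "\u0261": "g",  # ɡ LATIN SMALL LETTER SCRIPT G (IPA Extensions block)
    "\u0251": "a",  # ɑ LATIN SMALL LETTER ALPHA (IPA Extensions block)
    "\u0269": "i",  # ɩ LATIN SMALL LETTER IOTA (IPA Extensions block)
    "\u0131": "i",  # ı LATIN SMALL LETTER DOTLESS I
    "\u0430": "a",  # а CYRILLIC SMALL LETTER A
    "\u0435": "e",  # е CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # о CYRILLIC SMALL LETTER O
    "\u0440": "p",  # р CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # с CYRILLIC SMALL LETTER ES
}

IPA_EXTENSIONS = range(0x0250, 0x02B0)  # code points of the Unicode "IPA Extensions" block


def to_ace(label):
    """ASCII-compatible encoding of one label: unchanged if already ASCII,
    otherwise 'xn--' followed by the label's punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def scripts_in(label):
    """Scripts present in a label, read off the first word of each character's
    Unicode name (LATIN, CYRILLIC, GREEK, ...). Digits and '-' are script-neutral."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split()[0] if name else "UNKNOWN")
    return scripts


def skeleton(label):
    """Replace each known confusable with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze(hostname, protected):
    """Flag the homograph indicators discussed in the article for one hostname.
    `protected` is the set of your own (ASCII) domains to compare skeletons against."""
    hostname = hostname.lower().rstrip(".")
    labels = hostname.split(".")
    flags = set()
    for label in labels:
        if not label.isascii():
            flags.add("non_ascii_label")          # would be registered as xn--...
        if any(ord(ch) in IPA_EXTENSIONS for ch in label):
            flags.add("ipa_extension")            # Latin IPA homoglyphs: same script, so
                                                  # a mixed-script check alone misses them
        if len(scripts_in(label)) > 1:
            flags.add("mixed_script")             # e.g. Latin + Cyrillic in one label
    skel = ".".join(skeleton(l) for l in labels)
    resembles = skel if (skel != hostname and skel in protected) else None
    if resembles:
        flags.add("confusable_with_protected")
    return {
        "ace": ".".join(to_ace(l) for l in labels),
        "flags": sorted(flags),
        "resembles": resembles,
    }


def s3_bucket_name_allowed(name):
    """Mirror of the policy described above: refuse any bucket name whose ACE form
    begins with 'xn--'. Rejecting the literal prefix also catches names submitted
    already in punycode."""
    return not any(to_ace(l).startswith("xn--") for l in name.lower().split("."))


if __name__ == "__main__":
    protected = {"google.com", "paypal.com"}
    for host in ("google.com", "\u0261oogle.com", "p\u0430ypal.com"):
        print(host, analyze(host, protected))
    for bucket in ("my-bucket", "\u0261oogle-backups", "xn--oogle-qmc"):
        print(bucket, "allowed" if s3_bucket_name_allowed(bucket) else "rejected")
```

Note what the mixed-script check alone misses: “ɡoogle.com” spelled with U+0261 is entirely Latin script, so only the IPA Extensions block check or the skeleton comparison catches it, which is the gap Hamilton’s report describes.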

He advises users who discover that someone has registered a homograph of one of their domains to submit an abuse report to the appropriate organization.

He has also promised to soon make available a tool that will help organizations generate homographs for their domains and discover whether they’ve been registered in the last few years.

The 25 most impersonated brands in phishing attacks

PayPal remains the top brand impersonated in phishing attacks for the second quarter in a row, with Facebook taking the #2 spot and Microsoft coming in third, according to Vade Secure.

Leveraging data from more than 600 million protected mailboxes worldwide, Vade’s machine learning algorithms identify the brands being impersonated as part of its real-time analysis of the URL and page content.

PayPal reigns supreme, again

For the second straight quarter, PayPal was the most impersonated brand in phishing attacks. While PayPal phishing was down 31% compared to Q3, the volume was up 23% year over year. With a daily average of 124 unique URLs, PayPal phishing is a prevalent threat targeting both consumers and SMB employees.

Illegitimate notes and file sharing keep Microsoft phishing in the spotlight

Microsoft remained the primary corporate target in Q4, coming in at #3 on this quarter’s Phishers’ Favorites list. With 200 million active business users and counting, Office 365 continues to be the primary driver for Microsoft phishing.

Cybercriminals seek O365 credentials in order to access sensitive corporate information and use compromised accounts to launch targeted spear phishing attacks on other employees or partners.

In Q4, large volumes of file-sharing phishing were still seen, including fake OneDrive/SharePoint notifications leading directly to a phishing page and legitimate notifications leading to files containing phishing URLs. There’s also the emergence of note phishing impersonating services like OneNote and Evernote.

While the campaigns are similar, the key difference is that OneNote or Evernote notes are not files, but rather HTML pages. Thus, the same technology that is used by email security vendors to scan the contents of files doesn’t work with HTML pages, which means these emails have a higher likelihood of reaching users’ inboxes.

Cybercriminals target your money, but impersonate smaller banks

For the second quarter in a row, financial services companies accounted for the most brands and most URLs in the Phishers’ Favorites report. A difference in Q4, however, is that there was a shift towards phishing customers of smaller banks.

One reason for this could be that while large banks have invested in building out security operations centers, incident response and takedown procedures to limit phishing campaigns impersonating their brand, smaller banks may not have the same level of controls in place.

Additional key findings

  • Netflix (#4), WhatsApp (#5), Bank of America (#6), CIBC (#7), Desjardins (#8), Apple (#9) and Amazon (#10) rounded out the top 10 most impersonated brands.
  • Despite having only three brands in the top 25, social media increased its share of phishing URLs from 13.1% in Q3 to 24.1% in Q4 2019. This growth was driven by WhatsApp, which shot up 63 spots to #5, and Instagram, which rose 16 spots to #13.
  • Netflix phishing had been a model of consistency, growing for six consecutive quarters, but that trend reversed abruptly in Q4, with a 50.2% drop in unique phishing URLs. In fact, the 6,758 Netflix phishing URLs detected in Q4 was the lowest total since Q2 2018.
  • For the first time in Phishers’ Favorites history, Friday was the top day overall for phishing emails, followed closely by Thursday. Tuesday, Wednesday and Monday took the middle three spots. As usual, Saturday and Sunday were at the bottom.

“When it comes to phishing in particular and cyberattacks in general, change is the only constant,” said Adrien Gendre, Chief Solution Architect at Vade Secure.

“Threats are evolving rapidly and they are becoming more and more credible to end users. This underscores the need for a comprehensive approach to email security combining threat detection, post-delivery remediation and on-the-fly user training as the last line of defense.”

Most impersonated brands in phishing attacks

The complete list of the 25 most impersonated brands in phishing attacks compiled by Vade Secure is available in the full Phishers’ Favorites Q4 2019 report.

Amazon, Apple, Google and Zigbee Alliance to develop a royalty-free connectivity standard

Amazon, Apple, Google, and the Zigbee Alliance, announced a new working group that plans to develop and promote the adoption of a new, royalty-free connectivity standard to increase compatibility among smart home products, with security as a fundamental design tenet.

Zigbee Alliance board member companies such as IKEA, Legrand, NXP Semiconductors, Resideo, Samsung SmartThings, Schneider Electric, Signify (formerly Philips Lighting), Silicon Labs, Somfy, and Wulian are also on board to join the working group and contribute to the project.

The goal of the Connected Home over IP project is to simplify development for manufacturers and increase compatibility for consumers. The project is built around a shared belief that smart home devices should be secure, reliable, and seamless to use.

By building upon Internet Protocol (IP), the project aims to enable communication across smart home devices, mobile apps, and cloud services and to define a specific set of IP-based networking technologies for device certification.

The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol. The project intends to use contributions from market-tested smart home technologies from Amazon, Apple, Google, Zigbee Alliance, and others.

The decision to leverage these technologies is expected to accelerate the development of the protocol and deliver benefits to manufacturers and consumers faster.

The project aims to make it easier for device manufacturers to build devices that are compatible with smart home and voice services such as Amazon’s Alexa, Apple’s Siri, Google’s Assistant, and others.

The planned protocol will complement existing technologies, and working group members encourage device manufacturers to continue innovating using technologies available today.

Project Connected Home over IP welcomes device manufacturers, silicon providers, and other developers from across the smart home industry to participate in and contribute to the standard.

Some junk for sale on Amazon is very literally garbage, report finds

The Amazon logo at the entrance of a logistics center in France, July 2019.

Some days it seems like searching for an item on Amazon just brings up endless pages of junk with no clear pattern. There’s a reason for that, it turns out: dumpster divers are, in fact, literally reselling discarded junk.

Resellers hunt through trash to find and repair treasures, the Wall Street Journal reported today. Those sellers, for understandable reasons, mostly didn’t want to talk to the WSJ, so reporters for the paper tried it themselves.

Writers went digging through the trash in New Jersey and came up with dozens of items to sell, such as “a stencil set, scrapbook paper, and a sealed jar of Trader Joe’s lemon curd.” Setting up a storefront and listing the items for sale was “easy,” the WSJ said.

Amazon’s screening process seemed to be haphazard, the paper added:

After a later dumpster dive, the Journal was able to go through almost all of the listing process with salvaged breath mints, sunflower seeds, marmalade, crispbread, fig fruit butter, olives, a headband and a Halloween mask—stopping just short of shipping them to the Amazon warehouse, which is required for an item to appear for purchase on the site.

To list a sunscreen lotion, Amazon asked for a safety-data sheet. Attempts to list a protein powder, a pea-powder dietary supplement and a face sheet mask—all from the dive—elicited a request from Amazon for proof of purchase.

Nothing in Amazon’s rules prevented “salvaged” items from being resold, at the time. The policies do require that most goods be new, but the rules also allow for certain product categories to be sold used, including books and electronics, as long as those listings are clear about those items being used.

Amazon updated its seller policies after the WSJ contacted the company about this story to include a prohibition on items “intended for destruction or disposal or otherwise designated as unsellable by the manufacturer or a supplier, vendor, or retailer.”

“Sellers are responsible for meeting Amazon’s high bar for product quality,” a company spokesperson told the WSJ, adding that the company was investigating and such stores were “isolated incidents.”

Not so high a bar

The Amazon sellers who find and repair or clean and sell usable goods from the trash are not a new phenomenon. Any flea market, secondhand shop, or closeout store features “found” items, some of which genuinely are surprisingly high-quality, like-new finds. These sellers are just taking the business model online.

But consumer expectations at a flea market are very different from consumer expectations at Amazon. Most shoppers are going to expect that an item “fulfilled by Amazon” (as many third-party items are) is delivered by an Amazon Prime-branded van, dispatched from an Amazon warehouse, and actually new—especially when it’s described that way on a product page.

Amazon consumers, though, are increasingly having to get used to shopping at their own risk. Counterfeit items, especially imported ones, are rampant on the site, as are listings for recalled, unsafe, or defective goods.

The WSJ analyzed about 45,000 shopper comments left on product listings in 2018 and 2019 and found 8,400 comments on 4,300 food, makeup, and over-the-counter drug items making reference to “unsealed, expired, moldy, unnaturally sticky, or problematic” goods. Of those 4,300 products, 544 had “Amazon’s Choice” flags promoting them to consumers in search results.

Update: Amazon contacted Ars to repeat the statements it issued to the WSJ. The company also added that any “negligent and potentially illegal activity” by some seller is “unfair to the vast majority” of sellers on the site. Additionally, the company says it has “expanded the scope of our existing supply-chain verification efforts including increased spot checks of source documentation to ensure seller compliance with our policies.”

Amazon also said, “sourcing items from the trash has always been inconsistent with Amazon’s high expectations of its sellers and prohibited by the Seller Code of Conduct on Amazon, which requires that sellers act fairly and honestly to ensure a safe buying and selling experience.”

Amazon bans third-party merchants from shipping with FedEx

Amazon’s going to need some bigger boxes to ship those Outpost racks next year.

If you’re cramming last-minute Christmas or Hanukkah shopping online ahead of next week’s holidays, and it absolutely, positively has to be there overnight, don’t count on FedEx being the service to get it there for you. Not only is Amazon no longer working with the carrier, but now third-party merchants are banned from using the service, too.

The Wall Street Journal obtained a copy of a message Amazon sent to its third-party vendors Sunday night explaining the prohibition. Starting this week, marketplace vendors offering Prime shipments will not be allowed to use FedEx Ground or Home services. This ban will persist “until the delivery performance of these ship methods improves.”

Third-party retailers accounted for about 58% of Amazon’s retail activity in 2018, company CEO Jeff Bezos said earlier this year, and sold a cumulative $160 billion worth of goods. The vendor marketplace is on track to be at least as large a share of Amazon’s retail business in 2019.

FedEx ended its last domestic contract with Amazon in August in part due to that in-house business. High-volume shippers such as Amazon “are developing and implementing in-house delivery capabilities and utilizing independent contractors for deliveries, and may be considered competitors,” FedEx wrote in an investor document earlier this year. The company added that Amazon in particular is “investing significant capital to establish a network of hubs, aircraft, and vehicles.”

A FedEx representative told the WSJ that the impact to the shipping firm is “minuscule,” while admitting that Amazon’s directive “limits the options for those small businesses on some of the highest shipping days in history.”

Marketplace sellers selling items marked for Amazon Prime delivery can use UPS services, FedEx’s Express service (which is pricey), or Amazon’s own in-house logistics business (which the company heavily encourages vendors to use). That encouragement is so heavy, in fact, that at least one merchant has complained to Congress that the shipping business should be considered one of Amazon’s many potential antitrust violations.

Wave of Ring surveillance camera hacks tied to podcast, report finds

An Amazon Ring security camera on display during an unveiling event on Thursday, Sept. 20, 2018.

A series of creepy Ring camera intrusions, including one where a stranger sang to an 8-year-old child and said he was Santa Claus, may be linked through a forum and associated livestream podcast, a new report finds.

The cluster of hacks, first reported by local media outlets, have become national news in the past few days. In all the cases, some bad actor accessed indoor Ring cameras (not doorbells) and used them to harass, intimidate, or attempt to extort the residents.

One family in Florida suddenly heard racist commentary about their teenage son coming from their Ring camera on Sunday night. On Monday, someone yelled at a couple in Georgia to “wake up.” Another family, in Tennessee, heard a voice taunting their daughter through a camera in their kids’ room on Tuesday. And in Texas yesterday, someone tried to demand a ransom to exit the household camera system, telling the homeowners to pay 50 bitcoin (roughly $360,000).

In all the cases, the residents stopped the intrusions by unplugging or removing the batteries from their devices, successfully cutting off access to them.

In response to the incidents, Ring said it had not suffered any kind of breach or intrusion and urged subscribers not to use account credentials that could have been stolen in one of the thousands of other data breaches that happen in any given year. That’s excellent advice for all services, as far as it goes, as is enabling two-factor authentication on any service that supports it (which Ring does), particularly as cameras have been easy targets for years. In at least one instance, however, the camera owner said her Ring account used a specific passphrase she has not associated with any previous accounts.
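Ring's explanation is credential stuffing: passwords leaked from other services replayed against Ring logins. On the service side that pattern is visible in authentication logs before any victim hears a stranger through a camera. The following is an added example, not Ring's code or anything from the Motherboard reporting: it parses a small constructed auth log (RFC 5737 test addresses, example.com users, a made-up line format) and flags source IPs that hit many distinct accounts with a low success rate, then lists the accounts that nevertheless succeeded from such an IP, which are the ones to lock and push through a reset and 2FA enrolment.

```python
import re
from collections import defaultdict

# Constructed authentication log for this example (RFC 5737 test addresses, example.com users).
SAMPLE_AUTH_LOG = """\
2019-12-11T02:14:01Z ip=203.0.113.7 user=alice@example.com result=fail
2019-12-11T02:14:02Z ip=203.0.113.7 user=bob@example.com result=fail
2019-12-11T02:14:03Z ip=203.0.113.7 user=carol@example.com result=success
2019-12-11T02:14:04Z ip=203.0.113.7 user=dan@example.com result=fail
2019-12-11T02:14:05Z ip=203.0.113.7 user=eve@example.com result=fail
2019-12-11T02:14:06Z ip=203.0.113.7 user=frank@example.com result=fail
2019-12-11T02:14:07Z ip=203.0.113.7 user=grace@example.com result=fail
2019-12-11T02:14:08Z ip=203.0.113.7 user=heidi@example.com result=fail
2019-12-11T02:20:15Z ip=198.51.100.20 user=ivan@example.com result=fail
2019-12-11T02:20:31Z ip=198.51.100.20 user=ivan@example.com result=success
2019-12-11T02:25:02Z ip=198.51.100.21 user=judy@example.com result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(\S+)$")


def parse_auth_log(text):
    """Turn the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, result = m.groups()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "success"})
    return events


def detect_credential_stuffing(events, min_distinct_users=5, max_success_rate=0.5):
    """Flag source IPs that try many distinct accounts with a low success rate.

    A user mistyping a password touches one account from one IP. A stuffing run
    replays a breach list, so one IP touches many accounts and mostly fails; the
    few that succeed are reused passwords and need a reset, not just a block.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fail": 0, "success": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        if e["ok"]:
            s["success"] += 1
            s["hits"].add(e["user"])
        else:
            s["fail"] += 1

    flagged_ips, at_risk = {}, set()
    for ip, s in per_ip.items():
        attempts = s["fail"] + s["success"]
        rate = s["success"] / attempts
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            flagged_ips[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": attempts,
                "success_rate": round(rate, 3),
            }
            at_risk |= s["hits"]
    return {"flagged_ips": flagged_ips, "at_risk_accounts": sorted(at_risk)}


if __name__ == "__main__":
    print(detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)))
```

The thresholds are assumptions to tune per service; in production the aggregation would be windowed by time and keyed on more than source IP, since stuffing tools rotate through proxies, but the distinct-accounts-per-source signal is the one that separates an attacker from a forgetful user.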

Nulled

Cheap tools for accessing Ring illicitly are plentiful and easy to get, reporters for Vice Motherboard found yesterday. The reporters also found a reason so many incidents using those tools are popping up all at once: the NulledCast.

The NulledCast is livestreamed on Discord, Motherboard explains, and it’s connected to the forum (also called Nulled) where the tools for accessing Ring cameras are sold and traded. Motherboard continues:

“Sit back and relax to over 45 minutes of entertainment,” an advertisement for the podcast posted to a hacking forum called Nulled reads. “Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live.”

Motherboard was able to see a message from a now-deleted thread saying, in part, “Hello everyone. As you probably have heard, I was featured on the news for a stunt I pulled,” apparently linked to one of the media reports. The national spotlight is, however, more attention than the Ring hackers apparently wanted to draw. Motherboard found that, since yesterday, posts in the forum relating to Ring hacking have apparently been deleted, as has some content from the Discord server.

As of Wednesday, members of the server insisted that the livestream would be continuing with another installment on Friday. Earlier this afternoon, however, Motherboard reporter Joseph Cox (no relation) said on Twitter that Discord banned the server and all its users. That said, the Internet being what it is, they are likely to pop up somewhere else before long.

Uploaded Ring footage reportedly provides location to the square inch

A Ring camera doorbell.

Amazon’s aggressive push to grow its surveillance-camera company Ring is working, and adoption has skyrocketed in the past two years thanks to deals with hundreds of police departments. A new set of reports highlights the ways Amazon convinces police to join those partnerships—and the amount of data that users can inadvertently reveal.

Integral to the Ring system is an app called Neighbors, kind of like an over-eager Nextdoor with everything except the crime stripped out. Neighbors generates a map of your local area, based on your address, and then populates it with crime reports. Those reports include comments from other Neighbors users, as well as reports of burglaries, vehicle break-ins or theft, shots fired or shootings, stabbings, hostages taken, and arson imported from real-time 911 dispatcher data.

Anyone can install the app and create an account, but owners of Ring devices can also upload video snippets to the service, either when they have something they want to share or when police request it using the companion portal for law enforcement. Gizmodo this week published a new report delving into video data available on Neighbors to identify precisely how many Ring cameras are deployed, and where.

Too many to count

Gizmodo conducted its analysis in November, using videos posted to Neighbors in the previous 500 days—since right around July 1, 2018, give or take. The report managed to grab the precise locations of about 20,000 Ring cameras in nine-square-mile zones of 15 different US cities. Gizmodo adds that the reporters don’t actually know how many camera locations they could have obtained, because they stopped collecting the data once they had enough information to generate their report.

In a location selected at random in Washington, DC, for example, Gizmodo was able to identify at least 1,863 unique Ring cameras that had uploaded video to Neighbors during the 500-day window. In their 9-square-mile sample of Los Angeles, they found at least 5,016 Ring cameras; in Denver, 1,788.

Gizmodo writes:

Examining the network traffic of the Neighbors app produced unexpected data, including hidden geographic coordinates that are connected to each post—latitude and longitude with up to six decimal points of precision, accurate enough to pinpoint roughly a square inch of ground.

Many of those coordinates were indeed right in front of someone’s house, a few feet away from the location of the camera. Some were near intersections; the farthest Gizmodo identified was about 260 feet. However, they note, backtracking to find the camera that captured footage is “trivial” in person, when armed with the video and the coordinates, and reporters basically drove or walked up to people’s houses to prove it.
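A practitioner's check on the precision claim: one unit in the sixth decimal place of a latitude is about 11 cm of ground (roughly 4 inches), and somewhat less east-west away from the equator, so "a square inch" overstates it slightly, but it is still far finer than a house lot. The following is an added example, not Gizmodo's or Ring's code: it computes the ground resolution of a given number of decimal places, the great-circle distance between two coordinates, and the coarsening a service could apply before exposing coordinates in API responses. The sample coordinate is a constructed point in Washington, DC, not a real camera, and the spherical Earth radius is an assumed approximation.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (assumed spherical model)
METRES_PER_DEG_LAT = 2 * math.pi * EARTH_RADIUS_M / 360.0  # about 111,195 m


def ground_resolution_m(decimal_places, lat_deg=0.0):
    """Metres spanned by one unit of the last decimal place of a lat/long pair.

    Returns (north-south, east-west). Latitude spacing is nearly constant;
    longitude spacing shrinks with cos(latitude).
    """
    step_deg = 10.0 ** (-decimal_places)
    ns = step_deg * METRES_PER_DEG_LAT
    ew = ns * math.cos(math.radians(lat_deg))
    return ns, ew


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/long points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon, decimal_places):
    """Round a coordinate pair to the given precision before publishing it.

    Three decimals (~111 m) still supports a neighbourhood map but no longer
    identifies a single front door.
    """
    return round(lat, decimal_places), round(lon, decimal_places)


# Constructed sample: a point in Washington, DC at six decimal places (not a real camera).
SAMPLE_LAT, SAMPLE_LON = 38.907234, -77.036912

if __name__ == "__main__":
    for dp in (6, 5, 4, 3, 2):
        ns, ew = ground_resolution_m(dp, SAMPLE_LAT)
        print(f"{dp} decimals: {ns:8.3f} m N-S, {ew:8.3f} m E-W at {SAMPLE_LAT:.1f}N")
    cl, co = coarsen(SAMPLE_LAT, SAMPLE_LON, 3)
    err = haversine_m(SAMPLE_LAT, SAMPLE_LON, cl, co)
    print(f"3-decimal rounding moves the published point by {err:.1f} m")
```

Rounding is the minimum change; a service that wants to keep the map useful without exposing homes would also snap to a grid cell or add a per-post random offset, since rounding alone still leaks which ~100 m cell a camera sits in.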

Ring did not refute Gizmodo’s location findings, the site reports. Instead, the company said, “Only content that a Neighbors user chooses to share on the Neighbors App is publicly accessible through the Neighbors App or by your local law enforcement.”

Gizmodo also spoke with a researcher at the Massachusetts Institute of Technology who has used several years’ worth of video posted to Neighbors to make a similar map. He has so far pinpointed the locations of about 440,000 Ring cameras.

What privacy?

When neighborhoods are blanketed with surveillance cameras, the privacy implications are profound. And because these cameras belong to individuals, there are few if any restrictions on what footage can be captured or used.

In Washington, DC, for example, Gizmodo notes that at least 13 active Ring cameras line the path between one public charter school for grades 6-12 and the soccer field its students use. Gizmodo also found several dozen instances of DC residents using Neighbors to share videos of children. Some of the kids in question were reportedly doing such activities as riding bicycles and taking selfies. Not exactly striking threats to public safety—but in a densely urban environment such as the District of Columbia, perhaps the homeowners simply did not have lawns to tell the kids to get off of.

Security and surveillance experts voiced concerns to Gizmodo that such a web of cameras could easily track individuals going into or out of “sensitive buildings.” So the reporters looked and did indeed find at least one health clinic that provides abortion services within “unnerving proximity” to some Ring cameras, as well as a legal office handling immigration and refugee cases. Having footage showing individuals going to those sorts of facilities uploaded to a platform like Neighbors and becoming widespread could actually put individuals’ lives in danger.

State ignored worker death to lure Amazon business, report says

The Amazon logo at the entrance of a logistics center in France, July 2019. (credit: Denis Charlet | AFP | Getty)

Reports of poor and unsafe working conditions within Amazon’s sprawling web of warehouses have been surfacing for years. A new report alleges that not only did conditions in one Indiana warehouse lead to a worker’s death in 2017 but also that state authorities manipulated a report on the matter in a futile attempt to bring Amazon’s much-vaunted “HQ2” to town.

Amazon worker Phillip Lee Terry was crushed and killed in September 2017 while performing maintenance on a forklift at Amazon’s Plainfield, Indiana, fulfillment center, according to a recent report from the Center for Investigative Reporting. While investigating Terry’s death, Indiana regulators found that he had never been given formal safety training that could have prevented the incident.

“The safety issues I’ve brought up have been dismissed and not dealt with,” another worker at the Plainfield facility told the safety inspector from Indiana’s OSHA department. “There’s no training, there’s no safety, it’s ‘Get ‘er done.'” Ultimately, the department issued four citations to Amazon, totaling $28,000 in penalties.
