Manipulating Systems Using Remote Lasers

Many systems are vulnerable:

Researchers at the time said that they were able to launch inaudible commands by shining lasers — from as far as 360 feet — at the microphones on various popular voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant.

[…]

They broadened their research to show how light can be used to manipulate a wider range of digital assistants — including Amazon Echo 3 — but also sensing systems found in medical devices, autonomous vehicles, industrial systems and even space systems.

The researchers also delved into how the ecosystem of devices connected to voice-activated assistants — such as smart-locks, home switches and even cars — also fail under common security vulnerabilities that can make these attacks even more dangerous. The paper shows how using a digital assistant as the gateway can allow attackers to take control of other devices in the home: Once an attacker takes control of a digital assistant, he or she can have the run of any device connected to it that also responds to voice commands. Indeed, these attacks can get even more interesting if these devices are connected to other aspects of the smart home, such as smart door locks, garage doors, computers and even people’s cars, they said.

Another article. The researchers will present their findings at Black Hat Europe — which, of course, will be happening virtually — on December 10.

Amazon Delivery Drivers Hacking Scheduling System

Amazon drivers — all gig workers who don’t work for the company — are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are:

The phones in trees seem to serve as master devices that dispatch routes to multiple nearby drivers in on the plot, according to drivers who have observed the process. They believe an unidentified person or entity is acting as an intermediary between Amazon and the drivers and charging drivers to secure more routes, which is against Amazon’s policies.

The perpetrators likely dangle multiple phones in the trees to spread the work around to multiple Amazon Flex accounts and avoid detection by Amazon, said Chetan Sharma, a wireless industry consultant. If all the routes were fed through one device, it would be easy for Amazon to detect, he said.

“They’re gaming the system in a way that makes it harder for Amazon to figure it out,” Sharma said. “They’re just a step ahead of Amazon’s algorithm and its developers.”

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I’ve been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I’m a fellow and lecturer at Harvard’s Kennedy School and a board member of EFF. This personal website expresses the opinions of neither of those organizations.

Some junk for sale on Amazon is very literally garbage, report finds

Photo caption: The Amazon logo at the entrance of a logistics center in France, July 2019.

Some days it seems like searching for an item on Amazon just brings up endless pages of junk with no clear pattern. There’s a reason for that, it turns out: dumpster divers are, in fact, literally reselling discarded junk.

Resellers hunt through trash to find and repair treasures, the Wall Street Journal reported today. Those sellers, for understandable reasons, mostly didn’t want to talk to the WSJ, so reporters for the paper tried it themselves.

Writers went digging through the trash in New Jersey and came up with dozens of items to sell, such as “a stencil set, scrapbook paper, and a sealed jar of Trader Joe’s lemon curd.” Setting up a storefront and listing the items for sale was “easy,” the WSJ said.

Amazon’s screening process seemed to be haphazard, the paper added:

After a later dumpster dive, the Journal was able to go through almost all of the listing process with salvaged breath mints, sunflower seeds, marmalade, crispbread, fig fruit butter, olives, a headband and a Halloween mask—stopping just short of shipping them to the Amazon warehouse, which is required for an item to appear for purchase on the site.

To list a sunscreen lotion, Amazon asked for a safety-data sheet. Attempts to list a protein powder, a pea-powder dietary supplement and a face sheet mask—all from the dive—elicited a request from Amazon for proof of purchase.

Nothing in Amazon’s rules prevented “salvaged” items from being resold, at the time. The policies do require that most goods be new, but the rules also allow for certain product categories to be sold used, including books and electronics, as long as those listings are clear about those items being used.

Amazon updated its seller policies after the WSJ contacted the company about this story to include a prohibition on items “intended for destruction or disposal or otherwise designated as unsellable by the manufacturer or a supplier, vendor, or retailer.”

“Sellers are responsible for meeting Amazon’s high bar for product quality,” a company spokesperson told the WSJ, adding that the company was investigating and such stores were “isolated incidents.”

Not so high a bar

The Amazon sellers who find and repair or clean and sell usable goods from the trash are not a new phenomenon. Any flea market, secondhand shop, or closeout store features “found” items, some of which genuinely are surprisingly high-quality, like-new finds. These sellers are just taking the business model online.

But consumer expectations at a flea market are very different from consumer expectations at Amazon. Most shoppers are going to expect that an item “fulfilled by Amazon” (as many third-party items are) is delivered by an Amazon Prime-branded van, dispatched from an Amazon warehouse, and actually new—especially when it’s described that way on a product page.

Amazon consumers, though, are increasingly having to get used to shopping at their own risk. Counterfeit items, especially imported ones, are rampant on the site, as are listings for recalled, unsafe, or defective goods.

The WSJ analyzed about 45,000 shopper comments left on product listings in 2018 and 2019 and found 8,400 comments on 4,300 food, makeup, and over-the-counter drug items making reference to “unsealed, expired, moldy, unnaturally sticky, or problematic” goods. Of those 4,300 products, 544 had “Amazon’s Choice” flags promoting them to consumers in search results.

Update: Amazon contacted Ars to repeat the statements it issued to the WSJ. The company also added that any “negligent and potentially illegal activity” by some seller is “unfair to the vast majority” of sellers on the site. Additionally, the company says it has “expanded the scope of our existing supply-chain verification efforts including increased spot checks of source documentation to ensure seller compliance with our policies.”

Amazon also said, “sourcing items from the trash has always been inconsistent with Amazon’s high expectations of its sellers and prohibited by the Seller Code of Conduct on Amazon, which requires that sellers act fairly and honestly to ensure a safe buying and selling experience.”

Amazon bans third-party merchants from shipping with FedEx

Photo caption: Amazon’s going to need some bigger boxes to ship those Outpost racks next year.

If you’re cramming last-minute Christmas or Hanukkah shopping online ahead of next week’s holidays, and it absolutely, positively has to be there overnight, don’t count on FedEx being the service to get it there for you. Not only is Amazon no longer working with the carrier, but now third-party merchants are banned from using the service, too.

The Wall Street Journal obtained a copy of a message Amazon sent to its third-party vendors Sunday night explaining the prohibition. Starting this week, marketplace vendors offering Prime shipments will not be allowed to use FedEx Ground or Home services. This ban will persist “until the delivery performance of these ship methods improves.”

Third-party retailers accounted for about 58% of Amazon’s retail activity in 2018, company CEO Jeff Bezos said earlier this year, and sold a cumulative $160 billion worth of goods. The vendor marketplace is on track to be at least as large a share of Amazon’s retail business in 2019.

FedEx ended its last domestic contract with Amazon in August in part due to that in-house business. High-volume shippers such as Amazon “are developing and implementing in-house delivery capabilities and utilizing independent contractors for deliveries, and may be considered competitors,” FedEx wrote in an investor document earlier this year. The company added that Amazon in particular is “investing significant capital to establish a network of hubs, aircraft, and vehicles.”

A FedEx representative told the WSJ that the impact to the shipping firm is “minuscule,” while admitting that Amazon’s directive “limits the options for those small businesses on some of the highest shipping days in history.”

Marketplace sellers selling items marked for Amazon Prime delivery can use UPS services, FedEx’s Express service (which is pricey), or Amazon’s own in-house logistics business (which the company heavily encourages vendors to use). That encouragement is so heavy, in fact, that at least one merchant has complained to Congress that the shipping business should be considered one of Amazon’s many potential antitrust violations.

Wave of Ring surveillance camera hacks tied to podcast, report finds

Photo caption: An Amazon Ring security camera on display during an unveiling event on Thursday, Sept. 20, 2018.

A series of creepy Ring camera intrusions, including one where a stranger sang to an 8-year-old child and said he was Santa Claus, may be linked through a forum and associated livestream podcast, a new report finds.

The cluster of hacks, first reported by local media outlets, has become national news in the past few days. In all the cases, some bad actor accessed indoor Ring cameras (not doorbells) and used them to harass, intimidate, or attempt to extort the residents.

One family in Florida suddenly heard racist commentary about their teenage son coming from their Ring camera on Sunday night. On Monday, someone yelled at a couple in Georgia to “wake up.” Another family, in Tennessee, heard a voice taunting their daughter through a camera in their kids’ room on Tuesday. And in Texas yesterday, someone tried to demand a ransom to exit the household camera system, telling the homeowners to pay 50 bitcoin (roughly $360,000).

In all the cases, the residents stopped the intrusions by unplugging or removing the batteries from their devices, successfully cutting off access to them.

In response to the incidents, Ring said it had not suffered any kind of breach or intrusion and urged subscribers not to use account credentials that could have been stolen in one of the thousands of other data breaches that happen in any given year. That’s excellent advice for all services, as far as it goes, as is enabling two-factor authentication on any service that supports it (which Ring does), particularly as cameras have been easy targets for years. In at least one instance, however, the camera owner said her Ring account used a specific passphrase she has not associated with any previous accounts.

Nulled

Cheap tools for accessing Ring illicitly are plentiful and easy to get, reporters for Vice Motherboard found yesterday. The reporters also found a reason so many incidents using those tools are popping up all at once: the NulledCast.

The NulledCast is livestreamed on Discord, Motherboard explains, and it’s connected to the forum (also called Nulled) where the tools for accessing Ring cameras are sold and traded. Motherboard continues:

“Sit back and relax to over 45 minutes of entertainment,” an advertisement for the podcast posted to a hacking forum called Nulled reads. “Join us as we go on completely random tangents such as; Ring & Nest Trolling, telling shelter owners we killed a kitten, Nulled drama, and more ridiculous topics. Be sure to join our Discord to watch the shows live.”

Motherboard was able to see a message from a now-deleted thread saying, in part, “Hello everyone. As you probably have heard, I was featured on the news for a stunt I pulled,” apparently linked to one of the media reports. The national spotlight is, however, more attention than the Ring hackers apparently wanted to draw. Motherboard found that, since yesterday, posts in the forum relating to Ring hacking have apparently been deleted, as has some content from the Discord server.

As of Wednesday, members of the server insisted that the livestream would be continuing with another installment on Friday. Earlier this afternoon, however, Motherboard reporter Joseph Cox (no relation) said on Twitter that Discord banned the server and all its users. That said, the Internet being what it is, they are likely to pop up somewhere else before long.


Mobile Security

Security on the move

Mobile devices have become part of our modern lifestyle. Our dependency on smartphones and tablets is not limited to our homes: businesses are more dependent on these devices than ever before. Smart features along with an excellent user experience assist businesses in every aspect. Emails, documents, slides, marketing and enhanced connectivity delivered by mobile devices are adding tremendous value to businesses across the globe.

additional security

Mobile confidence

This convenience has a serious security cost. Mobile devices carried by employees are usually not governed by organizational policies or protected by security controls. These devices are the weakest link into an organization’s network and infrastructure. BYOD (Bring Your Own Device) policies, device whitelisting and a complete ban on mobile devices are some of the ways in which organizations reduce the risk posed by mobile devices. Security risks introduced by mobile devices cannot be mitigated by legacy security controls alone.

A solution for every business need

We offer a wide range of services within this category. Please contact us today to further explore the areas in which you can improve your IAM systems.

About

IT Security.org are based in the UK, offering a range of IT security solutions ranging from compliance and risk management to testing, training and much more.