
Security: Alexa Holes, Zemlin on CII, and Apache Struts Patches

Filed under
Security
  • Amazon Alexa Security Risk Allows Hackers to Take Over Voice Commands, Steal Private Information

    The world is changing, and in the modern era we are becoming more reliant on our Internet of Things devices by the day. But this reliance could cost us everything: it could allow someone to steal our identity, bank information, medical history, and more.

    Amazon Alexa has been criticised for having a number of security flaws, but Amazon has been quick to deal with them. However, this new security flaw may not have a fix at all, and it could be the most dangerous security threat yet.

    According to research conducted by the University of Illinois at Urbana-Champaign (UIUC), Amazon Alexa’s idiosyncrasies can be exploited through voice-commands to route users to malicious websites. Hackers are targeting the loopholes in machine learning algorithms to access private information.

  • Researchers show Alexa “skill squatting” could hijack voice commands

    The success of Internet of Things devices such as Amazon's Echo and Google Home has created an opportunity for developers to build voice-activated applications that connect ever deeper—into customers' homes and personal lives. And—according to research by a team from the University of Illinois at Urbana-Champaign (UIUC)—the potential to exploit some of the idiosyncrasies of voice-recognition machine-learning systems for malicious purposes has grown as well.

    Called "skill squatting," the attack method (described in a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications. Ars met with the UIUC team (which is comprised of Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Assistant Professor Adam Bates, and Professor Michael Bailey) at USENIX Security. We talked about their research and the potential for other threats posed by voice-based input to information systems.

  • The Linux Foundation Set to Improve Open-Source Code Security

    CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

    "You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

    Among the new activities coming from the CII will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin said that CII's money was used to fund development work for OpenSSL and NTP (Network Time Protocol) and to conduct audits.

  • Apache Struts 2.3.25 and 2.5.17 resolve Cryptojacking Exploit Vulnerability

    Information regarding a severe vulnerability found in Apache Struts was revealed last week. A proof of concept of the vulnerability was also published publicly along with the vulnerability’s details. Since then, it seems that malicious attackers have set out to repeatedly exploit the vulnerability to remotely install a cryptocurrency mining software on users’ devices and steal cryptocurrency through the exploit. The vulnerability has been allotted the CVE identification label CVE-2018-11776.

    This behavior was first spotted by the security and data protection IT company, Volexity, and since its discovery, the rate of exploits has been increasing rapidly, drawing attention to the critical severity of the Apache Struts vulnerability. The company released the following statement on the issue: “Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”
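
The "skill squatting" item above turns on a speech recogniser confusing one skill name with another that sounds alike. As an added illustration (not code from the UIUC paper or from Amazon), the following Python shows a review-time check a skill store could run before accepting a new invocation name: it computes a phonetic key with the classic Soundex algorithm and flags existing names that share it. The skill names are constructed sample data, and `find_squat_candidates` is a hypothetical helper name.

```python
"""Flag voice-skill invocation names that sound alike.

Added illustration for the skill-squatting item; not code from the UIUC
paper or from Amazon. It uses the classic Soundex phonetic code (a
public-domain algorithm) to catch names a speech recogniser is likely to
confuse, so a store reviewer can hold a new skill for manual checking.
All skill names below are constructed sample data.
"""

# Standard Soundex letter-to-digit table; vowels and h/w/y map to no digit.
_SOUNDEX_CODES = {
    **dict.fromkeys("bfpv", "1"),
    **dict.fromkeys("cgjkqsxz", "2"),
    **dict.fromkeys("dt", "3"),
    "l": "4",
    **dict.fromkeys("mn", "5"),
    "r": "6",
}


def soundex(word: str) -> str:
    """Return the 4-character Soundex code of one word, e.g. 'Robert' -> 'R163'."""
    letters = [c for c in word.lower() if c.isalpha()]
    if not letters:
        return ""
    code = letters[0].upper()
    prev = _SOUNDEX_CODES.get(letters[0], "")
    for c in letters[1:]:
        digit = _SOUNDEX_CODES.get(c, "")
        # Adjacent letters with the same digit collapse into one. A vowel in
        # between resets that rule; h and w do not (standard American Soundex).
        if digit and digit != prev:
            code += digit
        if c not in "hw":
            prev = digit
        if len(code) == 4:
            break
    return (code + "000")[:4]


def phonetic_key(name: str) -> str:
    """Phonetic key for a multi-word invocation name: Soundex of each word."""
    return " ".join(soundex(w) for w in name.split())


def find_squat_candidates(new_name: str, existing: list[str]) -> list[str]:
    """Return existing skill names whose phonetic key equals that of new_name.

    Exact (case-insensitive) duplicates are skipped, since a store would
    reject those outright; the interesting hits are different spellings
    that a recogniser could map to the same sound.
    """
    key = phonetic_key(new_name)
    return [
        n for n in existing
        if n.lower() != new_name.lower() and phonetic_key(n) == key
    ]


if __name__ == "__main__":
    # Constructed catalogue of already-published skill names.
    catalogue = ["Boil an Egg", "Capital One", "Daily Cat Facts"]
    for submission in ["Boyle an Egg", "Capitol Won"]:
        hits = find_squat_candidates(submission, catalogue)
        verdict = f"HOLD, sounds like {hits}" if hits else "no phonetic collision"
        print(f"{submission!r}: {verdict}")
```

"Boyle an Egg" is held because it keys to the same Soundex as "Boil an Egg", while "Capitol Won" passes against "Capital One": Soundex keeps the first letter literally, so homophones that start with different letters slip through. A real review pipeline would pair this cheap filter with a proper phoneme-level comparison rather than rely on Soundex alone.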

Windows Holes

  • Windows Task Scheduler Micropatch Released by 0patch

    Earlier this week, a Twitter user who goes by the username SandboxEscaper posted information regarding a zero-day local privilege escalation vulnerability affecting Microsoft's Windows operating system. SandboxEscaper also included a proof of concept with the post, linked via a GitHub reference containing the proof of concept in detail.

    [...]

    Surprisingly, SandboxEscaper disappeared from Twitter entirely, with the account vanishing from the mainstream feeds soon after the information regarding the zero-day Windows exploit was posted. It seems that the user is now back on Twitter (or is fluctuating on and off the social media site), but no new information has been shared on the issue.
