New Episode Alert EP134
More vulnerabilities found in Amazon Echo devices
In episode 134 for August 17th, 2020: details on new critical vulnerabilities found in Amazon Echo devices, what the end of the Privacy Shield framework means for EU citizens' personal data, and new data breach fines issued to Capital One and Twitter by the OCC and FTC.
In this new world of contact tracing, location-based tracking through your Bluetooth and wireless devices, and other new threats, we all need an extra something to protect our digital privacy. So now is the time to take back control of your smartphone with a faraday sleeve. A faraday sleeve blocks all wireless signals, so simply drop your phone into a faraday sleeve for instant peace of mind. Visit Silent Pocket and pick one up today, and don't forget to use discount code "sharedsecurity" to take 15% off your order.
Just a quick announcement: be sure to check out our August monthly show, which we'll be recording soon, where we're starting a new monthly series on "targeted attacks". In this first episode, we'll be covering some of the most common Open Source Intelligence techniques that attackers use to hack individuals and corporations, including a live demo of some of these techniques. This is one episode you don't want to miss, so be on the lookout for it coming soon! Now, on to the news.
Amazon Alexa Bugs Allowed Hackers to Install Malicious Skills Remotely
Critical vulnerabilities were found in Amazon Echo devices which could allow an attacker to remove or install skills on a victim's Amazon Alexa account, access their voice history, and acquire personal information through skill interaction when the user invokes the maliciously installed skill. All of this could be done by the victim clicking on a single, specially crafted Amazon link. The issue was found in certain misconfigured Amazon sub-domains, combined with a Cross-Site Scripting vulnerability, which together let the attacker obtain a token that could perform actions on behalf of the user. The two underlying issues, a Cross-Origin Resource Sharing (CORS) misconfiguration and Cross-Site Scripting (XSS), are extremely common web application vulnerabilities, and when they are combined with a phishing attack they can have a devastating effect, as we see here with this recent Amazon Echo vulnerability. The good news is that Amazon has fixed the issue, but as we all know with Internet of Things devices, this certainly won't be the last security issue we see with these devices. The best defense against an attack like this is to be careful what you click on, even if it looks like a valid link. This case in particular would have been very hard to detect outside of the phishing email itself.
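The CORS half of that chain, as an added example that is not code from the episode or from Amazon: a loose origin check that reflects any matching Origin with credentials enabled (the kind of misconfiguration that lets a script on any sibling subdomain read authenticated responses) beside a strict allowlist version. All hostnames (example-shop.test and friends) are constructed stand-ins.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the only origins allowed credentialed cross-origin access.
# example-shop.test is a hypothetical stand-in for a site, not any real Amazon host.
ALLOWED_ORIGINS = {"https://www.example-shop.test", "https://account.example-shop.test"}
COMPANY_DOMAIN = "example-shop.test"

def cors_headers_weak(origin):
    """Misconfigured policy: any Origin containing the company domain is echoed back
    with credentials allowed, so a page on any subdomain (or a lookalike host owned by
    someone else) can read authenticated responses, including session tokens."""
    if origin and COMPANY_DOMAIN in origin:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def cors_headers_strict(origin):
    """Hardened policy: exact allowlist match on scheme://host, https only, never echo
    an arbitrary Origin, and Vary: Origin so shared caches do not mix up responses."""
    if not origin:
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path or parts.query:
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}

def origins_granted(policy, origins):
    """Return the origins to which `policy` would grant credentialed access."""
    return [o for o in origins if "Access-Control-Allow-Origin" in policy(o)]

# Constructed probe origins: two legitimate, one unlisted subdomain (where a stray
# XSS would live), one lookalike host, one with a path that is not a valid Origin.
PROBE_ORIGINS = [
    "https://www.example-shop.test",
    "https://account.example-shop.test",
    "https://legacy-promo.example-shop.test",
    "https://example-shop.test.lookalike-host.test",
    "https://www.example-shop.test/some/path",
]

if __name__ == "__main__":
    print("weak grants:  ", origins_granted(cors_headers_weak, PROBE_ORIGINS))
    print("strict grants:", origins_granted(cors_headers_strict, PROBE_ORIGINS))
```

The weak policy grants all five probes, the strict one only the two allowlisted origins; the same substring mistake is what makes "contains our domain" checks unsafe whether they live in a regex or a string match.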
Privacy Shield Is Dead, And Data Marketplaces Are Just Getting Going
In privacy news this week, the US Department of Commerce and the European Commission have announced that
which would be required to comply with the July 16th ruling from the Court of Justice of the European Union that invalidated Privacy Shield and created more challenges for companies that need to transfer European citizens' data to non-EU countries. If you're not familiar with Privacy Shield, it was the framework for regulating transfers of personal data between the EU and US corporations under EU privacy laws like GDPR. Privacy Shield replaced the former "Safe Harbor" framework, which was also declared invalid by the same EU court back in 2015. Approximately 5,000 companies were participating in such data transfers. So, for example, for Facebook to transfer data from EU citizens to its US-based systems, it would have to agree to process that data according to the Privacy Shield framework. This means that there are potentially millions of dollars at stake for a company like Facebook that needs EU data to run its business. So why was Privacy Shield invalidated? The court focused its ruling on the fact that US surveillance programs were not limited in their collection of EU citizens' data, whereas EU law states that only data that is, quote, "necessary and proportional" may be collected, and on the fact that EU citizens did not have actionable judicial redress in the US. Basically, US surveillance law is too intrusive. This news, of course, has caused a firestorm in the privacy community this past week because there are a lot of unknowns, such as whether current data transfers must stop, which could affect the business of over 5,000 companies. This is a developing story for sure, and with economic implications for all of these companies, it will be interesting to see if anything changes with US surveillance law.
Capital One Fined $80 Million for 2019 Data Breach Affecting 106 Million Users
And in data breach news, Capital One has been fined $80 million for their 2019 data breach that affected 106 million of their users. The fine was issued by the Office of the Comptroller of the Currency (or OCC), an independent bureau within the US Department of the Treasury that governs the execution of laws relating to banks in the US.
According to the OCC, Capital One failed to, quote, "establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment," and the bank failed to correct the deficiencies in a timely manner. The OCC also stated that Capital One left numerous weaknesses in its cloud-based storage and failed to patch security vulnerabilities. This, of course, led to the infamous hack last year in which former Amazon Web Services employee Paige Thompson was able to access credit card details of over 106 million customers as well as 140,000 Social Security numbers, 80,000 bank account numbers, and 1 million Canadian Social Insurance numbers. In addition to the fine, the OCC has ordered Capital One to enhance its cybersecurity defenses and submit a plan on how it intends to do so.

And in related news, the FTC has fined Twitter for the way that Twitter used users' phone numbers and email addresses (which were supposed to be used for safety and security purposes) for targeted advertising from 2013 to 2019. The fine is because the FTC states that Twitter violated its 2011 consent order, which required it to stop misleading users about how it protects personal data. And to be clear, this fine has nothing to do with the recent big Twitter hack of high-profile accounts. That's a totally different problem altogether.
Watch this episode on our YouTube Channel!