
Security: Alexa Holes, Zemlin on CII, and Apache Struts Patches

Filed under
Security
  • Amazon Alexa Security Risk Allows Hackers to Take Over Voice Commands, Steal Private Information

    The world is changing and in the modern era, we are becoming reliant on our Internet of Things devices by the day. But this reliance could cost us everything; it could allow someone to steal our identity, bank information, medical history, and whatnot.

    Amazon Alexa has been criticised for having a number of security flaws but Amazon has been quick to deal with them. However, this new security flaw may not have a fix at all. And this could be the most dangerous security threat yet.

    According to research conducted by the University of Illinois at Urbana-Champaign (UIUC), Amazon Alexa’s idiosyncrasies can be exploited through voice-commands to route users to malicious websites. Hackers are targeting the loopholes in machine learning algorithms to access private information.

  • Researchers show Alexa “skill squatting” could hijack voice commands

    The success of Internet of Things devices such as Amazon's Echo and Google Home have created an opportunity for developers to build voice-activated applications that connect ever deeper—into customers' homes and personal lives. And—according to research by a team from the University of Illinois at Urbana-Champaign (UIUC)—the potential to exploit some of the idiosyncrasies of voice-recognition machine-learning systems for malicious purposes has grown as well.

    Called "skill squatting," the attack method (described in a paper presented at USENIX Security Symposium in Baltimore this month) is currently limited to the Amazon Alexa platform—but it reveals a weakness that other voice platforms will have to resolve as they widen support for third-party applications. Ars met with the UIUC team (which is comprised of Deepak Kumar, Riccardo Paccagnella, Paul Murley, Eric Hennenfent, Joshua Mason, Assistant Professor Adam Bates, and Professor Michael Bailey) at USENIX Security. We talked about their research and the potential for other threats posed by voice-based input to information systems.

  • The Linux Foundation Set to Improve Open-Source Code Security

    CII is now working on further trying to identify which projects matter to the security of the internet as a whole, rather than taking a broader approach of looking at every single open-source project, he said. In his view, by prioritizing the projects that are the most critical to the operation of the internet and modern IT infrastructure, the CII can be more effective in improving security.

    "You'll see in the next three months or so, additional activity coming out of CII," Zemlin said.

    Among the new activities coming from the CII will be additional human resources as well as new funding. The Linux Foundation had raised $5.8 million from contributors to help fund CII efforts, which Zemlin said has now all been spent. Zemlin said that CII's money was used to fund development work for OpenSSL and NTP (Network Time Protocol) and to conduct audits.

  • Apache Struts 2.3.25 and 2.5.17 resolve Cryptojacking Exploit Vulnerability

    Information regarding a severe vulnerability found in Apache Struts was revealed last week. A proof of concept of the vulnerability was also published publicly along with the vulnerability’s details. Since then, it seems that malicious attackers have set out to repeatedly exploit the vulnerability to remotely install cryptocurrency mining software on users’ devices and steal cryptocurrency through the exploit. The vulnerability has been allotted the CVE identification label CVE-2018-11776.

    This behavior was first spotted by the security and data protection IT company, Volexity, and since its discovery, the rate of exploits has been increasing rapidly, drawing attention to the critical severity of the Apache Struts vulnerability. The company released the following statement on the issue: “Volexity has observed at least one threat actor attempting to exploit CVE-2018-11776 en masse in order to install the CNRig cryptocurrency miner. The initial observed scanning originated from the Russian and French IP addresses 95.161.225.94 and 167.114.171.27.”

Windows Holes

  • Windows Task Scheduler Micropatch Released by 0patch

    Earlier this week, a user on Twitter who goes by the username SandboxEscaper posted on the social media platform’s feed with information regarding a zero-day local privilege escalation vulnerability plaguing Microsoft’s Windows operating system. The user, SandboxEscaper, also included a proof of concept along with the post, linked via a GitHub reference containing the proof of concept in detail.

    [...]

    Surprisingly, SandboxEscaper disappeared off of Twitter entirely with his account disappearing from the mainstream feeds soon after the information regarding the zero-day Windows exploit was posted. It seems that the user is now back on Twitter (or is fluctuating off and on the social media site), but no new information has been shared on the issue.


Last month, we released Debian Buster with Kodi v18.8. While this version had the majority of fixes backported from Kodi v18.9 which was still in progress, we've decided to issue a final release of the Kodi Leia series in the form of an 18.9 point release. Our focus will now be on enabling OSMC support for Kodi v19 (codename Matrix) which is now in beta release. This new version of Kodi will bring a significant number of improvements. However -- it should be noted that this new Kodi release will also introduce some caveats, and this is why we've chosen to polish the Kodi v18.x series of OSMC as much as possible, particularly as some users may need to stay on this version if there device is no longer supported or their add-ons do not work with the new version. Kodi Matrix upgrades its Python implementation from Python 2.x to Python 3.x. While the majority of add-ons have already been updated to support this new version, you may find that some add-ons do not work. Furthermore, Raspberry Pi 0, 1 and Vero 2 will no longer be supported, meaning that this release will be the final supported version for these devices. Read more