Security News
Amazon Web Services announced the general availability of AQUA for Amazon Redshift, an innovative new distributed and hardware-accelerated cache that delivers up to ten times better query performance than other enterprise cloud data warehouses. AQUA brings compute to the storage layer, helping customers avoid networking bandwidth limitations by eliminating unnecessary data movement between where data is stored and compute clusters.
This month, Mozilla has announced plans to phase out support for the Firefox web browser app on the Amazon Fire TV product line. Although Firefox will be no longer supported on Fire TV effective at the end of this month, Amazon Silk web browser app remains available to Fire TV users.
This month, Mozilla has announced plans to phase out support for the Firefox web browser app on the Amazon Fire TV product line. Although Firefox will be no longer supported on Fire TV effective at the end of this month, Amazon Silk web browser app remains available to Fire TV users.
The US Justice Department on Friday announced the arrest of Seth Aaron Pendley, 28, for allegedly planning to blow up a single Amazon data center in Ashburn, Virginia, which he thought would knock out around 70 per cent of the internet. The tipser who turned Pendley in is said to have provided authorities with the poster's email address, which was registered by Pendley.
Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow inside the npm public code repository - all of which exfiltrate sensitive information. The packages weaponize a proof-of-concept code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.
Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.
Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "Skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.
An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior. Finally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon.
In research presented on Wednesday at the Network and Distributed System Security Symposium conference, researchers describe flaws in the process Amazon uses to review third-party Alexa applications known as Skills. "We show that not only can a malicious user publish a Skill under any arbitrary developer/company name, but she can also make backend code changes after approval to coax users into revealing unwanted information," the academics explain in their paper, titled "Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem." [PDF].
Baffle announced that its Data Protection Services supports data de-identification, dynamic data masking and adaptive data security controls for Amazon Redshift. Baffle DPS is the only solution that provides seamless integration with AWS Database Migration Services, AWS Glue, AWS S3 and Redshift without any code changes to provide end-to-end protection of the modern data pipeline.