Security News

The US Justice Department on Friday announced the arrest of Seth Aaron Pendley, 28, for allegedly planning to blow up a single Amazon data center in Ashburn, Virginia, which he thought would knock out around 70 per cent of the internet. The tipser who turned Pendley in is said to have provided authorities with the poster's email address, which was registered by Pendley.

Researchers have spotted malicious packages targeting internal applications for Amazon, Lyft, Slack and Zillow inside the npm public code repository - all of which exfiltrate sensitive information. The packages weaponize a proof-of-concept code dependency-confusion exploit that was recently devised by security researcher Alex Birsan to inject rogue code into developer projects.

Threat actors are targeting Amazon, Zillow, Lyft, and Slack NodeJS apps using a new 'Dependency Confusion' vulnerability to steal Linux/Unix password files and open reverse shells back to the attackers. When hosted on public repositories, including npm, PyPI, and RubyGems, dependency managers would use the packages on the public repo rather than the company's internal packages when building the application.

Researchers have uncovered gaps in Amazon's skill vetting process for the Alexa voice assistant ecosystem that could allow a malicious actor to publish a deceptive skill under any arbitrary developer name and even make backend code changes after approval to trick users into giving up sensitive information. Amazon Alexa allows third-party developers to create additional functionality for devices such as Echo smart speakers by configuring "Skills" that run on top of the voice assistant, thereby making it easy for users to initiate a conversation with the skill and complete a specific task.

An Amazon spokesperson told Threatpost that the company conducts security reviews as part of skill certification, and has systems in place to continually monitor live skills for potentially malicious behavior. Finally, before the skills can be actively made public to Alexa users, developers must submit their skills to be vetted and verified by Amazon.

In research presented on Wednesday at the Network and Distributed System Security Symposium conference, researchers describe flaws in the process Amazon uses to review third-party Alexa applications known as Skills. "We show that not only can a malicious user publish a Skill under any arbitrary developer/company name, but she can also make backend code changes after approval to coax users into revealing unwanted information," the academics explain in their paper, titled "Hey Alexa, is this Skill Safe?: Taking a Closer Look at the Alexa Skill Ecosystem." [PDF].

Baffle announced that its Data Protection Services supports data de-identification, dynamic data masking and adaptive data security controls for Amazon Redshift. Baffle DPS is the only solution that provides seamless integration with AWS Database Migration Services, AWS Glue, AWS S3 and Redshift without any code changes to provide end-to-end protection of the modern data pipeline.

Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root - paving the way for siphoning money from unsuspecting users. Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start a chain of attack - a discovery that earned him $18,000 from the Amazon bug-bounty program.

Amazon has awarded an $18,000 bug bounty for an exploit chain that could have allowed an attacker to take complete control of a Kindle e-reader simply by knowing the targeted user's email address. The first vulnerability in the exploit chain was related to the "Send to Kindle" feature, which allows users to send an e-book in MOBI format to their Kindle device via email as an attachment.

Baffle announced that its Data Protection Services on AWS dramatically simplifies tokenization and encryption of data stored in Amazon Relational Database Service environments without any application code modifications while supporting a Bring Your Own Key or Hold Your Own Key model. As an AWS Select Technology Partner, Baffle DPS gives enterprises the ability to instantly apply data-centric security for data stored in AWS without any application changes.