Security News
Amazon Web Services, an Amazon Company, announced the general availability of io2, the next generation Provisioned IOPS SSD volumes for Amazon Elastic Block Store. Io2 volumes are priced the same as io1 volumes, keeping the same predictable cost for EBS customers, but now support a 10x higher IOPS-to-storage ratio and up to 500 IOPS for every provisioned GB, so that customers can get more performance without increasing their storage spend.
A series of recent phishing attacks tried to take advantage of organizations that use Amazon Web Services. In one phishing campaign reported to KnowBe4, the attackers created a basic, no-frills scam to harvest the credentials of AWS users.
Attention! If you use Amazon's voice assistant Alexa in your smart speakers, just opening an innocent-looking web-link could let attackers install hacking skills on it and spy on your activities remotely. According to a new report released by Check Point Research and shared with The Hacker News, the "Exploits could have allowed an attacker to remove/install skills on the targeted victim's Alexa account, access their voice history and acquire personal information through skill interaction when the user invokes the installed skill."
Zoom announced that Zoom for Home is expanding to smart displays including Amazon Echo Show, Portal from Facebook, and Google Nest Hub Max, bringing Zoom to widely-used devices and broadening their capabilities to the work environment. Zoom on Portal is expected to be available publicly in September; Zoom on Echo Show and Zoom on Assistant-enabled Smart Displays, including Google Nest Hub Max, are expected to be available by the end of the year.
Amazon Web Services, an Amazon.com company, announced the general availability of Amazon Braket, a fully managed AWS service that provides a development environment to help customers explore and design quantum algorithms. Customers can use Amazon Braket to test and troubleshoot quantum algorithms on simulated quantum computers running on computing resources in AWS to help them verify their implementation.
The attacks involved a Cross-Origin Resource Sharing misconfiguration and Cross Site Scripting bugs identified on Amazon and Alexa subdomains, which eventually allowed the researchers to perform various actions on behalf of legitimate users. Successful exploitation of these vulnerabilities could allow an attacker to retrieve the personal information of an Alexa user, as well as their voice history with their Alexa, but also to install applications on the user's behalf, list installed skills, or remove them.
The flaws could also have helped attackers obtain usernames, phone numbers, voice history, and installed skills, says Check Point Research. Silently installed skills and apps on a user's Alexa account.
UPDATE. Vulnerabilities in Amazon's Alexa virtual assistant platform could allow attackers to access users' personal information, like home addresses - simply by persuading them to click on a malicious link. Researchers with Check Point found several web application flaws on Amazon Alexa subdomains, including a cross-site scripting flaw and cross-origin resource sharing misconfiguration.
Phishing attacks typically try to lure in victims by impersonating well-known companies, brands, and products. Released on Tuesday, Check Point's "Brand Phishing Report for Q2 2020" found that Google and Amazon were the most impersonated brands last quarter, each accounting for 13% of the brand phishing campaigns analyzed.
Using machine learning under the hood and based on over 20 years of fraud detection expertise from Amazon, Amazon Fraud Detector automatically identifies potentially fraudulent activity in milliseconds, with no machine learning expertise required. Amazon Fraud Detector provides a fully managed service that uses machine learning for detecting potential fraud in real time, based on the same technology used by Amazon.com, with no machine learning experience required.