Security News
Amazon AWS has dropped its sponsorship of the open source project Moq after the project drew sharp criticism for quietly adding data collection, as first reported by BleepingComputer. The closed-source SponsorLink package bundled with Moq read developer email addresses from local Git configs, hashed them with SHA-256 and uploaded the hashes to SponsorLink's CDN. In reaction, several developers either discontinued use of Moq [1, 2] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.
A Qualys report looks at how misconfigurations in cloud service provider environments help attackers gain access. Cloud misconfigurations, incorrect control settings applied to both hardware and software elements in the cloud, are threat vectors that amplify the risk of data breaches.
Abusing the AWS SSM Agent as a RAT. The AWS Systems Manager (SSM) agent is an Amazon-signed binary at the core of the endpoint management service administrators use for configuration, patching, and monitoring across EC2 instances, on-premises servers, and virtual machines. Mitiga's finding is that the agent can be re-registered in "hybrid" mode from inside an EC2 instance, so that it takes commands from an attacker-controlled AWS account rather than the account that owns the instance. Because the binary is trusted and commonly allow-listed by endpoint security tools, this turns a legitimate management agent into a remote access trojan with access to the assets and servers it manages.
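A host-side check for this technique, written here as an added example and not taken from Mitiga's research or from AWS code. Hybrid activation registers the agent with an activation code and ID issued by `aws ssm create-activation`, which any AWS account can issue; the agent then identifies as a managed instance with an `mi-` prefixed ID rather than the host's own `i-` EC2 instance ID. The example assumes that on Linux the agent stores that registration as JSON (`ManagedInstanceID`, `Region`) in `/var/lib/amazon/ssm/registration`, and that a natively registered EC2 instance has no such file. The registration path, the field names and the sample records are assumptions and constructed inputs, not values captured from a compromised host.

```python
"""Flag an EC2 host whose SSM agent carries a hybrid (managed-instance) registration.

Added example. Assumed (not verified against AWS source): the Linux agent writes its
hybrid registration to REGISTRATION_PATH as JSON with ManagedInstanceID and Region.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Assumed location of the hybrid-mode registration record on Linux hosts.
REGISTRATION_PATH = "/var/lib/amazon/ssm/registration"


@dataclass
class Finding:
    suspicious: bool
    reason: str


def assess_registration(registration_json: Optional[str],
                        imds_instance_id: str,
                        imds_region: str) -> Finding:
    """Compare the agent's on-disk registration with the identity IMDS reports.

    registration_json: contents of the registration file, or None if it is absent.
    imds_instance_id / imds_region: what the instance metadata service says this
    host is, e.g. "i-0abc..." and "us-east-1".
    """
    if registration_json is None:
        return Finding(False, "no hybrid registration file; agent uses the EC2 instance identity")
    try:
        reg = json.loads(registration_json)
    except json.JSONDecodeError:
        # A present but unreadable record is itself worth a look.
        return Finding(True, "registration file present but not valid JSON; inspect manually")

    managed_id = str(reg.get("ManagedInstanceID", ""))
    region = str(reg.get("Region", ""))

    # Hybrid activations hand out "mi-" IDs; an EC2 instance should never carry one.
    if managed_id.startswith("mi-"):
        where = ""
        if region and region != imds_region:
            where = f" (registered in {region}, IMDS reports {imds_region})"
        return Finding(True, f"agent registered as managed instance {managed_id}{where}: "
                             "hybrid-mode registration on an EC2 host")
    # Any other mismatch between the registered ID and the real instance ID is suspicious.
    if managed_id and managed_id != imds_instance_id:
        return Finding(True, f"registered ID {managed_id} differs from IMDS instance ID {imds_instance_id}")
    return Finding(False, f"registration matches IMDS identity {imds_instance_id}")


def assess_host(imds_instance_id: str, imds_region: str,
                path: str = REGISTRATION_PATH) -> Finding:
    """Read the registration file from disk (if any) and assess it."""
    try:
        with open(path, encoding="utf-8") as fh:
            data = fh.read()
    except FileNotFoundError:
        data = None
    return assess_registration(data, imds_instance_id, imds_region)


# Constructed samples, not captured from a real host.
BENIGN_EC2 = None
HIJACKED = '{"ManagedInstanceID":"mi-0123456789abcdef0","Region":"eu-west-1"}'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_EC2), ("hijacked", HIJACKED)):
        finding = assess_registration(sample, "i-0fedcba9876543210", "us-east-1")
        print(f"{label}: suspicious={finding.suspicious} ({finding.reason})")
```

Run it periodically from an agent-independent channel, since an attacker who re-registered the agent controls what SSM itself reports. The check is a heuristic: an attacker with root can delete or rewrite the registration file, so it complements rather than replaces reviewing which accounts have issued `CreateActivation` calls and whether EDR allow-lists exempt the SSM agent from scrutiny.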
The U.S. Justice Department and the Federal Trade Commission announced that Amazon has agreed to pay a $25 million fine to settle allegations that its Alexa voice assistant service violated children's privacy laws. Amazon's Ring video doorbell subsidiary separately agreed to pay $5.8 million over privacy violations.
In collaboration with Microsoft, Amazon has announced the general availability of its AppStore on Windows 11 for all developers. More apps and games are coming to Windows 11 as a result: developers can now access the AppStore for Windows and bring their Amazon Store apps to Microsoft's platform.
A former Amazon manager described by prosecutors as the "mastermind" behind a nearly $10 million scheme to steal money from the online megaretailer using fake invoices has been sentenced to 16 years in federal prison. Former Amazon warehouse operations manager Kayricka Wortham, also known as "Kayricka Dupree" and "Kayricka Young", pleaded guilty to fraud charges in the US on November 30, and allegedly committed further crimes while on release after posting bond.
The Federal Trade Commission alleges that Amazon used dark patterns to trick millions of users into enrolling in its Prime program and then trapped them by making the automatically renewing subscriptions as difficult as possible to cancel. In its complaint, the FTC says Amazon's deceptive techniques manipulated consumers into signing up for Prime without knowing it, violating both the Restore Online Shoppers' Confidence Act and the FTC Act.
The U.S. Federal Trade Commission has fined Amazon a cumulative $30.8 million over a series of privacy lapses involving its Alexa assistant and Ring security cameras. Of that total, $5.8 million goes to consumer refunds for Ring's breach of users' privacy in permitting any employee or contractor broad and unfettered access to private videos recorded by Ring cameras.
The e-tail giant's Ring home security cam subsidiary was accused of "compromising its customers' privacy by allowing any employee or contractor to access consumers' private videos and by failing to implement basic privacy and security protections, enabling hackers to take control of consumers' accounts, cameras, and videos." The FTC complaint also alleges that Ring knew its cloud services were susceptible to credential stuffing and brute-force attacks but did little to stymie such efforts.