This past month in cybersecurity:
- Amazon Alexa security bug allowed access to voice history
- New Crocodile Hunter tool can identify fake cell towers
- Election security takes center stage at Black Hat 2020
- NIST COVID-19 Cybersecurity Act introduced
- Twitter faces an FTC fine of up to $250M for using 2FA phone numbers and emails in marketing
The cybersecurity firm Check Point discovered a vulnerability in Amazon Alexa that could have allowed an attacker to access a victim's voice history and, in effect, eavesdrop on their interactions with the Alexa-enabled device.
Since people use Alexa for all sorts of tasks, those recordings could include banking details, health information, and more.
Amazon has patched the vulnerability and says it is unlikely that any personal data was exposed as a result.
Users can change settings in the Alexa app to restrict how Amazon handles recorded data. If you own an Alexa-enabled device, now is a good time to review those settings and make sure they are to your liking.
Police and other law enforcement agencies have been using fake cell towers, known as "stingrays", for years to intercept and collect data from a target's cell phone. Once the target's phone connects to the fake tower, law enforcement can view data transmitted from the device. Because the fake tower accepts any phone in range, it also collects data from innocent bystanders, not just the target.
These fake towers work by overpowering or jamming the signal from nearby real towers, forcing affected devices to connect to the fake tower instead.
Now the Electronic Frontier Foundation (EFF) has released a tool called Crocodile Hunter that attempts to identify these fake cell towers and plot them on a map. It is an open-source hardware/software stack that costs about $500 to build. While the device isn't 100% reliable, it appears to be considerably more effective than previous attempts to address this issue.
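To make the detection problem concrete, here is a small added example, written for this post and not taken from EFF's Crocodile Hunter, that scores the LTE cells seen in a scan against a baseline of cells already known in the area. The cell identifiers, positions, thresholds and scoring heuristics are all assumptions chosen for illustration: a cell identity never seen in the area, a cell transmitting implausibly strongly, or a known identity showing up far from where it was recorded each raises the suspicion score.

```python
# Illustrative rogue-cell scorer: compares LTE cells seen in a scan against a
# baseline of known cells and flags the ones that look like a fake tower.
# Added example; the heuristics and sample data are assumptions, not EFF code.
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A cell is identified by its PLMN (MCC+MNC), tracking area code and cell ID.
CellKey = Tuple[str, int, int]


@dataclass
class CellObservation:
    plmn: str         # MCC+MNC, e.g. "310410" (constructed value)
    tac: int          # tracking area code
    cell_id: int      # E-UTRAN cell identity
    rsrp_dbm: float   # reference signal received power at the scanner
    lat: float        # scanner position when the cell was observed
    lon: float


# Constructed baseline: cells previously seen in this area, with the position
# at which each was recorded. In practice this would come from earlier scans
# or a public cell database (assumption).
KNOWN_CELLS: Dict[CellKey, Tuple[float, float]] = {
    ("310410", 1234, 56789001): (37.7749, -122.4194),
    ("310410", 1234, 56789002): (37.7760, -122.4180),
}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def score_cell(obs: CellObservation,
               known: Dict[CellKey, Tuple[float, float]],
               strong_rsrp_dbm: float = -60.0,
               max_drift_km: float = 5.0) -> Tuple[int, List[str]]:
    """Return (suspicion score, reasons) for one observed cell.

    Heuristics (assumed for illustration):
      +3  cell identity never seen before in this area
      +2  unusually strong signal (a nearby fake tower overpowers real ones)
      +3  a known cell identity observed far from where it was recorded
          (someone may be cloning a legitimate cell's identifiers)
    """
    key: CellKey = (obs.plmn, obs.tac, obs.cell_id)
    score, reasons = 0, []
    if key not in known:
        score += 3
        reasons.append("unknown cell identity")
    else:
        klat, klon = known[key]
        drift = haversine_km(obs.lat, obs.lon, klat, klon)
        if drift > max_drift_km:
            score += 3
            reasons.append(f"known cell seen {drift:.1f} km from recorded position")
    if obs.rsrp_dbm > strong_rsrp_dbm:
        score += 2
        reasons.append(f"unusually strong signal ({obs.rsrp_dbm:.0f} dBm)")
    return score, reasons


def suspicious_cells(observations: List[CellObservation],
                     known: Dict[CellKey, Tuple[float, float]],
                     threshold: int = 3) -> List[Tuple[CellKey, int, List[str]]]:
    """Return the cells whose score reaches the threshold, highest score first."""
    flagged = []
    for obs in observations:
        score, reasons = score_cell(obs, known)
        if score >= threshold:
            flagged.append(((obs.plmn, obs.tac, obs.cell_id), score, reasons))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed scan: one legitimate cell, one never-seen cell shouting at
# -50 dBm right next to the scanner, and one known identity appearing ~47 km
# from where it was recorded.
SAMPLE_SCAN = [
    CellObservation("310410", 1234, 56789001, -95.0, 37.7749, -122.4194),
    CellObservation("310410", 1234, 99999999, -50.0, 37.7749, -122.4194),
    CellObservation("310410", 1234, 56789002, -90.0, 38.2000, -122.4180),
]

if __name__ == "__main__":
    for key, score, reasons in suspicious_cells(SAMPLE_SCAN, KNOWN_CELLS):
        print(key, score, "; ".join(reasons))
```

The point of the scoring approach is that no single signal is conclusive: a new cell can be a legitimately installed small cell, and a strong signal can just mean you are standing under a real tower, so the scanner accumulates evidence rather than alerting on one indicator, and a human still has to investigate what gets flagged.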
Black Hat and DEF CON are annual security conferences held in Las Vegas that draw some of the best and brightest in the security space. Both were held virtually this year.
Several speakers at this year's Black Hat conference discussed questions surrounding the 2020 U.S. Presidential Election.
These talks covered the spread of political misinformation, including fake COVID-19 cures and manipulated videos of presidential candidates, as well as questions about the security of the voting mechanisms themselves, such as absentee ballots.
You can access many of the presentation slide decks from the Black Hat 2020 briefings here.
In last month's cybersecurity roundup, we noted that Russia was attempting to steal COVID-19 research from other countries. Now a bill introduced by U.S. Congressman Barr would direct NIST to create a set of security standards to help universities and research organizations protect their research from Russia and China.
NIST's Cybersecurity Framework is well regarded, and adapting it to address these targeted attacks specifically could reduce the risk of China or Russia successfully exfiltrating COVID-19 research.
The Federal Trade Commission may fine Twitter up to $250 million for misleading consumers. Phone numbers and email addresses that users had provided for two-factor authentication, that is, to make their accounts more secure, were also used by Twitter for advertising and marketing purposes. Twitter says this was an error and that it never intended to use the data for marketing, but acknowledges that the FTC will likely fine it anyway. Twitter has set aside $150 million for the fine but does not yet know precisely how much it will end up paying.
Thanks for reading! We’ll be back next month with a quick roundup of topics we found interesting.
Did we miss a super important story? Let us know! We’ll do better next time.