Tag

IOT

Browsing

Amazon.com Inc. is developing a voice-activated wearable device that can recognize human emotions.

The wrist-worn gadget is described as a health and wellness product in internal documents reviewed by Bloomberg. It’s a collaboration between Lab126, the hardware development group behind Amazon’s Fire phone and Echo smart speaker, and the Alexa voice software team.

Designed to work with a smartphone app, the device has microphones paired with software that can discern the wearer’s emotional state from the sound of his or her voice, according to the documents and a person familiar with the program. Eventually the technology could be able to advise the wearer how to interact more effectively with others, the documents show.

It’s unclear how far along the project is, or if it will ever become a commercial device. Amazon gives teams wide latitude to experiment with products, some of which will never come to market. Work on the project, code-named Dylan, was ongoing recently, according to the documents and the person, who requested anonymity to discuss an internal matter. A beta testing program is underway, this person said, though it’s unclear whether the trial includes prototype hardware, the emotion-detecting software or both. Amazon declined to comment.

The notion of building machines that can understand human emotions has long been a staple of science fiction, from stories by Isaac Asimov to Star Trek’s android Data. Amid advances in machine learning and voice and image recognition, the concept has recently marched toward reality. Companies including Microsoft Corp., Alphabet Inc.’s Google and IBM Corp., among a host of other firms, are developing technologies designed to derive emotional states from images, audio data and other inputs. Amazon has discussed publicly its desire to build a more lifelike voice assistant.

The technology could help the company gain insights for potential health products or be used to better target advertising or product recommendations. The concept is likely to add fuel to the debate about the amount and type of personal data scooped up by technology giants, which already collect reams of information about their customers. Earlier this year, Bloomberg reported that Amazon has a team listening to and annotating audio clips captured by the company’s Echo line of voice-activated speakers.

A U.S. patent filed in 2017 describes a system in which voice software uses analysis of vocal patterns to determine how a user is feeling, discerning among “joy, anger, sorrow, sadness, fear, disgust, boredom, stress, or other emotional states.” The patent, made public last year, suggests Amazon could use knowledge of a user’s emotions to recommend products or otherwise tailor responses.

A diagram in the patent filing says the technology can detect an abnormal emotional condition and shows a sniffling woman telling Alexa she’s hungry. The digital assistant, picking up that she has a cold, asks the woman if she would like a recipe for chicken soup.

A second patent awarded to Amazon mentions a system that uses techniques to distinguish the wearer’s speech from background noises. Amazon documents reviewed by Bloomberg say the wearable device will take advantage of such technology.

Amazon’s work on a wearable device underscores its ambitions of becoming a leading maker of both cutting-edge speech recognition software and consumer electronics. The Echo smart speaker line and embedded Alexa voice software have popularized the use of voice commands in the home. The company has also added voice control to Fire-branded video streaming devices for television, as well as tablets.

But Amazon’s efforts to create smartphone software to rival Apple Inc. or Google have failed. So the company is trying to make Alexa ubiquitous in other ways. Bloomberg reported earlier this year that Amazon was developing wireless earbuds, similar to Apple AirPods, that are expected to include the Alexa voice software. The company has begun distributing Echo Auto, a dashboard-mounted speaker and microphone array designed to pair with a smartphone, and says it received 1 million pre-orders.

Amazon has also been working on a domestic robot, Bloomberg reported last year. Codenamed “Vesta,” after the Roman goddess of the hearth, home and family, the bot could be a kind of mobile Alexa, according to people familiar with the project. Prototypes of the robot can navigate through homes like a self-driving car.

Source: Bloomberg

In the cybersecurity world today, with cybercriminals operating like a penetration tester in the way they scope out the network looking for vulnerabilities and weak entry points, those responsible for IT security will once again need to adjust their strategy and defenses. The Sophos 2019 Threat Report detailed how criminals are now “staking out” victims, moving laterally throughout the network, manipulating internal controls to reach their objectives with stealth. As endpoint protection has improved, so criminals are on the lookout for the next weak entry point. The focus can no longer be on protection and detection, but also intelligent and automated response that provides lateral movement protection to isolate an attack moving through the network. Sophos CISO Ross McKercher outlines the Top 5 Cybersecurity Predictions for 2019.
With cyber criminals constantly on the lookout for weak entry points, the cybersecurity focus needs to shift from protection and detection to intelligent and automated responses that isolate a cyberattack.
  1. Security teams will need more development and engineering skills

Security teams used to focus on firewalls and endpoints and many security professionals cut their teeth as system and network administrators. Nowadays infrastructure is defined by code, breaches are increasingly caused by weak applications and automation is essential for under-staffed teams. This is changing the skillset required by security pros. We now also need to have a deep understanding of applications and an ability to build automation into our tools and processes.

  1. Organisations will up their focus on software supply chains

Everyone relies a huge amount nowadays on Open-source libraries that are often maintained very informally by loose-knit communities that are easy to infiltrate. This used to be the domain of nation states but the criminals are getting in on the action.

  1. AppSec will continue to grow

We are getting better at protecting Endpoints and attackers are shifting their focus. Legacy applications will continue to be a fertile hunting ground!

  1. Threat Hunting really will be driven by ML

Bit of a cliché but ML will no longer be something that you just buy. Tools & techniques that were previously the domain of data science experts are getting easier to use. Won’t be long before larger SOC teams are using the tools directly rather than via models that are embedded in products.

  1. Zero-trust starts to become achievable

The tools, knowledge and technologies for achieving a true Zero-trust architecture are rapidly maturing. Maybe like nuclear fusion – 15 years away and always will be but 14 years after the Jericho forum declared the end of the network perimeter we are getting close the point where many enterprises have a realistic chance of keeping their clients off “trusted” networks, particularly non-technical employees.

Source: DataQuest

Let me guess. From a young age, you were attracted to spy movies. You are someone who wasn’t necessarily interested in school subjects, but probably did okay regardless. You learn concepts easily and quickly compared to others. You had a natural affinity for computers at a young age. Something about you is excited by the subversive blackhat hacking community, but actually, you’re a good person who doesn’t like the idea of ruining people’s lives or spending your life doing chin-ups with your morally questionable mate “Steve” in a high security prison.

So what’s the solution? Become an ethical hacker, so that you can do these illegal things without risk of jailtime, and get paid for it!

I should start with a disclaimer — I’m not an expert. I’ve only ever landed one hacking job, which is my current one — and I haven’t even been here long! But I did spend a lot of time in other sectors of IT wishing I was in security. As a result, I’ve read a lot of stuff and spoken to a lot of people. Basically, it all boils down to this:

There is no one-size-fits-all approach to getting your first infosec role. There was a recent Twitter hashtag that did the rounds, #MyWeirdPathToInfosec, where a whole bunch of infosec professionals revealed the paths they took to an eventual infosec role. They varied widely, some spent time in federal prison (not recommended), some were musicians, some scored an infosec role straight out of college, some were offered jobs after illegally hacking a company and then telling the company how they did it (also not recommended). This technique may have worked for some people in the 90s, now it will probably land you in jail.

The point is, don’t have tunnel-vision. Career opportunities often arise where you least expect.

A Little About My Path to Infosec

I remember my first experience with “hacking.” I was about 10 years old, and I discovered the ability to save webpages locally. I headed straight to Google, downloaded the home page, and edited my local copy in notepad.exe to contain the words “Luke was ‘ere!”. When I opened up the edited page, my stomach dropped. I thought I had defaced Google. How long until the FBI kick in my door? Should I tell my parents before they find out?

Back in myyy daaaay, there were no hacking challenge sites. In fact, there was barely any information out there, at least that I could find. My first resource was a website by Carolyn Meinel, titled “The Guides to (mostly) Harmless Hacking.” The guides were written in Comic Sans, the token font of that bad design genre that can only be found in the 90s and early 00s. These guides included such classics as “Telnet: the Number One Hacking Tool” and “How to Hack with Windows XP part I: The Magic of DOS.” They can still be found here.

Upon finishing school I scored my first job in IT and started a computer science degree, almost finished, dropped out, got made redundant, moved out of home, acquired Bachelor of Music, became a full-time musician, spent a couple of years performing on cruise ships, met my wife, lived in the UK, got married, moved back to Australia, and started working as a full-time web developer.

Throughout all this, my passion for hacking never really subsided, and development was never something I loved. I had a wonderful job with great people, but the actual tasks of my job weren’t sparking me. As it turns out, I was on a project which involved e-commerce and sensitive data, so my boss offered for me to take a security related course. I emailed the CEO of a local penetration testing firm and asked what the best security course was, and he recommended OSCP. So I did it!

Completing my OSCP was a turning point for me. I spent every spare moment of those 60 days learning as much as possible about the art of hacking. Even when I was exhausted, I had trouble sleeping because my brain wouldn’t stop thinking about the challenge boxes in the labs. That’s how I knew it should probably be my job, instead of development, which I had grown tired of. (I wrote a three-part blog series about the OSCP too, if you’re into that.)

Only a month or two after completing OSCP, I landed my first penetration testing job through a great infosec recruiter after solving a hacking challenge they posted online. You can read more about that story here.

Enough about me! Finally, we are at the bit you all came here to read. Some actionable tips on how to get your first job as a hacker:

Get Active in the White Hat Community

Contribute to open source tools, write your own, blog, start a podcast, go to hacker cons, connect with people on Twitter. You will learn a lot and it will introduce you to a whole network of lovely people who can help you. The infosec community on the whole are a friendly, tight-knit pack of smart, passionate people. If you’re reading this, there’s a good chance you will feel at home.

Email People You Respect

Are there people out there in your dream role? Email them and ask about your career path. The worst that will happen is that they don’t reply, the best that can happen is that you gain a mentor and some life-changing advice.

Be Trustworthy

You can have every hacking certification under the sun, but if you walk into the interview gloating about some illegal stunt you pulled, nobody will risk hiring you. The white hat community often deal with highly sensitive data — your employer and your clients need to be able to trust you.

On that note, when you’re in an interview and you don’t know the answer to a technical question, it’s better to say “sorry, I don’t know, but I will be sure to research that later!” than to try to bluff your way through an answer. The person interviewing you will be able to tell, and they are probably more interested in you being honest and genuine than correct. At this point in time, experienced security professionals are rare, so many companies are hiring less experienced staff with the right mindset and attitude, then putting them through training to learn the technical skills.

Get Certifications

Frankly, many certifications in this field aren’t a good indicator of someone’s technical ability. Having said that — you’re more likely to get a job if you have them. It shows that you’re invested in the craft, you have spent time/money skilling up, and you are interested. There are a few great certifications out there, and some that aren’t so good. If you’re not sure which ones are good, ask someone who knows!

Bug Bounties, CTFs and Challenge Sites

Have you been in a HackerOne/BugCrowd hall of fame? Found a RCE in a bug bounty? Did you do well in a CTF at a hacking conference? Are you highly ranked on hackthebox.eu? Put it on your CV! These things might seem like games, but they’re also proof that you’re passionate about the craft, and have some skills.

Don’t Be Afraid of Recruiters

Recruiters get a bad name for relentlessly calling you and using dodgy tactics to get the right contacts, but they’re not all like that. Finding a quality recruiter with good connections can make all the difference. When you are looking for a recruiter for a hacking gig, find one that specialises in infosec. A standard IT recruiter probably won’t know the right people.

Make Your Current Role a Security Role

Are you a developer? Find a bug in the application you develop, show it to your boss, ask permission to conduct more in depth security testing. Are you a sysadmin? Find a security hole in your network (you probably already know where to look), communicate the risk to your boss and ask for permission to conduct further testing. Whatever role you’re in — there’s a good chance you can make a name for yourself as the in-house security expert.

Now in your infosec interview/CV, you can say you were the in-house security expert, even though your official title was just “developer.” You can also fill out the “responsibilities” section of your role with some security related tasks.

Source: Medium

Researchers playing with Twinkly IoT lights found security weaknesses that allowed them to display custom lighting effects and to remotely turn off their Christmas brilliance. They estimate that about 20,000 devices are reachable over the internet.

The LEDs in Twinkly lights can be controlled individually. Exploiting inherent security weaknesses related to authentication and the communication of commands, the researchers were able to use the curtain of lights to play Snake, the game made so popular by Nokia phones in the late 1990s.

Users can manage their Twinkly smart decoration via a mobile app that sends unencrypted communication over the local network; this makes trivial analyzing the traffic from a man-in-the-middle position.

To talk to the lights, the app discovers them by running a UDP broadcast to port 5555 and receives in return an IP address and the name of the device.

“Once the application knows the IP address of the lights, it authenticates with them, receives an authentication token and retrieves information about the device. The authentication process, although a good idea, is flawed,” said the researchers from MWR InfoSecurity, a company recently acquired by F-Secure.

After analyzing the hardware internals and the mobile app, the researchers had a clear view of how the entire communication and authentication process worked.

They found the calls to the API endpoints, the algorithms used for creating the authentication challenge-responses.

Another discovery relates to the firmware update process, which does not use signatures to check the authenticity of the files received; this allows installing an arbitrary firmware “to the device over the local network without any real authentication or authorization, making it straightforward to gain arbitrary code execution.”

Hardcoded in the firmware is a username/password, used to connect to a private broker through the Message Queuing Telemetry Transport (MQTT) protocol for exchanging messages with remote IoT boards and sensors.

MQTT allows subscribing to a topic using wildcards using the symbol ‘#’ and doing so to the root means access to all topics and, implicitly, the information published by the lights.

“Monitoring the root for unique mac addresses we estimate there are almost 20,000 devices out there,” MWR Labs says.

Remote tampering with the lights is not difficult

Considering these security faults, it would be easy for an attacker on the network to intercept the communication between the Twinkly lights and the mobile app and use them to manipulate the LEDs into custom patterns or turn them off.

“As any MQTT node can publish to any topic, it is thus possible for anyone to issue commands to any set of lights and turn them off. We tested this remotely from AWS against the lights in the office and it worked perfectly,” MWR Labs experts note in a technical blog post.

To demonstrate remote management of the Twinkly lights across the world, the researchers turned to the DNS rebinding attack technique, known in the infosec industry for over a decade.

An attacker can use DNS rebinding to bypass the same-origin policy (SOP) in web browsers and turn them into a proxy for communicating with devices on the network. All the user would have to do for this to happen is access the wrong link.

MWR Labs created a malicious website specifically for this purpose. When the victim loads it, all the devices on the local network are enumerated. If Twinkly lights are available, they will be configured to show the message ‘Hack the Planet!’ as you can see in the video below.

The vulnerabilities found in Twinkly lights are the exact opposite for the IoT space. In this case, there is little damage an attacker can do by hacking the lights, but other targets may be more valuable, the researchers say.

Source: Bleeping Computer