Cyber Security News Update 4/27/2018

The Amazon Echo has been turned into an eavesdropping device that has been taught a “skill” that lets the Echo listen in on its owners without them knowing. This skill was taught to the Echo without any hacking or malicious actions by the programmers. The Amazon Echo is already passively listening to its owners at any given time, and it does so by waiting until it hears a certain phrase to activate. Once it hears that phrase it begins actively recording what the user says and transmits it to an Amazon server for analysis. The eavesdropping skill makes the Echo listen all the time and record it all on an external website. This is used by repurposing a pre-existing calculator skill that’s already on the Amazon Echo. This skill requires the Echo to be active the whole time however, which means that the blue ring on top of the Echo remains lit while it is listening. It is possible that there’s a malicious exploit that allows the Echo to listen without the blue ring however, as this “skill” was created by researchers to show the vulnerabilities in the Echo. There are already concerned that Amazon is listening to people without their permission, as there have been attempts by the courts to gain access to the transcripts of conversations recorded by the Echos. Previous tests have showed that other devices that use “passive listening” to wait for a command phrase are active most of the time, because they mishear the command phrase and have to send what they hear to their server for analysis. Anything that’s sent is recorded and these recording are used by companies to sells ads. This is why when you talk about something near your phone, you start seeing ads for it. The passive listening picked up something it thought was a command, sent it to be analyzed, realized it wasn’t but because it had been recorded already it get used by marketing algorithms.
Source: Amazon Echo made to eavesdrop without exploit or manipulation

WebAuthn is in the news again because it has almost received the green-light from the World Wide Web Consortium to go into use. WebAuthn seeks to replace insecure passwords with more robust user verification methods that would be harder for malicious actors to exploit. Google, Microsoft, and Mozilla have all announced that they will use WebAuthn on their respective browsers, but whether or not the new standard will receive widespread recognition remains to be seen. WebAuthn will require users to spend time switching over to the new security method, something that could drive acceptance down. Websites will have to be designed, or re-designed, to favor the new security standard if it is going to succeed. There may be significant security issues from long-tail users who will not switch until forced to.
Source: Standards Milestone Could Mark Beginning of End for Passwords