Hello, Alexa. Amazon Makes Bold Move Into IoT

Amazon is among the technology companies trying to seize the IoT space, and voice activation technology is a key part of the puzzle – as is artificial intelligence.

With its newly enhanced Amazon Echo (with Alexa), the company may have done just that, judging by the rave reviews that accompanied its recent (July 14) roll-out, which took the device out of beta and added services. The device is now available to anyone, not just Amazon Prime members, who were the first to give it a try.

Basically, Echo is designed around the user’s voice, and is a hands-free speaker system that connects you to the outside world. It gradually adapts to the user’s voice and inflection.

It has seven microphones and connects to Alexa, a cloud-based voice service, to provide information, answer questions, play music, read the news, check sports scores or the weather, and more. Think of it as a smartphone's services without the smartphone and you begin to get the picture.

Echo plays music from Amazon Music, Prime Music, Pandora, iHeartRadio, TuneIn, and other systems. If you want to wake up in the morning to Eye of the Tiger, just say “Alexa” and ask.

But there is more. For example, it is compatible with Philips Hue connected devices, so you can control lights and switches with your voice. As industry analyst Tim Bajarin wrote in his review on PC Magazine: "You can expect Amazon to get light switches, door locks, appliances, and more connected to the Echo so it becomes the central control point for an eventual home information and automation system."

Amazon is throwing serious money behind its voice recognition plans in the hope of becoming a key player. It has put $100 million into the Alexa Fund to "fuel voice technology innovation." So, the race is on.

It’s fascinating to me how IoT, voice commands, technology, convenience, and modern ideas are all converging. It’s an exciting time to be in tech, to be sure.

Finally, on a side note: I find it intriguing that Alexa is again molded in a woman's voice, soothing like Siri. Is this because all the programmers (or marketers) are trying to reach the key decision makers in the smart home, or were they so frightened by HAL in Stanley Kubrick's Space Odyssey and his representation of an AI-based future? But I'll save that as a topic for another day…

Google, Facebook and Yahoo join forces to fight against scammers who inflate the clicks on their ads


The online advertising industry has witnessed the emergence of "invisible enemies" that pass themselves off as regular online users: the infamous bots. These networks of zombie users have become a serious headache for businesses, and recent data reflects it. According to a recent study, advertisers worldwide look set to lose $6.3 billion per year (roughly €5.7 billion) to these bots that imitate human behavior.

The study also found that 23% of all advertising video views and 11% of clicks on advertisements were generated by botnets. This is costly for advertisers: they pay for clicks and video views that have been artificially inflated, and the credibility of their campaign metrics suffers as a result.

This worrying situation has forced leading technology companies to come together in the fight against the bots. Google, Facebook and Yahoo have recently joined forces with specialized digital marketing companies such as Quantcast, Rubicon Project and MediaMath. The Trustworthy Accountability Group (TAG), created by the American Advertising Association and the Interactive Advertising Bureau, has been the main driver behind this initiative to put an end to the fraudsters.

The agreement that they reached can be summed up as follows: there’s strength in numbers. Each of the businesses has its own internal blacklists – databases which contain information relating to suspicious IP addresses. Now, they will combine all of them to create one massive database which will allow them to block the bots.

“The industry is united in this fight and we are going to win the war against fraud”, stated Mike Zaneis, the executive director of the Trustworthy Accountability Group.

The DoubleClick blacklist (DoubleClick being Google's platform for creating and managing online advertising) filtered 8.9% of web traffic in May. It will be the most important contribution to this information-sharing program, which aims to identify bots designed to evade detection by the IAB/ABC International Spiders & Bots List.


“By pooling our collective efforts and working with industry bodies, we can create strong defenses against those looking to take advantage of our ecosystem. We look forward to working with the TAG Anti-fraud working group to turn this pilot program into an industry-wide tool”, explained Vegard Johnsen, Product Manager Google Ad Traffic Quality, on the company’s online security blog.

A study carried out by Distil Networks estimated that, during 2014, malicious bots accounted for 22.78% of web traffic, compared with 36.32% for "good" bots and only 40.90% for humans. Benign bots identify themselves and can therefore be recognized and filtered out, which keeps them from distorting ad measurement.

Google has detected fraudulent web traffic generated by platforms such as UrlSpirit, which uses Internet Explorer to visit a list of websites and generates up to 500,000 fraudulent requests per month, and HitLeap, a traffic-exchange service responsible for 1,000 fraudulent advertising requests in the same period.

"By contributing our data-center blacklist to TAG, we hope to help others in the industry protect themselves," says Vegard Johnsen of Google. TAG will soon launch a pilot program that establishes a set of general principles, although the actual tool for detecting online fraudsters is not expected until the end of the year.
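The mechanism the article describes, pooling the contributors' IP blocklists into one database and combining it with a self-declared bot list such as the IAB/ABC one, is easy to see in a few lines of detection logic. The following is an added example written for this page, not code from Google, TAG or Panda Security; the blocklist entries, the bot user-agent patterns and the log lines are all constructed for illustration.

```python
"""Pool several IP blocklists and run ad-request log lines through them.

Added example for this page; it is not code from Google, TAG or Panda
Security. The blocklists, bot user-agent patterns and log lines are all
constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical per-contributor blocklists (constructed). Each entry is a host
# or a CIDR range, as a data-center blocklist would be published.
BLOCKLISTS = {
    "contributor_a": ["203.0.113.0/24", "198.51.100.7"],
    "contributor_b": ["198.51.100.0/25", "192.0.2.99"],
}

# Self-declared crawler patterns, in the spirit of the IAB/ABC International
# Spiders & Bots List (constructed; not the real list).
DECLARED_BOT_UA = re.compile(r"bot|spider|crawler", re.I)

# Combined-log-format line: ip ident user [ts] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def merge_blocklists(lists):
    """Pool every contributor's entries into one list of networks.

    Overlapping and duplicate entries are collapsed so a lookup never pays
    twice for the same range. IPv4 and IPv6 are collapsed separately because
    ipaddress.collapse_addresses() refuses to mix the two families.
    """
    nets = [ipaddress.ip_network(e, strict=False)
            for entries in lists.values() for e in entries]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocklisted(ip, networks):
    """True if ip falls inside any pooled network (malformed ip -> False)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in networks)


def classify(line, networks):
    """Label one log line. Blocklist hits are checked first: an IP on the
    data-center list is filtered even if it pretends to be a browser."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    if is_blocklisted(m["ip"], networks):
        return "blocklisted_ip"
    if DECLARED_BOT_UA.search(m["ua"]):
        return "declared_bot"
    return "billable"


def filter_log(lines, lists=BLOCKLISTS):
    """Return a count of lines per label; only 'billable' should reach the
    advertiser's invoice."""
    networks = merge_blocklists(lists)
    return dict(Counter(classify(line, networks) for line in lines))


# Constructed sample traffic: two data-center hits, one self-declared crawler,
# two human-looking requests, one line that does not parse.
SAMPLE_LOG = [
    '203.0.113.45 - - [27/Jul/2015:10:00:01 +0000] "GET /ad?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Jul/2015:10:00:02 +0000] "GET /ad?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Jul/2015:10:00:03 +0000] "GET /ad?id=2 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '192.0.2.11 - - [27/Jul/2015:10:00:04 +0000] "GET /ad?id=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.200 - - [27/Jul/2015:10:00:05 +0000] "GET /ad?id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(filter_log(SAMPLE_LOG))
```

Two points the pooling makes visible: the collapsed list is smaller than the sum of its parts (contributor_a's single host already sits inside contributor_b's /25), and the order of checks matters, since a data-center address sending a browser user-agent is exactly the traffic a user-agent list alone would bill.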


SB15-215: Vulnerability Summary for the Week of July 27, 2015

Original release date: August 03, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
cisco — ios | The TFTP server in Cisco IOS 12.2(44)SQ1, 12.2(33)XN1, 12.4(25e)JAM1, 12.4(25e)JAO5m, 12.4(23)JY, 15.0(2)ED1, 15.0(2)EY3, 15.1(3)SVF4a, and 15.2(2)JB1 and IOS XE 2.5.x, 2.6.x, 3.1.xS, 3.2.xS, 3.3.xS, 3.4.xS, and 3.5.xS before 3.6.0S; 3.1.xSG, 3.2.xSG, and 3.3.xSG before 3.4.0SG; 3.2.xSE before 3.3.0SE; 3.2.xXO before 3.3.0XO; 3.2.xSQ; 3.3.xSQ; and 3.4.xSQ allows remote attackers to cause a denial of service (device hang or reload) via multiple requests that trigger improper memory management, aka Bug ID CSCts66733. | 2015-07-24 | 7.1 | CVE-2015-0681 (CONFIRM, CISCO)
cisco — application_policy_infrastructure_controller_(apic) | Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3o) and 1.1 before 1.1(1j) and Nexus 9000 ACI devices with software before 11.0(4o) and 11.1 before 11.1(1j) do not properly restrict access to the APIC filesystem, which allows remote authenticated users to obtain root privileges via unspecified use of the APIC cluster-management configuration feature, aka Bug IDs CSCuu72094 and CSCuv11991. | 2015-07-24 | 9.0 | CVE-2015-4235 (CISCO)
cisco — unified_meetingplace_web_conferencing | The password-change feature in Cisco Unified MeetingPlace Web Conferencing before 8.5(5) MR3 and 8.6 before 8.6(2) does not check the session ID or require entry of the current password, which allows remote attackers to reset arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuu51839. | 2015-07-24 | 10.0 | CVE-2015-4262 (CISCO)
isc — bind | named in ISC BIND 9.x before 9.9.7-P2 and 9.10.x before 9.10.2-P3 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via TKEY queries. | 2015-07-29 | 7.8 | CVE-2015-5477 (CONFIRM)
webservice-dic — yoyaku | Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors. | 2015-07-29 | 7.5 | CVE-2015-2977 (JVNDB, JVN)
webservice-dic — yoyaku | Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 2015-07-29 | 7.5 | CVE-2015-2979 (JVNDB, JVN)


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
cisco — content_security_management_virtual_appliance | Cross-site scripting (XSS) vulnerability in Cisco AsyncOS on the Web Security Appliance (WSA) 9.0.0-193; Email Security Appliance (ESA) 8.5.6-113, 9.1.0-032, 9.1.1-000, and 9.6.0-000; and Content Security Management Appliance (SMA) 9.1.0-033 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug IDs CSCuu37430, CSCuu37420, CSCut71981, and CSCuv50167. | 2015-07-28 | 4.3 | CVE-2015-0732 (CISCO)
cisco — unified_computing_system_central_software | The web framework in Cisco UCS Central Software 1.3(0.99) allows remote attackers to read arbitrary files via a crafted HTTP request, aka Bug ID CSCuu41377. | 2015-07-29 | 5.0 | CVE-2015-4286 (CISCO)
cisco — firepower_extensible_operating_system | Cisco Firepower Extensible Operating System 1.1(1.86) on Firepower 9000 devices allows remote attackers to bypass intended access restrictions and obtain sensitive device information by visiting an unspecified web page, aka Bug ID CSCuu82230. | 2015-07-28 | 5.0 | CVE-2015-4287 (CISCO)
cisco — content_security_management_appliance | The LDAP implementation on the Cisco Web Security Appliance (WSA) 8.5.0-000, Email Security Appliance (ESA) 8.5.7-042, and Content Security Management Appliance (SMA) 8.3.6-048 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, aka Bug IDs CSCuo29561, CSCuv40466, and CSCuv40470. | 2015-07-28 | 4.3 | CVE-2015-4288 (CISCO)
cisco — anyconnect_secure_mobility_client | The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(2049) on OS X allows local users to cause a denial of service (panic) via vectors involving contiguous memory locations, aka Bug ID CSCut12255. | 2015-07-29 | 4.9 | CVE-2015-4290 (CISCO)
cisco — ios_xe | The packet-reassembly implementation in Cisco IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (CPU consumption or packet loss) via fragmented (1) IPv4 or (2) IPv6 packets that trigger ATTN-3-SYNC_TIMEOUT errors after reassembly failures, aka Bug ID CSCuo37957. | 2015-07-30 | 5.0 | CVE-2015-4293 (CISCO)
dhcpcd_project — dhcpcd | The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of data, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a large length value of an option in a DHCPACK message. | 2015-07-29 | 6.8 | CVE-2014-7912 (CONFIRM, MISC)
dhcpcd_project — dhcpcd | The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function, which allows remote DHCP servers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted message. | 2015-07-29 | 6.8 | CVE-2014-7913 (CONFIRM)
ffmpeg — ffmpeg | The ff_mjpeg_decode_sof function in libavcodec/mjpegdec.c in FFmpeg before 2.5.4 does not validate the number of components in a JPEG-LS Start Of Frame segment, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Motion JPEG data. | 2015-07-26 | 6.8 | CVE-2015-1872 (CONFIRM)
honeywell — tuxedo_touch | Honeywell Tuxedo Touch before 5.2.19.0_VA relies on client-side authentication involving JavaScript, which allows remote attackers to bypass intended access restrictions by removing USERACCT requests from the client-server data stream. | 2015-07-26 | 5.0 | CVE-2015-2847 (CERT-VN)
honeywell — tuxedo_touch | Cross-site request forgery (CSRF) vulnerability in Honeywell Tuxedo Touch before 5.2.19.0_VA allows remote attackers to hijack the authentication of arbitrary users for requests associated with home-automation commands, as demonstrated by a door-unlock command. | 2015-07-26 | 6.8 | CVE-2015-2848 (CERT-VN)
ibm — maximo_anywhere | Unspecified vulnerability in the IBM Maximo Anywhere application 7.5.1 through 7.5.1.2 for Android allows attackers to bypass a passcode protection mechanism and obtain sensitive information via a crafted application. | 2015-07-26 | 5.0 | CVE-2015-4945 (CONFIRM)
lemon-s_php — gazou_bbs_plus | LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to upload arbitrary HTML documents via vectors involving a crafted image file. | 2015-07-28 | 5.0 | CVE-2015-2974 (JVNDB, JVN, CONFIRM)
linux — linux_kernel | The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call. | 2015-07-27 | 4.9 | CVE-2015-4692 (CONFIRM, CONFIRM, MLIST, CONFIRM)
rack_project — rack | lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. | 2015-07-26 | 5.0 | CVE-2015-3225 (MLIST, CONFIRM, MLIST)
research-artisan — research_artisan_lite | Research Artisan Lite before 1.18 does not ensure that a user has authenticated, which allows remote attackers to perform unspecified actions via unknown vectors. | 2015-07-26 | 5.0 | CVE-2015-2975 (CONFIRM, JVNDB, JVN)
research-artisan — research_artisan_lite | Multiple cross-site scripting (XSS) vulnerabilities in Research Artisan Lite before 1.18 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted HTML document or (2) a crafted URL that is mishandled during access-log analysis. | 2015-07-25 | 4.3 | CVE-2015-2976 (CONFIRM, JVNDB, JVN)
rubyonrails — jquery-rails | jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value. | 2015-07-26 | 5.0 | CVE-2015-1840 (MLIST, CONFIRM, CONFIRM, MLIST)
rubyonrails — web_console | request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. | 2015-07-26 | 4.3 | CVE-2015-3224 (MLIST, CONFIRM, MLIST)
rubyonrails — ruby_on_rails | Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding. | 2015-07-26 | 4.3 | CVE-2015-3226 (MLIST, MLIST)
rubyonrails — ruby_on_rails | The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth. | 2015-07-26 | 5.0 | CVE-2015-3227 (MLIST, MLIST)
webservice-dic — yoyaku | Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation." | 2015-07-29 | 5.0 | CVE-2015-2978 (JVNDB, JVN)
welcart — welcart | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php. | 2015-07-24 | 4.3 | CVE-2015-2973 (CONFIRM, CONFIRM, JVNDB, JVN)
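The web_console entry above (CVE-2015-3224) describes an IP-allowlist check that can be bypassed through X-Forwarded-For. The pattern behind it is general enough to be worth showing: a server that takes the client address from a header any client can set, beside one that only believes the header when it arrives from a proxy the operator controls. The following is an added example written for this page; it is not Web Console's code and does not reproduce its fix. The allowlist, the trusted-proxy range and the sample addresses are constructed assumptions.

```python
"""Client-IP determination for an IP allowlist, naive versus hardened.

Added example for this page; it is not Web Console's code and does not
reproduce its patch. It shows the general failure mode behind the
CVE-2015-3224 entry: trusting X-Forwarded-For from anyone. The allowlist
and trusted-proxy ranges are constructed assumptions.
"""
import ipaddress

# Constructed: who may use the privileged feature, and which reverse proxies
# we operate and therefore trust to append a correct X-Forwarded-For hop.
ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def _within(addr, networks):
    return any(addr in n for n in networks)


def is_allowed(ip):
    """Allowlist check; anything unparseable is denied."""
    try:
        return _within(ipaddress.ip_address(ip), ALLOWED)
    except ValueError:
        return False


def client_ip_naive(remote_addr, xff):
    """Vulnerable: takes the left-most X-Forwarded-For entry without asking
    whether the peer that sent it is a proxy we trust. A direct client can
    send 'X-Forwarded-For: 127.0.0.1' and pass the allowlist."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, xff, trusted=TRUSTED_PROXIES):
    """Only consult X-Forwarded-For when the TCP peer is a trusted proxy, and
    then walk the chain from the right, discarding trusted hops: the first
    address we do not operate is the client. Anything the client put into
    the header sits further left and is never reached."""
    if not xff or not _within(ipaddress.ip_address(remote_addr), trusted):
        return remote_addr          # direct connection: the header is untrusted
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop              # malformed hop: is_allowed() will deny it
        if not _within(addr, trusted):
            return hop
    return remote_addr              # every hop was one of our proxies


if __name__ == "__main__":
    # Direct attacker (constructed address) forging the header.
    attacker, forged = "198.51.100.5", "127.0.0.1"
    print("naive   :", is_allowed(client_ip_naive(attacker, forged)))      # True: bypass
    print("hardened:", is_allowed(client_ip_hardened(attacker, forged)))   # False
    # Same forgery through our proxy, which appends the real peer address.
    print("via proxy:", client_ip_hardened("192.0.2.10", "127.0.0.1, 203.0.113.7"))
```

The hardened version still rests on one operational fact: every address in the trusted set must be a proxy that appends the connecting peer to the header. A "trusted" proxy that forwards X-Forwarded-For unchanged turns the right-most hop into attacker-controlled data again, so the set has to contain exactly the proxies you operate, not whole cloud ranges.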




Legit APPS or PUA? Keep your eyes wide open!

Nowadays our personal computers can perform a huge number of tasks, as there are applications for almost everything one can imagine. Not to mention that we often have more than one app installed for the same kind of task. When does it become too much?
