Network

Amazon Alexa Vulnerabilities

Amazon Alexa Vulnerabilities Patched

Amazon leads the marketplace with its smart speakers powered by Alexa. In 2019, they controlled 70% of the marketplace with their virtual assistant. Homeowners are using Amazon smart speakers to connect to lights, thermostats, and security cameras at an exponential rate. It’s no surprise, then, that hackers would want to take advantage of this growing market.

Last week, the IT research firm Check Point released details of vulnerabilities they found in the Alexa software. Alexa has the ability to install “skills,” basically third-party applications that enable features the smart speaker does not perform natively. Check Point found these skill applications could be used maliciously to view users’ voice history and personal information.

“Smart speakers and virtual assistants are so commonplace that it’s easy to overlook just how much personal data they hold, and their role in controlling other smart devices in our homes. But hackers see them as entry points into peoples’ lives, giving them the opportunity to access data, eavesdrop on conversations or conduct other malicious actions without the owner being aware,” said Oded Vanunu, Head of Products Vulnerabilities Research at Check Point.

Amazon is very interested in getting these smart speakers into consumers’ homes. For a period of time they were offering an Echo Dot for 99 cents with the purchase of one month of Amazon Music. They have also offered free smart speakers with the purchase of Ring cameras and other smart home devices. The vulnerability was pointed out to Amazon earlier in the summer, and they say it was patched in June. Check Point only released the details late last week. It sounds like this research has prompted Amazon to pay more attention to securing these devices, but any new piece of third-party software introduces a vulnerability. We have seen issues recently with Chrome browser extensions. Any avenue a hacker can use to install an add-on or a third-party extension, they will use to take advantage of consumers.

Quanexus IT Support Services for Dayton and Cincinnati

Request your free network assessment today. There is no hassle, or obligation.

If you would like more information, contact us here or call 937.885.7272.

Follow us on Facebook, Twitter and LinkedIn and stay up to date by subscribing to our email list.

Posted by Charles Wright in Recent Posts

Password Management

Back to Basics – Password Management

Passwords are a necessary evil of modern life. Today on Back-to-Basics we will cover some best practices of password selection and management. Quanexus recommends a 25 character password that does not contain words found in dictionaries. We also don’t use names, birthdays, or anniversary dates, because these can be easily found on social media. On top of these parameters, passwords should not be used for more than one service.

We understand this is cumbersome, and studies have shown that extreme password policies reduce productivity in business. So where is the middle ground between an absolutely uncrackable password for each individual login, and reality?

  1. Password Managers:

    There are tools on the market that create long and complex passwords for each individual login, and then manage these passwords for you. LastPass, and 1Password are two trusted services, and both provide browser and mobile services. The issue with these, of course, is if the hacker social engineers, or guesses your password to get into the password manager, then they have access to all of your passwords. However, with a strong password to log into the service, this is a very secure option.

  1. Password Reuse:

    At the very least a user should not use the same passwords for personal logins that they do for business logins. Of course, the business has no way of checking this, but it should be outlined strongly in the orientation material, as well as the annual security awareness training. As we always say, your users can be your biggest asset or your biggest liability. Password reuse is a point that needs continual emphasis.

  1. Stolen Passwords:

    The dark web knows what your MySpace password was at this point. Find out which of the passwords you use have been compromised and stop using them. Google Password Checkup is a trusted resource. Financial companies are starting to send users known compromised passwords as well. We know many people are not going to come up with a stellar 25 character password for that jogging site they’re checking out, but be aware of what passwords are compromised, and don’t use them at work.

  1. Multi-Factor Authentication:

    Many more critical services like financial or system logins now offer Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). We did a whole blog post on this topic you can read Here, but the long and the short of it is, if the service is available, use it. SMS authentication is not without flaws, but it’s still better than a simple password. Services like Google Authenticator are better but have not been incorporated into all businesses yet.
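The rules in this post (25 characters, no dictionary words, names or dates, no reuse, nothing known to be compromised) can be checked mechanically. The following Python is an added example, not Quanexus code; the word list, names, compromised-hash set and function names are constructed placeholders.

```python
import hashlib
import re
import secrets
import string

MIN_LENGTH = 25  # the length the post recommends
# Constructed sample data: a real deployment would load a full wordlist, the
# user's own details, and a breach corpus in place of these tiny sets.
WORDLIST = {"password", "dragon", "summer", "welcome"}
PERSONAL = {"jordan", "rivera"}
# SHA-1 is used only as a lookup key here, not for password storage.
BREACHED_SHA1 = {hashlib.sha1(b"Summer2019!").hexdigest()}
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/\-.]\d{1,2}")

def _normalize(pw):
    # Undo common letter substitutions so "P@ssw0rd" still matches "password".
    return pw.lower().translate(str.maketrans("@0135$7", "aoiesst"))

def check_password(pw, used_elsewhere=()):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    folded = _normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if any(word in folded for word in WORDLIST):
        problems.append("dictionary_word")
    if any(name in folded for name in PERSONAL):
        problems.append("personal_name")
    if DATE_RE.search(pw):
        problems.append("date_like")
    if pw in used_elsewhere:
        problems.append("reused")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("known_compromised")
    return problems

def generate_password(length=MIN_LENGTH):
    """Draw characters from a CSPRNG until the result passes every check."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?_"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw
```

The substring match against a word list is deliberately strict, and with a full dictionary it will reject many human-chosen passphrases; that is the practical reason to let a password manager generate the value.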

Passwords are not perfect, but they are also not going away. Password security involves making users aware of the risks that are out there and continuing to stress best practices. Continued education, and annual security awareness training is the best defense against password compromise.


Posted by Charles Wright in Recent Posts

IT Security in the News

We are following three IT security news stories that have gained mainstream attention. Today on the blog we are going to recap all three stories and talk about what they mean for the IT world.

Garmin pays up

Garmin is still recovering from the ransomware attack we talked about on last week’s blog, which you can read here. The company reportedly received a decryption key, meaning some sort of ransom was paid. The original ransom demanded by the hackers was 10 million dollars, but Garmin has not acknowledged the ransom publicly. A week and a half after the attack, device users are still having issues related to the services taken offline.

This attack is an example of why it’s important to have a quality backup solution, and an incident response plan. When Garmin was attacked, they had to take all services offline, which included phone, email, and chat support. Not only did they have to disrupt the service they provide, but they also had no way to communicate with customers other than statements on Twitter.

Follow-up on massive Twitter hack

Twitter released more information about the hack that compromised many high profile accounts. They are citing a mobile spearphishing attack on employees as the cause. Twitter says employees were compromised, allowing hackers to access internal company tools. Twitter made a point to say, the employees who were compromised were not in a position to access the tools needed for the attack. Criminals used the information they had on some employees to attack more technical employees and gain access to the tools needed. In part of their statement Twitter said, “This was a striking reminder of how important each person on our team is in protecting our service.”

We couldn’t have said it better. As Jack always says, your employees can be your biggest asset, or your biggest liability. This is also a reminder that it’s not just the employees who are working in the IT department who are important. Any infiltration of the company systems can lead to an attack on the database or system tools.

Microsoft to buy TikTok

TikTok has been under increased scrutiny since Amazon “mistakenly” told all of its employees to delete the app. You can read our blog post, ‘Is TikTok Safe?’, here. The US government has continued to talk about banning the app in the US since this new publicity. Over the weekend it was reported Microsoft is looking into buying TikTok for the US, Canada, Australia, and New Zealand markets. Microsoft has vowed to make data security their number one priority. They have until September 15th to complete the deal. Investment organizations are predicting the deal could be in the 50 billion dollar range.


Posted by Charles Wright in Recent Posts

July Newsletter

Quanexus Q-News

The July Newsletter is now available on the website. This month, the newsletter is interactive! After you download click around to explore additional media from a given article. If you’d like to receive the newsletter before we feature it on the blog, sign up for our mailing list. We also send out security alerts and other news in the IT world.

Click Here for the July Newsletter!


Posted by Charles Wright in Cybersecurity, Information Security, Recent Posts, Small Business