Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere

Microsoft announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company’s Azure Sphere solution.

Azure Sphere is an IoT security solution designed to provide end-to-end security across hardware, operating system and the cloud.

In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

Hackers can apply for the Azure Sphere Research Challenge until May 15, and the challenge will run between June 1 and August 31. Researchers whose applications have been accepted will receive an email from Microsoft.

This new initiative, an expansion of the Azure Security Lab project announced last year, invites researchers to find vulnerabilities that would allow them to execute code on the Pluton security subsystem, which is the hardware-based secured root of trust for Azure Sphere, or in the Secure World operating environment of the Azure Sphere application platform. Microsoft is prepared to pay out up to $100,000 for these types of exploits.

While this research focuses on the Azure Sphere OS, vulnerabilities in other components could still receive a reward through the public Azure bug bounty program.

For the Azure Sphere Research Challenge, Microsoft has teamed up with several cybersecurity solutions providers, including Avira, Baidu, Bitdefender, Bugcrowd, Cisco, ESET, FireEye, F-Secure, HackerOne, K7 Computing, McAfee, Palo Alto Networks and Zscaler.

“While Azure Sphere implements security upfront and by default, Microsoft recognizes security is not a one-and-done event. Risks need to be mitigated consistently over the lifetime of a constantly growing array of devices and services. Engaging the security research community to research for high-impact vulnerabilities before the bad guys do is part of the holistic approach Azure Sphere is taking to minimize the risk,” Microsoft said.


via:  securityweek



Top IT Certifications for 2020

Whether you’re new to the IT field or deep in the technology trenches, knowing what is hot and, sometimes more importantly, what is not, can be critical to the next step in your career path. That’s why we’ve got you covered with the latest and greatest certifications that should be on your radar, based on sales trends and unshakeable predictions from a team of experts. So, let’s dive in on what you should be looking to get certified in for 2020!

10. CompTIA Linux+ (XK0-004)

What is new is old again! With the resurgence of Linux distros in the security and cloud realms, it is little surprise that brushing up on your bash scripting and command-line troubleshooting is what employers want to see these days. CompTIA released a new version of their Linux+ certification in October, streamlining their previous two exams into one and adding in security ninja skills to XK0-004.

9. Microsoft MCSA SQL Development (70-76x)

Cloud databases may be all of the rage, but the basics are still in style. The staying power of Microsoft MCSA SQL Development (70-76x) for database admins and developers is a strong testament to that. We predict that business intelligence solutions around Azure will grow to eventually replace this certification, but not anytime soon. Whether on-premises or in the cloud, this certification hasn’t lost its shine within the database market.

8. (ISC)2 CISSP (CAT, April 2018)

Despite interest in other specializations like CCSP and CSSLP, the CISSP continues to be the top dog in the security industry. Although slipping in this list compared to other IT certifications, CISSP remains a gold standard that any IT professional, especially in a management role, should consider. These initials are not disappearing from the thousands on LinkedIn anytime soon!

7. Cisco CCNA (200-301)

Although well-known in networking circles, the CCNA has remained the same certification program for many years now. But in the Summer of 2019, all of that changed with a new blueprint emphasizing cloud-based automation. You’ve got until February to test on the old CCNA exam objectives, but stay tuned for a huge update that will be sending network engineers scrambling to update their skills and prove their mettle in 2020!

6. Oracle 12c SQL OCA (1Z0-071)

From self-healing databases and automated cloud AI, the Oracle database has many bells and whistles and still remains a popular choice for large, multinational enterprises. Not without its controversial claims, there is no doubt it is a titan in the database realm, and skilled administrators are in high demand. This is one of the first exams needed to certify as an Oracle Certified Associate (OCA). We saw this title jump into the top ten last year and believe it is a trend we’ll continue to see in 2020.

5. Network+ (N10-007)

This may seem like a head-scratcher, but it is clear from our 2019 numbers that more newbies are willing to learn the dark arts of networking. Some of this can be explained by the huge IoT demand and the growing need to better support the infrastructure for these devices. As we become more connected, we’ll need to grow the workforce to ensure those connections stay reliable and secure. Also, as part of what many consider a core understanding of cybersecurity starting in A+, Network+, and Security+, it is a great start to whatever branch of cybersecurity you are interested in. With that in mind, it’s good to see some growth in this introductory networking certification.

4. EC-Council CEH (v10)

Certified Ethical Hacker is still the ultimate in red team certification, enticing many a hacker into the cameras-lights-action of penetration testing. This is a great, high-level introductory look into the world of a white hat hacker, as it covers ethics, reporting, and a general review of the types of tools used. Though we predict that this certification will continue to grow in 2020, expect blue team related certifications like Certified Network Defender (CND) to rise as more organizations focus on automated protection and scanning over manual exploitation.

3. CompTIA Security+ (SY0-501)

As the IT skills gap, especially in the security space, continues to exist, more individuals will be gravitating to the field with little or no knowledge. Vendor-neutral certifications targeted at the entry-level, specifically well-known ones like Security+, will continue their popularity, as it is again part of the core understanding, of getting a high-level look through the field of cybersecurity. Now this certification has dropped a couple of spots since last year, mainly because more IT professionals are honing their existing skills or dipping their toes into more specialized security professions. If 2019 was the year of security, expect 2020 to re-emphasize traditional IT roles.

2. Microsoft MCSA Windows Server (70-74x)

This certification is also showing some age, but Windows system admins are still needed even in the age of Azure. So it is no surprise that this certification continues to be popular. We expect continued popularity in 2020, but we’re also watching the trend of companies moving toward machine learning to maintain their virtualized networking solutions. Although not as many companies adopted machine learning in 2019 as expected, and adoption is not likely to increase significantly in 2020, it is a long-term trend that we’re keeping our eyes on.

1. CompTIA A+ (220-100x)

The future in IT has never been greater with more advanced devices requiring more skilled technicians to manage them. The new 2019 exam emphasizes the newest technologies found in the field, making it a must for a full-fledged hardware technician, or anyone looking to hone their tech support skills. We expect to see this certification’s popularity only grow in 2020.

Honorable Mentions

CCNA CyberOps

This was a new Cisco specialization in 2018, but we’re finally seeing some growth here. Keep your eye on this space.

 

PMI-ACP

This agile project management certification is one of PMI’s fastest growing, but it’s still not as popular as other project management certs. In 2020, this certification will remain a force to be reckoned with, even as the field of agile certification continues to widen.

 

Microsoft MCSA Azure

The slew of new Azure certifications, hot on the heels of the huge moves from various enterprises, including the DoD, ensure this certification will only grow in 2020. By adding performance-based labs to these exams, expect to see more and more cloud admins/developers jump on the bandwagon.

 

CompTIA CySA+

Slow to catch on until late last year, this certification is now growing steadily. We have every reason to expect its popularity among candidates will only grow in 2020. This certification hits right below the CASP and above the Security+ as an interesting intersection between a security auditor and analyst.

 

via:  kaplanittraining



Wawa Breach: Hackers Put 30 Million Stolen Payment Card Details for Sale

Remember the recent payment card breach at Wawa convenience stores?

If you’re among those millions of customers who shopped at any of 850 Wawa stores last year but haven’t yet hotlisted your cards, it’s high time to take immediate action.

That’s because hackers have finally put up payment card details of more than 30 million Wawa breach victims on sale at Joker’s Stash, one of the largest dark web marketplaces where cybercriminals buy and sell stolen payment card data.

As The Hacker News reported last month, on 10th December Wawa learned that its point-of-sale servers had malware installed since March 2019, which stole payment details of its customers from potentially all Wawa locations.


At that time, the company said it’s not aware of how many customers may have been affected in the nine-month-long breach or of any unauthorized use of payment card information as a result of the incident.

Now it turns out that the Wawa breach ranks among the largest credit card breaches in the history of the United States, potentially exposing 30 million sets of payment records.



According to threat intelligence firm Gemini Advisory, on 27th January 2020, hackers started uploading stolen payment card data from Wawa at Joker’s Stash marketplace, titled as ‘BIGBADABOOM-III,’ which reportedly includes card numbers, expiration dates, and cardholder names.

“While the majority of those records were from US banks and were linked to US-based cardholders, some records also linked to cardholders from Latin America, Europe, and several Asian countries,”  Gemini Advisory said.

“Non-US-based cardholders likely fell victim to this breach when traveling to the United States and transacting with Wawa gas stations during the period of exposure.”

“The median price of US-issued records from this breach is currently $17, with some of the international records priced as high as $210 per card.”


In the latest statement released yesterday, Wawa confirmed that the company is aware of reports of criminal attempts to sell customers’ payment card data and to help further protect its customers, the company has ‘alerted payment card processors, payment card brands and card issuers to heighten fraud monitoring activities.’

“We continue to encourage our customers to remain vigilant in reviewing charges on their payment card statements and to promptly report any unauthorized use to the bank or financial institution that issued their payment card by calling the number on the back of the card,” Wawa said.

Customers who bought anything from any of the Wawa convenience stores between March and December last year are advised to block the affected cards and request new ones from their respective financial institutions.


via:  thehackernews



Critical Firefox 0-Day Under Active Attacks – Update Your Browser Now!

Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems?

If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla’s website.

Why the urgency? Mozilla earlier today released Firefox 72.0.1 and Firefox ESR 68.4.1 versions to patch a critical zero-day vulnerability in its browsing software that an undisclosed group of hackers is actively exploiting in the wild.

Tracked as ‘CVE-2019-17026,’ the bug is a critical ‘type confusion vulnerability’ that resides in the IonMonkey just-in-time (JIT) compiler of Mozilla’s JavaScript engine SpiderMonkey.

In general, a type confusion vulnerability occurs when code does not verify the type of an object passed to it and uses the object blindly as if it were a different type, allowing attackers to crash the application or achieve code execution.

 


Without revealing details about the security flaw and any details on the ongoing potential cyberattacks, Mozilla said, “incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to type confusion.”

That means, the issue in the vulnerable JavaScript engine component can be exploited by a remote attacker just by tricking an unsuspecting user into visiting a maliciously crafted web page to execute arbitrary code on the system within the context of the application.

 

The vulnerability was reported to Mozilla by cybersecurity researchers at Qihoo 360 ATA, who have also not yet released any information about their investigation, findings, and exploit.

Though Firefox, by default, automatically installs updates when they are available and activates a new version after a restart, you can always do a manual update using the built-in functionality by navigating to Menu > Help > About Mozilla Firefox.

 

via:  thehackernews



Official Monero Site Hacked to Distribute Cryptocurrency Stealing Malware


What an irony — someone hacked the official website of the Monero cryptocurrency project and quietly replaced legitimate Linux and Windows binaries available for download with malicious versions designed to steal funds from users’ wallets.

The latest supply-chain cyberattack was revealed on Monday after a Monero user spotted that the cryptographic hash for binaries he downloaded from the official site didn’t match the hashes listed on it.

Following an immediate investigation, the Monero team today also confirmed that its website, GetMonero.com, was indeed compromised, potentially affecting users who downloaded the CLI wallet between Monday 18th 2:30 am UTC and 4:30 pm UTC.


At this moment, it’s unclear how attackers managed to compromise the Monero website and how many users have been affected and lost their digital funds.

According to an analysis of the malicious binaries done by security researcher BartBlaze, attackers modified legitimate binaries to inject a few new functions into the software that execute after a user opens or creates a new wallet.



The malicious functions are programmed to automatically steal and send users’ wallet seed—sort of a secret key that restores access to the wallet—to a remote attacker-controlled server, allowing attackers to steal funds without any hassle.


“As far as I can see, it doesn’t seem to create any additional files or folders – it simply steals your seed and attempts to exfiltrate funds from your wallet,” the researcher said.

At least one GetMonero user on Reddit claimed to have lost funds worth $7000 after installing the malicious Linux binary.


“I can confirm that the malicious binary is stealing coins. Roughly 9 hours after I ran the binary, a single transaction drained my wallet of all $7000,” the user wrote. “I downloaded the build yesterday around 6 pm Pacific time.”

GetMonero officials assured their users that the compromised files were online for a very short amount of time and that the binaries are now served from another safe source.



The officials also strongly advised users to check the hashes of their binaries for the Monero CLI software and delete the files if they don’t match the official ones.

“It’s strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 am UTC and 4:30 pm UTC, to check the hashes of their binaries,” GetMonero said.

“If they don’t match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.”

To learn how to verify hashes of the files on your Windows, Linux, or macOS system, you can head on to this detailed advisory by the official GetMonero team.
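The hash check recommended above can be scripted. The following is an added example, not code from the Monero project or the original article: the file names and hash list are constructed, and the hash list is assumed to have been obtained and authenticated through a channel the download server does not control.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One entry per line: 64 hex characters, whitespace, optional '*' (binary-mode
# marker used by sha256sum), then the file name. Other lines are ignored.
HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")


def parse_hash_list(text):
    """Return {file name: lowercase sha256 hex} from a published hash list."""
    hashes = {}
    for line in text.splitlines():
        match = HASH_LINE.match(line.strip())
        if not match:
            continue
        digest, name = match.group(1).lower(), match.group(2)
        # Two different digests for one name means the list itself is suspect.
        if hashes.get(name, digest) != digest:
            raise ValueError("conflicting digests listed for " + name)
        hashes[name] = digest
    return hashes


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_or_delete(path, hash_list_text):
    """Return 'ok', 'mismatch' or 'unlisted'; delete the file on a mismatch.

    Assumption: hash_list_text was authenticated separately (for example by
    checking a signature over it). A list fetched from the same server as the
    binary proves nothing if that server is compromised.
    """
    expected = parse_hash_list(hash_list_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # fail closed: never treat an unknown file as good
    if hmac.compare_digest(sha256_file(path), expected):
        return "ok"
    os.remove(path)  # the advice quoted above: delete, do not run
    return "mismatch"


def demo():
    """Run the check on constructed files: genuine, tampered and unlisted."""
    with tempfile.TemporaryDirectory() as workdir:
        name = "example-wallet-cli.tar.bz2"  # constructed file name
        genuine = b"constructed genuine release bytes"
        listing = "# constructed hash list\n%s  %s\n" % (
            hashlib.sha256(genuine).hexdigest(), name)

        path = os.path.join(workdir, name)
        with open(path, "wb") as handle:
            handle.write(genuine)
        genuine_result = verify_or_delete(path, listing)

        # Same file name, modified contents: what a swapped download looks like.
        with open(path, "wb") as handle:
            handle.write(genuine + b"constructed injected bytes")
        tampered_result = verify_or_delete(path, listing)
        tampered_deleted = not os.path.exists(path)

        other = os.path.join(workdir, "not-in-list.bin")
        with open(other, "wb") as handle:
            handle.write(b"constructed unrelated file")
        unlisted_result = verify_or_delete(other, listing)
        unlisted_kept = os.path.exists(other)

    return {
        "genuine": genuine_result,
        "tampered": tampered_result,
        "tampered_deleted": tampered_deleted,
        "unlisted": unlisted_result,
        "unlisted_kept": unlisted_kept,
    }


if __name__ == "__main__":
    print(demo())
```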

The identity of hackers is still unknown, and since the GetMonero team is currently investigating the incident, The Hacker News will update this article with any new developments.






via: thehackernews



Fitbit to Be Acquired by Google

Fitbit, Inc. (NYSE: FIT) today announced that it has entered into a definitive agreement to be acquired by Google LLC for $7.35 per share in cash, valuing the company at a fully diluted equity value of approximately $2.1 billion.

“More than 12 years ago, we set an audacious company vision – to make everyone in the world healthier. Today, I’m incredibly proud of what we’ve achieved towards reaching that goal. We have built a trusted brand that supports more than 28 million active users around the globe who rely on our products to live a healthier, more active life,” said James Park, co-founder and CEO of Fitbit. “Google is an ideal partner to advance our mission. With Google’s resources and global platform, Fitbit will be able to accelerate innovation in the wearables category, scale faster, and make health even more accessible to everyone. I could not be more excited for what lies ahead.”

“Fitbit has been a true pioneer in the industry and has created terrific products, experiences and a vibrant community of users,” said Rick Osterloh, Senior Vice President, Devices & Services at Google. “We’re looking forward to working with the incredible talent at Fitbit, and bringing together the best hardware, software and AI, to build wearables to help even more people around the world.”

Fitbit pioneered the wearables category by delivering innovative, affordable and engaging devices and services. Being “on Fitbit” is not just about the device – it is an immersive experience from the wrist to the app, designed to help users understand and change their behavior to improve their health. Because of this unique approach, Fitbit has sold more than 100 million devices and supports an engaged global community of millions of active users, utilizing data to deliver unique personalized guidance and coaching to its users. Fitbit will continue to remain platform-agnostic across both Android and iOS.

Consumer trust is paramount to Fitbit. Strong privacy and security guidelines have been part of Fitbit’s DNA since day one, and this will not change. Fitbit will continue to put users in control of their data and will remain transparent about the data it collects and why. The company never sells personal information, and Fitbit health and wellness data will not be used for Google ads.

The transaction is expected to close in 2020, subject to customary closing conditions, including approval by Fitbit’s stockholders and regulatory approvals.

Qatalyst Partners LLP acted as financial advisor to Fitbit, and Fenwick & West LLP acted as legal advisor.

About Fitbit, Inc. (NYSE: FIT)

Fitbit helps people lead healthier, more active lives by empowering them with data, inspiration and guidance to reach their goals. Fitbit designs products and experiences that track and provide motivation for everyday health and fitness. Fitbit’s diverse line of innovative and popular products include Fitbit Charge 3™, Fitbit Inspire HR™, Fitbit Inspire™ and Fitbit Ace 2™ activity trackers, as well as the Fitbit Ionic™ and Fitbit Versa™ family of smartwatches, Fitbit Flyer™ wireless headphones, and Fitbit Aria family of smart scales. Fitbit products are carried in approximately 39,000 retail stores and in 100+ countries around the globe. Powered by one of the world’s largest databases of activity, exercise and sleep data and Fitbit’s leading health and fitness social network, the Fitbit platform delivers personalized experiences, insights and guidance through leading software and interactive tools, including the Fitbit and Fitbit Coach apps, and Fitbit OS for smartwatches. Fitbit’s paid subscription service, Fitbit Premium, uses your unique data to deliver actionable guidance and coaching in the Fitbit app to help you reach your health and fitness goals. Fitbit Health Solutions develops health and wellness solutions designed to help increase engagement, improve health outcomes, and drive a positive return for employers, health plans and health systems.

Fitbit and the Fitbit logo are trademarks or registered trademarks of Fitbit, Inc. in the U.S. and other countries. Additional Fitbit trademarks can be found at www.fitbit.com/legal/trademark-list. Third-party trademarks are the property of their respective owners.

Connect with us on Facebook, Instagram or Twitter and share your Fitbit experience.

Additional Information and Where to Find It

In connection with the proposed acquisition, Fitbit will file relevant materials with the Securities and Exchange Commission (the “SEC”), including a preliminary and definitive proxy statement. Promptly after filing the definitive proxy statement, Fitbit will mail the definitive proxy statement and a proxy card to the stockholders of Fitbit. FITBIT’S STOCKHOLDERS ARE URGED TO READ THE DEFINITIVE PROXY STATEMENT (INCLUDING ANY AMENDMENTS OR SUPPLEMENTS THERETO) CAREFULLY WHEN IT BECOMES AVAILABLE BEFORE MAKING ANY VOTING OR INVESTMENT DECISION WITH RESPECT TO THE PROPOSED TRANSACTION BECAUSE IT WILL CONTAIN IMPORTANT INFORMATION ABOUT THE PROPOSED TRANSACTION AND THE PARTIES TO THE PROPOSED TRANSACTION. Stockholders of Fitbit will be able to obtain a free copy of these documents, when they become available, at the website maintained by the SEC at www.sec.gov or free of charge at www.Fitbit.com.

Additionally, Fitbit will file other relevant materials in connection with the proposed acquisition of Fitbit by Google pursuant to the terms of an Agreement and Plan of Merger, by and among Fitbit, Google and Magnoliophyta Inc. (the “Merger Agreement”). Fitbit and its directors, executive officers and other members of its management and employees, under SEC rules, may be deemed to be participants in the solicitation of proxies of Fitbit stockholders in connection with the proposed acquisition. Stockholders of Fitbit may obtain more detailed information regarding the names, affiliations and interests of certain of Fitbit’s executive officers and directors in the solicitation by reading Fitbit’s most recent Annual Report on Form 10-K, which was filed with the SEC on March 1, 2019 and the proxy statement for Fitbit’s 2019 annual meeting of stockholders, which was filed with the SEC on April 11, 2019. These documents are available free of charge at the SEC’s website at www.sec.gov or by going to Fitbit’s Investor Relations website at www.Fitbit.com. Information concerning the interests of Fitbit’s participants in the solicitation, which may, in some cases, be different than those of Fitbit’s stockholders generally, will be set forth in the definitive proxy statement relating to the proposed transaction when it becomes available.

Forward-Looking Statements

This communication contains “forward-looking” statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, that involve risks and uncertainties. In some cases, you can identify these forward-looking statements by the use of terms such as “expect,” “will,” “continue,” or similar expressions, and variations or negatives of these words, but the absence of these words does not mean that a statement is not forward-looking. All statements other than statements of historical fact are statements that could be deemed forward-looking statements, including, but not limited to: any statements regarding the expected timing of the completion of the transaction; the ability of Google and Fitbit to complete the proposed transaction considering the various conditions to the transaction, some of which are outside the parties’ control, including those conditions related to regulatory approvals; the expected benefits and costs of the proposed transaction; any statements concerning the expected development or competitive performance relating to Fitbit’s products and services; any statements regarding Google’s future intention with Fitbit; any other statements of expectation or belief; and any statements of assumptions underlying any of the foregoing. 
A number of important factors and uncertainties could cause actual results or events to differ materially from those described in these forward-looking statements, including without limitation: the failure to satisfy any of the conditions to the consummation of the proposed transaction, including the adoption of the Merger Agreement by Fitbit’s stockholders and the receipt of certain governmental and regulatory approvals; the occurrence of any event, change or other circumstance that could give rise to the termination of the Merger Agreement; the outcome of any legal proceedings that may be instituted against Fitbit related to the Merger Agreement or the proposed transaction; unexpected costs, charges or expenses resulting from the proposed transaction; the occurrence of a Company Material Adverse Effect (as defined in the Merger Agreement); and other risks that are described in the reports of Fitbit filed with the SEC, including but not limited to the risks described in Fitbit’s Annual Report on Form 10-K for its fiscal year ended December 31, 2018, and that are otherwise described or updated from time to time in other filings with the SEC. Fitbit assumes no obligation to update the information in this communication, except as otherwise required by law. Readers are cautioned not to place undue reliance on these forward-looking statements that speak only as of the date hereof.

View source version on businesswire.com: https://www.businesswire.com/news/home/20191101005318/en/

Fitbit
Investor Contact: Tom Hudson, (415) 604-4106 investor@fitbit.com
Media Contact: Jen Ralls, (415) 941-0037 PR@fitbit.com

Source: Fitbit, Inc.



8 spooky things Alexa can do on Halloween

Spook the heck out of the kids this Halloween with these Echo tricks (and treats).


It’s that time of year again — the holiday where kids dress up as monsters and Alexa comes out to scare. Yes, that’s right, Amazon’s voice assistant can help turn your smart home into the best Halloween house in the neighborhood.

Not only can you conjure up Halloween music and creepy sounds with Alexa, but you can also set up a haunted house-themed light setting. Here are all the ways Amazon Echo ($70 at Amazon) can make your home spooky on All Hallows’ Eve.

Play spooky sounds

It’s not Halloween without spooky sounds, and there are many Alexa skills that are designed for that purpose.

  • Spooky Halloween Sounds will play a continuous loop of spooky sounds until you tell Alexa to stop. Just say “Alexa, start Spooky Halloween Sounds” to get started.
  • Spooky Sounds plays 50 minutes of original spooky sounds (in a continuous loop), complete with an audio easter egg hidden within. Say “Alexa, open Spooky Sounds” to begin.
  • Spooky Scream will play a random scream after a set time of your choosing. Say “Alexa, ask Spooky Scream to start in five minutes.” Turn up the volume and wait for your unknowing victim to fall right into your trap.

You can also request audio like the Spooky Sounds for Halloween EP on Spotify.

Play Halloween-themed games

If you’re looking for an eerie game to play, there are quite a few Alexa skills to choose from.

  • The Magic Door is a popular interactive adventure game. If you take the Dark Forest Path, it will lead you to the Witch’s mansion in search of the Wise Wizard.
  • Ghost Detector is exactly what it sounds like. You must detect and capture ghosts to earn Ghost Bux, which will let you purchase “improvements, gadgets and missions” to further gameplay.
  • Haunted Adventure is just one of several spooky adventure games.
  • Halloween Feel The Pressure is a spin-off of Feel The Pressure with a Halloween twist. You must answer questions based on a letter of the alphabet. You need 10 correct answers in a row to “save your soul.”

Tell scary stories

Want to hear something chilling, yet kid-friendly? Simply say “Alexa, tell me a spooky story” and you’ll hear a short story voiced by an actor. They’re pretty cheesy, so they are best for younger ears.

If you want to hear something a bit scarier, you can try the Scare Me skill. Just say “Alexa, ask Scare Me to tell me a scary story.” It’ll read you a short, two-sentence scary story.

Play Halloween music

Of course, one of Alexa’s best tricks this Halloween is thematic party music. You can easily make (or follow) a playlist with all your Halloween favorites on Amazon Music or Spotify — like this Halloween Party Soundtrack — and ask Alexa to play it. Or you can use the Halloween Music skill.

Check who’s at the door

Did the doorbell just ring, or was that the TV? Check if there are trick-or-treaters waiting with Alexa.

For this, you’ll need a video doorbell — like one from Ring, August Home or Nest — and a device where you can watch a video feed, such as the Echo Show or Echo Dot. If you have an Amazon Fire TV, you can use it to show live video feeds on your TV.

When you hear the doorbell, or think you hear it, ask Alexa to “Answer the front door” or “Show [camera name]” to see who’s there.

Create your own spooky scene

If you have smart bulbs and other smart devices around the house, you can use a SmartThings hub or a service like Yonomi to create scenes that turn your house from normal to Halloween-ready in seconds.

For instance, you could create a scene called Haunted House that:

  • Turns the lights orange
  • Toggles on a smart switch with a decoration plugged into it
  • Plays a specific Halloween playlist over Sonos speakers

Then you just need to say, “Alexa, turn on the Haunted House.” Here are a few more recommendations from Yonomi.

Get costume ideas

If you still haven’t come up with a solid costume idea, Alexa can help. The Halloween Costume Ideas skill will serve up ideas until you find the right one.

Just say, “Alexa, open Halloween Costume Ideas.” Then answer the “yes” or “no” questions until you come across the perfect costume idea.

Tell Halloween jokes

Alexa has a few thematic jokes up its sleeve. Just say, “Alexa, tell me a Halloween joke.” One of the ones it gave me was, “What’s black and white and dead all over? A zombie in a tuxedo.”

These jokes won’t knock you off your feet, but your kids will probably like them.

When Halloween’s over, dive into the 10 weirdest things your Amazon Echo can do and read how Amazon Echo’s auto features will make your day smooth as buttah.



via:  cnet



Amazon axes $14.99 Amazon Fresh fee, making grocery delivery free for Prime members to boost use

Amazon is turning up the heat once again in the world of groceries, and specifically grocery delivery, to make its services more enticing in the face of competition from Walmart, as well as a host of delivery companies like Postmates. The company announced that it would make Amazon Fresh free to use for Prime members, removing the $14.99/month fee that it was charging for the service up to now.

The move is part of a bigger effort that Amazon is making into grocery delivery, which now covers some 2,000 cities when you combine Whole Foods and Amazon Fresh delivery locations. Alongside free delivery, Amazon is giving users one and two-hour delivery options for quicker turnarounds, and it’s making users’ local Whole Foods inventory available online and through the Amazon app.

Prime members who were already using Amazon’s grocery delivery services — either for Amazon’s own-branded service or to get Amazon-owned Whole Foods shopping delivered — will continue to get these, now free.

But Prime members who might be interested in trying this out for the first time will have to sign up here and wait for an invite. (“Given the rapid growth of grocery delivery we expect this will be a popular benefit,” Amazon explained about the waitlist.) It seems that the footprint for Amazon Fresh is currently quite small — around 20 cities — with the rest of that 2,000 covered by Whole Foods, so the sign-up process could also be one way for Amazon to decide where to roll out Amazon Fresh next.

“Prime members love the convenience of free grocery delivery on Amazon, which is why we’ve made Amazon Fresh a free benefit of Prime, saving customers $14.99 per month,” said Stephenie Landry, VP of Grocery Delivery, in a statement. “Grocery delivery is one of the fastest growing businesses at Amazon, and we think this will be one of the most-loved Prime benefits.”

Making Amazon Fresh free is the latest price tinkering (and reduction) that Amazon has made to drive more usage of the grocery service, while at the same time expanding the sweeteners it gives to consumers to lure them into Prime memberships. The $14.99/month fee was introduced back in 2016, itself a reduction on a $299/year fee that Amazon previously charged Amazon Fresh customers. Before that, Amazon charged a $99/year subscription plus separate delivery fees to use the service.

It’s not clear how many customers are already using Amazon Fresh, or whether the service is profitable for the company at this point. Notably, despite the boost of Amazon owning the Whole Foods chain of supermarkets, analysts earlier this year estimated that while Amazon was still seeing its grocery service growing, that growth was slowing. (To add to that, we’ve seen some consolidations that point to Amazon looking for ways to simplify — and reduce the cost of — its overall food and beverage offerings.)

Despite all this, a separate report about a year ago estimated that Amazon accounted for about one-third of all grocery delivery in the U.S.

Grocery delivery is a tricky business, much more perishable than delivering a book or a piece of clothing or consumer electronics. But if done right, it represents a frequently recurring line of revenue. To add to that, Amazon has made fast and free delivery one of the major cornerstones of how it grows its business and attracts customers away from using other online shopping options, or visiting actual brick-and-mortar stores (an area where it looks like it may be expanding, too).

In other words, regardless of whether it is profitable or not, it makes sense that Amazon would invest in ways of trying to boost its grocery delivery service, making it free being perhaps the biggest boost yet (next stop: cash back when you use it?).

Simply put, it fits with the company’s more general economies-of-scale approach: bring in more users buying more groceries, and make up the margins in the latter to offset losses from the former.

But the move to make deliveries “free” — free, that is, for those who are already paying $12.99/month or $119/year for Amazon Prime — is a classic Amazon move not just to boost its own usage numbers of the service.

The company is facing persistent competition from a number of other companies also providing online grocery shopping and delivery. In the U.K., just about every large grocery chain offers this service directly (or through another non-Amazon partner). And in the U.S., Walmart announced just last month that it would be expanding its $98/year Delivery Unlimited service, which up until today would have been a cheaper deal than Amazon’s. Both Postmates and Doordash are among the delivery hopefuls who also have ambitions to make a dent in this area.


via:  techcrunch



Ford’s electric Mustang-inspired SUV will finally get its debut

Ford provided its first peek of a Mustang-inspired electric crossover nearly 14 months ago. Now, it’s ready to show the world what “Mustang-inspired” means.

The automaker said Thursday it will debut the electric SUV on November 17 ahead of the LA Auto Show.

Not much is known about the electric SUV that is coming to market in 2020, despite Ford dropping the occasional teaser image or hint. A recently launched webpage provides few details, namely that Ford is targeting an EPA-estimated range of at least 300 miles. The look, specs and price will have to wait until at least the November 17 debut date.

What we do know is that Ford’s future (and certainly its CEO’s) is tied to the success of this shift to electrification. The Mustang-inspired SUV might not be the cornerstone to this strategy (an electric F150 probably deserves that designation), but it will be a critical piece.

Ford has historically backed hybrid technology. Back in 2016, Ford Chairman Bill Ford said at a Fortune event that he viewed plug-in hybrids as a transitional technology.

A lot has changed. Hybrids are still part of the mix. But in the past 18 months, Ford has put more emphasis on the development and production of all-electric vehicles.

In 2018, the company said it will invest $11 billion to add 16 all-electric vehicles within its global portfolio of 40 electrified vehicles through 2022.

Ford unveiled in September at the Frankfurt Motor Show a range of hybrid vehicles as part of its plan to reach sales of 1 million electrified vehicles in Europe by the end of 2022.

It also invested in electric vehicle startup Rivian and locked in a deal with Volkswagen that covers a number of areas, including autonomy (via an investment by VW in Argo AI) and collaboration on development of electric vehicles. Ford will use Volkswagen’s MEB platform to develop “at least one” fully electric car for the European market that’s designed to be produced and sold at scale.



via:  TechCrunch



America’s pension tension persists as GE freezes 20k retirement plans

General Electric, one of the few big businesses that still pays out private pensions, said it will freeze pension plans for 20k US employees and offer pension buyouts to another 100k former employees.

Pensions are a pricey problem for GE: Its pension programs face a roughly $22B deficit. Icing these pensions will reduce that deficit by $8B, the company says.

Private pensions used to be HOT

American Express became the first US company to offer a private pension in 1875. By 1930, many of the country’s largest companies — Standard Oil, AT&T, Goodyear, GE — offered pension programs to their ’ployees.

Pensions — AKA “defined benefit” plans — became popular among both employers (who didn’t pay federal corporate income tax on them) and employees (who liked getting predictable retirement checks).

In 1975, 88% of private-sector employees with retirement plans had pensions — they were the rocks upon which Americans built their Jimmy Buffett-inspired retirement dreams.

But then the prevalence of pensions plummeted: By 2005, just 33% of private-sector employees with retirement plans had pensions.

So, where-oh-where did all the pensions go?

To put it bluntly: They were 401(k)illed.

Pension-pocalypse came about largely by accident: In 1978, Congress added a new provision to the tax code — subsection 401(k) — that allowed wealthy executives a tax-free option to defer compensation.

The change was aimed at the 1% — and NOT meant to replace pensions — but the cost-saving benefits inadvertently inspired the Great Pension Pivot: In 5 years, nearly ½ of big biz was offering 401(k) programs — which were cheaper than pension programs.

Then, pension programs started FREEZING

In our new, 401(k)razy world, employees — not their employers, as before — are at risk when the markets take a turn for the worse.

This leaves pension-payers like GE with huge costs: GE’s pension obligations are the worst in corporate America, and last year it contributed $6B to try to reduce its deficit.

By freezing its pension program, GE will stop paying out benefits to 20k formerly pensioned employees in 2021 and force them to join its 401(k) program instead (it stopped accepting new pension participants in 2012).

GE joins a number of other big businesses that have rolled back their pension promises in recent years: UPS, AIG, IBM, Boeing, and The Washington Post all changed pension plans since 2014.



via:  thehustle.co

