Amazon to opt-in users to Amazon Sidewalk
On June 8th, Amazon will enroll Echo, Ring, and other Amazon devices in the US into its new wireless mesh service, Amazon Sidewalk. This will use up to 80Kbps of bandwidth, connecting to a shared private wireless backend network with other Amazon devices, which will be used for device setup, extending 3rd-party networks like Tile trackers, and letting devices stay online during small service disruptions. While there are no known security or privacy issues with Sidewalk, whenever such issues are discovered, they will impact a large number of devices suddenly opted in to the network.
Rowhammer attacks show the downside of density
Rowhammer attacks were first demonstrated in 2015 by Google security researchers, showing that targeting a row of DRAM transistors could leak electricity into adjacent rows to intentionally flip the bits held in memory. Now security researchers at Google have published details on a Half-Double Rowhammer attack, which takes advantage of increased DRAM density to potentially flip bits two or more rows away. Google disclosed the findings to the semiconductor engineering trade organization JEDEC, which subsequently issued stopgap mitigations. But researchers warn a full fix would require a change in how DRAM is engineered going forward.
Hacking shuts down Swedish infectious disease database
The Swedish Public Health Agency announced it temporarily shut down SmiNet, the country’s infectious disease database, on May 27th after it was targeted by a number of hacking attempts. As a result of the shutdown, the agency was unable to report complete COVID-19 stats in the latter half of the week. The database was brought back online on May 28th, and there is currently no evidence of unauthorized parties accessing sensitive information. It’s not clear who was behind the attacks, but they come in the wake of Conti ransomware operators hitting Ireland’s Department of Health and targeting a variety of US healthcare organizations.
Thanks to our episode sponsor, ReversingLabs
Venmo friends lists can now be set to private
The company now allows the lists to be set to friends only or completely private; previously, friends lists were always public. This comes after BuzzFeed News documented how it was able to use public friends lists to find President Biden, the first lady, and members of their immediate family. This is not a new criticism of Venmo, with the EFF and Mozilla calling for a change in its privacy settings back in August 2019. It’s unclear if friends lists will remain public by default for new users.
Have I Been Pwned goes open source
Security researcher Troy Hunt announced that the popular breach database service is now open source, with code hosted on GitHub. Hunt initially announced his intention to make the service’s code open source in August 2020. The non-profit .NET Foundation assisted in moving the site to an open source model. Hunt also announced Have I Been Pwned will receive compromised passwords discovered during investigations from the US FBI.
US NSA reportedly spied on European officials
This comes from a report by Danish public broadcaster Danmarks Radio. The report claims a 2015 review by the Danish Defence Intelligence Service found that from 2012 to 2014, the NSA used Danish information cables to spy on senior European officials in Sweden, Norway, France, and Germany, including German Chancellor Angela Merkel.
Unsubscribe email scams on the rise
A new email spam technique is to send emails asking users to click through to subscribe to or unsubscribe from an unspecified or unfamiliar service. These are often used by scammers to create lists of verified email addresses that are being actively monitored, for further targeting. Clicking through either link opens up a new email that’s sent to a variety of email addresses under a spammer’s control. Bleeping Computer confirmed in testing that sending an unsubscribe email as directed results in an inbox quickly being bombarded with spam.