Amazon to opt-in users to Amazon Sidewalk 

On June 8th, Amazon will enroll Echo, Ring, and other Amazon devices in the US into its new wireless mesh service, Amazon Sidewalk. Sidewalk uses up to 80Kbps of a household's bandwidth to connect to a shared private wireless backend network alongside other Amazon devices, and is used for device setup, extending third-party networks like Tile trackers, and letting devices stay online during small service disruptions. While there are no known security or privacy issues with Sidewalk, any that are discovered will suddenly affect the large number of devices opted in to the network.

(Ars Technica)

Rowhammer attacks show the downside of density

Rowhammer attacks were first demonstrated in 2015 by Google security researchers, showing that repeatedly targeting a row of DRAM transistors could leak electricity into adjacent rows and intentionally flip the bits held in memory. Now security researchers at Google have published details of a Half-Double Rowhammer attack, which takes advantage of increased DRAM density to potentially flip bits two or more rows away. Google disclosed the findings to the semiconductor engineering trade organization JEDEC, which subsequently issued stopgap mitigations. But the researchers warn that a full fix would require a change in how DRAM is engineered going forward.

(Wired)

Hacking shuts down Swedish infectious disease database

The Swedish Public Health Agency announced it temporarily shut down SmiNet, the country's infectious disease database, on May 27th after it was targeted by a number of hacking attempts. As a result of the shutdown, the agency was unable to report complete COVID-19 stats in the latter half of the week. The database was brought back online on May 28th, and there is currently no evidence of unauthorized parties accessing sensitive information. It's not clear who was behind the attacks, but they come in the wake of Conti ransomware operators hitting Ireland's Department of Health and targeting a variety of US healthcare organizations.

(Bleeping Computer)

WhatsApp backtracks on privacy policy holdouts

WhatsApp said it now has no plans to limit functionality for users who don't accept its new privacy policy, and will instead send users who haven't opted in occasional pop-up reminders about the update, which WhatsApp says won't be obnoxious enough to make the app experience unusable. Previously, WhatsApp planned to progressively limit functionality, like losing access to your chat list, for users not opting in to the policy. WhatsApp has not changed the terms of its controversial new privacy policy, and this reversal does not prohibit the service from limiting functionality some time in the future.

(Engadget)

Thanks to our episode sponsor, ReversingLabs

Recent supply chain attacks and executive orders have left thousands scrambling for guidance. Join ReversingLabs as they take their exclusive supply chain roadshow to your local region virtually. Hear from app sec specialists and security execs as they discuss lessons learned and innovative approaches that will move your supply chain security and compliance program forward. For more information, visit reversinglabs.com.

Venmo friends lists can now be set to private 

The company now allows friends lists to be set to friends only or completely private; previously, friends lists were always public. This comes after BuzzFeed News documented how it was able to use public friends lists to find President Biden, the first lady, and members of their immediate family. This is not a new criticism of Venmo, with the EFF and Mozilla calling for a change in its privacy settings back in August 2019. It's unclear if friends lists will remain public by default for new users.

(BuzzFeed News)

Have I Been Pwned goes open source

Security researcher Troy Hunt announced that the popular breach database service is now open source, with its code hosted on GitHub. Hunt initially announced his intention to make the service's code open source in August 2020, and the non-profit .NET Foundation assisted in moving the site to an open source model. Hunt also announced that Have I Been Pwned will receive, from the US FBI, compromised passwords discovered during the bureau's investigations.

(Troy Hunt)

US NSA reportedly spied on European officials

This comes from a report by Danish public broadcaster Danmarks Radio. The report claims a 2015 review by the Danish Defence Intelligence Service found that from 2012 to 2014, the NSA used Danish information cables to spy on senior European officials in Sweden, Norway, France, and Germany, including German Chancellor Angela Merkel.

(Insider)

Unsubscribe email scams on the rise

A new email spam technique sends emails asking users to click through to subscribe to or unsubscribe from an unspecified or unfamiliar service. Scammers use these to build lists of verified email addresses that are being actively monitored, for further targeting. Clicking either link opens a new mail message addressed to a variety of email addresses under the spammer's control. Bleeping Computer confirmed in testing that sending the unsubscribe email as directed results in an inbox quickly being bombarded with spam.

(Bleeping Computer)
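As an added illustration of the pattern in the unsubscribe story (this is example code written for this write-up, not Bleeping Computer's test or any vendor's filter), the following Python flags subscribe/unsubscribe links in an HTML email body that are mailto: links addressed to several recipients at once; the sample message and the example.invalid addresses are constructed, and the recipient threshold is an assumed heuristic.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample HTML body in the style of the scam described above (not a real message).
SAMPLE_HTML = """<p>Do you want to keep receiving these offers?</p>
<a href="mailto:a1@example.invalid,a2@example.invalid?subject=SUBSCRIBE">Subscribe</a>
<a href="mailto:u1@example.invalid,u2@example.invalid,u3@example.invalid?bcc=u4@example.invalid">Unsubscribe</a>
<a href="https://example.invalid/prefs">Manage preferences</a>"""

KEYWORDS = ("subscribe", "opt out", "opt-out")  # "unsubscribe" also contains "subscribe"

class _LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mailto_recipients(href):
    """Return every address a mailto: link would send to (To list plus cc/bcc params)."""
    if not href.lower().startswith("mailto:"):
        return []
    to_part, _, query = href[len("mailto:"):].partition("?")
    rcpts = unquote(to_part).split(",")
    for param in query.split("&"):
        key, _, val = param.partition("=")
        if key.lower() in ("cc", "bcc"):
            rcpts += unquote(val).split(",")
    return [r.strip() for r in rcpts if r.strip()]

def flag_unsubscribe_bait(html, max_recipients=1):
    """Return (un)subscribe links that would mail more than max_recipients addresses (assumed threshold)."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        rcpts = mailto_recipients(href)
        if len(rcpts) > max_recipients and any(k in text.lower() for k in KEYWORDS):
            flagged.append({"text": text, "recipients": rcpts})
    return flagged
```

A legitimate list-unsubscribe mailto: link normally names a single address, so only links that fan out to several addresses are reported; the returned recipients can be logged for blocklisting.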