The argument over Apple and Google's plan to use Bluetooth to help with Covid-19 contact tracing escalated this week. But while plenty of societal and efficacy issues remain unresolved, we found answers to some of the trickier questions about the underlying tech. It's not perfect, but it protects your privacy better than you might think.
Meanwhile the Pentagon handles its cybersecurity training worse than you might think, ignoring or losing track of the majority of goals it set for itself in that area five years ago. Which might be a little less alarming were this not the Department of Defense we're talking about.
Also alarming: software bugs in the Snoo smart bassinet, now patched, that would have allowed a hacker to shake the bed harder than intended and blare a loud tone near a baby's head. The Happiest Baby Company, which makes the Snoo, insists that the attack was too difficult to pull off to constitute a real-life threat, and there's no indication that a hacker could have caused actual physical harm even if they were successful. Still, it's a reminder that you should think carefully before connecting any device to the internet, given that someone's invariably going to try to break in.
In other Covid-19 news, security researcher Trammell Hudson figured out how to jailbreak a relatively affordable AirSense 10 CPAP machine to act as an emergency ventilator. People shouldn't try to do this themselves, but Hudson hopes the company behind the device will release its own firmware update to the same effect. In the meantime, medical professionals can evaluate the jailbroken devices for themselves to see if they fit their needs.
And if you want to see if your internet service provider is doing the bare minimum to prevent BGP routing errors—an all too common internet scourge—Cloudflare has created a site that lets you do just that. (Spoiler: It probably isn't.)
And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there.
San Francisco International Airport employee websites were hacked in March. New research from security firm ESET shows links between that attack and Russia's "Energetic Bear" hacking group, one of that country's most active teams. While they've typically targeted critical infrastructure, Energetic Bear has focused on aviation in the past, and generally casts a wide net. They appear to have been trying to obtain the Windows log-in credentials of visitors to SFOConnect.com and SFOConstruction.com. Airport officials forced a password reset, and encouraged any third-party visitors to those sites to do so as well.
As part of Microsoft's regular Patch Tuesday release, the company fixed three Windows zero-day vulnerabilities that hackers were actively exploiting. Microsoft didn't give any details about who was using those flaws or how, but did credit Google's Threat Analysis Group with the find. Your home PC almost certainly has auto-updates turned on, but enterprise set-ups need to hustle to put in the fix.
Dutch law enforcement often punches well above its weight in cybersecurity, and this week was no exception. Authorities in the country announced that they had taken down 15 DDoS-for-hire services last week, and arrested one alleged DDoS operator. Don't mess with the Dutch! At least not online.
We've been warning about coronavirus phishing scams since January, but unsurprisingly the problem has only gotten worse. This week, Google released some details about the extent to which Covid-19 spam and phishing have flooded Gmail, and the numbers are perversely impressive. Of the 100 million phishing emails that route through Google's email system every day, 18 million are coronavirus or Covid-19 related. That kind of scale is close to unprecedented, and with the virus continuing its spread—and government stimulus checks offering a fresh phishing opportunity—it seems unlikely to slow any time soon.