This Week's [in]Security - Issue 235

Welcome to This Week’s [in]Security. PCI and payments: Remote Assessment, PA-DSS/SSF transition. CPE Maintenance, P2PE v3.1, PIN Program, Technical FAQ, DSS FAQ, Neiman Marcus card breach, ApplePay/Visa Express Travel vulnerability. New breaches: Meet the Pandora Papers (Remember the Panama Papers?) , Linkedin Scrape (126M), Barclays, Portpass & Sask QR vaccine apps, GrupoGSS. Mult-party breach impact, New Ransomware: Human-operated ransomware. Follow-ups & Fall-out: Fatal ransomware, Clubhouse, Facebook data collection (3.8B), Dallas Police, Epik. Privacy: android location tracking, pandemic privacy. Laws & Regs: Canada: vaccine passports. US: 4th amendment. World: Russia. Standards: NIST updates, drafts, papers, news. Defense: Webinars, Webinars. CISA. Tools, email, DMARC, TLS 1.3, Tokenization vs. Encryption, Tracking crypto, scambaiting. Vulnerabilities, Zerodays: Other Vulnerabilities: 5G apps, after patching, OWASP 2021, AirTags, Azure, MS MFA, Elastic Stack API, Autodiscover, vCenter. University Wi-Fi, Bitcoin ATMs, Cybercrime: Trends: OTP bots, Fake Pegasus defense, GriftHorse SMS fraud, FinSpy, FoggyWeb. Nation States. Crime: Other Risks: Domain Names, Outsourced, Misinformation, Lying AI, Bulletproof TLS, Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Impact; Covid Ugly; And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• New/Updated Standards:

  • Just published: Remote assessment guidance https://blog.pcisecuritystandards.org/new-guidelines-on-remote-assessments
  • PCI SSC Remote Assessment Guidelines and Procedures https://www.pcisecuritystandards.org/documents/PCI-SSC-Remote-Assessment-Guidelines-Procedures-v1_0.pdf
  • Transitioning from PA-DSS to the PCI Software Security Framework https://www.pcisecuritystandards.org/documents/Transitioning_from_PA-DSS_to_SSF_Resource_Guide.pdf
  • PCI SSC CPE Maintenance Guide v5.1 https://www.pcisecuritystandards.org/documents/PCI_SSC_CPE_Maintenance_Guide_v5.1.pdf
  • Just Published: P2PE v3.1 https://blog.pcisecuritystandards.org/just-published-p2pe-v3-1
  • Industry Feedback Drives Updates to PCI P2PE Standard https://www.pcisecuritystandards.org/about_us/press_releases/pr_09302021
  • P2PE 3.1 Changes https://www.pcisecuritystandards.org/documents/PCI-P2PE-v3_1-Summary-of-Changes.pdf
  • P2PE 3.1 Standard https://www.pcisecuritystandards.org/documents/PCI-P2PE-v3_1-Standard.pdf
  • Solution P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-SOL-ROV-Template_v3_1.pdf
  • Application P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-APP_ROV-Template_v3_1.pdf
  • Encryption Management Services P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-EMS-ROV-Template_v3_1.pdf
  • Decryption Management Services P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-DMS_ROV-Template_v3_1.pdf
  • Key Management Services P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-KMS-ROV-Template_v3_1.pdf
  • Merchant-Managed Solution P-ROV Template https://www.pcisecuritystandards.org/documents/PCI-P2PE-MMS-ROV-Template_v3_1.pdf
  • QPA Program Guide v1.1 https://www.pcisecuritystandards.org/documents/QPA_Program_Guide__v1.1.pdf
  • QPA Qualification Requirements https://www.pcisecuritystandards.org/documents/QPA_Qualification_Requirements__v1.1.pdf
  • PTS PIN Technical FAQs (mandatory) https://www.pcisecuritystandards.org/documents/PTS_PIN_Technical_FAQs_v3_Sept_2021.pdf

• New/Updated FAQs:

  • FAQ #1117 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-truncated-Primary-Account-Numbers-PAN-required-to-be-protected-in-accordance-with-PCI-DSS
  • FAQ #1146 https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-is-the-difference-between-masking-and-truncation
• Neiman Marcus discloses May, 2020 incident that impacted 4.6 million customers https://www.databreaches.net/neiman-marcus-discloses-may-2020-incident-that-impacted-4-6-million-customers/
• 3.1M Neiman Marcus Customer Card Details Breached https://threatpost.com/neiman-marcus-customers-breach/175284/
• Neiman Marcus Confirms Payment Cards Compromised in Data Breach https://www.securityweek.com/neiman-marcus-confirms-payment-cards-compromised-data-breach
• Security experts urge iPhone users to remove Visa as a transport card via Apple Pay due to pay without unlock man-in-the-middle attack https://www.independent.co.uk/life-style/gadgets-and-tech/apple-pay-iphone-visa-security-b1929748.html

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • Pandora Papers: King of Jordan amassed £70m secret property empire https://www.bbc.co.uk/news/world-58781350
  • LinkedInScrape - 125,698,496 breached accounts https://haveibeenpwned.com/PwnedWebsites#LinkedInScrape
  • Barclays Hacked by Cyberthieves Using Monzo Account, PISP https://www.pymnts.com/news/security-and-risk/2021/barclays-hacked-cyberthieves-monzo-account-pisp/

• Portpass app may have exposed hundreds of thousands of users' personal data https://www.cbc.ca/news/canada/calgary/portpass-privacy-breach-1.6191749

  • Saskatchewan deletes vaccine QR codes while privacy glitch gets fixed https://www.cbc.ca/news/canada/saskatchewan/saskatchewan-removing-qr-codes-privacy-breach-1.6189482
  • GrupoGSS data appears on the internet after what appeared to be a ransom agreement …. went nowhere? https://www.databreaches.net/grupogss-data-appears-on-the-internet-after-what-appeared-to-be-a-ransom-agreement-went-nowhere/
  • A multi-party data breach creates 26x the financial damage of single-party breach https://www.databreaches.net/a-multi-party-data-breach-creates-26x-the-financial-damage-of-single-party-breach/

• New Ransomware and "Incidents":

  • Human-operated ransomware and why it is different than commodity ransomware https://docs.microsoft.com/en-ca/security/compass/human-operated-ransomware
  • A guide to combatting human-operated ransomware: Part 2 https://www.microsoft.com/security/blog/2021/09/27/a-guide-to-combatting-human-operated-ransomware-part-2/
  • Colossus Ransomware Hits Automotive Company in the U.S. https://www.securityweek.com/colossus-ransomware-hits-automotive-company-us
  • Trucking giant Forward Air reports ransomware data breach https://www.bleepingcomputer.com/news/security/trucking-giant-forward-air-reports-ransomware-data-breach/
  • Sandhills online machinery markets shut down by ransomware attack https://www.bleepingcomputer.com/news/security/sandhills-online-machinery-markets-shut-down-by-ransomware-attack/

• Follow-ups and fall-out:

  • A Death Due to Ransomware https://www.schneier.com/blog/archives/2021/10/a-death-due-to-ransomware.html
  • 3.8 Billion Users' Combined Clubhouse, Facebook Data Up for Sale https://threatpost.com/clubhouse-facebook-data-sale/175023/
  • City of Dallas calls IT protocols ‘inadequate' in 131-page report on police data loss https://www.databreaches.net/city-of-dallas-calls-it-protocols-inadequate-in-131-page-report-on-police-data-loss/
  • Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik https://www.theregister.com/2021/09/30/anonymous_second_epik_dump/

Privacy

Articles about privacy related news, risks, and trends.

• Android users' location tracked by ‘snooping beacon' technology in apps - despite it being banned by Google https://www.independent.co.uk/life-style/gadgets-and-tech/android-apps-snooping-xmode-sdk-location-google-ban-b1930637.html
• Pandemic Privacy Explained https://citizenlab.ca/2021/09/pandemic-privacy-explained/
• Experts Slam Social Media Platforms' Data Policies https://www.databreachtoday.com/experts-slam-social-media-platforms-data-policies-a-17635
• Citizen Lab September Newsletter https://mailchi.mp/citizenlab.ca/ronald-deibert-wins-shaughnessy-cohen-prize-apple-issues-update-security-update-and-lgbtiq-censorship

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:

  • The Law Bytes Podcast, Episode 102: Colleen Flood on the Legal, Ethical and Policy Implications of Vaccine Passports https://www.michaelgeist.ca/2021/09/law-bytes-podcast-episode-102/
  • Ontario human rights watchdog says anti-vaxxers don't deserve special treatment https://www.blogto.com/city/2021/09/ontario-human-rights-watchdog-anti-vaxxers-dont-deserve-special-accomodations/
  • ‘Fatally flawed' legal challenge to Saskatchewan proof-of-vaccine mandate struck down in court https://globalnews.ca/news/8237794/legal-challenge-saskatchewan-proof-of-vaccine-mandate-struck-down-court/

• US:

  • In U.S. v Wilson, the Ninth Circuit Reaffirms Fourth Amendment Protection for Electronic Communications https://www.eff.org/deeplinks/2021/09/us-v-wilson-ninth-circuit-reaffirms-fourth-amendment-protection-electronic
  • California Extends Telehealth Privacy, Security Waivers https://www.databreachtoday.com/california-extends-telehealth-privacy-security-waivers-a-17656
  • Tesla sued by Texas cops after a Model X on Autopilot slammed into five officers https://www.theverge.com/2021/9/28/22698388/tesla-texas-lawsuit-cops-autopilot-crash-injury

• World:

  • Russia threatens YouTube ban for deleting RT channels https://www.bbc.co.uk/news/technology-58737433

• Standards News:

  • 2020 Cybersecurity and Privacy Program Annual Report https://csrc.nist.gov/publications/detail/sp/800-214/final
  • Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide | NIST SP 1271 https://csrc.nist.gov/publications/detail/sp/1271/final
  • New Online Tool to Improve Stakeholder Engagement with Security and Privacy Controls https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/public-comments#!/home
  • White Paper | Benefits of an Updated Mapping Between the NIST CSF and NERC Critical Infrastructure Protection Standards https://csrc.nist.gov/publications/detail/white-paper/2021/09/29/updated-mapping-between-nist-csf-and-nerc-cip-standards/final
  • Draft Secure Software Development Framework (SSDF) Version 1.1 open for comment until https://csrc.nist.gov/publications/detail/sp/800-218/draft
  • Draft SP 800-204C Implementation of DevSecOps for a Microservices-based Application with Service Mesh is open for comment until November 1 https://csrc.nist.gov/publications/detail/sp/800-204c/draft
  • NICE News: Fall 2021 Quarterly eNewsletter https://content.govdelivery.com/accounts/USNIST/bulletins/2f4bec6

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Upcoming Webinars, Virtual Events, and other training related:

  • NICE Webinar: Digital Citizenship- Safety and Security for an Online World October 20, 2020 | 2:00-3:00 PM EDT https://www.nist.gov/news-events/events/2021/10/nice-webinar-digital-citizenship-safety-and-security-online-world
• CISA and Girls Who Code Partner to Create Career Pathways for Young Women https://www.darkreading.com/careers-and-people/cisa-and-girls-who-code-partner-to-create-career-pathways-for-young-women
• CISA releases tool to help orgs fend off insider threat risks https://www.bleepingcomputer.com/news/security/cisa-releases-tool-to-help-orgs-fend-off-insider-threat-risks/
• Hardening Your VPN https://www.schneier.com/blog/archives/2021/09/hardening-your-vpn.html
• Security does not end with Implementing Controls https://blog.isc2.org/isc2_blog/2021/09/security-does-not-end-with-implementing-controls.html
• Android, Java bug bunting tool Mariana Trench goes open source https://www.zdnet.com/article/android-java-bug-bunting-tool-mariana-trench-becomes-open-source
• ImmuniWeb Launches Free Tool for Identifying Unprotected Cloud Storage https://www.securityweek.com/immuniweb-launches-free-tool-identifying-unprotected-cloud-storage
• Introducing the Secure Open Source Pilot Program https://security.googleblog.com/2021/10/introducing-secure-open-source-pilot.html
• Cloudflare Is Taking a Shot at Email Security https://www.wired.com/story/cloudflare-taking-a-shot-at-email-security
• New Microsoft Exchange service mitigates high-risk bugs automatically https://www.bleepingcomputer.com/news/microsoft/new-microsoft-exchange-service-mitigates-high-risk-bugs-automatically/
• How Does DMARC Prevent Phishing? https://thehackernews.com/2021/09/how-does-dmarc-prevent-phishing.html
• TLS 1.3 and SSL - the current state of affairs, (Tue, Sep 28th) https://isc.sans.edu/diary/rss/27882
• Tokenization vs. Encryption for Data Protection Compliance https://www.securityweek.com/tokenization-vs-encryption-data-protection-compliance
• Tracking Stolen Cryptocurrencies https://www.schneier.com/blog/archives/2021/09/tracking-stolen-cryptocurrencies.html
• How to Find 'Stalkerware' on Your Devices https://www.nytimes.com/2021/09/29/technology/personaltech/stalkerware-apps-protection.html
• Who scams the scammers? Meet the scambaiters https://www.theguardian.com/technology/2021/oct/03/who-scams-the-scammers-meet-the-amateur-scambaiters-taking-on-the-crooks
• How to Spot an Ineffective Security Practitioner https://www.securityweek.com/how-spot-ineffective-security-practitioner

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Zero-day news:

  • Chrome 94 Update Patches Actively Exploited Zero-Day Vulnerability https://www.securityweek.com/chrome-94-update-patches-actively-exploited-zero-day-vulnerability
  • Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome https://www.securityweek.com/google-patches-two-more-exploited-zero-day-vulnerabilities-chrome

• Other Vulnerabilities:

  • 95% of Smartphone Apps are Not Secure on 5G Networks, Security Pros Say https://www.pymnts.com/news/security-and-risk/2021/95-percent-smartphone-apps-are-not-secure-5g-networks/
  • 50% of Servers Have Weak Security Long After Patches Are Released https://www.darkreading.com/vulnerabilities-threats/50-of-servers-have-weak-security-long-after-patches-are-released
  • OWASP Ten-10 2021 shuffle and new risk (Insecure Design, Software and Data Integrity failures, Server Side Request Forgery) https://owasp.org/Top10/
  • Why Should I Care About HTTP Request Smuggling? https://www.darkreading.com/edge-ask-the-experts/why-should-i-care-about-http-request-smuggling-
  • Apple AirTag Bug Enables ‘Good Samaritan’ Attack (beware scanning lost tags) https://krebsonsecurity.com/2021/09/apple-airtag-bug-enables-good-samaritan-attack/
  • New Azure AD Bug Lets Hackers Brute-Force Passwords Without Getting Caught https://thehackernews.com/2021/09/new-azure-ad-bug-lets-hackers-brute.html
  • PoC exploit released for Azure AD brute-force bug—here's what to do https://arstechnica.com/information-technology/2021/09/poc-exploit-released-for-azure-ad-brute-force-bug-heres-what-to-do/
  • Microsoft 365 multi-factor authentication issue blocks logins https://www.bleepingcomputer.com/news/microsoft/microsoft-365-multi-factor-authentication-issue-blocks-logins/
  • CISA Warns of Hikvision Camera Flaw as U.S. Aims to Rid Chinese Gear From Networks https://www.securityweek.com/cisa-warns-hikvision-camera-flaw-us-aims-rid-chinese-gear-networks
  • QNAP fixes critical bugs in QVR video surveillance solution https://www.bleepingcomputer.com/news/security/qnap-fixes-critical-bugs-in-qvr-video-surveillance-solution/
  • Salt Security Finds Widespread Elastic Stack API Security Vulnerability that Exposes Customer and System Data https://www.darkreading.com/application-security/salt-security-finds-widespread-elastic-stack-api-security-vulnerability-that-exposes-customer-and-system-data
  • Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years https://www.theregister.com/2021/09/27/microsoft_exchange_autodiscover/
  • CISA: Wide Exploitation of New VMware vCenter Server Flaw Likely https://www.darkreading.com/vulnerabilities-threats/cisa-says-wide-exploitation-likely-of-new-vmware-center-server-flaw
  • Working exploit released for VMware vCenter CVE-2021-22005 bug https://www.bleepingcomputer.com/news/security/working-exploit-released-for-vmware-vcenter-cve-2021-22005-bug/
  • Thousands of University Wi-Fi Networks Expose Log-In Credentials https://threatpost.com/misconfiguration-university-wifi-login-credentials/175157/
  • The US network of bitcoin ATMs is vulnerable to hacks, according to crypto exchange Kraken https://markets.businessinsider.com/news/currencies/bitcoin-atms-hacks-crypto-vulnerable-exchange-kraken-report-2021-9
• In-depth Analysis of Side-Channel Countermeasures for CRYSTALS-Kyber Message Encoding on ARM Cortex-M4 https://eprint.iacr.org/2021/1307
• Towards Quantum Large-Scale Password Guessing on Real-World Distributions https://eprint.iacr.org/2021/1299

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):

  • The Rise of One-Time Password Interception Bots https://krebsonsecurity.com/2021/09/the-rise-of-one-time-password-interception-bots/
  • Beware of Fake Amnesty International Antivirus for Pegasus that Hacks PCs with Malware https://thehackernews.com/2021/10/beware-of-fake-amnesty-international.html
  • Hundreds of scam apps hit over 10 million Android devices https://arstechnica.com/gadgets/2021/10/hundreds-of-scam-apps-hit-over-10-million-android-devices/
  • FinSpy surveillance malware is now spreading through UEFI bootkits https://www.zdnet.com/article/finspy-surveillance-malware-is-now-spreading-through-uefi-bootkits
  • Microsoft Warns of FoggyWeb Malware Targeting Active Directory FS Servers https://thehackernews.com/2021/09/microsoft-warns-of-foggyweb-malware.html
  • Shades of SolarWinds Attack Malware Found in New 'Tomiris' Backdoor https://www.darkreading.com/vulnerabilities-threats/shades-of-solarwinds-attack-malware-found-in-new-tomiris-backdoor
  • SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor https://threatpost.com/solarwinds-active-directory-servers-foggyweb-backdoor/175056/
  • Atlassian Confluence RCE Flaw Abused in Multiple Cyberattack Campaigns https://thehackernews.com/2021/09/atlassian-confluence-rce-flaw-abused-in.html
  • Hackers Targeting Brazil's PIX Payment System to Drain Users' Bank Accounts https://thehackernews.com/2021/09/hackers-targeting-brazils-pix-payment.html
  • Hydra malware targets customers of Germany's second largest bank https://www.bleepingcomputer.com/news/security/hydra-malware-targets-customers-of-germanys-second-largest-bank/
  • Credential Spear-Phishing Uses Spoofed Zix Encrypted Email https://threatpost.com/credential-spear-phishing-uses-spoofed-zix-encrypted-email/175044/
  • Crypto Bug Uncovers 'WannaCry 2.0' Clues https://www.databreachtoday.com/interviews/crypto-bug-uncovers-wannacry-20-clues-i-4969
  • Flubot Android malware now spreads via fake security updates https://www.bleepingcomputer.com/news/security/flubot-android-malware-now-spreads-via-fake-security-updates/

• Nation State Actors:

  • Russian Turla APT Group Deploying New Backdoor on Targeted Systems https://thehackernews.com/2021/09/russian-turla-apt-group-deploying-new.html
  • EU: Russia Behind ‘Ghostwriter' Campaign Targeting Germany https://threatpost.com/eu-russia-ghostwriter-germany/175025/
  • Chinese Hackers Used a New Rootkit to Spy on Targeted Windows 10 Users https://thehackernews.com/2021/10/chinese-hackers-used-new-rootkit-to-spy.html
  • How nation-state attackers like NOBELIUM are changing cybersecurity https://www.microsoft.com/security/blog/2021/09/28/how-nation-state-attackers-like-nobelium-are-changing-cybersecurity/
  • New APT ChamelGang Targets Russian Energy, Aviation Orgs https://threatpost.com/apt-chamelgang-targets-russian-energy-aviation/175272/

• Crime & Arrests, etc.:

  • The growing problem of ‘swatting' and why experts say it's a dangerous trend https://globalnews.ca/news/8239097/swatting-growing-problem-experts/
  • Russia arrests cybersecurity expert on treason charge https://arstechnica.com/information-technology/2021/09/russia-arrests-cybersecurity-expert-on-treason-charge/
  • U.S. Extradites Convicted Russian Hacker Aleksei Burkov To Russia https://www.databreaches.net/u-s-extradites-convicted-russian-hacker-aleksei-burkov-to-russia/
  • Ethereum dev admits to helping North Korea evade crypto sanctions https://www.bleepingcomputer.com/news/security/ethereum-dev-admits-to-helping-north-korea-evade-crypto-sanctions/
  • How Google Geofence Warrants Helped Catch Capitol Rioters https://www.wired.com/story/capitol-riot-google-geofence-warrant
  • Ukraine takes down call centers behind cryptocurrency investor scams https://www.bleepingcomputer.com/news/security/ukraine-takes-down-call-centers-behind-cryptocurrency-investor-scams/
  • Toronto police make arrests after $1M stolen from company that refills ATMs https://globalnews.ca/news/8227215/toronto-arrests-atm-stolen-money-project-heavy-bag/
  • US Extradites CardPlanet Operator Back to Russia https://www.darkreading.com/threat-intelligence/us-extradites-cardplanet-operator-back-to-russia

Other Security / Risk

Articles covering other types of risks.

• Most Large Enterprises Fail to Protect Their Domain Names https://www.darkreading.com/cloud/large-enterprises-fail-to-implement-domain-protection-measures
• Outsourced Software Poses Greater Risks to Enterprise Application Security https://www.darkreading.com/edge-threat-monitor/outsourced-software-pose-greater-risks-to-enterprise-application-security
• Misinformation Is About to Get So Much Worse https://www.theatlantic.com/technology/archive/2021/09/eric-schmidt-artificial-intelligence-misinformation/620218/
• The truth about artificial intelligence? It isn't that honest | John Naughton https://www.theguardian.com/commentisfree/2021/oct/02/the-truth-about-artificial-intelligence-it-isnt-that-honest
• Bulletproof TLS Newsletter #81: HTTPS Everywhere plug-in no longer needed, Let’s Encrypt root cert expiry, various vulns, MitM phishing https://www.feistyduck.com/bulletproof-tls-newsletter/issue_81_with_https_everywhere_there_is_no_longer_any_need_for_the_https_everywhere_plug-in
• Remember when beta testing was free? https://www.theverge.com/22700064/amazon-astro-google-chromebook-beta-test
• German IT Security Watchdog Examines Xiaomi Phone https://packetstormsecurity.com/news/view/32676/German-IT-Security-Watchdog-Examines-Xiaomi-Phone.html
• Huawei Case Raises Fears of 'Hostage Diplomacy' by China https://www.nytimes.com/2021/09/28/us/politics/huawei-meng-wanzhou-hostage-diplomacy-china.html
• Australia: Crocodile sinks his teeth into a flying drone https://www.bbc.co.uk/news/world-58773120
• Crypto platform mistakenly gives $90M to users, asks for refund https://www.bleepingcomputer.com/news/security/crypto-platform-mistakenly-gives-90m-to-users-asks-for-refund/
• Scalper bots are now targeting graphics card vendors https://www.zdnet.com/article/scalper-bots-are-now-targeting-graphics-card-vendors
• Quantum computing hits the desktop, no cryo-cooling required (5 qubits - novel no threat to cryptography) https://newatlas.com/quantum-computing/quantum-computing-desktop-room-temperature/
• Understanding neuromorphic computing, and why Intel's excited about it https://arstechnica.com/science/2021/09/understanding-neuromorphic-computing-and-why-intels-excited-about-it/
• Can an Average Passenger Actually Be Talked Through Landing a Plane in an Emergency? https://www.mentalfloss.com/article/650464/can-passenger-be-talked-through-landing-plane-emergency
• Famous Viking Map of North America Turns Out to Be an Epic Loki-Worthy Deception https://www.sciencealert.com/one-of-the-most-famous-viking-maps-of-north-america-has-turned-out-to-be-a-fake

• Health, Safety & Environment:

  • 7 Everyday American Food Additives Banned in Other Countries https://www.mentalfloss.com/article/650663/american-food-additives-banned-other-countries
  • Scientists discover 14 genes that cause obesity https://scienmag.com/scientists-discover-14-genes-that-cause-obesity/
  • More effective treatment of Alzheimer's https://scienmag.com/more-effective-treatment-of-alzheimers/
  • 'This is brilliant': Material that kills 99.9 per cent of germs to be installed on the TTC https://toronto.ctvnews.ca/this-is-brilliant-material-that-kills-99-9-per-cent-of-germs-to-be-installed-on-the-ttc-1.5604819
  • This Tiny 'Vaccine Patch' Could Prompt Stronger Immune Response Than a Needle https://www.sciencealert.com/this-tiny-vaccine-patch-could-prompt-stronger-immune-responses-than-a-needle
  • YouTube to remove all anti-vaccine misinformation https://www.bbc.co.uk/news/technology-58743252
  • Uncontrollable vomiting due to marijuana use on rise, study finds https://www.cnn.com/2021/09/17/health/marijuana-vomiting-wellness/index.html
  • UK public told to challenge police after woman's murder https://www.bbc.co.uk/news/uk-58757375
  • Whistler woman handed $60,000 in fines for regularly feeding bears https://globalnews.ca/news/8237883/whistler-woman-handed-60000-in-fines-for-regularly-feeding-bears/
  • 8 of the Biggest Tsunamis in History https://www.mentalfloss.com/article/650662/biggest-tsunamis-in-history
  • Mitigating carbon may have unintended consequences https://scienmag.com/mitigating-carbon-may-have-unintended-consequences/
  • Human behavior sabotages CO2-reducing strategies https://scienmag.com/human-behavior-sabotages-co2-reducing-strategies/
  • How Climate Change Helped Fires Cross the Sierra Nevada for the First Time https://www.scientificamerican.com/article/how-climate-change-helped-fires-cross-the-sierra-nevada-for-the-first-time/
  • How many climate disasters will today's children face? Scientists release estimate https://www.cbc.ca/news/science/children-climate-change-1.6191898
  • Nearly 24 Species of Wildlife Are About to Be Declared Extinct https://www.mentalfloss.com/article/650759/animal-species-declared-extinct
  • No regulation of plastic ending up in Great Lakes https://www.cbc.ca/news/thenational/no-regulation-of-plastic-ending-up-in-great-lakes-1.6195955

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, reinfection, and variant strains:

  • U.S. reaches 700,000 deaths from COVID-19 as Delta variant hits unvaccinated https://globalnews.ca/news/8238218/us-covid-19-deaths-700k/
  • Science table says Ontario's 4th wave has ‘flattened,' releases ‘wide range' of case projections https://globalnews.ca/news/8227118/ontario-covid-modelling-projections-fall-2021/
  • Ontario reports fewer than 500 new COVID-19 cases for 2nd straight day https://globalnews.ca/news/8229701/ontario-covid-cases-september-29-coronavirus/

• Guidance, Response, and Recovery:

  • Ontario makes it mandatory for long-term care staff, volunteers to be fully vaccinated against COVID-19 by Nov. 15 https://toronto.ctvnews.ca/ontario-makes-it-mandatory-for-long-term-care-staff-volunteers-to-be-fully-vaccinated-against-covid-19-by-nov-15-1.5607655
  • Travellers to P.E.I. to be tested for COVID-19 at its borders starting Thursday https://globalnews.ca/news/8227858/pei-covid-19-border-testing-delta/
  • AGCO revokes liquor license of Kingston, Ont. restaurant for ignoring vaccine mandate https://globalnews.ca/news/8233529/covid-vaccine-proof-agco-liquor-license-kingston-restaurant/
  • Dalhousie urges homecoming partiers to not attend campus for a week https://globalnews.ca/news/8223249/dalhousie-homecoming-parties/
  • United Airlines to fire staff who refuse vaccine https://www.bbc.co.uk/news/business-58731340

• Treatments, Testing, Triage, Trials, and things we Learned:

  • Covid antiviral pill can halve risk of hospitalisation https://www.bbc.co.uk/news/health-58764440
  • Russia counting on COVID-19 antibody tests. Western experts say it's unwise https://globalnews.ca/news/8238505/russia-covid-antibody-tests/

• Immunity and Vaccinations:

  • Vaccinated and unvaccinated Canadians have very negative relationships: poll https://globalnews.ca/news/8223316/vaccinated-unvaccinated-canadians-negative-relationships-poll/
  • Israel adds COVID-19 booster shot requirement to its vaccine passport https://globalnews.ca/news/8239533/israel-covid-green-pass-booster-shot/

• Impact:

  • 37% of COVID-19 patients show at least one long-term symptom, study finds https://globalnews.ca/news/8230037/long-term-symptom-covid-19-patients-study/
  • Health-care capacity has cost Canada economically amid pandemic: report https://globalnews.ca/news/8237837/canada-health-care-capacity-covid-19/

• More of the good, the bad, and the ugly:

  • Englehart, Ont., doctor sanctioned for 'disgraceful' conduct related to COVID-19 https://northernontario.ctvnews.ca/englehart-ont-doctor-sanctioned-for-disgraceful-conduct-related-to-covid-19-1.5603594
  • Network of Right-Wing Health Care Providers Is Making Millions Off Hydroxychloroquine and Ivermectin, Hacked Data Reveals https://theintercept.com/2021/09/28/covid-telehealth-hydroxychloroquine-ivermectin-hacked/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• The 20 Scariest Movies Ever Made, According to Science https://www.mentalfloss.com/article/650758/scariest-movies-ever-made
• You can now buy a keyboard that only copies and pastes https://www.theverge.com/2021/9/29/22700522/stack-overflow-macropad-mechanical-keyboard-specs
• HMCS Harry DeWolf docks in North Vancouver between ‘historic' sails https://globalnews.ca/news/8237825/hmcs-harry-dewolf-north-vancouver-historic-sail/
• Virgin Galactic allowed to resume flying SpaceShipTwo following investigation https://www.cbc.ca/news/world/virgin-galactic-spaceshiptwo-faa-probe-1.6194504
• SpaceX's Starlink satellites could be a stronger, more secure alternative to GPS, new research suggests https://www.independent.co.uk/life-style/gadgets-and-tech/spacex-starlink-satellites-gps-alternative-b1927778.html
• This is the Reactor That Could Make it Possible to Return From Mars https://www.universetoday.com/152722/this-is-the-reactor-that-could-make-it-possible-to-return-from-mars/
• A 19th-century artist's astronomical drawings are stunningly accurate. Compare them to NASA images today. https://www.businessinsider.com/19th-century-astronomy-drawings-match-nasa-images-today-2021-9
• Gigantic Comet Approaching From Outer Solar System May Be The Largest Ever Seen https://www.sciencealert.com/a-comet-inward-bound-from-the-outer-solar-system-could-be-the-largest-ever-recorded
• Rogue Planets Could be Habitable https://www.universetoday.com/152785/rogue-planets-could-be-habitable/
• There's a Binary Star System That May Explode in Your Lifetime https://www.sciencealert.com/there-s-a-binary-star-system-that-may-explode-in-your-lifetime