This Week's [in]Security - Issue 239

Welcome to This Week’s [in]Security. PCI and payments: PAX/WorldPay/FBI investigation, PCI updates, Mobile Wallets. Digital & Crypto. New breaches: Hotels, Locations, emails, Portpass, NRA. New Ransomware: Free Decryptors, key reuse, A/D, Conti, BlackMatter, SEO poisoning, REvil, TTC, Blue Shield. Major outages, Follow-ups & Fall-out. Privacy: smartglasses. Laws & Regs - Canada, US: Cell phone locations, Cybersecurity disclosures, Right to repair, Ransomware payoffs, National Security bans, Social Media hearings. World: Proton Mail, GDPR evasion, EU DSA, Online Harms. Standards: NSA/CISA 5G & Cloud. Security baseline. NVD API, NIST Supply Chains, Trusted cloud, Defense: Digital life, Attack Surface, Teams, SolarWinds, Twitter MFA, AWS. Vulnerabilities, Zerodays: Windows LPE, Chrome. Shrootless, Other Vulnerabilities: Hardware, Apache, Apple, Wordpress, XP's still around, Fuji, WinRaR, Trojan Source, War-driving. Cybercrime: Trends: NPM, Nation States. Crime. Other Risks: 2022, economy, Meta7FB, time. Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Immunity; Impact; Covid Ugly; And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• FBI Raids Chinese Point-of-Sale Giant PAX Technology https://krebsonsecurity.com/2021/10/fbi-raids-chinese-point-of-sale-giant-pax-technology/
• [UPDATE] POS Device Maker Pax Draws Scrutiny Following Allegations of ‘Strange Network Activity' https://www.digitaltransactions.net/pos-device-maker-pax-draws-scrutiny-following-allegations-of-strange-network-activity/
• FIS’s Worldpay Replaces PAX Terminals Over Security Concerns https://www.bloombergquint.com/amp/business/fis-s-worldpay-replacing-pax-terminals-over-security-concerns
• Why FBI probe of payment terminal maker PAX matters to banks https://www.americanbanker.com/news/why-fbi-probe-of-payment-terminal-maker-pax-matters-to-banks
• PCI Security Standards Council Hosts Global Payment Security Forum https://www.pcisecuritystandards.org/about_us/press_releases/pr_10282021
• PCI Updates:

• Are remote assessments permitted for PCI DSS? https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/Are-remote-assessments-permitted-for-PCI-DSS

  • What is a compliance-accepting entity? https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/What-is-a-compliance-accepting-entity
  • Who's In Your Wallet? Exploring Mobile Wallet Security https://www.darkreading.com/mobile/who-s-in-your-wallet-exploring-mobile-wallet-security
  • A New Report Shows Just How Many Consumers Have Adopted Digital Payments Since Covid https://www.digitaltransactions.net/a-new-report-shows-just-how-many-consumers-have-adopted-digital-payments-since-covid/
  • Mastercard to let US merchants and banks offer crypto services on its network https://www.independent.co.uk/life-style/gadgets-and-tech/mastercard-us-banks-crypto-services-b1945445.html

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • Hackers Claim 400GB of Data Stolen From Thai Hotel Chain https://www.databreachtoday.com/hackers-claim-400gb-data-stolen-from-thai-hotel-chain-a-17814
  • Location Data Collection Firm Admits Privacy Breach https://packetstormsecurity.com/news/view/32769/Location-Data-Collection-Firm-Admits-Privacy-Breach.html
  • CoinMarketCap: No Breach Despite 3.1M Email Address Leak https://www.databreachtoday.com/coinmarketcap-no-breach-despite-31m-email-address-leak-a-17789
  • Private proof-of-vaccine app Portpass continues to expose personal data even after relaunch and updates https://www.databreaches.net/private-proof-of-vaccine-app-portpass-continues-to-expose-personal-data-even-after-relaunch-and-updates/
  • Another law firm gets hit….. and yes, medical info was in its files https://www.databreaches.net/another-law-firm-gets-hit-and-yes-medical-info-was-in-its-files/
  • PHI Stolen in Practice Management Firm's Ransomware Attack https://www.databreachtoday.com/phi-stolen-in-practice-management-firms-ransomware-attack-a-17813
  • National Rifle Association hacked by Grief? https://www.databreaches.net/national-rifle-association-hacked-by-grief/
  • Healthcare System Phishing Breach Affects 209,000 https://www.databreachtoday.com/healthcare-system-phishing-breach-affects-209000-a-17824
  • Massachusetts Health Network Hacked; Patient Info Exposed https://www.securityweek.com/massachusetts-health-network-hacked-patient-info-exposed
  • Sensitive data of 400,000 German students exposed by API flaw https://www.bleepingcomputer.com/news/security/sensitive-data-of-400-000-german-students-exposed-by-api-flaw/

• New Ransomware and "Incidents":

  • Babuk ransomware decryptor released to recover files for free https://www.bleepingcomputer.com/news/security/babuk-ransomware-decryptor-released-to-recover-files-for-free/
  • Free decryptor released for Atom Silo and LockFile ransomware https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-atom-silo-and-lockfile-ransomware/
  • Decrypting Cobalt Strike Traffic With a "Leaked" Private Key, (Mon, Oct 25th) https://isc.sans.edu/diary/rss/27968
  • Recycled Cobalt Strike key pairs show many crooks are using same cloned installation https://www.theregister.com/2021/10/22/cobalt_strike_virustotal_key_discovery/
  • Changing Approaches to Preventing Ransomware Attacks https://www.securityweek.com/changing-approaches-preventing-ransomware-attacks
  • Active Directory is Now in the Ransomware Crosshairs https://www.tenable.com/blog/active-directory-is-now-in-the-ransomware-crosshairs
  • Conti Ransom Gang Starts Selling Access to Victims https://krebsonsecurity.com/2021/10/conti-ransom-gang-starts-selling-access-to-victims/
  • Ransomware criminals have feelings too: BlackMatter abuse caused crims to shut down negotiation portal https://www.theregister.com/2021/10/25/blackmatter_portal_emsisoft/
  • Ransomware gangs use SEO poisoning to infect visitors https://www.bleepingcomputer.com/news/security/ransomware-gangs-use-seo-poisoning-to-infect-visitors/
  • FBI Publishes Indicators of Compromise for Ranzy Locker Ransomware https://www.securityweek.com/fbi-publishes-indicators-compromise-ranzy-locker-ransomware
  • GCHQ director outlines plan to 'go after' links between ransomware crims and state actors https://www.theregister.com/2021/10/26/gchq_ransomware_plan/
  • REvil's Cybercrime Reputation in Tatters - Will It Reboot? https://www.databreachtoday.com/revils-cybercrime-reputation-in-tatters-will-reboot-a-17802
  • Will the REvil Story Finally be Over? https://www.databreaches.net/will-the-revil-story-finally-be-over/
  • Chaos ransomware targets gamers via fake Minecraft alt lists https://www.bleepingcomputer.com/news/security/chaos-ransomware-targets-gamers-via-fake-minecraft-alt-lists/
  • Some TTC communication services continue to be down after ransomware attack https://toronto.ctvnews.ca/some-ttc-communication-services-continue-to-be-down-after-ransomware-attack-1.5645275
  • TTC investigating ransomware attack that compromised multiple servers https://toronto.ctvnews.ca/ttc-investigating-ransomware-attack-that-compromised-multiple-servers-1.5644946
  • TTC says investigation underway amid ransomware attack https://globalnews.ca/news/8337090/ttc-ransomware-attack/
  • Blue Shield of California insurance broker victim of ransomware attack https://www.databreaches.net/blue-shield-of-california-insurance-broker-victim-of-ransomware-attack/
  • Gas Stations in Iran Downed by Cyberattack https://www.darkreading.com/attacks-breaches/gas-stations-in-iran-downed-by-cyberattack-reports
  • Ransomware Attack Hits PNG Finance Ministry https://www.securityweek.com/ransomware-attack-hits-png-finance-ministry
  • TN: Professional Healthcare Management discloses ransomware incident https://www.databreaches.net/tn-professional-healthcare-management-discloses-ransomware-incident/

• Major outages/downs:

  • Sudan woke up without Internet https://blog.cloudflare.com/sudan-woke-up-without-internet/
  • South Korean telco KT suffers nationwide outage after routing error https://www.bleepingcomputer.com/news/technology/south-korean-telco-kt-suffers-nationwide-outage-after-routing-error/
  • Voipfone DDoS Attacks Raise Specter of Protection Racket https://www.databreachtoday.com/voipfone-ddos-attacks-raise-specter-protection-racket-a-17805
  • Ransomware Has Disrupted Almost 1,000 Schools In The US This Year https://packetstormsecurity.com/news/view/32773/Ransomware-Has-Disrupted-Almost-1-000-Schools-In-The-US-This-Year.html

• Follow-ups and fall-out:

  • Customers Can Pursue Negligence Claims Directly Against Vendor (Blackbaud) https://www.databreaches.net/customers-can-pursue-negligence-claims-directly-against-vendor-blackbaud/
  • Data breach leads to £10k fine for Scottish charity https://www.databreaches.net/data-breach-leads-to-10k-fine-for-scottish-charity/
  • HIV Scotland fined £10,000 for BCC email blunder identifying names of virus-carriers' patient-advocates https://www.theregister.com/2021/10/25/hiv_scotland_email_fail/

Privacy

Articles about privacy related news, risks, and trends.

• Facebook's new smart glasses may be impressive, but they also raise serious privacy and security concerns https://www.businessinsider.com/facebooks-new-smart-glasses-raise-privacy-concerns-2021-10

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:

  • Ontario introduces legislation to ban non-compete clauses for employees https://www.theglobeandmail.com/canada/article-ontario-to-propose-ban-on-non-compete-clauses-for-employees/
  • Vendors who sold billions in goods to Canada lacked child labour policies: report https://globalnews.ca/news/8331706/child-labour-canada-supply-chain-vendors/
  • Court can't weigh in on Ontario unionized workers' challenge of hospital vax mandate: lawyer https://toronto.ctvnews.ca/court-can-t-weigh-in-on-ontario-unionized-workers-challenge-of-hospital-vax-mandate-lawyer-1.5642751
  • Lawsuit launched against Alberta Health Services over COVID-19 vaccine mandate https://globalnews.ca/news/8324781/lawsuit-alberta-health-services-vaccine-mandate/
  • Mike Ward: Comedian who mocked young disabled singer wins free speech case https://www.bbc.co.uk/news/world-us-canada-59015486

• US:

  • How the FBI Gets Location Information https://www.schneier.com/blog/archives/2021/10/how-the-fbi-gets-location-information.html
  • US State Department to Create Dedicated Cyber Office https://www.databreachtoday.com/us-state-department-to-create-dedicated-cyber-office-a-17807
  • The SEC is serious about cybersecurity and is preparing to fine companies that don’t properly disclose “risk factors” https://hbr.org/2021/09/the-sec-is-serious-about-cybersecurity-is-your-company
  • The US Copyright Office just struck a blow supporting the right to repair https://www.theverge.com/2021/10/27/22747310/us-copyright-office-dmca-section-1201-exemption-rulemaking-report
  • Lawmakers Could Bar Private Company Ransomware Payments https://www.pymnts.com/news/security-and-risk/2021/lawmakers-could-bar-private-company-ransomware-payments/
  • US revokes licence of top Chinese telecoms company https://www.bbc.co.uk/news/business-59055360
  • Justice determines breach of confidentiality of medical records https://www.databreaches.net/justice-determines-breach-of-confidentiality-of-medical-records/
  • Copyright Regulator Eases Restrictions on Research, Education, and Repair https://www.eff.org/deeplinks/2021/10/copyright-regulator-eases-restrictions-research-education-and-repair-0
  • EPIC, Coalition Urge FTC to Issue Rules Protecting Consumers Against Data Abuse and Discrimination https://epic.org/2021/10/epic-coalition-urge-ftc-to-iss.html
  • Social media giants YouTube, TikTok, Snap questioned at Senate hearing over kids' safety https://globalnews.ca/news/8325616/social-media-giants-youtube-tiktok-snap-senate-hearing-kids-safety/
  • The leaked Facebook whistleblower files have triggered an FTC probe into whether the tech giant violated a $5 billion privacy settlement, a report says https://www.businessinsider.com/ftc-probing-facebook-over-leaked-whistleblower-files-report-2021-10
  • Wikileaks: US begins legal appeal to extradite Assange https://www.bbc.co.uk/news/uk-59063976
  • With the vaccination deadline approaching, NYC's largest police union is suing for unvaccinated officers to continue working https://www.businessinsider.com/nyc-police-union-lawsuit-unvaccinated-officers-vaccination-deadline-2021-10
  • Mastodon puts Trump's social network on notice for improperly using its code https://www.theverge.com/2021/10/29/22752850/mastodon-trump-truth-social-network-open-source-gab-legal-notice

• World:

  • Protonmail celebrates Swiss court victory exempting it from telco data retention laws https://www.theregister.com/2021/10/27/protonmail_data_victory/
  • Data-breached Guntrader website calls in liquidators, is reborn as Guntrader 2 Ltd https://www.theregister.com/2021/10/29/guntrader_liquidators_order/
  • Europe's Digital Services Act: On a Collision Course With Human Rights https://www.eff.org/deeplinks/2021/10/europes-digital-services-act-collision-course-human-rights-0
  • Online harms don't need dangerous legislation, they need a spot of naval action https://www.theregister.com/2021/10/25/online_harms_dont_need_dangerous/
  • Facebook, Google, Twitter face grilling by U.K. lawmakers over online safety https://globalnews.ca/news/8331997/facebook-google-twitter-uk-online-safety/
  • Priti Patel pressed to explain award of spy agencies contract to Amazon https://www.theguardian.com/uk-news/2021/oct/26/amazon-web-services-aws-contract-data-mi5-mi6-gchq
  • Australia drafts Online Privacy Bill to bolster data security https://www.bleepingcomputer.com/news/security/australia-drafts-online-privacy-bill-to-bolster-data-security/

• Standards News:

  • NSA and CISA share guidance on securing 5G cloud infrastructure https://www.bleepingcomputer.com/news/security/nsa-and-cisa-share-guidance-on-securing-5g-cloud-infrastructure/
  • Tech Companies Create Security Baseline for Enterprise Software https://www.darkreading.com/application-security/tech-companies-create-security-baseline-for-enterprise-software
  • National Vulnerability Database (NVD) API Keys are NOW Available National Vulnerability Database (NVD) API Keys are NOW Available https://nvd.nist.gov/developers/request-an-api-key
  • 2nd public draft of NIST SP 800-161 Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations available for comment until December 3 https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/draft

• Hardware-Enabled Security and Trusted Cloud: Three draft Reports available for comment through December 6:

  • 2nd Draft NIST Internal Report (IR) 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases https://csrc.nist.gov/publications/detail/nistir/8320/draft
  • Draft NIST IR 8320B, Hardware-Enabled Security: Policy-Based Governance in Trusted Container Platforms https://csrc.nist.gov/publications/detail/nistir/8320b/draft
  • Draft NIST Special Publication (SP) 1800-19, Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments https://csrc.nist.gov/publications/detail/nistir/8320b/draft

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Securing your digital life, part one: The basics https://arstechnica.com/features/2021/10/securing-your-digital-life-part-1/
• Securing your digital life, part two: The bigger picture—and special circumstances https://arstechnica.com/information-technology/2021/10/securing-your-digital-life-part-2/
• How to Avoid Being Scammed by Fake Job Ads https://www.propublica.org/article/how-to-avoid-being-scammed-by-fake-job-ads#1140051
• Are Baby Boomers More Vulnerable Online Than Younger Generations? You Might Be Surprised https://www.darkreading.com/vulnerabilities-threats/are-baby-boomers-more-vulnerable-online-than-younger-generations-you-might-be-surprised
• Defending Against Open-Source Supply Chain Attacks https://www.databreachtoday.com/defending-against-open-source-supply-chain-attacks-a-17797
• Defending Assets You Don't Know About, Against Cyberattacks https://threatpost.com/defending-unknown-assets-cyberattacks/175730/
• Security does not end with Implementing Controls https://blog.isc2.org/isc2_blog/2021/10/security-does-not-end-with-implementing-controls.html
• The Need for Systems Thinking in Cybersecurity https://www.databreachtoday.com/need-for-systems-thinking-in-cybersecurity-a-17798
• Free Tool Helps Security Teams Measure Their API Attack Surface https://www.darkreading.com/dr-tech/free-tool-helps-security-teams-measure-their-api-attack-surface
• Microsoft Defender ATP adds live response for Linux and macOS https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-adds-live-response-for-linux-and-macos/
• Microsoft is force installing PC Health Check in Windows 10 https://www.bleepingcomputer.com/news/microsoft/microsoft-is-force-installing-pc-health-check-in-windows-10/
• Better late than never: Microsoft rolls out a public preview of E2EE in Teams calls https://www.theregister.com/2021/10/22/e2ee_teams_microsoft/
• Mozilla Firefox Blocks Malicious Add-Ons Installed by 455K Users https://threatpost.com/mozilla-firefox-blocks-malicious-add-ons-installed-by-455k-users/175745/
• Securing the proxy API for Firefox add-ons https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/
• SolarWinds Outlines 'Triple Build' Software Development Model to Secure Supply Chain https://www.securityweek.com/solarwinds-outlines-triple-build-software-development-model-secure-supply-chain
• Twitter employees required to use security keys after 2020 hack https://www.bleepingcomputer.com/news/security/twitter-employees-required-to-use-security-keys-after-2020-hack/
• Ultimate Guide to Leveraging AWS Security Hub and AWS Config to meet SOC 2 Requirements https://www.sans.org/blog/ultimate-guide-to-leveraging-aws-soc-2-requirements
• Pixel 6: Setting a new standard for mobile security https://security.googleblog.com/2021/10/pixel-6-setting-new-standard-for-mobile.html
• Ford Expects to Have 33M Vehicles Receiving Over-the-Air Software Updates by 2028 https://www.pymnts.com/earnings/2021/ford-expects-to-have-33m-vehicles-receiving-over-the-air-software-updates-by-2028/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Zero-day news:

  • All Windows versions impacted by new LPE zero-day vulnerability https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/
  • Google Releases Urgent Chrome Update to Patch 2 Actively Exploited 0-Day Bugs https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html
  • Microsoft finds new macOS vulnerability, Shrootless, that could bypass System Integrity Protection https://www.microsoft.com/security/blog/2021/10/28/microsoft-finds-new-macos-vulnerability-shrootless-that-could-bypass-system-integrity-protection/

• Other Vulnerabilities:

  • CISA urges admins to patch critical Discourse code execution bug https://www.bleepingcomputer.com/news/security/cisa-urges-admins-to-patch-critical-discourse-code-execution-bug/
  • MITRE, CISA Announce 2021 List of Most Common Hardware Weaknesses https://www.securityweek.com/mitre-cisa-announce-2021-list-most-common-hardware-weaknesses
  • Apache HTTP Server Path Traversal & Remote Code Execution (CVE-2021-41773 & CVE-2021-42013) https://blog.qualys.com/vulnerabilities-threat-research/2021/10/27/apache-http-server-path-traversal-remote-code-execution-cve-2021-41773-cve-2021-42013
  • Apple Patches 22 Security Flaws Haunting iPhones https://www.securityweek.com/apple-patches-22-security-flaws-haunting-iphones
  • Brutal WordPress plugin bug allows subscribers to wipe sites https://www.bleepingcomputer.com/news/security/brutal-wordpress-plugin-bug-allows-subscribers-to-wipe-sites/
  • WordPress plugin bug impacts 1M sites, allows malicious redirects https://www.bleepingcomputer.com/news/security/wordpress-plugin-bug-impacts-1m-sites-allows-malicious-redirects/
  • Microsoft: Windows KB5006674, KB5006670 updates break printing https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5006674-kb5006670-updates-break-printing/
  • It's Windows XP's 20th birthday and way too many still use it https://www.bleepingcomputer.com/news/microsoft/its-windows-xps-20th-birthday-and-way-too-many-still-use-it/
  • Bulletproof TLS #82 Let’s Encrypt certificates impacted by expired DST Root CA, QUIC and OpenSSL, Apple and early TLS, Keypair javascript RNG bug duplicates SSH keys https://www.feistyduck.com/bulletproof-tls-newsletter/issue_82_expiration_of_dst_root_ca-causes_problems_with_lets_encrypt_certificates
  • Fuji Electric Patches Vulnerabilities in Factory Monitoring Software https://www.securityweek.com/fuji-electric-patches-vulnerabilities-factory-monitoring-software
  • We regret to inform you there's an RCE vuln in old version of WinRAR. Yes, the file decompression utility https://www.theregister.com/2021/10/21/winrar_rce_vuln_positive_technologies/
  • Trojan Source: Invisible Vulnerabilities https://www.lightbluetouchpaper.org/2021/11/01/trojan-source-invisible-vulnerabilities/
  • Researcher cracked 70% of WiFi networks sampled in Tel Aviv https://www.bleepingcomputer.com/news/security/researcher-cracked-70-percent-of-wifi-networks-sampled-in-tel-aviv/
  • Researcher Explains Wi-Fi Password Cracking at Scale https://www.securityweek.com/researcher-explains-wi-fi-password-cracking-scale

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):

  • Hackers used billing software zero-day to deploy ransomware https://www.bleepingcomputer.com/news/security/hackers-used-billing-software-zero-day-to-deploy-ransomware/
  • Microsoft: Shrootless bug lets hackers install macOS rootkits https://www.bleepingcomputer.com/news/security/microsoft-shrootless-bug-lets-hackers-install-macos-rootkits/
  • Cybercriminals Take Aim at Connected Car Infrastructure https://www.darkreading.com/attacks-breaches/cybercriminals-take-aim-at-connected-car-infrastructure
  • Malicious Firefox Add-ons Block Browser From Downloading Security Updates https://thehackernews.com/2021/10/malicious-firefox-add-ons-block-browser.html
  • Remote Desktop Protocol (RDP) Discovery, (Sat, Oct 30th) https://isc.sans.edu/diary/rss/27984
  • Android spyware spreading as antivirus software in Japan https://www.bleepingcomputer.com/news/security/android-spyware-spreading-as-antivirus-software-in-japan/
  • Millions of Android Users Scammed in SMS Fraud Driven by Tik-Tok Ads https://threatpost.com/android-scammed-sms-fraud-tik-tok/175739/
  • Malicious Roblox NPMs drop ransomware and password stealers https://www.bleepingcomputer.com/news/security/malicious-roblox-npms-drop-ransomware-and-password-stealers/
  • Recent NPM package hack is an alarming reminder of the risks of website supply-chain fraud https://www.imperva.com/blog/recent-npm-package-hack-is-an-alarming-reminder-of-the-risks-of-website-supply-chain-fraud/
  • Scammers Are Using Fake Job Ads to Steal People's Identities https://www.propublica.org/article/scammers-are-using-fake-job-ads-to-steal-peoples-identities#1138872

• Nation State Actors:

  • Microsoft Digital Defense Report shares new insights on nation-state attacks https://www.microsoft.com/security/blog/2021/10/25/microsoft-digital-defense-report-shares-new-insights-on-nation-state-attacks/
  • SolarWinds attacker on the move: Russia's Nobelium crew has trebled attacks targeting MSPs, cloud resellers, says Microsoft https://www.theregister.com/2021/10/25/nobelium_russia_svr_msp_warning_microsoft/
  • NOBELIUM targeting delegated administrative privileges to facilitate broader attacks https://www.microsoft.com/security/blog/2021/10/25/nobelium-targeting-delegated-administrative-privileges-to-facilitate-broader-attacks/
  • Microsoft: Russian SVR hacked at least 14 IT supply chain firms since May https://www.bleepingcomputer.com/news/microsoft/microsoft-russian-svr-hacked-at-least-14-it-supply-chain-firms-since-may/
  • Lazarus Attackers Turn to the IT Supply Chain https://threatpost.com/lazarus-apt-it-supply-chain/175772/
  • New York Times Journalist Hacked with NSO Spyware https://www.schneier.com/blog/archives/2021/10/new-york-times-journalist-hacked-with-nso-spyware.html
  • Apparent Iran-Linked Hackers Breach Israeli Internet Firm https://www.securityweek.com/apparent-iran-linked-hackers-breach-israeli-internet-firm
  • US being hit by huge cyber attacks, Microsoft warns https://www.independent.co.uk/life-style/gadgets-and-tech/us-cyber-attack-today-microsoft-b1944751.html

• Crime & Arrests, etc.:

  • Millions of Android users targeted in subscription fraud campaign https://www.bleepingcomputer.com/news/security/millions-of-android-users-targeted-in-subscription-fraud-campaign/
  • Police arrest criminals behind Norsk Hydro ransomware attack https://www.bleepingcomputer.com/news/security/police-arrest-criminals-behind-norsk-hydro-ransomware-attack/
  • Russian TrickBot Gang Hacker Extradited to U.S. Charged with Cybercrime https://thehackernews.com/2021/10/russian-trickbot-gang-hacker-extradited.html
  • Police arrest 150 suspects after closure of dark web's largest illegal marketplace https://www.theverge.com/2021/10/27/22748317/darkmarket-closure-international-arrests-operation-dark-huntor
  • Police arrest hackers behind over 1,800 ransomware attacks https://www.bleepingcomputer.com/news/security/police-arrest-hackers-behind-over-1-800-ransomware-attacks/
  • Hackers arrested for ‘infiltrating' Ukraine's health database https://www.bleepingcomputer.com/news/security/hackers-arrested-for-infiltrating-ukraine-s-health-database/
  • Ukrainian police detain gang who laundered funds for Russian hacking groups https://www.databreaches.net/ukrainian-police-detain-gang-who-laundered-funds-for-russian-hacking-groups/
  • Kansas Man Admits Hacking Public Water Facility https://www.securityweek.com/kansas-man-admits-hacking-public-water-facility
  • Police seize $2.7 million of crypto from a British teenager in a credit card fraud scheme https://markets.businessinsider.com/news/currencies/police-seize-2-million-cryptocurrency-bitcoin-british-teenager-online-fraud-2021-10
  • DarkSide Transfers $7 Million Worth of Bitcoin https://www.databreachtoday.com/darkside-transfers-7-million-worth-bitcoin-a-17787

Other Security / Risk

Articles covering other types of risks.

• 9 key security threats that organizations will face in 2022 https://www.techrepublic.com/article/9-key-security-threats-that-organizations-will-face-in-2022/
• Data Security In An Unsecure World https://www.datex.ca/blog/data-security-in-an-unsecure-world
• If your hair isn't already gray, 2022's security threats will get it there, warn infosec duo https://www.theregister.com/2021/10/28/fireeye_mcafee_2022/
• Frequency analysis on hundreds of billions of reports at Report URI: Bloom Filters https://scotthelme.co.uk/frequency-analysis-on-hundreds-of-billions-of-reports-at-report-uri-bloom-filters/
• HTTPS Threats Grow More Than 314% Through 2021: Report https://packetstormsecurity.com/news/view/32766/HTTPS-Threats-Grow-More-Than-314-Through-2021-Report.html
• The supply chain crisis could last into 2023 unless governments boost spending in ports, railways, and warehouses, a shipping exec warns https://www.businessinsider.com/shipping-crisis-lasts-till-2023-without-government-intervention-supply-chain-2021-10
• This satellite video shows how cargo-ship backlogs in Southern California ports surged from 0 to 100 in 2 years https://www.businessinsider.com/satellite-video-shows-cargo-ship-backlogs-in-california-ports-tripled-2021-10
• Why everything you want is out of stock or more expensive https://globalnews.ca/news/8276834/supply-chain-shortage-inflation-canada/
• Bank of Canada is signaling faster rate hikes. What that means for Canada's housing market https://globalnews.ca/news/8335266/bank-of-canada-rate-hike-canada-housing/
• Nearly half of Canadian workers think working remotely could hinder career growth: survey https://globalnews.ca/news/8329392/work-from-home-career-growth-survey/
• Meta: Facebook's new name ridiculed by Hebrew speakers https://www.bbc.co.uk/news/world-59090067
• Eight things we learned from the Facebook Papers https://www.theverge.com/22740969/facebook-files-papers-frances-haugen-whistleblower-civic-integrity
• Key Takeaways From the Facebook Papers and Their Fallout https://www.nytimes.com/2021/10/25/business/facebook-papers-takeaways.html
• What Facebook knew https://www.nbcnews.com/tech/tech-news/facebook-knew-radicalized-users-rcna3581
• Facebook, Show Us the Mess https://www.nytimes.com/2021/10/27/technology/facebook-transparency.html
• P=NP? The 50-year-old problem that eludes theoretical computer science (paywall) https://www.technologyreview.com/2021/10/27/1037123/p-np-theoretical-computer-science/
• Unlocking the technology to produce unbreakable screens https://scienmag.com/unlocking-the-technology-to-produce-unbreakable-screens/
• Tripadvisor found nearly 1 million fake reviews submitted to the site last year https://www.businessinsider.com/tripadvisor-found-nearly-1-million-fake-reviews-in-2020-2021-10
• Russian Federal Remote E-voting Scheme of 2021 -- Protocol Description and Analysis https://eprint.iacr.org/2021/1454
• Canadians falling prey to conspiracy theories despite strong trust in institutions: poll https://globalnews.ca/news/8329274/canadians-conspiracy-theories-trust-institutions-poll/
• Meghan target of coordinated Twitter hate campaign, report finds https://www.theguardian.com/society/2021/oct/27/meghan-target-of-co-ordinated-twitter-hate-campaign-report-finds
• Daylight saving time 2021: When does the time change in Ontario? https://toronto.ctvnews.ca/daylight-saving-time-2021-when-does-the-time-change-in-ontario-1.5639801
• Why smart alarm clocks can't be trusted https://www.theverge.com/22727055/alexa-google-smart-speaker-alarm-clocks-backup-battery
• Google recruiters explain how to demonstrate 'past experience' on your resume - even if you've never had a job https://www.businessinsider.com/google-internship-resume-tips-advice-recruiters-past-experience-2021-10

• Health, Safety & Environment:

  • Toronto residents can now book a flu shot appointment for next week at select clinics https://toronto.ctvnews.ca/toronto-residents-can-now-book-a-flu-shot-appointment-for-next-week-at-select-clinics-1.5640928
  • Brain Implant Gives Blind Woman Artificial Vision in Scientific First https://www.sciencealert.com/a-brain-implant-has-allowed-a-blind-woman-to-see-simple-2d-shapes-and-letters
  • Ontario to double number of long-term care home inspectors, allow immediate charges https://globalnews.ca/news/8326168/ontario-double-long-term-care-home-inspectors/
  • People in N.S. bitten by tick can now go to pharmacy for Lyme disease assessment https://globalnews.ca/news/8335124/ns-tick-pharmacy-assessment-lyme-disease/
  • People who eat meat report lower levels of depression and anxiety than vegans do, a recent analysis suggests https://www.businessinsider.com/vegans-report-higher-depression-anxiety-than-meat-eaters-2021-10
  • Cops are collapsing after touching fentanyl, but you can't overdose from skin contact. The likelier story? Panic attacks. https://www.businessinsider.com/cops-collapse-after-touching-fentanyl-likely-panic-attacks-2021-10
  • What's Behind The Strange Drop in American Body Temperatures Over The Past 200 Years? https://www.sciencealert.com/the-strange-drop-in-american-body-temperatures-might-have-to-do-with-physical-activity
  • Lost, missing hiker didn't answer rescuers' calls because it was unknown number https://globalnews.ca/news/8328728/missing-hiker-unknown-number-no-answer/
  • Elon Musk says Tesla is rolling back its newest 'full self-driving' beta after less than 24 hours because of problems with the tech https://www.businessinsider.com/elon-musk-tesla-full-self-driving-fsd-beta-rolled-back-2021-10
  • Plane makes emergency landing on Highway 407 in Markham, Ont. https://toronto.ctvnews.ca/plane-makes-emergency-landing-on-highway-407-in-markham-ont-1.5640564
  • FAA let American Airlines fly planes that shouldn't have been considered airworthy after maintenance oversight lapses, DoT investigation finds https://www.businessinsider.com/faa-oversight-of-american-airlines-safety-programs-is-insufficient-2021-10
  • The Sun Blasted Out a Huge Flare and CME; We Could See Auroras on Halloween https://www.universetoday.com/153132/the-sun-blasted-out-a-huge-flare-and-cme-we-could-see-auroras-on-halloween/
  • Canada is underestimating carbon emissions from forestry sector, environmental groups allege https://www.cbc.ca/news/science/forestry-emissions-accounting-1.6227903
  • N.S. pledges to end use of coal for electricity 10 years earlier than scheduled https://www.cbc.ca/news/canada/nova-scotia/electricity-coal-renewable-climate-change-1.6227075
  • As container ship smoulders off B.C. coast, environmental concerns remain https://www.cbc.ca/news/canada/british-columbia/environmental-concerns-container-ship-fire-1.6224957
  • Can Lego help save Singapore's coral reefs? https://www.bbc.co.uk/news/world-asia-58784313
  • Bermuda Institute of Ocean Sciences joins ASU's Global Futures Lab https://scienmag.com/bermuda-institute-of-ocean-sciences-joins-asus-global-futures-lab/
  • Winter is coming, Ontario — and La Niña is going to make it one to remember https://globalnews.ca/news/8324459/ontario-winter-forecast-2021-2022/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, reinfection, and variant strains:

  • Ontario reports under 300 new COVID-19 cases for 1st time since early August https://globalnews.ca/news/8325578/ontario-covid-cases-october-26-coronavirus/
  • Quebec reports 5 more deaths, 478 new COVID-19 cases https://globalnews.ca/news/8331952/quebec-covid-19-oct-28-2021/
  • Masks still key to fighting COVID-19 spread despite high vaccination, experts say https://globalnews.ca/news/8326595/mask-mandates-covid-canada-safety/
  • People Who Believe COVID Conspiracies More Likely to Test Positive, Study Confirms https://www.sciencealert.com/people-who-believe-covid-conspiracies-are-more-likely-to-test-positive-study-shows

• Guidance, Response, and Recovery:

  • Canada, U.S. should manage COVID-19 risk next time instead of closing border: report https://globalnews.ca/news/8337256/border-canada-us-task-force-risk/
  • Four Measures That Are Helping Germany Beat COVID https://www.theatlantic.com/ideas/archive/2021/10/four-measures-are-helping-germany-beat-covid-19/620466/
  • Ontario lifts capacity limits in restaurants, gyms, casinos today https://toronto.ctvnews.ca/ontario-lifts-capacity-limits-in-restaurants-gyms-casinos-today-1.5636761
  • Toronto District School Board extends COVID-19 vaccination policy deadline for staff https://globalnews.ca/news/8328976/tdsb-covid-vaccine-policy-deadline-extended/
  • Why Mississauga is concerned about Ontario's plan to lift all COVID-19 restrictions https://toronto.ctvnews.ca/why-mississauga-is-concerned-about-ontario-s-plan-to-lift-all-covid-19-restrictions-1.5642226
  • Majority of Canadians hesitant to hand out Halloween candy to trick-or-treaters: poll https://globalnews.ca/news/8325475/canadians-halloween-candy-trick-or-treaters-poll/
  • Cruises no longer have to follow COVID-19 rules from January, the CDC said https://www.businessinsider.com/cruise-ship-covid-19-restrictions-lifted-january-cdc-2021-10

• Immunity and Vaccinations:

  • Needle-free COVID-19 vaccine shows promise https://scienmag.com/needle-free-covid-19-vaccine-shows-promise/
  • Seniors, frontline healthcare, First Nations adults should get COVID-19 booster: NACI https://globalnews.ca/news/8335090/booster-shot-canada-covid19/
  • Immunocompromised Americans who had a 3rd COVID-19 shot can now get a 4th, CDC says https://www.businessinsider.com/cdc-guidance-update-immunocompromise-fourth-dose-covid-19-vaccine-2021-10

• Impact:

  • Covid in Scotland: Hundreds refused entry in vaccine passport 'chaos' https://www.bbc.co.uk/news/uk-scotland-59034619
  • Ontario could see 50,000 education workers fired if COVID-19 vaccines mandated: Lecce https://globalnews.ca/news/8326651/ontario-could-see-50k-education-workers-fired-covid-vaccine-mandate/

• More of the good, the bad, and the ugly:

  • Ontario doctor's licence suspended after already being barred from issuing COVID-19 medical exemptions https://globalnews.ca/news/8331620/ontario-doctor-licence-suspended-covid/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• The 25 Greatest Zombie Movies of All Time https://www.mentalfloss.com/article/651804/best-zombie-movies
• High-speed laser writing method could pack 500 terabytes of data into CD-sized glass disc https://scienmag.com/high-speed-laser-writing-method-could-pack-500-terabytes-of-data-into-cd-sized-glass-disc/
• NASA's Juno spacecraft finds just how deep Jupiter's Great Red Spot goes https://www.theverge.com/2021/10/28/22749095/nasa-juno-jupiter-great-red-spot-depth
• That Exciting Signal Thought to Be From Proxima Centauri Has Now Been Resolved https://www.sciencealert.com/exciting-mystery-space-technosignals-were-indeed-produced-by-sentient-life-us
• Nasa finds first possible planet outside our galaxy https://www.independent.co.uk/space/nasa-planet-galaxy-milky-way-chandra-b1945004.html