This Week's [in]Security - Issue 252 | insecurity | Control Gap

Welcome to This Week’s [in]Security. PCI updates: MPoC. Skimmers, Payments. New breaches, New Ransomware: insiders, Canada FA. Major outages: Record DDoS, Andorra, Tonga. Privacy: tracking censorship, FloC & Topics. Laws & Regs - Canada: CitizenLab on LawBytes. US: China Unicom ban, zero trust, too many laws, Google lawsuit, Cyber-insurance and ransomware, Metaverse-law. World: GDPR, autonomous car liability, China's Internet. Standards: FIPS, NIST, NICE. Defense: EU incident framework, source backup, test people too. Vulnerabilities, Zerodays: Centos 8 (EOL), Apple. Other Vulnerabilities: Disclosure, Polkit/PwnKit, Datacenter remote management, Cameras, mobile protocols. Patching: Windows, QNAP & the forced patch. The Quantum Apocalypse? Cybercrime: Trends: alerts, Revil, BlackCat, Oauth and MFA, BRATA, Dark Herring, BotenaGo/IoT exploit source, DazzleSpy, new tricks. Nation States: Pegasus, APTs. Crime & Enforcement; QR fraud, ID Theft, Rug-Pulls, Swatting. Other Risks: 2M certificates revoked, copywrongs, air tags, gaslighting, unrealestate, cloud costs, following the disinformation money. Russia-Ukraine, Belarus Rail, Health, Safety & Environment: snow, Bitcoin, Winter Olympics, nuclear. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Learned; Innovation and more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• PCI Updates:

  • Request for Comments: New Mobile Payments on COTS (MPoC) Standard https://blog.pcisecuritystandards.org/request-for-comments-new-mobile-payments-on-cots-mpoc-standard
  • PCI SSC in Brazil: New Regional Engagement Board for 2022 https://blog.pcisecuritystandards.org/pci-ssc-in-brazil-new-regional-engagement-board-for-2022

• Payment skimmers/malware/fraud:

  • Segway store hacked to steal customers' credit cards https://www.bleepingcomputer.com/news/security/segway-store-hacked-to-steal-customers-credit-cards/

• Other payment related:

  • Bluefin Invests in Payfactory to Bring Payments Services to Its Security Clients https://www.digitaltransactions.net/bluefin-invests-in-payfactory-to-bring-payments-services-to-its-security-clients/
  • U.K. Payments Regulator Seeks More Transparency in Card-Acquiring Market https://www.pymnts.com/news/regulation/2022/u-k-payments-regulator-seeks-more-transparency-in-card-acquiring-market/

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:

  • Crime Shop Sells Hacked Logins to Other Crime Shops https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other-crime-shops/
  • BTC-Alpha - 362,426 breached accounts https://haveibeenpwned.com/PwnedWebsites#BTCAlpha
  • St. Lucie's County Drug Screening Lab notifying more than 14,500 people after discovering multi-year misconfiguration of web portal https://www.databreaches.net/st-lucies-county-drug-screening-lab-notifying-more-than-14500-people-after-discovering-multi-year-misconfiguration-of-web-portal/
  • UK: Data breach at Greensward Academy https://www.databreaches.net/uk-data-breach-at-greensward-academy/

• New Ransomware and "Incidents":

  • Ransomware gangs increase efforts to enlist insiders for attacks https://www.bleepingcomputer.com/news/security/ransomware-gangs-increase-efforts-to-enlist-insiders-for-attacks/
  • Staff negligence is now a major reason for insider security incidents https://www.zdnet.com/article/employee-contractor-negligence-is-now-a-major-reason-for-insider-security-incidents
  • Canada's foreign affairs ministry hacked, some services down https://www.databreaches.net/canadas-foreign-affairs-ministry-hacked-some-services-down/
  • PA: Pennsbury's Computer System Breached, Incident Under Investigation https://www.databreaches.net/pa-pennsburys-computer-system-breached-incident-under-investigation/

• Major outages/downs:

  • Microsoft mitigated a record 3.47 Tbps DDoS attack on Azure users https://www.bleepingcomputer.com/news/security/microsoft-mitigated-a-record-347-tbps-ddos-attack-on-azure-users/
  • A DDoS Attack Wiped Out Andorra's Internet https://www.wired.com/story/andorra-ddos-minecraft-nso-group-security-news
  • Nobel Foundation site hit by DDoS attack on award day https://www.bleepingcomputer.com/news/security/nobel-foundation-site-hit-by-ddos-attack-on-award-day/
  • Tonga may have internet restored in 2 weeks as recovery from volcano slowly continues https://globalnews.ca/news/8535986/tonga-volcano-internet-recovery/
  • RedDoorz - 5,890,277 breached accounts https://haveibeenpwned.com/PwnedWebsites#RedDoorz
  • Proposed settlement reached in lawsuit against Excellus https://www.databreaches.net/proposed-settlement-reached-in-lawsuit-against-excellus/
  • Attorney General James Announces $600,000 Agreement with EyeMed After 2020 Data Breach https://www.databreaches.net/attorney-general-james-announces-600000-agreement-with-eyemed-after-2020-data-breach/

Privacy

Articles about privacy related news, risks, and trends.

• New Tracking Global Online Censorship Site Explains Content Moderation Practices and Impacts https://www.eff.org/deeplinks/2022/01/new-tracking-global-online-censorship-site-explains-content-moderation-practices
• Google abandons FLoC, introduces Topics API to replace tracking cookies https://www.theverge.com/2022/1/25/22900567/google-floc-abandon-topics-api-cookies-tracking
• Paris attack survivor finds X-ray for sale online https://www.bbc.co.uk/news/world-europe-60124931
• A Digital Dollar Backer Applauds the Fed But Stresses a Need for Privacy Protections https://www.digitaltransactions.net/a-digital-dollar-backer-applauds-the-fed-but-stresses-a-need-for-privacy-protections/

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:

  • The Law Bytes Podcast, Episode 114: The Citizen Lab's Ron Deibert on Protecting Society from Surveillance Software https://www.michaelgeist.ca/2022/01/law-bytes-podcast-episode-114/
  • Canada's new national long-term care standards released. Here's what is different https://globalnews.ca/news/8540978/long-term-care-national-standards-2022/

• US:

  • US bans telecom giant China Unicom over spying concerns https://www.bbc.co.uk/news/business-60164747
  • White House Publishes Federal Zero Trust Strategy https://www.securityweek.com/white-house-publishes-federal-zero-trust-strategy
  • The US government is starting to crack down on companies that hide negative reviews https://www.businessinsider.com/ftc-cracks-down-companies-hiding-negative-reviews-consumers-fashion-nova-2022-1
  • US lawmakers probe into crypto mining companies' energy use https://www.theverge.com/2022/1/28/22906334/us-lawmakers-letter-cryptocurrency-mining-bitcoin-energy
  • Conflicting State Data Privacy Laws May Drive Up Costs for Businesses https://www.pymnts.com/legal/2022/conflicting-state-data-privacy-laws-may-drive-up-costs-for-businesses/
  • Assange Wins First Stage in Effort to Appeal US Extradition https://www.securityweek.com/assange-wins-first-stage-effort-appeal-us-extradition
  • California Prevails on Net Neutrality Rules https://www.eff.org/deeplinks/2022/01/california-prevails-net-neutrality-and-states-can-go-forth
  • Waymo sues California DMV to keep driverless crash data under wraps https://www.theverge.com/2022/1/28/22906513/waymo-lawsuit-california-dmv-crash-data-foia
  • DC, 3 States Sue Google Saying it Invades Users' Privacy https://www.securityweek.com/dc-3-states-sue-google-saying-it-invades-users-privacy
  • Google sued in US over 'deceptive' location tracking https://www.bbc.co.uk/news/technology-60126012
  • Google's ‘constant surveillance' of users is ‘nearly impossible for users to stop', lawsuit alleges https://www.independent.co.uk/tech/google-surveillance-tracking-lawsuit-america-b2000109.html
  • Intel Fails To Get Spectre, Meltdown Class Action Suits Thrown Out https://packetstormsecurity.com/news/view/33051/Intel-Fails-To-Get-Spectre-Meltdown-Class-Action-Suits-Thrown-Out.html
  • Merck Wins Insurance Lawsuit re NotPetya Attack https://www.schneier.com/blog/archives/2022/01/merck-wins-insurance-lawsuit-re-notpetya-attack.html
  • Legal Thoughts on Metaverse - Data Protection and Privacy https://www.datex.ca/blog/legal-thoughts-on-metaverse-data-protection-and-privacy

• World:

  • European nations issue record €1.1 billion in GDPR fines https://www.csoonline.com/article/3648332/european-nations-issue-record-11-billion-in-gdpr-fines.html#tk.rss_all
  • EU Commission Finds Two-Thirds of EU Websites Violate Consumer Protection Laws https://www.pymnts.com/news/ecommerce/2022/eu-commission-finds-two-thirds-of-eu-websites-violate-consumer-protection-laws/
  • Europe's Hypocrisy Over Personal Data Privacy Exposed https://www.securityweek.com/europes-hypocrisy-over-personal-data-privacy-exposed
  • Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic https://www.theregister.com/2022/01/28/internet_society_calls_out_uk_encryption_war/
  • U.K. Law Could Hold Automakers, Software Firms Accountable in Autonomous Cars https://www.pymnts.com/news/regulation/2022/u-k-law-could-hold-automakers-software-firms-accountable-in-autonomous-cars/
  • French Competition Authority Will Look Into Cloud Computing Services https://www.pymnts.com/news/regulation/2022/french-competition-authority-will-look-into-cloud-computing-services/
  • China orders web operators to spring clean its entire internet https://www.theregister.com/2022/01/27/china_internet_spring_clean/

• Standards News:

  • FIPS 201-3 Approved and Published: NIST Revises Personal Identity Verification (PIV) of Federal Employees and Contractors https://csrc.nist.gov/publications/detail/fips/201/3/final
  • NIST has released Special Publication (SP) 800-53A Revision 5, Assessing Security and Privacy Controls in Information Systems and Organizations https://csrc.nist.gov/publications/detail/sp/800-53A/rev-5/final
  • NIST Draft NISTIR 8286C Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight is available for public comment until March 11 https://csrc.nist.gov/publications/detail/nistir/8286c/draft
  • Call for Participation: Join Project Teams to Implement NICE Strategic Plan Objectives for Cybersecurity: Career Pathways, Credentials Quality and Availability, Incorporating into Public Service Education, Career-Entry Guidance for Employers and Job Seekers https://content.govdelivery.com/accounts/USNIST/bulletins/307ea0d
  • National Initiative for Cybersecurity Education (NICE) Newsletter Winter 2021-22 https://content.govdelivery.com/accounts/USNIST/bulletins/306f22b
  • NIST Privacy Framework turns 2 https://content.govdelivery.com/accounts/USNIST/bulletins/307881c

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• EU to create pan-European cyber incident coordination framework https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cyber-incident-coordination-framework/
• The Case for Backing Up Source Code https://www.darkreading.com/dr-tech/source-code-security-the-case-for-making-backups
• Detect-and-Alert: Why It's the Wrong Approach to Client-Side Web Attacks https://sourcedefense.com/resources/detect-and-alert-why-its-the-wrong-approach-to-client-side-web-attacks/
• Test Your Team, Not Just Your Disaster Recovery Plan https://www.darkreading.com/edge-articles/test-your-team-not-just-your-disaster-recovery-plan
• Defending the Supply Chain: Why the DDS Protocol is Critical in Industrial and Software Systems https://www.trendmicro.com/en_us/research/22/a/defending-the-supply-chain-why-dds-is-critical-in-industrial-and-software-systems.html
• Google Drive now warns you of suspicious phishing, malware docs https://www.bleepingcomputer.com/news/google/google-drive-now-warns-you-of-suspicious-phishing-malware-docs/
• JFrog's New Tools Flag Malicious JavaScript Packages https://www.darkreading.com/dr-tech/jfrog-new-tools-flag-malicious-javascript-packages
• SOC 2 Trust Services Categories https://www.sans.org/blog/soc-2-trust-services-categories
• Silkworm security? Researchers create new authentication method using silk fibers https://www.zdnet.com/article/silky-security-researchers-create-new-security-system-using-silk-fibers

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Other Zero-day news:

  • Patching the end of support CentOS 8 Encryption Bug is Urgent – What Are Your Plans? https://thehackernews.com/2022/01/patching-centos-8-encryption-bug-is.html
  • Apple fixes new zero-day exploited to hack macOS, iOS devices https://www.bleepingcomputer.com/news/apple/apple-fixes-new-zero-day-exploited-to-hack-macos-ios-devices/
  • Zerodium Offering $400,000 for Microsoft Outlook Zero-Day Exploits https://www.securityweek.com/zerodium-offering-400000-microsoft-outlook-zero-day-exploits

• Other Vulnerabilities:

  • Log4j Proved Public Disclosure Still Helps Attackers https://www.darkreading.com/attacks-breaches/log4j-proved-public-disclosure-still-helps-attackers
  • 12-Year-Old Polkit Flaw Lets Unprivileged Linux Users Gain Root Access https://thehackernews.com/2022/01/12-year-old-polkit-flaw-lets.html
  • PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034) https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
  • Over 20,000 data center management systems exposed to hackers https://www.bleepingcomputer.com/news/security/over-20-000-data-center-management-systems-exposed-to-hackers/
  • Outlook Security Feature Bypass Allowed Sending Malicious Links https://www.securityweek.com/outlook-security-feature-bypass-allowed-sending-malicious-links
  • Safari Flaws Exposed Webcams, Online Accounts, and More https://www.wired.com/story/safari-flaws-webcam-online-accounts-mic
  • Vulnerability Spotlight: WiFi-connected security camera could be manipulated to spy on communications, among other malicious actions http://blog.talosintelligence.com/2022/01/vuln-spotlight-reolink-cameras.html
  • Hive View security camera customers left in the dark as some gear gives up the ghost https://www.theregister.com/2022/01/24/hive_view_issue/
  • A survey on the security protocols employed by mobile messaging applications, by Ștefania Andrieș and Andrei-Daniel Miron and Andrei Cristian and Emil Simion https://eprint.iacr.org/2022/088

• Patching:

  • Windows 10 KB5009596 update released with bug fixes, improvements https://www.bleepingcomputer.com/news/microsoft/windows-10-kb5009596-update-released-with-bug-fixes-improvements/
  • Microsoft: Windows needs at least 8 hours online to update reliably https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-needs-at-least-8-hours-online-to-update-reliably/
  • New DeadBolt Ransomware Targets NAT Devices https://www.schneier.com/blog/archives/2022/01/new-deadbolt-ransomware-targets-nat-devices.html
  • QNAP warns of new DeadBolt ransomware encrypting NAS devices https://www.bleepingcomputer.com/news/security/qnap-warns-of-new-deadbolt-ransomware-encrypting-nas-devices/
  • QNAP users angry after NAS drives are updated to combat DeadBolt ransomware https://www.databreaches.net/qnap-users-angry-after-nas-drives-are-updated-to-combat-deadbolt-ransomware/
• What is the quantum apocalypse and should we be scared? https://www.bbc.co.uk/news/technology-60144498
• Our take on the Quantum Apocalypse https://controlgap.com/blog/Quantum-Cryptography-for-Risk-Managers

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):

  • FBI Warns of Hacker Attacks Conducted by Iranian Cyber Firm https://www.securityweek.com/fbi-warns-hacker-attacks-conducted-iranian-cyber-firm
  • NCSC alerts UK orgs to brace for destructive Russian cyberattacks https://www.bleepingcomputer.com/news/security/ncsc-alerts-uk-orgs-to-brace-for-destructive-russian-cyberattacks/
  • REvil Ransomware Operations Apparently Unaffected by Recent Arrests https://www.securityweek.com/revil-ransomware-operations-apparently-unaffected-recent-arrests
  • Who Wrote the ALPHV/BlackCat Ransomware Strain? https://krebsonsecurity.com/2022/01/who-wrote-the-alphv-blackcat-ransomware-strain/
  • Hackers are taking over CEO accounts with rogue OAuth apps https://www.bleepingcomputer.com/news/security/hackers-are-taking-over-ceo-accounts-with-rogue-oauth-apps/
  • 2FA app with 10,000 Google Play downloads loaded well-known banking trojan https://arstechnica.com/information-technology/2022/01/2fa-app-with-10000-google-play-downloads-loaded-well-known-banking-trojan/
  • Evolved phishing: Device registration trick adds to phishers' toolbox for victims without MFA https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  • Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html
  • Widespread FluBot and TeaBot Malware Campaigns Targeting Android Devices https://thehackernews.com/2022/01/widespread-flubot-and-teabot-malware.html
  • TrickBot Malware Using New Techniques to Evade Web Injection Attacks https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
  • Android malware BRATA wipes your device after stealing data https://www.bleepingcomputer.com/news/security/android-malware-brata-wipes-your-device-after-stealing-data/
  • ‘Dark Herring' Billing Malware Swims onto 105M Android Devices https://threatpost.com/dark-herring-billing-malware-android/178032/
  • Chaes Banking Trojan Hijacks Chrome Browser with Malicious Extensions https://thehackernews.com/2022/01/chaes-banking-trojan-hijacks-chrome.html
  • Millions of Routers, IoT Devices at Risk as Malware Source Code Surfaces on GitHub https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github
  • Booby-trapped sites delivered potent new backdoor trojan to macOS users https://arstechnica.com/information-technology/2022/01/booby-trapped-sites-delivered-potent-new-backdoor-trojan-to-macos-users/
  • Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.html
  • Microsoft warns of multi-stage phishing campaign leveraging Azure AD https://www.bleepingcomputer.com/news/security/microsoft-warns-of-multi-stage-phishing-campaign-leveraging-azure-ad/
  • Hackers Using New Evasive Technique to Deliver AsyncRAT Malware https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.html
  • Hackers Using New Malware Packer DTPacker to Avoid Analysis, Detection https://thehackernews.com/2022/01/hackers-using-new-malware-packer.html
  • Lazarus hackers use Windows Update to deploy malware https://www.bleepingcomputer.com/news/security/lazarus-hackers-use-windows-update-to-deploy-malware/
  • Malicious PowerPoint files used to push remote access trojans https://www.bleepingcomputer.com/news/security/malicious-powerpoint-files-used-to-push-remote-access-trojans/

• Nation State Actors:

  • Researchers break down WhisperGate wiper malware used in Ukraine website defacement https://www.zdnet.com/article/researchers-break-down-whispergate-wiper-malware-used-in-ukraine-website-defacement
  • F.B.I. Secretly Bought Israeli Spyware and Explored Hacking U.S. Phones https://www.nytimes.com/2022/01/28/world/middleeast/israel-pegasus-spyware.html
  • Finnish diplomats' phones infected with NSO Group Pegasus spyware https://www.bleepingcomputer.com/news/security/finnish-diplomats-phones-infected-with-nso-group-pegasus-spyware/
  • The Battle for the World's Most Powerful Cyberweapon https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html
  • German govt warns of APT27 hackers backdooring business networks https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-hackers-backdooring-business-networks/
  • Russian APT29 hackers' stealthy malware undetected for years https://www.bleepingcomputer.com/news/security/russian-apt29-hackers-stealthy-malware-undetected-for-years/
  • Investigating APT36 or Earth Karkaddan's Attack Chain and Malware Arsenal https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html
  • MoleRats APT Launches Spy Campaign on Bankers, Politicians, Journalists https://threatpost.com/molerats-apt-spy-bankers-politicians-journalists/177907/

• Crime & Arrests, etc.:

  • Canadian Radio-television and Telecommunications Commission (CRTC) investigation targets Dark Web marketplace vendors and administrator https://www.databreaches.net/canadian-radio-television-and-telecommunications-commission-crtc-investigation-targets-dark-web-marketplace-vendors-and-administrator/
  • Cryptocurrency fraud ‘exploding' in Canada, according to consumer advocacy groups https://globalnews.ca/news/8535188/cryptocurrency-fraud-canada-consumer-advocacy/
  • QR Code Transactions Are on the Rise, But Now So Are Concerns About QR Code Fraud https://www.digitaltransactions.net/%ef%bf%bcqr-code-transactions-are-on-rise-but-now-so-are-concerns-about-qr-code-fraud/
  • 105 million Android users targeted by subscription fraud campaign https://www.bleepingcomputer.com/news/security/105-million-android-users-targeted-by-subscription-fraud-campaign/
  • Cybercrooks laundered $8.6 billion worth of dirty crypto last year as laundering surged 30%, Chainalysis says. https://markets.businessinsider.com/news/currencies/crypto-crime-blockchain-money-laundering-bitcoin-ethereum-defi-chainalysis-2022-1
  • Smuggling individuals across Canada-U.S. border a prevalent and concerning issue: experts https://globalnews.ca/news/8535214/smuggling-individuals-canada-us-border/
  • Own one of these vehicles? MPI releases top 10 targeted for catalytic converter theft https://globalnews.ca/news/8540381/manitoba-thieves-catalytic-converters/
  • ‘Grandparent scam' targeting seniors in Toronto: police https://toronto.ctvnews.ca/grandparent-scam-targeting-seniors-in-toronto-police-1.5757112
  • Scary Fraud Ensues When ID Theft & Usury Collide https://krebsonsecurity.com/2022/01/scary-fraud-ensues-when-id-theft-usury-collide/
  • US DoD staffer with top-secret clearance stole identities from work systems to apply for loans https://www.theregister.com/2022/01/27/dod_sharepoint_apple_white_house/
  • Hackers Creating Fraudulent Crypto Tokens as Part of 'Rug Pull' Scams https://thehackernews.com/2022/01/hackers-creating-fraudulent-crypto.html
  • Hackers hijack smart contracts in cryptocurrency token 'rug pull' exit scams https://www.zdnet.com/article/hackers-hijack-smart-contracts-in-new-cryptocurrency-token-rug-pull-scams
  • Hackers have stolen $80 million in cryptocurrency from the Qubit DeFi platform https://www.theverge.com/2022/1/28/22906366/cryptocurrency-hackers-steal-qubit-binance-ethereum
  • Fake Investor John Bernard Sinks Norwegian Green Shipping Dreams https://krebsonsecurity.com/2022/01/fake-investor-john-bernard-sinks-norwegian-green-shipping-dreams/
  • Manitoba man accused of making dangerous ‘swatting' calls in 6 U.S. states https://globalnews.ca/news/8579259/manitoba-man-accused-swatting-calls-u-s/
  • N.Y. nurses allegedly made $1.5M selling fake COVID-19 vaccination cards https://globalnews.ca/news/8580504/new-york-fake-covid-19-vaccination-cards/
  • Russian Authorities Arrest Head of International Cybercrime Group https://www.securityweek.com/russian-authorities-arrest-head-international-cybercrime-group
  • Canadian man linked to thedarkoverlord sentenced to federal prison for trafficking stolen identities on the dark web https://www.databreaches.net/canadian-man-linked-to-thedarkoverlord-sentenced-to-federal-prison-for-trafficking-stolen-identities-on-the-dark-web/
  • Chester County Man Pleads Guilty to Hacking into Area College Computer Networks https://www.databreaches.net/chester-county-man-pleads-guilty-to-hacking-into-area-college-computer-networks/
  • DeepDotWeb operator sentenced to eight years behind bars https://www.zdnet.com/article/deepdotweb-operator-sentenced-to-eight-years-behind-bars

Other Security / Risk

Articles covering other types of risks.

• Alert: Let's Encrypt to revoke about 2 million HTTPS certificates in two days https://www.theregister.com/2022/01/26/lets_encrypt_certificates/
• Bulletproof TLS #85 Newsletter: WebTransport TLS w/hashes “serverCertificateHashes” , Let’s Encrypt revokes certs, key sizes https://www.feistyduck.com/bulletproof-tls-newsletter/issue_85_webtransport_allows_tls_connections_with_certificate_hash (and History of Cryptographic Key Sizes https://eprint.iacr.org/2021/894))
• Google Drive flags nearly empty files for 'copyright infringement' https://www.bleepingcomputer.com/news/security/google-drive-flags-nearly-empty-files-for-copyright-infringement/
• Three things Web3 should fix in 2022 https://www.theverge.com/2022/1/28/22906010/web3-nft-internet-history-video-platformer
• Tracking Secret German Organizations with Apple AirTags https://www.schneier.com/blog/archives/2022/01/tracking-secret-german-organizations-with-apple-airtags.html
• At long last, Nvidia and AMD GPU street prices are beginning to drop https://www.theverge.com/2022/1/24/22899527/nvidia-amd-gpu-rtx-3080-radeon-price-drop-ebay-ps5-xbox-series-x-playstation
• CipherTrace ‘Honeypot' Use For Crypto Crime Comes Under Scrutiny https://www.pymnts.com/cybersecurity/2022/ciphertrace-honeypot-use-for-crypto-crime-comes-under-scrutiny/
• The Forgotten Hollywood History Behind the Term Gaslighting https://www.mentalfloss.com/article/654923/forgotten-hollywood-history-behind-term-gaslighting
• Searching for legendary social engineer Suzy Thunder https://www.theverge.com/c/22889425/susy-thunder-headley-hackers-phone-phreakers-claire-evans
• True story? Lie detection systems go high-tech https://www.bbc.co.uk/news/business-60153129
• What's the Deal With Anti-Cheat Software in Online Games? https://www.wired.com/story/kernel-anti-cheat-online-gaming-vulnerabilities
• Windows 11 is getting Android apps, taskbar improvements, and more next month https://www.theverge.com/2022/1/26/22902477/microsoft-windows-11-update-android-apps-preview-taskbar-notepad-media-player
• Ontario man who missed oil changes responsible for $19,000 engine replacement https://toronto.ctvnews.ca/ontario-man-who-missed-oil-changes-responsible-for-19-000-engine-replacement-1.5752834
• Facebook Eyes Sale of Diem Assets https://www.pymnts.com/facebook/2022/facebook-eyes-sale-of-diem-assets/
• A New Jersey toddler spent nearly $1,800 using his mom's phone. She didn't know until packages started arriving. https://www.washingtonpost.com/nation/2022/01/25/new-jersey-toddler-walmart-cart-online-shopping/
• F-35C fighter jet: Race is on to reach sunken US plane... before China https://www.bbc.co.uk/news/world-us-canada-60148482
• How Australia's PM presented WeChat account loss as a China threat https://www.bbc.co.uk/news/world-australia-60150732
• Metaverse real estate isn't really land — it's a 'risky' crypto asset that's nothing like the physical thing https://www.businessinsider.com/metaverse-land-buy-real-estate-crypto-asset-2022-1
• I've seen the metaverse – and I don't want it https://www.theguardian.com/games/2022/jan/25/ive-seen-the-metaverse-and-i-dont-want-it
• Social media has changed the stock market game. Why regulators are paying attention https://globalnews.ca/news/8534763/social-media-has-changed-the-stock-market-game-why-regulators-are-paying-attention/
• How I Got Pwned by My Cloud Costs https://www.troyhunt.com/how-i-got-pwned-by-my-cloud-costs/
• Cracking a $2 million crypto wallet https://www.theverge.com/2022/1/24/22898712/crypto-hardware-wallet-hacking-lost-bitcoin-ethereum-nft
• Anti-vaxxers making ‘at least $2.5m' a year from publishing on Substack https://www.theguardian.com/technology/2022/jan/27/anti-vaxxers-making-at-least-25m-a-year-from-publishing-on-substack
• Bitcoin ‘Black Friday' price crash: Why it happened, and what comes next https://www.independent.co.uk/tech/bitcoin-price-crash-why-analysis-b1999443.html
• Ukraine crisis: Nord Stream 2 pipeline could be axed, US warns https://www.bbc.co.uk/news/world-europe-60151839
• Hackers say they encrypted Belarusian Railway servers in protest https://www.bleepingcomputer.com/news/security/hackers-say-they-encrypted-belarusian-railway-servers-in-protest/
• Ukraine Attack: Hackers Had Access for Months Before Causing Damage https://www.securityweek.com/ukraine-attack-hackers-had-access-months-causing-damage
• Russia threatens ‘retaliatory measures' if Ukraine demands are not met https://globalnews.ca/news/8539106/russia-threatens-retaliation-ukraine-demands/
• Putin's No Chess Master https://www.theatlantic.com/ideas/archive/2022/01/russia-ukraine-putin-nato/621370/

• Health, Safety & Environment:

  • Most physicians paid by volume, despite push for quality and value https://scienmag.com/most-physicians-paid-by-volume-despite-push-for-quality-and-value/
  • Estimated 300,000 people in UK have potentially fatal heart valve disease https://scienmag.com/estimated-300000-people-in-uk-have-potentially-fatal-heart-valve-disease/
  • Insights into a cystic fibrosis treatment may herald a novel class of drugs https://scienmag.com/insights-into-a-cystic-fibrosis-treatment-may-herald-a-novel-class-of-drugs/
  • A Hidden Pattern in Your Retina May Reveal if You're at Risk of a Future Heart Attack https://www.sciencealert.com/eye-scans-could-be-used-as-a-way-of-assessing-heart-disease-risk
  • New Immunotherapy Study Gives Encouraging News For Children With Peanut Allergy https://www.sciencealert.com/new-immunotherapy-study-gives-encouraging-news-for-children-with-peanut-allergy
  • Protecting People from Deadly Shellfish https://www.scientificamerican.com/article/these-shellfish-could-kill-you/
  • Robot successfully performs keyhole surgery on pigs without human help https://www.theguardian.com/technology/2022/jan/26/robot-successfully-performs-keyhole-surgery-on-pigs-without-human-help
  • Scientists build new device that may help people who are blind ‘see' in infrared https://www.independent.co.uk/life-style/gadgets-and-tech/infrared-blind-people-3d-goggles-b1999193.html
  • Discovered: Non-hallucinogenic psychedelic analogs that demonstrate therapeutic effects https://scienmag.com/discovered-non-hallucinogenic-psychedelic-analogs-that-demonstrate-therapeutic-effects/
  • Zika vaccine shows promising results in preclinical studies https://scienmag.com/zika-vaccine-shows-promising-results-in-preclinical-studies/
  • Moderna begins trial of HIV vaccine that uses mRNA technology https://globalnews.ca/news/8543179/moderna-hiv-vaccine-trial/
  • F.A.A. Says It Has Reached a Deal Over 5G Service at Airports https://www.nytimes.com/2022/01/28/technology/faa-5g-verizon-att.html
  • How Airlines Can Solve Their 5G Problem https://www.scientificamerican.com/article/how-airlines-can-solve-their-5g-problem/
  • Is It Safe to Eat Food in Bloated Packaging? A Food Safety Expert Weighs In https://www.mentalfloss.com/article/654958/is-bloated-food-packaging-safe
  • Crews in Toronto have removed 17,000 tones of snow, more coming https://globalnews.ca/news/8535045/crews-in-toronto-have-removed-17000-tones-of-snow-more-coming/
  • Ontario road conditions https://511on.ca/List/Alerts
  • Greece Snowstorm: Thousands of drivers left stranded as storm hits Athens https://www.bbc.co.uk/news/world-europe-60129827
  • Computer simulations give avalanche forecasters deeper insight, says researcher https://www.cbc.ca/news/canada/british-columbia/computer-simulations-give-avalanche-forecasters-deeper-insight-says-researcher-1.6326339
  • Arizona camper falls to his death while trying to take mountain selfie https://globalnews.ca/news/8542607/selfie-death-richard-jacobson-arizona-mountain/
  • 'Killer Lake' in Africa Looks Like Paradise, But It's Hiding a Deadly Secret https://www.sciencealert.com/killer-lake-in-africa-looks-like-paradise-but-it-s-hiding-a-vast-deadly-secret
  • Stowaway survives 11-hour flight in nose wheel of cargo plane https://globalnews.ca/news/8534395/stowaway-11-hour-flight-amsterdam/
  • We Already Have the Technology to Save Earth From a “Don't Look Up” Comet or Asteroid https://www.universetoday.com/154264/we-already-have-the-technology-to-save-earth-from-a-dont-look-up-comet-or-asteroid/
  • In 7176 BCE, the Sun erupted in what may be the biggest blast in 10,000 years https://www.syfy.com/syfy-wire/bad-astronomy-huge-solar-storm-9200-year-ago-discovered-in-ancient-ice-cores
  • How do we solve bitcoin's carbon problem? https://www.theguardian.com/technology/2022/jan/30/how-do-we-solve-bitcoins-carbon-problem
  • B.C. glaciers melting 7 times faster in past decade than previous years, UNBC study finds https://www.cbc.ca/news/canada/british-columbia/glacier-melt-climate-change-unbc-1.6327259
  • Giant iceberg releases 152 billion tons of fresh water around remote Atlantic island https://www.theverge.com/2022/1/24/22895124/iceberg-south-georgia-melt-fresh-water-climate
  • Climate change puts Winter Olympics and future of snow sports at risk: report https://globalnews.ca/news/8539771/climate-change-winter-olympics-research/
  • Rare 'downburst' that wiped out swathes of N.W.T. forest last summer could be harbinger of future storms https://www.cbc.ca/news/canada/north/nwt-downburst-flattened-trees-sambaa-k-e-1.6327845
  • Could nuclear power help B.C. reach its climate change goals? SFU research makes the case https://globalnews.ca/news/8541073/bc-nuclear-power-climate-change/
  • Getting hydrogen out of banana peels https://scienmag.com/getting-hydrogen-out-of-banana-peels/
  • Not Even Free Money Can Fix a Carbon Tax https://www.theatlantic.com/science/archive/2022/01/carbon-tax-rebate-policy/621363/

COVID-19 updates.

COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.

• The spread, curves, spikes, waves, reinfection, and variant strains:

  • 'A bit surreal': It's been two years since Canada's first COVID-19 case https://www.ctvnews.ca/health/coronavirus/a-bit-surreal-it-s-been-two-years-since-canada-s-first-covid-19-case-1.5753396
  • Canada has detected BA.2 cases. What we know about this Omicron subvariant https://globalnews.ca/news/8538300/omicron-subvariant-ba-2-explained/
  • Omicron subvariant BA.2 detected in Ontario https://toronto.ctvnews.ca/omicron-subvariant-ba-2-detected-in-ontario-1.5759105
  • Scientists are closely watching an Omicron subtype spreading in Denmark, the UK, Singapore and India https://www.businessinsider.com/covid-scientist-track-omicron-variant-new-case-denmark-ba1-ba2-2022-
  • Decline in Toronto's COVID-19 infections could be slowing or plateauing: wastewater data https://toronto.ctvnews.ca/decline-in-toronto-s-covid-19-infections-could-be-slowing-or-plateauing-wastewater-data-1.5758694
  • Quebec surpasses 13,000 COVID-19 deaths, the highest in Canada https://globalnews.ca/news/8539432/quebec-covid-19-update-jan-26-2022/
  • Ontario's COVID-19 case count surpasses 1,000,000, deaths top 11,000 https://toronto.ctvnews.ca/ontario-s-covid-19-case-count-surpasses-1-000-000-deaths-top-11-000-1.5751998

• Guidance, Response, and Recovery:

  • Majority of Canadians support more COVID-19 restrictions for unvaccinated: poll https://globalnews.ca/news/8532791/covid-unvaccinated-restrictions-tax-poll/
  • Face mask rule changes: 'We've got to protect business' https://www.bbc.co.uk/news/uk-england-hereford-worcester-60152956
  • Covid travel tests axed for fully vaccinated in England https://www.bbc.co.uk/news/business-60109945
  • Some Ontario teachers are refusing work over school COVID-19 concerns https://toronto.ctvnews.ca/some-ontario-teachers-are-refusing-work-over-school-covid-19-concerns-1.5754561
  • Food can be sold at Ontario movie theatres once restrictions loosen Jan. 31: sources https://globalnews.ca/news/8542078/ontario-movie-theatres-food-sales-concession-stands-covid/
  • Unvaccinated man denied heart transplant by Boston hospital https://www.bbc.co.uk/news/world-us-canada-60132765

• Treatments, Testing, Triage, Trials, and things we Learned:

  • Fast, cheap test can detect COVID-19 virus' genome without need for PCR https://scienmag.com/fast-cheap-test-can-detect-covid-19-virus-genome-without-need-for-pcr/

• Immunity and Vaccinations:

  • Large study provides reassurance that COVID-19 vaccination does not affect fertility or early pregnancy https://scienmag.com/large-study-provides-reassurance-that-covid-19-vaccination-does-not-affect-fertility-or-early-pregnancy/
  • 4th COVID shot made people over 60 twice as resistant to infection: Israel https://globalnews.ca/news/8534036/4th-covid-vaccine-infection-israel/
  • Pfizer and BioNTech have started testing an Omicron-specific COVID-19 vaccine for adults https://www.businessinsider.com/pfizer-biontech-testing-omicron-specific-COVID-vaccine-adult-trials-2022-1
  • Things we learned:
  • SARS vs. COVID-19: What we didn't learn the last time https://toronto.ctvnews.ca/sars-vs-covid-19-what-we-didn-t-learn-the-last-time-1.5752524
  • SARS-CoV-2 can remain active for longer than recommended quarantine period, study shows https://scienmag.com/sars-cov-2-can-remain-active-for-longer-than-recommended-quarantine-period-study-shows/
  • Researchers identify immunological markers for SARS-CoV-2 reinfection https://scienmag.com/researchers-identify-immunological-markers-for-sars-cov-2-reinfection/

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Innovations & Inventions:

  • Record-Breaking Nuclear Fusion Experiment Achieves Historic Plasma Milestone https://www.sciencealert.com/record-breaking-nuclear-fusion-experiment-achieves-a-new-plasma-milestone
  • Tiny materials lead to a big advance in quantum computing https://scienmag.com/tiny-materials-lead-to-a-big-advance-in-quantum-computing/
  • Car that transforms into plane in just minutes cleared to fly https://www.independent.co.uk/life-style/gadgets-and-tech/car-plane-fly-slovakia-b1999865.html
  • James Webb Space Telescope Has Arrived Successfully at L2 https://www.universetoday.com/154189/webb-has-arrived-successfully-at-l2/

• Other:

  • A Harvard Mathematician Has Basically Solved an Epic, 150-Year-Old Chess Problem https://www.sciencealert.com/a-harvard-mathematician-has-solved-an-epic-150-year-old-chess-problem
  • Message in a bottle from Scottish girl found in Norway after 25 years https://www.bbc.co.uk/news/uk-scotland-north-east-orkney-shetland-60121185
  • New AI paint colors https://www.aiweirdness.com/new-ai-paint-colors/
  • 13 Rovers Recently Competed to Scour the (Simulated) Moon to Harvest Resources https://www.universetoday.com/154173/13-rovers-recently-competed-to-scour-the-simulated-moon-to-harvest-resources/
  • Glowing meteor lights up northern B.C. sky https://www.cbc.ca/news/canada/british-columbia/bolide-northern-bc-fort-nelson-1.6326184
  • Remembering NASA Engineer Jerry Woodfill, the Inspiration Behind “13 Things That Saved Apollo 13” https://www.universetoday.com/154164/remembering-nasa-engineer-jerry-woodfill-the-inspiration-behind-13-things-that-saved-apollo-13/
  • NASA is Already Designing Hardware for a Mars Sample Return Mission https://www.universetoday.com/154252/nasa-is-already-designing-hardware-for-a-mars-sample-return-mission/
  • NASA's 'Nuclear Option' May Be Crucial for Getting Humans to Mars https://www.scientificamerican.com/article/nasas-nuclear-option-may-be-crucial-for-getting-humans-to-mars/
  • A Private Mission to Scan the Cloud Tops of Venus for Evidence of Life https://www.universetoday.com/154211/a-private-mission-to-scan-the-cloud-tops-of-venus-for-evidence-of-life/
  • 5,000 Exoplanets! https://www.universetoday.com/154217/5000-exoplanets/
  • Finally, an Explanation for the Cold Spot in the Cosmic Microwave Background https://www.universetoday.com/154147/finally-an-explanation-for-the-cold-spot-in-the-cosmic-microwave-background/
  • There are 40 quintillion black holes in the observable Universe. More or less. https://www.syfy.com/syfy-wire/bad-astronomy-black-holes-quintillions