18 min read

This Week's [in]Security - Issue 297

CG Blogger : Dec 18, 2022 12:00:00 AM

[in]security

Welcome to This Week’s [in]Security. PCI: PTSv4 extension, DSSv4, Secure Software v1.2. Surcharge backlash. Gift card fraud. Fake products. New breaches, New Ransomware, Downs. Privacy: Policy implications, Apple photos, DHS & Tech. Laws & Regs - Canada, US, World. Fines, Enforcements & Lawsuits. Standards: NIST hashes & IoT. Emerging - AI: ChatGPT & NSFW Images, Cryptography. Defense - Resources, Tools & Techniques, memory-safe languages. Vulnerabilities - Advisories, Significant: Roundup, Cisco, Fortinet. WAFs. Eufy Cams, Botnet karma. Research: abusing AV & EDR, decoupling privacy, air-gaps, Pwn2Own. Cybercrime - active campaigns, Power grid, Android app signing keys, crimes & enforcement. Bad-Actors. Risks, bad software, passwords, disinformation, health, safety, environment, economy, FTX. Russia v. Ukraine. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

PCI Security Standards Council Bulletin: Expiry Date Extended for PCI PTS POI v4 Devices https://www.pcisecuritystandards.org/wp-content/uploads/2022/12/PTS_POI_v4_Extension_Bulletin.pdf
PCI DSSv4 Updates:

Changes to PCI DSS v4.0 Reporting: In Place with Remediation https://blog.pcisecuritystandards.org/changes-to-pci-dss-v4-0-reporting-in-place-with-remediation

PCI SSF v1.2 …

New Web Software Module Introduced in PCI Secure Software Standard Version 1.2 https://blog.pcisecuritystandards.org/new-web-software-module-introduced-in-pci-secure-software-standard-version1-2
Secure Software Program Guide https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-Secure-Software-Program-Guide-v1_2.pdf
Secure Software Standard Summary of Changes https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-Summary-of-Changes-v1_1-to-v1_2.pdf
Secure Software Standard https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2.pdf
FAQs for SSF v1.2 https://www.pcisecuritystandards.org/document_library/?category=sware_sec&document=faq_ssf_1_2
SSF Glossary of Terms, Abbreviations, and Acronyms https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-SSF-Glossary-v1_2.pdf
Qualification Requirements for SSF Assessors https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-SSF-Qualification-Requirements-for-Assessors-v1_2.pdf

Other payment related:

Australia Sues Amex For Violating Credit Card Distribution Rules https://www.pymnts.com/news/regulation/2022/australia-sues-amex-for-violating-credit-card-distribution-rules/

The ugliness of credit card surcharges:

Canadians balk at being forced to pay an extra fee for credit card purchases https://financialpost.com/executive/executive-summary/credit-card-surcharge-canadians-balk
CRTC rejects Telus' request to charge credit card processing fee for some services https://globalnews.ca/news/9335092/crtc-telus-credit-card-processing-fee-rejected-regulated-home-phone-services/
Tampered Gift Card Warning https://www.ctvnews.ca/canada/former-police-officer-warns-of-scams-involving-tampered-gift-cards-at-retailers-1.6185402
Family says Amazon shipped fake product, refuses refund until 'correct' item returned https://www.cbc.ca/news/business/amazon-returns-1.6669601

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

New Breaches:

Cybersecurity firm ‘sniffed out' hacked Tirupati hospital data on dark web. Now, it's a ‘victim' too https://www.databreaches.net/cybersecurity-firm-sniffed-out-hacked-tirupati-hospital-data-on-dark-web-now-its-a-victim-too/
Lighting Giant Acuity Brands Discloses Two Data Breaches https://www.securityweek.com/lighting-giant-acuity-brands-discloses-two-data-breaches
Around 360K people in Ontario affected by COVAXon privacy breach https://globalnews.ca/news/9338278/covaxon-privacy-breach/
Au: 130,000 Telstra customers exposed in data leak https://www.databreaches.net/au-130000-telstra-customers-exposed-in-data-leak/
6 Lakh Indians' Data Sold on Bot Markets, Making it Most-affected Nation https://www.databreaches.net/6-lakh-indians-data-sold-on-bot-markets-making-it-most-affected-nation/

New Ransomware and "Incidents":

New Ransom Payment Schemes Target Executives, Telemedicine https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/
Rackspace Confirms Ransomware Attack as It Tries to Determine If Data Was Stolen https://www.securityweek.com/rackspace-confirms-ransomware-attack-it-tries-determine-if-data-was-stolen
New Zealand Government Hit by Ransomware Attack on IT Provider https://www.securityweek.com/new-zealand-government-hit-ransomware-attack-it-provider
Cyberattack Shuts Down French Hospital https://www.darkreading.com/attacks-breaches/cyberattack-shuts-down-french-hospital
NJ: With servers still offline, Hudson County Schools of Technology goes old-school low tech https://www.databreaches.net/nj-with-servers-still-offline-hudson-county-schools-of-technology-goes-old-school-low-tech/

Major outages/downs:

Amazon outage https://mobilesyrup.com/2022/12/07/amazon-down-for-hundreds-of-canadians/
Massive DDoS attack takes Russia's second-largest bank VTB offline https://www.bleepingcomputer.com/news/security/massive-ddos-attack-takes-russia-s-second-largest-bank-vtb-offline/

Have-I-Been-Pwned updates:

Abandonia (2022) - 919,790 breached accounts https://haveibeenpwned.com/PwnedWebsites#Abandonia2022

Privacy

Articles about privacy related news, risks, and trends.

What Stricter Data Privacy Laws Mean for Your Cybersecurity Policies https://thehackernews.com/2022/12/what-stricter-data-privacy-laws-mean.html
Apple Kills Its Plan to Scan Your Photos for CSAM. Here’s What’s Next https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/
Tech companies fueled the rise of Homeland Security and domestic surveillance, report finds https://www.theverge.com/2022/12/8/23496852/microsoft-dhs-surveillance-data-fusion
TSA to expand facial recognition across America https://www.theregister.com/2022/12/06/us_transportation_security_agency_facial/

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

Canada:

Ottawa to unveil investment law reforms to address ‘national security concerns' https://globalnews.ca/news/9329880/investment-canada-act-reform-champagne/
From Bad to Worse: Senate Committee Adds Age Verification Requirement for Online Undertakings to Bill C-11 https://www.michaelgeist.ca/2022/12/from-bad-to-worse-senate-committee-adds-age-verification-requirement-for-online-undertakings-to-bill-c-11/
The Law Bytes Podcast, Episode 149: Ryan Clements on the FTX Collapse and Canada's Approach to Crypto Regulation https://www.michaelgeist.ca/2022/12/law-bytes-podcast-episode-149/
Big Cost, Smaller Benefit: Government Modelling Pegs Likely Bill C-18 Revenues at Less Than Half of Parliamentary Budget Officer Estimates https://www.michaelgeist.ca/2022/12/big-cost-smaller-benefit/
How the Government Is Using Bill C-18 to Pick Media Winners and Losers https://www.michaelgeist.ca/2022/12/winnersandlosers/
Important Notice about FIPPA – Mandatory Breach Notification and Privacy Management Program Requirements Coming into Effect on February 1, 2023 https://www.databreaches.net/important-notice-about-fippa-mandatory-breach-notification-and-privacy-management-program-requirements-coming-into-effect-on-february-1-2023/

Victory! Judge's Critical Investigation of Patent Troll Companies Can Move Forward https://www.eff.org/deeplinks/2022/12/victory-judges-critical-investigation-patent-troll-companies-can-move-forward
VICTORY! The Safe Connections Act is Now Law https://www.eff.org/deeplinks/2022/12/victory-safe-connections-act-now-law
VICTORY! San Francisco Bans Killer Robots…For Now https://www.eff.org/deeplinks/2022/12/victory-san-francisco-bans-killer-robotsfor-now
The Supreme Court Must Protect Internet Users' Rights to Access Controversial Information Online https://www.eff.org/deeplinks/2022/12/supreme-court-must-protect-internet-users-rights-access-controversial-information
Meta threatens to remove US news content if new law passes https://www.bbc.co.uk/news/technology-63869013

World:

Taiwan bans state-owned devices from running Chinese platform TikTok https://www.theregister.com/2022/12/07/taiwan_bans_chinese_platform_tiktok/
EU Court: Google Must Delete Inaccurate Search Info If Asked https://www.securityweek.com/eu-court-google-must-delete-inaccurate-search-info-if-asked
EU Says Meta Needs to Change Targeted Ad Practices https://www.pymnts.com/news/regulation/2022/eu-says-meta-needs-to-change-targeted-ad-practices/
A Promising New GDPR Ruling Against Targeted Ads https://www.eff.org/deeplinks/2022/12/promising-new-gdpr-ruling-against-targeted-ads
Crypto Firms May Have to Report EU Tax Evaders https://www.pymnts.com/cryptocurrency/2022/crypto-firms-may-have-to-report-eu-tax-evaders/
The Dangerous Digital Creep of Britain's ‘Hostile Environment' https://www.wired.com/story/digital-by-default-immigration-uk/
Network Usage Fees Will Harm European Consumers and Businesses https://www.eff.org/deeplinks/2022/12/network-usage-fees-will-harm-european-consumers-and-businesses

Enforcements, Fines, Lawsuits:

Meta Expected to Face New Fines After EU Privacy Ruling https://www.securityweek.com/meta-expected-face-new-fines-after-eu-privacy-ruling
Five British Companies Fined For Making Half A Million Nuisance Calls https://packetstormsecurity.com/news/view/34121/Five-British-Companies-Fined-For-Making-Half-A-Million-Nuisance-Calls.html
Indiana sues TikTok for misleading users on child safety and data security https://www.theverge.com/2022/12/7/23499017/tiktok-china-bytedance-lawsuit-mature-content-national-security
Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google https://krebsonsecurity.com/2022/12/judge-orders-u-s-lawyer-in-russian-botnet-case-to-pay-google/
2 women are suing Apple alleging that former partners hid AirTags in a car and a child's backpack and used the devices to stalk them https://www.businessinsider.com/apple-faces-airtag-lawsuit-after-women-allege-stalking-ex-partners-2022-12
Lawsuits come, lawsuits go (settle), Friday edition https://www.databreaches.net/lawsuits-come-lawsuits-go-settle-friday-edition/

Standards News:

NIST Announcement of Proposal to Revise FIPS 180-4, Secure Hash Standard (SHS) https://csrc.nist.gov/News/2022/proposal-to-revise-fips-180-4-secure-hash-standard
NCCoE Releases Final Practice Guide: NIST SP 1800-34, Validating the Integrity of Computing Devices https://www.nccoe.nist.gov/supply-chain-assurance
National Online Informative References (OLIR) Program: Two Draft NIST IRs Available for Comment through January 20 https://content.govdelivery.com/accounts/USNIST/bulletins/33bd98a
NCCoE Releases Preliminary Draft Practice Guide for Trusted IoT Onboarding and Lifecycle Management open for comment until February 3 https://csrc.nist.gov/publications/detail/sp/1800-36/draft

Emerging technology and Innovations

Covering developments and risks with new technologies including AI, Quantum Computing, Cryptography:

Artificial Intelligence & Machine Learning:
Machine Learning Models: A Dangerous New Attack Vector https://www.darkreading.com/threat-intelligence/machine-learning-models-dangerous-new-attack-vector
ChatGPT proves AI is finally mainstream — and things are only going to get weirder https://www.theverge.com/2022/12/8/23499728/ai-capability-accessibility-chatgpt-stable-diffusion-commercialization
OpenAI's new ChatGPT bot: 10 dangerous things it's capable of https://www.bleepingcomputer.com/news/technology/openais-new-chatgpt-bot-10-dangerous-things-its-capable-of/
AI Bot ChatGPT Stuns Academics With Essay Writing Skills / Usability https://packetstormsecurity.com/news/view/34106/AI-Bot-ChatGPT-Stuns-Academics-With-Essay-Writing-Skills-Usability.html
AI-generated answers temporarily banned on coding Q&A site Stack Overflow https://www.theverge.com/2022/12/5/23493932/chatgpt-ai-generated-answers-temporarily-banned-stack-overflow-llms-dangers
ChatGPT shows promise of using AI to write malware https://www.cyberscoop.com/chatgpt-ai-malware/
The Internet's New Favorite AI Proposes Torturing Iranians and Surveilling Mosques https://theintercept.com/2022/12/08/openai-chatgpt-ai-bias-ethics/
OpenAI's new chatbot can hallucinate a Linux shell—or calling a BBS https://arstechnica.com/information-technology/2022/12/openais-new-chatbot-can-hallucinate-a-linux-shell-or-calling-a-bbs/
Apparently I am a robot https://www.aiweirdness.com/writing-like-a-robot/
Bonus: ChatGPT rates recipes by another neural net https://www.aiweirdness.com/bonus-chatgpt-rates-recipes/
Thanks to AI, it's probably time to take your photos off the Internet https://arstechnica.com/information-technology/2022/12/thanks-to-ai-its-probably-time-to-take-your-photos-off-the-internet/
Lensa AI's owner says the company's face-changing tech can be tricked into generating NSFW images — but some users are saying it happened to them without even trying https://www.businessinsider.com/lensa-ai-photo-app-generating-nsfw-images-without-prompting-2022-12
Lensa AI and ‘Magic Avatars': What to Know Before Using the App https://www.wired.com/story/lensa-ai-magic-avatars-security-tips/
How to use MyHeritage's AI Time Machine, a tool that shows what you would look like throughout history https://www.businessinsider.com/guides/tech/myheritage-ai-time-machine

Cryptography and Cryptographic Research:

KEMTLS vs. Post-Quantum TLS: Performance On Embedded Systems https://eprint.iacr.org/2022/1712
On Zero-Knowledge Proofs over the Quantum Internet https://eprint.iacr.org/2022/1701
RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography https://eprint.iacr.org/2022/1697
Practical Quantum-Safe Voting from Lattices, Extended https://eprint.iacr.org/2022/1686
Secret Key Recovery Attacks on Masked and Shuffled Implementations of CRYSTALS-Kyber and Saber https://eprint.iacr.org/2022/1692
Nonce-encrypting AEAD Modes with Farfalle https://eprint.iacr.org/2022/1711
Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol https://eprint.iacr.org/2022/1705

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

Educational events, webinars, courses, etc:

Recap and Resources from the NICE K12 Conference https://content.govdelivery.com/accounts/USNIST/bulletins/33babfa
OpenSSF Membership Exceeds 100, With Many New Members Dedicated to Securing Open Source Software https://www.darkreading.com/application-security/openssf-membership-exceeds-100-with-many-new-members-dedicated-to-securing-open-source-software

General:

What Will It Take to Secure Critical Infrastructure? https://www.darkreading.com/ics-ot/what-will-it-take-to-secure-critical-infrastructure

Methods, Techniques, Tools, and Products:

Shift to Memory-Safe Languages Gains Momentum https://www.darkreading.com/application-security/shift-memory-safe-languages-gains-momentum
Trust in transparency: Private Compute Core https://security.googleblog.com/2022/12/trust-in-transparency-private-compute.html
Kali Linux 2022.4 adds 6 new tools, Azure images, and desktop updates https://www.bleepingcomputer.com/news/security/kali-linux-20224-adds-6-new-tools-azure-images-and-desktop-updates/
Wireshark 4.0.2 and 3.6.10 released, (Wed, Dec 7th) https://isc.sans.edu/diary/rss/29316
Why encrypted backup is so important https://blog.cryptographyengineering.com/2022/12/07/apple-icloud-and-why-encrypted-backup-is-the-only-privacy-issue/
Want to detect Cobalt Strike on the network? Look to process memory https://www.theregister.com/2022/12/06/cobalt_strike_memory_unit_42/
Hybrid fuzzing: Sharpening the spikes of Echidna https://blog.trailofbits.com/2022/12/08/hybrid-echidna-fuzzing-optik-maat/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

Advisories:

CISA orders agencies to patch exploited Google Chrome bug by Dec 26th https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exploited-google-chrome-bug-by-dec-26th/
Google Chrome Flaw Added to CISA Patch List https://www.darkreading.com/vulnerabilities-threats/google-chrome-flaw-added-to-cisa-patch-list

Significant:

Control Gap Vulnerability Roundup: November 26th to December 2nd https://www.controlgap.com/blog/vulnerability-roundup-november-26th-december-2nd
Cisco discloses high-severity IP phone zero-day with exploit code https://www.bleepingcomputer.com/news/security/cisco-discloses-high-severity-ip-phone-zero-day-with-exploit-code/
Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS https://www.securityweek.com/fortinet-patches-high-severity-authentication-bypass-vulnerability-fortios
Several Code Execution Vulnerabilities Patched in Sophos Firewall https://www.securityweek.com/several-code-execution-vulnerabilities-patched-sophos-firewall

Other Vulnerabilities:

Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet https://www.securityweek.com/over-4000-vulnerable-pulse-connect-secure-hosts-exposed-internet
WAFs of Several Major Vendors Bypassed With Generic Attack Method https://www.securityweek.com/wafs-several-major-vendors-bypassed-generic-attack-method
NETGEAR Router Misconfiguration Opens The Door For Remote Attacks https://www.tenable.com/blog/netgear-router-misconfiguration-opens-the-door-for-remote-attacks
Security Vulnerabilities in Eufy Cameras https://www.schneier.com/blog/archives/2022/12/security-vulnerabilities-in-eufy-cameras.html
Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html
Exploiting CVE-2022-42703 - Bringing back the stack attack https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html
Log4j: One Year Later https://www.imperva.com/blog/log4j-one-year-later/
Syntax errors are the doom of us all, including botnet authors https://arstechnica.com/information-technology/2022/12/advanced-botnet-taken-down-by-an-all-too-human-flaw-syntax-error/

Research on new vulnerabilities:

Antivirus and EDR solutions tricked into acting as data wipers https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/
The Decoupling Principle https://www.schneier.com/blog/archives/2022/12/the-decoupling-principle.html
Air-gapped PCs vulnerable to data theft via power supply radiation https://www.bleepingcomputer.com/news/security/air-gapped-pcs-vulnerable-to-data-theft-via-power-supply-radiation/
COVID-bit: New COVert Channel to Exfiltrate Data from Air-Gapped Computers https://thehackernews.com/2022/12/covid-bit-new-covert-channel-to.html
Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/
Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Galaxy S22, SOHO Exploits https://www.securityweek.com/pwn2own-toronto-2022-day-1-hackers-earn-400000-galaxy-s22-soho-exploits
Pwn2Own Toronto 2022, Day 2: Smart Speaker Exploits Earn Big Chunk of $280,000 Total https://www.securityweek.com/pwn2own-toronto-2022-day-2-smart-speaker-exploits-earn-big-chunk-280000-total
Samsung Galaxy S22 gets hacked in 55 seconds at Pwn2Own Toronto https://www.bleepingcomputer.com/news/security/samsung-galaxy-s22-gets-hacked-in-55-seconds-at-pwn2own-toronto/
Zero-Day Hackers Breach Samsung Galaxy S22 Twice In 24 Hours https://www.databreaches.net/zero-day-hackers-breach-samsung-galaxy-s22-twice-in-24-hours/
Sorting Out Randomized TLS Fingerprints https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

Trends, Alerts, and Events (other than major breaches):

Attackers Keep Targeting the US Electric Grid https://www.wired.com/story/attacks-us-electrical-grid-security-roundup/
Leaked Signing Keys Are Being Used to Sign Malware https://www.schneier.com/blog/archives/2022/12/leaked-signing-keys-are-being-used-to-sign-malware.html
New Ransom Payment Schemes Target Executives, Telemedicine https://www.databreaches.net/new-ransom-payment-schemes-target-executives-telemedicine/
Hacked corporate email accounts used to send MSP remote access tool https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/
Legit Android apps poisoned by sticky 'Zombinder' malware https://www.theregister.com/2022/12/09/zombinder_android_windows_malware/
New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.html
New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm https://thehackernews.com/2022/12/new-truebot-malware-variant-leveraging.html
Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver https://thehackernews.com/2022/12/researchers-uncover-new-drokbk-malware.html
Sneaky hackers reverse defense mitigations when detected https://www.databreaches.net/sneaky-hackers-reverse-defense-mitigations-when-detected/
SoK: Use of Cryptography in Malware Obfuscation https://eprint.iacr.org/2022/1699
Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices https://www.darkreading.com/remote-workforce/zerobot-weaponizes-numerous-flaws-iot-devices
UK arrests five for selling 'dodgy' point of sale software https://www.theregister.com/2022/12/12/j5_electronic_sales_suppression_software_probe/

Crime & Arrests, etc.:

Arizona Man Arrested For Point-Of-Sale Cyber Intrusions https://www.databreaches.net/arizona-man-arrested-for-point-of-sale-cyber-intrusions/
SIM Swapper Who Stole $20 Million Sentenced to Prison https://www.securityweek.com/sim-swapper-who-stole-20-million-sentenced-prison
Suspects arrested for hacking US networks to steal employee data https://www.bleepingcomputer.com/news/security/suspects-arrested-for-hacking-us-networks-to-steal-employee-data/
Wirecard trial of executives opens in German fraud scandal https://www.bbc.co.uk/news/world-europe-63893933
Australia arrests 'Pig Butchering' suspects for stealing $100 million https://www.bleepingcomputer.com/news/security/australia-arrests-pig-butchering-suspects-for-stealing-100-million/
CryptosLabs ‘pig butchering' ring stole up to $505 million since 2018 https://www.bleepingcomputer.com/news/security/cryptoslabs-pig-butchering-ring-stole-up-to-505-million-since-2018/
Scammers Are Scamming Other Scammers Out of Millions of Dollars https://www.wired.com/story/cybercrime-hackers-scams-forums/

Bad-Actors / Nation-States / APTs / Cyber-Mercenaries

News covering Nation-State Actors, APTS, Hacking Groups, Mercenaries, Espionage, and the Notorious:

RCMP suspends contract with Ontario company linked to China https://www.cp24.com/mobile/news/rcmp-suspends-contract-with-ontario-company-linked-to-china-1.6187510
Amnesty International Canada says it was target of Chinese state cyberattack https://globalnews.ca/news/9328262/amnesty-international-canada-cyberattack/
Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities https://thehackernews.com/2022/12/chinese-hackers-using-russo-ukrainian.html
Secret Service: Chinese Hackers Swiped $20M in COVID Relief Funds https://www.pymnts.com/fraud-attack/2022/secret-service-chinese-hackers-swiped-20m-in-covid-relief-funds/
Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks https://thehackernews.com/2022/12/chinese-hackers-target-middle-east.html
Microsoft warns of Russian cyberattacks throughout the winter https://www.bleepingcomputer.com/news/security/microsoft-warns-of-russian-cyberattacks-throughout-the-winter/
Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html
North Korea hits new low by using Seoul Halloween tragedy to exploit Internet Explorer zero-day https://www.theregister.com/2022/12/08/north_korea_seoul_tragedy_exploit/
DEV-0139 launches targeted attacks against the cryptocurrency industry https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.html
This ransomware gang is a right Royal pain in the AES for healthcare orgs https://www.theregister.com/2022/12/09/royal_ransomware_hhs_warning/
Vice Society Ransomware Attackers Targeted Dozens of Schools in 2022 https://thehackernews.com/2022/12/vice-society-ransomware-attackers.html

Other Security / Risk

Articles covering other types of risks.

General:

Bad Software Cost US Businesses $2.1 Trillion In 2022 https://packetstormsecurity.com/news/view/34123/Bad-Software-Cost-US-Businesses-2.1-Trillion-In-2022.html
Password Reset Calls Are Costing Your Org Big Money https://www.bleepingcomputer.com/news/security/password-reset-calls-are-costing-your-org-big-money/
These Are the 50 Most Popular Passwords in America—and That's Not a Good Thing https://www.mentalfloss.com/posts/most-popular-passwords-in-america
The last phone boxes https://www.theguardian.com/society/2022/apr/28/last-phone-boxes-bt-payphones-uk
Global Population Growth Is Slowing Down. Here's One Reason Why https://www.scientificamerican.com/article/global-population-growth-is-slowing-down-heres-one-reason-why/
Interesting CAPTCHA https://www.schneier.com/blog/archives/2022/12/captcha.html

Disinformation and misinformation

Most convicted terrorists radicalised online, finds MoJ-backed study https://www.theguardian.com/uk-news/2022/dec/08/most-convicted-terrorists-radicalised-online-finds-study

Health:

Canadians choosing cheaper, less-healthy foods, skipping medications to cut costs: poll https://globalnews.ca/news/9337810/rising-food-prices-salvation-army-poll/
Scientists finally know why people get more colds and flu in winter https://www.ctvnews.ca/health/scientists-finally-know-why-people-get-more-colds-and-flu-in-winter-1.6182625
National study confirms breakthrough COVID cases are less severe than COVID in unvaccinated adults https://scienmag.com/national-study-confirms-breakthrough-covid-cases-are-less-severe-than-covid-in-unvaccinated-adults/
New receptor “decoy” drug neutralizes COVID-19 virus and its variants https://scienmag.com/new-receptor-decoy-drug-neutralizes-covid-19-virus-and-its-variants/
Rotten meat could be easier to detect thanks to a new biosensor system developed at Concordia https://scienmag.com/rotten-meat-could-be-easier-to-detect-thanks-to-a-new-biosensor-system-developed-at-concordia/
Vaping: Juul Labs agrees thousands of US settlements https://www.bbc.co.uk/news/business-63888206
The Brains of Teenagers Look Disturbingly Different After Lockdown https://www.sciencealert.com/the-brains-of-teenagers-look-disturbingly-different-after-lockdown
Analysis of wastewater in a New England college town reveals high usage of stimulants and a rise in drug use during the pandemic https://scienmag.com/analysis-of-wastewater-in-a-new-england-college-town-reveals-high-usage-of-stimulants-and-a-rise-in-drug-use-during-the-pandemic/
FSU research links common sweetener with anxiety https://scienmag.com/fsu-research-links-common-sweetener-with-anxiety/
New virus discovered in Swiss ticks https://scienmag.com/new-virus-discovered-in-swiss-ticks/
Ancient Pathogen Is 'Imminent Threat' in Every Part of The World, WHO Warns https://www.sciencealert.com/ancient-pathogen-is-imminent-threat-in-every-part-of-the-world-who-warns
$3.5-Million Hemophilia Gene Therapy Is World's Most Expensive Drug https://www.scientificamerican.com/article/3-5-million-hemophilia-gene-therapy-is-worlds-most-expensive-drug/
The Y Chromosome Is Slowly Vanishing. A New Sex Gene Could Be The Future of Men https://www.sciencealert.com/the-y-chromosome-is-slowly-vanishing-a-new-sex-gene-could-be-the-future-of-men

Safety:

Gunfire at electrical grid kills power for 45,000 in North Carolina https://www.theregister.com/2022/12/05/electrical_grid_carolina/
Guelph police use blood sample to identify break and enter suspect https://globalnews.ca/news/9325773/guelph-police-blood-sample-identify-break-and-enter-suspect/
Woman jabbed with needle while running errands in downtown Toronto https://toronto.ctvnews.ca/woman-jabbed-with-needle-while-running-errands-in-downtown-toronto-1.6182081
Passenger who fell from cruise ship treaded water for 20 hours to survive https://globalnews.ca/news/9326855/james-michael-grimes-cruise-ship-overboard/
Pivot Airlines pilot breaks down how surveillance footage was tampered with https://www.ctvnews.ca/w5/exclusive-surveillance-footage-shows-duffel-bags-being-loaded-onto-pivot-airlines-jet-1.6186742

Environment:

Renewables Are on Pace to Beat Coal as the Largest Power Source by 2025 https://www.scientificamerican.com/article/renewables-are-on-pace-to-beat-coal-as-the-largest-power-source-by-2025/
Nova Scotia's solar industry continues to soar at a record pace https://globalnews.ca/news/9332588/nova-scotia-solar-industry-growing-record-pace/
To Fight Climate Change, We Could Block the Sun. A Lightweight Solar Sail Could Make it Feasible https://www.universetoday.com/159133/to-fight-climate-change-we-could-block-the-sun-a-lightweight-solar-sail-could-make-it-feasible/
Long wait lists, no provincial incentives keep Ontarians from buying EVs, advocate says https://www.cbc.ca/news/canada/toronto/electric-vehicles-ontario-1.6674709
How to Decarbonize Crypto https://www.theatlantic.com/ideas/archive/2022/12/cryptocurrency-mining-environmental-impact-solution/672360/
Researchers harvest electricity from wood soaking in water https://scienmag.com/researchers-harvest-electricity-from-wood-soaking-in-water/
Enjoy It While You Can: Dropping Oxygen Will One Day Suffocate Most Life on Earth https://www.sciencealert.com/enjoy-it-while-you-can-dropping-oxygen-will-one-day-suffocate-most-life-on-earth

Economy:

Tim Cook and President Biden came to Arizona to announce plans for American-made chips https://www.theverge.com/2022/12/6/23497417/apple-tsmc-phoenix-fab-plans-biden-amd-nvidia
Wirecard Trial Sets Up FTX Parallels and Enron Echoes https://www.pymnts.com/digital-payments/2022/wirecard-trial-sets-up-ftx-parallels-and-enron-echoes/
The FTC is investigating crypto firms for possible misconduct following FTX collapse https://www.theverge.com/2022/12/6/23496423/ftx-crypto-sam-bankman-fried-ftc-tom-brady-steph-curry-investigation
FTX Founder Sam Bankman-Fried Faces Market Manipulation Inquiry https://www.nytimes.com/2022/12/07/business/ftx-sbf-crypto-market-investigation.html

Russia v. Ukraine

News and announcements relating to Russia's invasion of Ukraine.

The war:

Ukraine war: Russian military airfields hit by explosions https://www.bbc.co.uk/news/world-europe-63857451
Ukraine hits 'Wagner HQ' in weekend of fighting https://www.bbc.co.uk/news/world-europe-63933132
Russia is tearing through its munitions stockpiles faster than it can refill them, top US intel chief says https://www.businessinsider.com/russia-uses-munitions-stockpiles-faster-than-replacing-them-us-intelligence-2022-12
Russia has stopped using its Iranian suicide drones because they don't work in the cold, Ukraine says https://www.businessinsider.com/russia-stopped-using-iran-suicide-drones-dont-work-cold-ukraine-2022-12
Putin vows to continue hitting Ukraine's power grid https://www.bbc.co.uk/news/world-europe-63907803
Putin: Nuclear risk is rising, but we are not mad https://www.bbc.co.uk/news/world-europe-63893316

Sanctions & economic Impact:

Putin has destroyed Russia's most important oil market – and what's next for crude depends on him and Xi Jinping, energy expert Daniel Yergin says https://markets.businessinsider.com/news/commodities/oil-price-outlook-vladimir-putin-xi-jinping-eu-sanctions-yergin-2022-12
The EU for the first time will seek sanctions against Russia's mining sector, expanding efforts to cripple Russia's wartime economy https://markets.businessinsider.com/news/commodities/russia-mining-eu-sanctions-ukraine-markets-metals-commodities-putin-investment-2022-12
Russia's central bank just issued a warning about 'new economic shocks,' and it shows the new $60/barrel cap on oil is working https://www.businessinsider.com/russia-central-bank-western-oil-price-cap-eu-ban-economy-2022-12
A $200m superyacht seized from Putin's apparent choice for a Ukrainian puppet leader is being sold at auction, with Ukraine keeping the proceeds https://www.businessinsider.com/oligarchs-200m-superyacht-to-be-sold-by-ukraine-at-auction-2022-12

Cyber-attacks and the potential for cyber-war:

Wiper, Disguised as Fake Ransomware, Targets Russian Orgs https://www.darkreading.com/threat-intelligence/wiper-disguised-fake-ransomware-targets-russian-orgs
Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations https://www.securityweek.com/russian-espionage-apt-callisto-focuses-ukraine-war-support-organizations
Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier https://thehackernews.com/2022/12/russian-hackers-spotted-targeting-us.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

Lighter:

CP Holiday Train en route to B.C.'s Interior https://globalnews.ca/news/9338813/cp-holiday-train-b-c-interior/
Is ‘Die Hard' a Christmas Movie? A New and Official Trailer May Finally Answer the Question https://www.mentalfloss.com/posts/die-hard-christmas-movie-trailer
The 10 Best Films of 2022 https://www.theatlantic.com/culture/archive/2022/12/best-movies-2022-tar-nope-the-fabelmans/672387/

Science:

Flameproofing lithium-ion batteries with salt https://scienmag.com/flameproofing-lithium-ion-batteries-with-salt/
Fusion Technology Is Reaching a Turning Point That Could Change The Energy Game https://www.sciencealert.com/fusion-technology-is-reaching-a-turning-point-that-could-change-the-energy-game
Nasa's Orion capsule makes safe return to Earth https://www.bbc.co.uk/news/science-environment-63937345
What Makes Swear Words So $#%+@&! Offensive? Scientists Have Found a Clue https://www.mentalfloss.com/posts/why-swear-words-sound-offensive
The Linguistics of Swearing Explain Why We Substitute Darn for Damn https://www.scientificamerican.com/article/the-linguistics-of-swearing-explain-why-we-substitute-darn-for-damn/