This Week's [in]Security - Issue 297

Welcome to This Week’s [in]Security. PCI: PTSv4 extension, DSSv4, Secure Software v1.2. Surcharge backlash. Gift card fraud. Fake products. New breaches, New Ransomware, Downs. Privacy: Policy implications, Apple photos, DHS & Tech. Laws & Regs - Canada, US, World. Fines, Enforcements & Lawsuits. Standards: NIST hashes & IoT. Emerging - AI: ChatGPT & NSFW Images, Cryptography. Defense - Resources, Tools & Techniques, memory-safe languages. Vulnerabilities - Advisories, Significant: Roundup, Cisco, Fortinet. WAFs. Eufy Cams, Botnet karma. Research: abusing AV & EDR, decoupling privacy, air-gaps, Pwn2Own. Cybercrime - active campaigns, Power grid, Android app signing keys, crimes & enforcement. Bad-Actors. Risks, bad software, passwords, disinformation, health, safety, environment, economy, FTX. Russia v. Ukraine. And more.

PCI Compliance and Payments

News and announcements relating to Payment Security, PCI, Card Brands, Payments, Payment Malware and Fraud, and Payment Related Compliance.

• PCI Security Standards Council Bulletin: Expiry Date Extended for PCI PTS POI v4 Devices https://www.pcisecuritystandards.org/wp-content/uploads/2022/12/PTS_POI_v4_Extension_Bulletin.pdf
• PCI DSSv4 Updates:
• Changes to PCI DSS v4.0 Reporting: In Place with Remediation https://blog.pcisecuritystandards.org/changes-to-pci-dss-v4-0-reporting-in-place-with-remediation
• PCI SSF v1.2 …
• New Web Software Module Introduced in PCI Secure Software Standard Version 1.2 https://blog.pcisecuritystandards.org/new-web-software-module-introduced-in-pci-secure-software-standard-version1-2
• Secure Software Program Guide https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-Secure-Software-Program-Guide-v1_2.pdf
• Secure Software Standard Summary of Changes https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-Summary-of-Changes-v1_1-to-v1_2.pdf
• Secure Software Standard https://docs-prv.pcisecuritystandards.org/Software%20Security/Standard/PCI-Secure-Software-Standard-v1_2.pdf
• FAQs for SSF v1.2 https://www.pcisecuritystandards.org/document_library/?category=sware_sec&document=faq_ssf_1_2
• SSF Glossary of Terms, Abbreviations, and Acronyms https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-SSF-Glossary-v1_2.pdf
• Qualification Requirements for SSF Assessors https://docs-prv.pcisecuritystandards.org/Software%20Security/Supporting%20Document/PCI-SSF-Qualification-Requirements-for-Assessors-v1_2.pdf
• Other payment related:
• Australia Sues Amex For Violating Credit Card Distribution Rules https://www.pymnts.com/news/regulation/2022/australia-sues-amex-for-violating-credit-card-distribution-rules/
• The ugliness of credit card surcharges:
• Canadians balk at being forced to pay an extra fee for credit card purchases https://financialpost.com/executive/executive-summary/credit-card-surcharge-canadians-balk
• CRTC rejects Telus' request to charge credit card processing fee for some services https://globalnews.ca/news/9335092/crtc-telus-credit-card-processing-fee-rejected-regulated-home-phone-services/
• Tampered Gift Card Warning https://www.ctvnews.ca/canada/former-police-officer-warns-of-scams-involving-tampered-gift-cards-at-retailers-1.6185402
• Family says Amazon shipped fake product, refuses refund until 'correct' item returned https://www.cbc.ca/news/business/amazon-returns-1.6669601

Breaches / Ransomware / Leaks

Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.

• New Breaches:
• Cybersecurity firm ‘sniffed out' hacked Tirupati hospital data on dark web. Now, it's a ‘victim' too https://www.databreaches.net/cybersecurity-firm-sniffed-out-hacked-tirupati-hospital-data-on-dark-web-now-its-a-victim-too/
• Lighting Giant Acuity Brands Discloses Two Data Breaches https://www.securityweek.com/lighting-giant-acuity-brands-discloses-two-data-breaches
• Around 360K people in Ontario affected by COVAXon privacy breach https://globalnews.ca/news/9338278/covaxon-privacy-breach/
• Au: 130,000 Telstra customers exposed in data leak https://www.databreaches.net/au-130000-telstra-customers-exposed-in-data-leak/
• 6 Lakh Indians' Data Sold on Bot Markets, Making it Most-affected Nation https://www.databreaches.net/6-lakh-indians-data-sold-on-bot-markets-making-it-most-affected-nation/
• New Ransomware and "Incidents":
• New Ransom Payment Schemes Target Executives, Telemedicine https://krebsonsecurity.com/2022/12/new-ransom-payment-schemes-target-executives-telemedicine/
• Rackspace Confirms Ransomware Attack as It Tries to Determine If Data Was Stolen https://www.securityweek.com/rackspace-confirms-ransomware-attack-it-tries-determine-if-data-was-stolen
• New Zealand Government Hit by Ransomware Attack on IT Provider https://www.securityweek.com/new-zealand-government-hit-ransomware-attack-it-provider
• Cyberattack Shuts Down French Hospital https://www.darkreading.com/attacks-breaches/cyberattack-shuts-down-french-hospital
• NJ: With servers still offline, Hudson County Schools of Technology goes old-school low tech https://www.databreaches.net/nj-with-servers-still-offline-hudson-county-schools-of-technology-goes-old-school-low-tech/
• Major outages/downs:
• Amazon outage https://mobilesyrup.com/2022/12/07/amazon-down-for-hundreds-of-canadians/
• Massive DDoS attack takes Russia's second-largest bank VTB offline https://www.bleepingcomputer.com/news/security/massive-ddos-attack-takes-russia-s-second-largest-bank-vtb-offline/
• Have-I-Been-Pwned updates:
• Abandonia (2022) - 919,790 breached accounts https://haveibeenpwned.com/PwnedWebsites#Abandonia2022

Privacy

Articles about privacy related news, risks, and trends.

• What Stricter Data Privacy Laws Mean for Your Cybersecurity Policies https://thehackernews.com/2022/12/what-stricter-data-privacy-laws-mean.html
• Apple Kills Its Plan to Scan Your Photos for CSAM. Here’s What’s Next https://www.wired.com/story/apple-photo-scanning-csam-communication-safety-messages/
• Tech companies fueled the rise of Homeland Security and domestic surveillance, report finds https://www.theverge.com/2022/12/8/23496852/microsoft-dhs-surveillance-data-fusion
• TSA to expand facial recognition across America https://www.theregister.com/2022/12/06/us_transportation_security_agency_facial/

Laws, Regulations, Platforms, Standards, and Public Policy

News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.

• Canada:
• Ottawa to unveil investment law reforms to address ‘national security concerns' https://globalnews.ca/news/9329880/investment-canada-act-reform-champagne/
• From Bad to Worse: Senate Committee Adds Age Verification Requirement for Online Undertakings to Bill C-11 https://www.michaelgeist.ca/2022/12/from-bad-to-worse-senate-committee-adds-age-verification-requirement-for-online-undertakings-to-bill-c-11/
• The Law Bytes Podcast, Episode 149: Ryan Clements on the FTX Collapse and Canada's Approach to Crypto Regulation https://www.michaelgeist.ca/2022/12/law-bytes-podcast-episode-149/
• Big Cost, Smaller Benefit: Government Modelling Pegs Likely Bill C-18 Revenues at Less Than Half of Parliamentary Budget Officer Estimates https://www.michaelgeist.ca/2022/12/big-cost-smaller-benefit/
• How the Government Is Using Bill C-18 to Pick Media Winners and Losers https://www.michaelgeist.ca/2022/12/winnersandlosers/
• Important Notice about FIPPA – Mandatory Breach Notification and Privacy Management Program Requirements Coming into Effect on February 1, 2023 https://www.databreaches.net/important-notice-about-fippa-mandatory-breach-notification-and-privacy-management-program-requirements-coming-into-effect-on-february-1-2023/
• US:
• Victory! Judge's Critical Investigation of Patent Troll Companies Can Move Forward https://www.eff.org/deeplinks/2022/12/victory-judges-critical-investigation-patent-troll-companies-can-move-forward
• VICTORY! The Safe Connections Act is Now Law https://www.eff.org/deeplinks/2022/12/victory-safe-connections-act-now-law
• VICTORY! San Francisco Bans Killer Robots…For Now https://www.eff.org/deeplinks/2022/12/victory-san-francisco-bans-killer-robotsfor-now
• The Supreme Court Must Protect Internet Users' Rights to Access Controversial Information Online https://www.eff.org/deeplinks/2022/12/supreme-court-must-protect-internet-users-rights-access-controversial-information
• Meta threatens to remove US news content if new law passes https://www.bbc.co.uk/news/technology-63869013
• World:
• Taiwan bans state-owned devices from running Chinese platform TikTok https://www.theregister.com/2022/12/07/taiwan_bans_chinese_platform_tiktok/
• EU Court: Google Must Delete Inaccurate Search Info If Asked https://www.securityweek.com/eu-court-google-must-delete-inaccurate-search-info-if-asked
• EU Says Meta Needs to Change Targeted Ad Practices https://www.pymnts.com/news/regulation/2022/eu-says-meta-needs-to-change-targeted-ad-practices/
• A Promising New GDPR Ruling Against Targeted Ads https://www.eff.org/deeplinks/2022/12/promising-new-gdpr-ruling-against-targeted-ads
• Crypto Firms May Have to Report EU Tax Evaders https://www.pymnts.com/cryptocurrency/2022/crypto-firms-may-have-to-report-eu-tax-evaders/
• The Dangerous Digital Creep of Britain's ‘Hostile Environment' https://www.wired.com/story/digital-by-default-immigration-uk/
• Network Usage Fees Will Harm European Consumers and Businesses https://www.eff.org/deeplinks/2022/12/network-usage-fees-will-harm-european-consumers-and-businesses
• Enforcements, Fines, Lawsuits:
• Meta Expected to Face New Fines After EU Privacy Ruling https://www.securityweek.com/meta-expected-face-new-fines-after-eu-privacy-ruling
• Five British Companies Fined For Making Half A Million Nuisance Calls https://packetstormsecurity.com/news/view/34121/Five-British-Companies-Fined-For-Making-Half-A-Million-Nuisance-Calls.html
• Indiana sues TikTok for misleading users on child safety and data security https://www.theverge.com/2022/12/7/23499017/tiktok-china-bytedance-lawsuit-mature-content-national-security
• Judge Orders U.S. Lawyer in Russian Botnet Case to Pay Google https://krebsonsecurity.com/2022/12/judge-orders-u-s-lawyer-in-russian-botnet-case-to-pay-google/
• 2 women are suing Apple alleging that former partners hid AirTags in a car and a child's backpack and used the devices to stalk them https://www.businessinsider.com/apple-faces-airtag-lawsuit-after-women-allege-stalking-ex-partners-2022-12
• Lawsuits come, lawsuits go (settle), Friday edition https://www.databreaches.net/lawsuits-come-lawsuits-go-settle-friday-edition/
• Standards News:
• NIST Announcement of Proposal to Revise FIPS 180-4, Secure Hash Standard (SHS) https://csrc.nist.gov/News/2022/proposal-to-revise-fips-180-4-secure-hash-standard
• NCCoE Releases Final Practice Guide: NIST SP 1800-34, Validating the Integrity of Computing Devices https://www.nccoe.nist.gov/supply-chain-assurance
• National Online Informative References (OLIR) Program: Two Draft NIST IRs Available for Comment through January 20 https://content.govdelivery.com/accounts/USNIST/bulletins/33bd98a
• NCCoE Releases Preliminary Draft Practice Guide for Trusted IoT Onboarding and Lifecycle Management open for comment until February 3 https://csrc.nist.gov/publications/detail/sp/1800-36/draft

Emerging technology and Innovations

Covering developments and risks with new technologies including AI, Quantum Computing, Cryptography:

• Artificial Intelligence & Machine Learning:
• Machine Learning Models: A Dangerous New Attack Vector https://www.darkreading.com/threat-intelligence/machine-learning-models-dangerous-new-attack-vector
• ChatGPT proves AI is finally mainstream — and things are only going to get weirder https://www.theverge.com/2022/12/8/23499728/ai-capability-accessibility-chatgpt-stable-diffusion-commercialization
• OpenAI's new ChatGPT bot: 10 dangerous things it's capable of https://www.bleepingcomputer.com/news/technology/openais-new-chatgpt-bot-10-dangerous-things-its-capable-of/
• AI Bot ChatGPT Stuns Academics With Essay Writing Skills / Usability https://packetstormsecurity.com/news/view/34106/AI-Bot-ChatGPT-Stuns-Academics-With-Essay-Writing-Skills-Usability.html
• AI-generated answers temporarily banned on coding Q&A site Stack Overflow https://www.theverge.com/2022/12/5/23493932/chatgpt-ai-generated-answers-temporarily-banned-stack-overflow-llms-dangers
• ChatGPT shows promise of using AI to write malware https://www.cyberscoop.com/chatgpt-ai-malware/
• The Internet's New Favorite AI Proposes Torturing Iranians and Surveilling Mosques https://theintercept.com/2022/12/08/openai-chatgpt-ai-bias-ethics/
• OpenAI's new chatbot can hallucinate a Linux shell—or calling a BBS https://arstechnica.com/information-technology/2022/12/openais-new-chatbot-can-hallucinate-a-linux-shell-or-calling-a-bbs/
• Apparently I am a robot https://www.aiweirdness.com/writing-like-a-robot/
• Bonus: ChatGPT rates recipes by another neural net https://www.aiweirdness.com/bonus-chatgpt-rates-recipes/
• Thanks to AI, it's probably time to take your photos off the Internet https://arstechnica.com/information-technology/2022/12/thanks-to-ai-its-probably-time-to-take-your-photos-off-the-internet/
• Lensa AI's owner says the company's face-changing tech can be tricked into generating NSFW images — but some users are saying it happened to them without even trying https://www.businessinsider.com/lensa-ai-photo-app-generating-nsfw-images-without-prompting-2022-12
• Lensa AI and ‘Magic Avatars': What to Know Before Using the App https://www.wired.com/story/lensa-ai-magic-avatars-security-tips/
• How to use MyHeritage's AI Time Machine, a tool that shows what you would look like throughout history https://www.businessinsider.com/guides/tech/myheritage-ai-time-machine
• Cryptography and Cryptographic Research:
• KEMTLS vs. Post-Quantum TLS: Performance On Embedded Systems https://eprint.iacr.org/2022/1712
• On Zero-Knowledge Proofs over the Quantum Internet https://eprint.iacr.org/2022/1701
• RISC-V Instruction Set Extensions for Lightweight Symmetric Cryptography https://eprint.iacr.org/2022/1697
• Practical Quantum-Safe Voting from Lattices, Extended https://eprint.iacr.org/2022/1686
• Secret Key Recovery Attacks on Masked and Shuffled Implementations of CRYSTALS-Kyber and Saber https://eprint.iacr.org/2022/1692
• Nonce-encrypting AEAD Modes with Farfalle https://eprint.iacr.org/2022/1711
• Careful with MAc-then-SIGn: A Computational Analysis of the EDHOC Lightweight Authenticated Key Exchange Protocol https://eprint.iacr.org/2022/1705

Defense / Techniques / Solutions

Covering developments and opportunities that may help improve security.

• Educational events, webinars, courses, etc:
• Recap and Resources from the NICE K12 Conference https://content.govdelivery.com/accounts/USNIST/bulletins/33babfa
• OpenSSF Membership Exceeds 100, With Many New Members Dedicated to Securing Open Source Software https://www.darkreading.com/application-security/openssf-membership-exceeds-100-with-many-new-members-dedicated-to-securing-open-source-software
• General:
• What Will It Take to Secure Critical Infrastructure? https://www.darkreading.com/ics-ot/what-will-it-take-to-secure-critical-infrastructure
• Methods, Techniques, Tools, and Products:
• Shift to Memory-Safe Languages Gains Momentum https://www.darkreading.com/application-security/shift-memory-safe-languages-gains-momentum
• Trust in transparency: Private Compute Core https://security.googleblog.com/2022/12/trust-in-transparency-private-compute.html
• Kali Linux 2022.4 adds 6 new tools, Azure images, and desktop updates https://www.bleepingcomputer.com/news/security/kali-linux-20224-adds-6-new-tools-azure-images-and-desktop-updates/
• Wireshark 4.0.2 and 3.6.10 released, (Wed, Dec 7th) https://isc.sans.edu/diary/rss/29316
• Why encrypted backup is so important https://blog.cryptographyengineering.com/2022/12/07/apple-icloud-and-why-encrypted-backup-is-the-only-privacy-issue/
• Want to detect Cobalt Strike on the network? Look to process memory https://www.theregister.com/2022/12/06/cobalt_strike_memory_unit_42/
• Hybrid fuzzing: Sharpening the spikes of Echidna https://blog.trailofbits.com/2022/12/08/hybrid-echidna-fuzzing-optik-maat/

Bugs / Design Flaws / Vulnerabilities / Research

Articles about newly discovered vulnerabilities and research.

• Advisories:
• CISA orders agencies to patch exploited Google Chrome bug by Dec 26th https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-exploited-google-chrome-bug-by-dec-26th/
• Google Chrome Flaw Added to CISA Patch List https://www.darkreading.com/vulnerabilities-threats/google-chrome-flaw-added-to-cisa-patch-list
• Significant:
• Control Gap Vulnerability Roundup: November 26th to December 2nd https://www.controlgap.com/blog/vulnerability-roundup-november-26th-december-2nd
• Cisco discloses high-severity IP phone zero-day with exploit code https://www.bleepingcomputer.com/news/security/cisco-discloses-high-severity-ip-phone-zero-day-with-exploit-code/
• Fortinet Patches High-Severity Authentication Bypass Vulnerability in FortiOS https://www.securityweek.com/fortinet-patches-high-severity-authentication-bypass-vulnerability-fortios
• Several Code Execution Vulnerabilities Patched in Sophos Firewall https://www.securityweek.com/several-code-execution-vulnerabilities-patched-sophos-firewall
• Other Vulnerabilities:
• Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet https://www.securityweek.com/over-4000-vulnerable-pulse-connect-secure-hosts-exposed-internet
• WAFs of Several Major Vendors Bypassed With Generic Attack Method https://www.securityweek.com/wafs-several-major-vendors-bypassed-generic-attack-method
• NETGEAR Router Misconfiguration Opens The Door For Remote Attacks https://www.tenable.com/blog/netgear-router-misconfiguration-opens-the-door-for-remote-attacks
• Security Vulnerabilities in Eufy Cameras https://www.schneier.com/blog/archives/2022/12/security-vulnerabilities-in-eufy-cameras.html
• Critical Ping Vulnerability Allows Remote Attackers to Take Over FreeBSD Systems https://thehackernews.com/2022/12/critical-ping-vulnerability-allows.html
• Exploiting CVE-2022-42703 - Bringing back the stack attack https://googleprojectzero.blogspot.com/2022/12/exploiting-CVE-2022-42703-bringing-back-the-stack-attack.html
• Log4j: One Year Later https://www.imperva.com/blog/log4j-one-year-later/
• Syntax errors are the doom of us all, including botnet authors https://arstechnica.com/information-technology/2022/12/advanced-botnet-taken-down-by-an-all-too-human-flaw-syntax-error/
• Research on new vulnerabilities:
• Antivirus and EDR solutions tricked into acting as data wipers https://www.bleepingcomputer.com/news/security/antivirus-and-edr-solutions-tricked-into-acting-as-data-wipers/
• The Decoupling Principle https://www.schneier.com/blog/archives/2022/12/the-decoupling-principle.html
• Air-gapped PCs vulnerable to data theft via power supply radiation https://www.bleepingcomputer.com/news/security/air-gapped-pcs-vulnerable-to-data-theft-via-power-supply-radiation/
• COVID-bit: New COVert Channel to Exfiltrate Data from Air-Gapped Computers https://thehackernews.com/2022/12/covid-bit-new-covert-channel-to.html
• Hackers earn $989,750 for 63 zero-days exploited at Pwn2Own Toronto https://www.bleepingcomputer.com/news/security/hackers-earn-989-750-for-63-zero-days-exploited-at-pwn2own-toronto/
• Pwn2Own Toronto 2022, Day 1: Hackers Earn $400,000 for Galaxy S22, SOHO Exploits https://www.securityweek.com/pwn2own-toronto-2022-day-1-hackers-earn-400000-galaxy-s22-soho-exploits
• Pwn2Own Toronto 2022, Day 2: Smart Speaker Exploits Earn Big Chunk of $280,000 Total https://www.securityweek.com/pwn2own-toronto-2022-day-2-smart-speaker-exploits-earn-big-chunk-280000-total
• Samsung Galaxy S22 gets hacked in 55 seconds at Pwn2Own Toronto https://www.bleepingcomputer.com/news/security/samsung-galaxy-s22-gets-hacked-in-55-seconds-at-pwn2own-toronto/
• Zero-Day Hackers Breach Samsung Galaxy S22 Twice In 24 Hours https://www.databreaches.net/zero-day-hackers-breach-samsung-galaxy-s22-twice-in-24-hours/
• Sorting Out Randomized TLS Fingerprints https://hnull.org/2022/12/01/sorting-out-randomized-tls-fingerprints/

Hacking / Malware / Cybercrime / Exploitation

News covering active trends, alerts, events.

• Trends, Alerts, and Events (other than major breaches):
• Attackers Keep Targeting the US Electric Grid https://www.wired.com/story/attacks-us-electrical-grid-security-roundup/
• Leaked Signing Keys Are Being Used to Sign Malware https://www.schneier.com/blog/archives/2022/12/leaked-signing-keys-are-being-used-to-sign-malware.html
• New Ransom Payment Schemes Target Executives, Telemedicine https://www.databreaches.net/new-ransom-payment-schemes-target-executives-telemedicine/
• Hacked corporate email accounts used to send MSP remote access tool https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accounts-used-to-send-msp-remote-access-tool/
• Legit Android apps poisoned by sticky 'Zombinder' malware https://www.theregister.com/2022/12/09/zombinder_android_windows_malware/
• New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.html
• New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm https://thehackernews.com/2022/12/new-truebot-malware-variant-leveraging.html
• Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver https://thehackernews.com/2022/12/researchers-uncover-new-drokbk-malware.html
• Sneaky hackers reverse defense mitigations when detected https://www.databreaches.net/sneaky-hackers-reverse-defense-mitigations-when-detected/
• SoK: Use of Cryptography in Malware Obfuscation https://eprint.iacr.org/2022/1699
• Zerobot Weaponizes Numerous Flaws in Slew of IoT Devices https://www.darkreading.com/remote-workforce/zerobot-weaponizes-numerous-flaws-iot-devices
• UK arrests five for selling 'dodgy' point of sale software https://www.theregister.com/2022/12/12/j5_electronic_sales_suppression_software_probe/
• Crime & Arrests, etc.:
• Arizona Man Arrested For Point-Of-Sale Cyber Intrusions https://www.databreaches.net/arizona-man-arrested-for-point-of-sale-cyber-intrusions/
• SIM Swapper Who Stole $20 Million Sentenced to Prison https://www.securityweek.com/sim-swapper-who-stole-20-million-sentenced-prison
• Suspects arrested for hacking US networks to steal employee data https://www.bleepingcomputer.com/news/security/suspects-arrested-for-hacking-us-networks-to-steal-employee-data/
• Wirecard trial of executives opens in German fraud scandal https://www.bbc.co.uk/news/world-europe-63893933
• Australia arrests 'Pig Butchering' suspects for stealing $100 million https://www.bleepingcomputer.com/news/security/australia-arrests-pig-butchering-suspects-for-stealing-100-million/
• CryptosLabs ‘pig butchering' ring stole up to $505 million since 2018 https://www.bleepingcomputer.com/news/security/cryptoslabs-pig-butchering-ring-stole-up-to-505-million-since-2018/
• Scammers Are Scamming Other Scammers Out of Millions of Dollars https://www.wired.com/story/cybercrime-hackers-scams-forums/

Bad-Actors / Nation-States / APTs / Cyber-Mercenaries

News covering Nation-State Actors, APTS, Hacking Groups, Mercenaries, Espionage, and the Notorious:

• RCMP suspends contract with Ontario company linked to China https://www.cp24.com/mobile/news/rcmp-suspends-contract-with-ontario-company-linked-to-china-1.6187510
• Amnesty International Canada says it was target of Chinese state cyberattack https://globalnews.ca/news/9328262/amnesty-international-canada-cyberattack/
• Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities https://thehackernews.com/2022/12/chinese-hackers-using-russo-ukrainian.html
• Secret Service: Chinese Hackers Swiped $20M in COVID Relief Funds https://www.pymnts.com/fraud-attack/2022/secret-service-chinese-hackers-swiped-20m-in-covid-relief-funds/
• Chinese Hackers Target Middle East Telecoms in Latest Cyber Attacks https://thehackernews.com/2022/12/chinese-hackers-target-middle-east.html
• Microsoft warns of Russian cyberattacks throughout the winter https://www.bleepingcomputer.com/news/security/microsoft-warns-of-russian-cyberattacks-throughout-the-winter/
• Iranian Hackers Strike Diamond Industry with Data-Wiping Malware in Supply-Chain Attack https://thehackernews.com/2022/12/iranian-hackers-strike-diamond-industry.html
• North Korea hits new low by using Seoul Halloween tragedy to exploit Internet Explorer zero-day https://www.theregister.com/2022/12/08/north_korea_seoul_tragedy_exploit/
• DEV-0139 launches targeted attacks against the cryptocurrency industry https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/
• Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.html
• This ransomware gang is a right Royal pain in the AES for healthcare orgs https://www.theregister.com/2022/12/09/royal_ransomware_hhs_warning/
• Vice Society Ransomware Attackers Targeted Dozens of Schools in 2022 https://thehackernews.com/2022/12/vice-society-ransomware-attackers.html

Other Security / Risk

Articles covering other types of risks.

• General:
• Bad Software Cost US Businesses $2.1 Trillion In 2022 https://packetstormsecurity.com/news/view/34123/Bad-Software-Cost-US-Businesses-2.1-Trillion-In-2022.html
• Password Reset Calls Are Costing Your Org Big Money https://www.bleepingcomputer.com/news/security/password-reset-calls-are-costing-your-org-big-money/
• These Are the 50 Most Popular Passwords in America—and That's Not a Good Thing https://www.mentalfloss.com/posts/most-popular-passwords-in-america
• The last phone boxes https://www.theguardian.com/society/2022/apr/28/last-phone-boxes-bt-payphones-uk
• Global Population Growth Is Slowing Down. Here's One Reason Why https://www.scientificamerican.com/article/global-population-growth-is-slowing-down-heres-one-reason-why/
• Interesting CAPTCHA https://www.schneier.com/blog/archives/2022/12/captcha.html
• Disinformation and misinformation
• Most convicted terrorists radicalised online, finds MoJ-backed study https://www.theguardian.com/uk-news/2022/dec/08/most-convicted-terrorists-radicalised-online-finds-study
• Health:
• Canadians choosing cheaper, less-healthy foods, skipping medications to cut costs: poll https://globalnews.ca/news/9337810/rising-food-prices-salvation-army-poll/
• Scientists finally know why people get more colds and flu in winter https://www.ctvnews.ca/health/scientists-finally-know-why-people-get-more-colds-and-flu-in-winter-1.6182625
• National study confirms breakthrough COVID cases are less severe than COVID in unvaccinated adults https://scienmag.com/national-study-confirms-breakthrough-covid-cases-are-less-severe-than-covid-in-unvaccinated-adults/
• New receptor “decoy” drug neutralizes COVID-19 virus and its variants https://scienmag.com/new-receptor-decoy-drug-neutralizes-covid-19-virus-and-its-variants/
• Rotten meat could be easier to detect thanks to a new biosensor system developed at Concordia https://scienmag.com/rotten-meat-could-be-easier-to-detect-thanks-to-a-new-biosensor-system-developed-at-concordia/
• Vaping: Juul Labs agrees thousands of US settlements https://www.bbc.co.uk/news/business-63888206
• The Brains of Teenagers Look Disturbingly Different After Lockdown https://www.sciencealert.com/the-brains-of-teenagers-look-disturbingly-different-after-lockdown
• Analysis of wastewater in a New England college town reveals high usage of stimulants and a rise in drug use during the pandemic https://scienmag.com/analysis-of-wastewater-in-a-new-england-college-town-reveals-high-usage-of-stimulants-and-a-rise-in-drug-use-during-the-pandemic/
• FSU research links common sweetener with anxiety https://scienmag.com/fsu-research-links-common-sweetener-with-anxiety/
• New virus discovered in Swiss ticks https://scienmag.com/new-virus-discovered-in-swiss-ticks/
• Ancient Pathogen Is 'Imminent Threat' in Every Part of The World, WHO Warns https://www.sciencealert.com/ancient-pathogen-is-imminent-threat-in-every-part-of-the-world-who-warns
• $3.5-Million Hemophilia Gene Therapy Is World's Most Expensive Drug https://www.scientificamerican.com/article/3-5-million-hemophilia-gene-therapy-is-worlds-most-expensive-drug/
• The Y Chromosome Is Slowly Vanishing. A New Sex Gene Could Be The Future of Men https://www.sciencealert.com/the-y-chromosome-is-slowly-vanishing-a-new-sex-gene-could-be-the-future-of-men
• Safety:
• Gunfire at electrical grid kills power for 45,000 in North Carolina https://www.theregister.com/2022/12/05/electrical_grid_carolina/
• Guelph police use blood sample to identify break and enter suspect https://globalnews.ca/news/9325773/guelph-police-blood-sample-identify-break-and-enter-suspect/
• Woman jabbed with needle while running errands in downtown Toronto https://toronto.ctvnews.ca/woman-jabbed-with-needle-while-running-errands-in-downtown-toronto-1.6182081
• Passenger who fell from cruise ship treaded water for 20 hours to survive https://globalnews.ca/news/9326855/james-michael-grimes-cruise-ship-overboard/
• Pivot Airlines pilot breaks down how surveillance footage was tampered with https://www.ctvnews.ca/w5/exclusive-surveillance-footage-shows-duffel-bags-being-loaded-onto-pivot-airlines-jet-1.6186742
• Environment:
• Renewables Are on Pace to Beat Coal as the Largest Power Source by 2025 https://www.scientificamerican.com/article/renewables-are-on-pace-to-beat-coal-as-the-largest-power-source-by-2025/
• Nova Scotia's solar industry continues to soar at a record pace https://globalnews.ca/news/9332588/nova-scotia-solar-industry-growing-record-pace/
• To Fight Climate Change, We Could Block the Sun. A Lightweight Solar Sail Could Make it Feasible https://www.universetoday.com/159133/to-fight-climate-change-we-could-block-the-sun-a-lightweight-solar-sail-could-make-it-feasible/
• Long wait lists, no provincial incentives keep Ontarians from buying EVs, advocate says https://www.cbc.ca/news/canada/toronto/electric-vehicles-ontario-1.6674709
• How to Decarbonize Crypto https://www.theatlantic.com/ideas/archive/2022/12/cryptocurrency-mining-environmental-impact-solution/672360/
• Researchers harvest electricity from wood soaking in water https://scienmag.com/researchers-harvest-electricity-from-wood-soaking-in-water/
• Enjoy It While You Can: Dropping Oxygen Will One Day Suffocate Most Life on Earth https://www.sciencealert.com/enjoy-it-while-you-can-dropping-oxygen-will-one-day-suffocate-most-life-on-earth
• Economy:
• Tim Cook and President Biden came to Arizona to announce plans for American-made chips https://www.theverge.com/2022/12/6/23497417/apple-tsmc-phoenix-fab-plans-biden-amd-nvidia
• Wirecard Trial Sets Up FTX Parallels and Enron Echoes https://www.pymnts.com/digital-payments/2022/wirecard-trial-sets-up-ftx-parallels-and-enron-echoes/
• The FTC is investigating crypto firms for possible misconduct following FTX collapse https://www.theverge.com/2022/12/6/23496423/ftx-crypto-sam-bankman-fried-ftc-tom-brady-steph-curry-investigation
• FTX Founder Sam Bankman-Fried Faces Market Manipulation Inquiry https://www.nytimes.com/2022/12/07/business/ftx-sbf-crypto-market-investigation.html

Russia v. Ukraine

News and announcements relating to Russia's invasion of Ukraine.

• The war:
• Ukraine war: Russian military airfields hit by explosions https://www.bbc.co.uk/news/world-europe-63857451
• Ukraine hits 'Wagner HQ' in weekend of fighting https://www.bbc.co.uk/news/world-europe-63933132
• Russia is tearing through its munitions stockpiles faster than it can refill them, top US intel chief says https://www.businessinsider.com/russia-uses-munitions-stockpiles-faster-than-replacing-them-us-intelligence-2022-12
• Russia has stopped using its Iranian suicide drones because they don't work in the cold, Ukraine says https://www.businessinsider.com/russia-stopped-using-iran-suicide-drones-dont-work-cold-ukraine-2022-12
• Putin vows to continue hitting Ukraine's power grid https://www.bbc.co.uk/news/world-europe-63907803
• Putin: Nuclear risk is rising, but we are not mad https://www.bbc.co.uk/news/world-europe-63893316
• Sanctions & economic Impact:
• Putin has destroyed Russia's most important oil market – and what's next for crude depends on him and Xi Jinping, energy expert Daniel Yergin says https://markets.businessinsider.com/news/commodities/oil-price-outlook-vladimir-putin-xi-jinping-eu-sanctions-yergin-2022-12
• The EU for the first time will seek sanctions against Russia's mining sector, expanding efforts to cripple Russia's wartime economy https://markets.businessinsider.com/news/commodities/russia-mining-eu-sanctions-ukraine-markets-metals-commodities-putin-investment-2022-12
• Russia's central bank just issued a warning about 'new economic shocks,' and it shows the new $60/barrel cap on oil is working https://www.businessinsider.com/russia-central-bank-western-oil-price-cap-eu-ban-economy-2022-12
• A $200m superyacht seized from Putin's apparent choice for a Ukrainian puppet leader is being sold at auction, with Ukraine keeping the proceeds https://www.businessinsider.com/oligarchs-200m-superyacht-to-be-sold-by-ukraine-at-auction-2022-12
• Cyber-attacks and the potential for cyber-war:
• Wiper, Disguised as Fake Ransomware, Targets Russian Orgs https://www.darkreading.com/threat-intelligence/wiper-disguised-fake-ransomware-targets-russian-orgs
• Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations https://www.securityweek.com/russian-espionage-apt-callisto-focuses-ukraine-war-support-organizations
• Russian Hackers Spotted Targeting U.S. Military Weapons and Hardware Supplier https://thehackernews.com/2022/12/russian-hackers-spotted-targeting-us.html

Off-Topic / Science & Tech / Lighter Side

A variety of scientific, technical, historical, and more light-hearted news.

• Lighter:
• CP Holiday Train en route to B.C.'s Interior https://globalnews.ca/news/9338813/cp-holiday-train-b-c-interior/
• Is ‘Die Hard' a Christmas Movie? A New and Official Trailer May Finally Answer the Question https://www.mentalfloss.com/posts/die-hard-christmas-movie-trailer
• The 10 Best Films of 2022 https://www.theatlantic.com/culture/archive/2022/12/best-movies-2022-tar-nope-the-fabelmans/672387/
• Science:
• Flameproofing lithium-ion batteries with salt https://scienmag.com/flameproofing-lithium-ion-batteries-with-salt/
• Fusion Technology Is Reaching a Turning Point That Could Change The Energy Game https://www.sciencealert.com/fusion-technology-is-reaching-a-turning-point-that-could-change-the-energy-game
• Nasa's Orion capsule makes safe return to Earth https://www.bbc.co.uk/news/science-environment-63937345
• What Makes Swear Words So $#%+@&! Offensive? Scientists Have Found a Clue https://www.mentalfloss.com/posts/why-swear-words-sound-offensive
• The Linguistics of Swearing Explain Why We Substitute Darn for Damn https://www.scientificamerican.com/article/the-linguistics-of-swearing-explain-why-we-substitute-darn-for-damn/