The Last of Us PC port delayed to March 28th

Naughty Dog is delaying the PC release of The Last of Us Part 1 (TLOU) until March 28th. This is only a slight pushback from its initial March 3rd release date.

The developer says it needs an additional few weeks to ensure TLOU’s PC port meets its standards.

The Last of Us TV show is now streaming on Crave in Canada. While the critically acclaimed TV show follows portions of the video game closely (at least so far), certain aspects have been adapted for television, providing more background to specific characters.

Source: @Naughty_Dog

Cyber Security Today, Week in Review for Friday, February 3, 2023

Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, February 3rd, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.



In a few minutes David Shipley of Beauceron Security in New Brunswick will be here to discuss recent cybersecurity events. But first a quick look back at headlines from the past seven days:

The 2020 ransomware attack that temporarily crippled a Maryland public school district started with a staff member falling for a phishing email, according to a report released last week. That wasn’t the only human failure. David and I will talk about lessons learned.

We’ll also look at two new pieces of computer-wiping malware from a Russian-based group targeting Ukraine.

We’ll delve into a heated online debate that a misconfiguration of the KeePass password management application could allow anyone to copy supposedly protected passwords.

And David and I will discuss the aftermath of the dismantling of the Hive ransomware gang’s IT infrastructure.

Also in the news, manufacturers of point-of-sale devices have been warned of new malware that defeats the secure tap-and-pay capability of credit and debit cards. Researchers at Kaspersky say the latest version of the Prilex gang’s malware forces customers using infected POS devices to insert their cards into the payment devices. That way the malware can read transaction information hidden when customers wirelessly tap their cards. POS makers and distributors have to combat this advance.

Microsoft has disabled fake partner network accounts created by crooks to enable phishing scams. The crooks were impersonating legitimate companies when enrolling in the partner program. They then used the access to trick firms into granting permission to access fraudulent apps created by the crooks. The goal was to hack companies’ email. Most victims were in the U.K. and Ireland.

QNAP released a fix to close a vulnerability in storage devices that run its QTS 5.0.1 operating system. It needs to be installed as soon as possible.

GitHub has revoked a number of code signing certificates for some versions of the GitHub Desktop for Mac and Atom apps. This comes after Microsoft discovered threat actors had stolen the certificates.

And administrators of servers running the Redis in-memory database were warned that a hacking group has been compromising Redis servers for the last 15 months. The group is dubbed HeadCrab and uses malware undetectable by traditional anti-virus, say researchers at Aqua Security. As a result the gang has created a botnet of at least 1,200 servers. Redis should not be exposed directly to the internet.

(The following transcript, which has been edited for clarity, is the first part of our discussion. Play the podcast to hear the entire conversation)

Howard: Let’s start with the report on the 2020 ransomware attack on the Baltimore County Public School system. The county surrounds the city of Baltimore. At the time the system supported 173 schools, 100,000 computers and devices used by 140,000 students, teachers and staff members. The attack started with an educator receiving a phishing message pretending to be from an official of a college. Attached was a supposed invoice. The educator fell for the lure, tried opening the attachment but couldn’t — the report doesn’t say why. That might have stopped things. But the person sent the email to an IT tech liaison person, who then forwarded it to a security contractor. The contractor mistakenly opened the attachment on an unsecured email domain and that triggered the spread of the malware and the eventual ransomware attack. The school board’s antivirus couldn’t detect the malware because the file format wasn’t known. The malware had been programmed to not execute immediately, another reason why it wasn’t detected. But the malware was able to quietly disable critical functions on the IT network that could have prevented the malware from spreading the ransomware. It didn’t help that some of the previous security recommendations by the state’s auditor had NOT been implemented, including moving the board’s publicly accessible database servers to the cloud. Nor had multifactor authentication been implemented. What do you make of this incident?

David Shipley: First, I’m glad that we have the level of transparency with this report. I have no doubt in my mind Baltimore County Public School District is not unique. Think about how every public school district is squeezed for every penny and dollar. None of this [report] surprises me, but all of this transparency can help others learn from this. And let’s be honest: we don’t expect schools to be as secure as we expect banks in critical infrastructure — and criminals know that, and have been hammering away at the sector. I really appreciate the transparency. I wish they [the report authors] had gone a little bit further. I’m still confused by what they mean by the [contractor using an] unsecure email domain. I would have much preferred to understand more about the mechanics of this. Was the security consultant’s device connected to the school’s network at the time? And I would love to know what ransomware family this was. I would love to know if the security consultant had elevated privileges. Was it a combination of opening it on a device that was connected to the network with elevated privilege that led to this? Which is what I currently hypothesize, because it just seems incredibly unclear. I did some background research on the total cost of this incident and to date it’s US$10 million — and they’re still not fully recovered … The chain of events is preventable. The question now is, with valuable information will other school districts be given the resources, the time and the support to make these changes?

Howard: It sounded like from this report that the school board had two email networks. One of them was secured and one wasn’t secured. Is this common? Is this good practice?

David: This is where the report doesn’t help. I don’t think that it’s terribly common, and I don’t think it’s necessarily what they intended. I think this [synopsis] is the potential [broken] telephone effect of highly technical expertise and forensic reports hitting kind of a bureaucratic process. It would be weird to have two entirely separate email systems, one of which if you compromise you sink the battleship. That’s unusual.

Howard: Coincidentally, because this is about a human failure in someone falling for a phishing scam, this week Terranova Security released the results of its annual Gone Phishing Tournament, which is an international test of how many employees will fall for a phishing test. This year’s test was a supposed gift card offer. Seven per cent of people clicked on the link to see more information. And three per cent of those people actually entered their company credentials to get the supposed gift card — which, of course, is an absolute violation of security awareness training. That three per cent failure rate is actually good news. Because more people fell for tricks in previous tests. So the failure rate has gone down. But even still, if you think about it in a company of 100 employees three would have given away their passwords had this test been real.

David: The challenge with phishing remains. By the way, criminals know this: Phishing attacks were up 61 per cent in the fourth quarter of 2022. The sophistication of phishing attacks continues to escalate. We’ve done research with millions of phishes and we know that if an organization does not educate their employees about phishing and doesn’t do phishing simulations on a regular basis their click rate can be as high as 33 per cent. So it doesn’t surprise me the click rate on a per template basis varies dramatically so like this. A seven per cent click rate is cool. But if you put a little bit more effort, like the manager’s name into the [test phishing] email template you wouldn’t believe the additional impact [in staff falling for the lure].

Howard: Here’s something else: The malware did not corrupt the Baltimore County school board’s backup files. But when IT tried to use the latest backup some of the files relating to the HR department and staff payroll were unreadable or damaged. So the school board IT department had to use a one-year-old backup file — which of course didn’t have the latest HR and payroll information.

David: It’s so critical to have exercises where on a quarterly basis you actually try to recover something from your backups. Rotate through your critical systems and try your backups at depth. This has to be part of the routine maintenance and process of maintaining backups. You cannot assume that automated systems are always going to work. Change happens. Drift happens within technology, and if you don’t pay attention it will catch you. Badly.

Howard: The report recommends the school board do things that every IT pro should know: Follow the 3-2-1 backup rule, which is three copies of data on two different devices with one stored offsite; use cloud backups with intelligence; do regular backup tests and have security awareness training for staff.

David: These are all the good basics. The other part that I think needs to be included in these recommendations is that the senior leadership of school districts need to practice tabletop cyber attack scenarios annually. Work through a ransomware incident, work through a staff member going rogue etc. You’ll realize gaps in your technology processes … The reality is education is under attack and it’s going to remain under attack. The only way it’s going to change is if the sector increases its vigilance.

Howard: This reminds me of another news story this week: A senior Microsoft security official told a CISO conference in Toronto that many cyber attacks are successful because firms haven’t implemented cyber security basics like limiting privileged access and using multifactor authentication.

David: Cybersecurity isn’t a story about the lack of technology controls. We have thousands of vendors offering thousands of ways to reduce risk for organizations. But it goes back to people, process and culture. Are we giving IT teams the time to set these up? Are they getting the political buy-in from management? The greatest barrier to multifactor authentication is not cost or technology. You can afford a decent MFA from a variety of different providers — and honestly, if you can’t afford it you should re-evaluate what you’re doing because it’s less than a cup of coffee. The biggest barrier is people don’t want to be inconvenienced; they resist change. They only want to apply it to certain groups. The biggest barrier to security is culture and process.

The post Cyber Security Today, Week in Review for Friday, February 3, 2023 first appeared on IT World Canada.

Some games warn Twitter API changes could lock players out

If you use Twitter to log into any important services, games, or other stuff, you may want to set up alternate login methods. Twitter’s upcoming API changes may break your ability to log in with Twitter.

At least, that’s the warning from two popular online games. Genshin Impact and Arknights (spotted by The Verge) both shared warnings on Twitter that gamers should change their logins just in case.

Genshin Impact tweeted that it’s “in the process of confirming the impact of the Twitter API adjustments on game account login” and suggested in a follow-up that customers link their email address to their HoYoverse account to avoid login problems.

Similarly, Arknights tweeted that players should bind their game accounts to a Yostar account in case of issues stemming from Twitter’s API change. (I particularly enjoyed the perplexing image tweeted in response to the warning).

These warnings come after Twitter announced plans to remove the free tier of its API and start charging for access. It remains unclear if the adjustment will impact login services like this, but given how Elon Musk’s previous rash changes impacted Twitter, better safe than sorry.

Source: Genshin Impact, Arknights Via: The Verge

Google working on lock screen customization, shortcuts for Android 13

Google appears to be working on improving the lock screen customization options for Pixel phones.

Mishaal Rahman, senior technical editor for Esper, shared several glimpses of the work-in-progress changes in a recent tweet thread (via Android Police). Rahman was able to find most of the details in the third Android 13 QPR2 beta.

First up, Rahman detailed a new preview user interface (UI) for picking a wallpaper and style. This includes a new fullscreen preview and some other tweaks. However, Rahman notes it appears unfinished (he suspects Google is making room for several upcoming customization options like custom clocks and lock screen shortcuts).

Rahman then shared a look at the lock screen shortcuts feature, which lets users assign functions to a left and right button. Some of the functions visible in the screenshots include turning on the flashlight, do not disturb, and smart home device controls. There’s also an option to pick a custom lock screen clock, and Rahman points to a Twitter thread he made in mid-January about the new clock options.

To activate the new lock screen shortcuts, Rahman says you have to long-press them instead of simply tapping them, which should help reduce accidental activations.

Overall, it looks like a future Android update will enable a ton of customization options on Pixel phones, bringing them more in line with Samsung and Apple — both companies offer ways to customize your lock screen.

Android Police suggests the features will arrive with the next Pixel Feature Drop, which should release in March 2023.

Source: @MishaalRahman Via: Android Police

ISP Start.ca reportedly joins Telus banner

Telus appears to have acquired internet service provider (ISP) Start.ca.

Peter Nowak, an executive at ISP TekSavvy, shared the news on Twitter. Nowak didn’t share how he confirmed the acquisition.

It’s unclear how many customers the acquisition impacts and if it went through regulatory approval.

Additionally, Nowak states the telecom giant has also overtaken a second ISP, Altima.

MobileSyrup cannot independently confirm the news but will provide an update once available.

This isn’t the first time Altima’s name has been associated with Telus. Flanker brand Koodo partnered with the ISP in December to offer discounted internet services.

Both Altima and Start.ca serve Ontario residents.


Twitter to share ad revenue with creators

Twitter will now share revenue it makes from ads with creators.

In a tweet, CEO Elon Musk said the revenue will apply “for ads that appear in their reply threads.”

The specifics on how much creators can make remain unclear. All we know is that creators must be part of Twitter Blue.

The news comes as Twitter announced it will start charging developers to access its once free API, likely ending free access to some of the best Twitter adjacent apps on the market.

Sonos offering speakers and soundbars for up to $400 off

Sonos is offering solid discounts on its premium soundbars, subwoofers, speakers, complete home theatre sets and more, just in time for Super Bowl Sunday on February 12th.

Check out the deals from the promotion below:

Arc: $949 (regularly $1,099)

Sub (Gen 3): $799 (regularly $949)

Beam (Gen 2): $484 (regularly $559)

One: $219 (regularly $269)

Immersive Set with Arc: $2,186 (regularly $2,586)

Two Room Set with Sonos One: $438 (regularly $538)

Premium Entertainment Set with Arc: $1,748 (regularly $2,048)

Immersive Set with Beam: $1,531 (regularly $1,606)

Entertainment Set with Beam: $1,033 (regularly $1,108)

2 Room Set with Arc: $1,448 (regularly $1,598)

Indoor / Outdoor Set: $718 (regularly $768)

Surround Set with Arc: $1,447 (regularly $1,597)

Surround Set with Beam: $982 (regularly $1,057)

Arc Mount Set: $1,038 (regularly $1,188)

Immersive Set with Beam with Sub Gen 3: $1,721 (regularly $2,046)

Beam Mount Set: $553 (regularly $628)

Premium Entertainment Set with Beam: $1,283 (regularly $1,508)

Premium Home Theatre Completion Set with One: $1,237 (regularly $1,487)

Premium Home Theatre Completion Set with One SL: $1,297 (regularly $1,447)

The Sonos sale ends on Sunday, February 12th.

MobileSyrup utilizes affiliate partnerships. These partnerships do not influence our editorial content, though we may earn a commission on purchases made via these links that helps fund the journalism provided free on our website.


Source: Sonos

Acanac launches limited time offer – 6 months free internet for Start.ca and Altima Customers

Acanac is providing a new deal specifically for Start.ca and Altima customers.

For over 19 years, Acanac, an internet provider based in Ontario and Quebec, has provided internet service to its customers. Now, Acanac has announced a new limited-time offer for customers looking to save big on their monthly internet bill.

Start.ca or Altima customers who switch to any of Acanac’s internet services – including plans that offer speeds up to 1Gbps – will receive their first six months completely free of charge.

With the increase in competition in the telecom marketplace lately, this is a very competitive offer and good news for potential customers. It’s also important to note that this deal is only available for a limited time.

While most internet providers offer discounts at only specific speeds, this deal is available on any plan in the Acanac line-up, including speed tiers of up to 1Gbps in Ontario and up to 400Mbps in Quebec. The company is also waiving modem, installation, and activation fees. A one-year contract is required to obtain the 6-month offer.

If you’re a Start.ca or an Altima customer, this is an offer worth considering – especially compared to other deals currently in the market. You can check out the deal at acanac.com/altima or acanac.com/start.

This story is sponsored by Acanac. MobileSyrup publishes sponsored posts. These partnerships do not influence our editorial content.

Apple CEO says layoffs are ‘a last resort’

Thousands of people have lost their jobs due to recent layoffs at leading tech companies worldwide, but Apple employees aren’t part of that group, at least for now.

This is because Apple CEO Tim Cook believes layoffs aren’t the only answer to reduce costs.

“I view layoffs as a last resort kind of thing,” Cook told the Wall Street Journal. “You can never say never.”

While layoffs can’t be completely ignored, Cook told the publication there are other ways to reduce costs. Apple is “managing costs very tightly and is curtailing hiring in certain areas while continuing to hire in others,” he said.

But other factors also play a role in Apple retaining employees.

As 9to5Mac points out, the company didn’t rush to grow its employee count over the last couple of years like other tech companies did. Citing a January 21st report from the Wall Street Journal, Apple only grew its employee base by 20 percent between September 2019 and September 2022. In comparison, its competitors increased hiring between 57 percent and 100 percent.

However, it remains unclear if this will stay true for long. Apple’s most recent quarterly report shows the company’s most significant revenue decline since 2019.

Google and Spotify are among the many companies to recently lay off employees.


Source: Wall Street Journal Via: 9to5Mac

Google to hold Search, Maps event with AI focus on February 8

Google plans to host an online event dubbed ‘Live from Paris’ on February 8th, where the company will talk about AI, Search, Maps and more.

In the event description on the YouTube page for the event, Google notes that it’s “reimagining how people search for, explore and interact with information, making it more natural and intuitive than ever before to find what you need.” The company goes on to note that it’s “opening up greater access to information for people everywhere, through Search, Maps and beyond.”

Moreover, Android Police reports that Google told the publication it plans to talk about how it will use AI to reshape search.

While that all sounds interesting, it’s worth noting the timing of all this. For one, Google typically doesn’t do announcements like this early in the year — we’d see these at the company’s annual I/O developer conference instead. But that conference is still happening in May as usual.

This suggests Google is trying to react quickly to OpenAI and ChatGPT. Reports have swirled for the last few weeks that Google has gone “code red” over ChatGPT and is rushing to respond, such as by sharing a recent research project called ‘MusicLM’ that makes music with AI and reportedly testing a ChatGPT-like chatbot called ‘Apprentice Bard’ based on Google’s LaMDA language model. (Yes, the same one that an ex-Google employee claimed was sentient.)

Adding to that, Google CEO Sundar Pichai said on a recent earnings call that Google was preparing to let people “interact directly” with its newest language models “as a companion to search.”

Meanwhile, Microsoft has also been in the news for its massive investments in OpenAI and reported plans to integrate ChatGPT into various products, like Bing search. More recently, Microsoft revealed its Teams Premium service with AI capabilities powered by the GPT-3.5 language model — the same one used by ChatGPT.

It’ll be interesting to see how Google responds to all this, though it seems we may learn that sooner rather than later. Moreover, Android Police suggested Google was pushing its internal teams tasked with overseeing fairness and ethics in AI to approve projects faster, which could have significant drawbacks if AI projects aren’t properly vetted before the public gets access to them.

Source: Google Via: Android Police