IT

Study Discovers Workers Maintained the Same Productivity With Shorter Work Weeks (msn.com) 172

Bloomberg reports: Even as the Covid-19 pandemic forced companies around the world to reimagine the workplace, researchers in Iceland were already conducting two trials of a shorter work week that involved about 2,500 workers — more than 1% of the country's working population. They found that the experiment was an "overwhelming success" — workers were able to work less, get paid the same, while maintaining productivity and improving personal well-being.

The Iceland research has been one of the few large, formal studies on the subject...

[Workers] were helped by their organizations which took concerted steps like introducing formal training programs on time-management to teach them how to reduce their hours while maintaining productivity. The trials also worked because both employees and employers were flexible, willing to experiment and make changes when something didn't work. In some cases, employers had to add a few hours back after cutting them too much...

Participants in the Iceland study reduced their hours by three to five hours per week without losing pay.

Security

US Govt Reveals Three More Ransomware Attacks on Water Treatment Plants This Year (therecord.media) 10

Ransomware gangs have silently hit three US water and wastewater treatment facilities this year, in 2021, the US government said in a joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA. From a report: The attacks -- which had been previously unreported -- took place in March, July, and August and hit facilities in Nevada, Maine, and California, respectively. The attacks led to the threat actors encrypting files, and in one case, even corrupting a computer used to control the SCADA industrial equipment deployed inside the treatment plant. The three new incidents were listed as examples of what could happen when water treatment facilities ignore and fail to secure their computer networks.
Security

Acer Confirms It Was Hacked Again As Culprits Flaunt 60GB of Stolen Customer Data (hothardware.com) 15

For at least the second time in 2021, hackers have breached Acer's servers, this time plundering more than 60 gigabytes of data. HotHardware reports: Acer has confirmed that names, addresses, and phone numbers belonging to several million clients have been compromised in the breach, as well as sensitive corporate financial and audit details. If nothing else, this is certainly bad optics for Acer, which earlier this year was on the receiving end of a massive $50 million ransomware campaign. As proof of the data theft, the ransomware gang posted a bunch of stolen files on the REvil website, including financial spreadsheets, bank balances, and bank communications. It was never made clear if this was partially the result of Microsoft Exchange vulnerabilities that had been used before then by Chinese hackers. In any event, now several months later, hacking group Desorden said it has infiltrated Acer's servers in India and swiped data relating to "millions" of customers.
IT

A Newspaper Informed Missouri About a Website Flaw. The Governor Accused it of 'Hacking' (washingtonpost.com) 120

On Thursday, Gov. Michael Parson (R) called a news conference to warn his state's citizens about a nefarious plot against a teachers' database by a reporter from the St. Louis Post-Dispatch. From a report: "Through a multistep process," Parson said with great solemnity, "an individual took the records of at least three educators, decoded the HTML source code and viewed the Social Security number of those specific educators."

[...] The Post-Dispatch report explains what their reporter, Josh Renaud, did to view the Social Security numbers of Missouri teachers on a website run by the state education department. (The website has been taken down; you can view an old version of it at the Internet Archive.) "Though no private information was clearly visible nor searchable on any of the web pages," the Post-Dispatch's report stated, "the newspaper found that teachers' Social Security numbers were contained in the HTML source code of the pages involved." In other words, it seems, a search tool for teacher credentials responded to searches by including a bunch of information, some of which was embedded in the source code of the page but not visible when just reading the page.

Transportation

Boeing Finds New Defect in Ongoing Struggle To Produce Dreamliner 787 (reuters.com) 35

Boeing and U.S. regulators said Thursday that some titanium 787 Dreamliner parts were improperly manufactured over the past three years, the latest in a series of problems to plague the wide-body aircraft. From a report: The quality issue does not affect the immediate safety of flights, the company and the Federal Aviation Administration (FAA) said. Boeing said the parts were provided by Leonardo, which bought the items from Italy-based Manufacturing Processes Specification (MPS). MPS is no longer a supplier to Leonardo, Boeing said.

The parts include fittings that help secure the floor beam in one fuselage section, as well as other fittings, spacers, brackets, and clips within other assemblies. Undelivered aircraft will be reworked as needed, Boeing said, adding that any fleet actions would be determined through its normal review process and confirmed with the FAA. The defect was found as the planemaker grapples with other problems in its 787 that have caused it to cut production and halt deliveries since May.

Android

Apple Argues Against Allowing App Sideloading By Pointing Out Android's Malware Figures (therecord.media) 66

Apple said today that one of the reasons it does not allow app sideloading or the use of third-party app stores on iOS is because of privacy and security reasons, pointing to the fact that Android sees between 15 and 47 times more malware compared to its app ecosystem. The Record reports: Apple says that the reason its iOS devices are locked into the App Store as the only way to install applications is for security reasons, as this allows its security teams to scan applications for malicious content before they reach users. Apple cited statements from multiple sources (DHS, ENISA, Europol, Interpol, NIST, Kaspersky, Wandera, and Norton), all of which had previously warned users against installing apps from outside official app stores, a process known as app sideloading.

Apple's report then goes on to list multiple malware campaigns targeting Android devices where the threat actors asked users to sideload malicious apps hosted on internet sites or third-party app stores. [...] The list includes a host of threats, such as mundane adware, dangerous ransomware, funds-stealing banking trojans, commercial spyware, and even nation-state malware, which Apple said threat actors have spread by exploiting the loophole in Android's app installation process that allows anyone to install apps from anywhere on the internet. Today's 31-page report (PDF) is the second iteration of the same report, with a first version (PDF) being published back in June, shortly after EU authorities announced their investigation.

Security

How Coinbase Phishers Steal One-Time Passwords (krebsonsecurity.com) 9

An anonymous reader quotes a report from Krebs on Security: A recent phishing campaign targeting Coinbase users shows thieves are getting smarter about phishing one-time passwords (OTPs) needed to complete the login process. It also shows that phishers are attempting to sign up for new Coinbase accounts by the millions as part of an effort to identify email addresses that are already associated with active accounts. Coinbase is the world's second-largest cryptocurrency exchange, with roughly 68 million users from over 100 countries. The now-defunct phishing domain at issue -- coinbase.com.password-reset[.]com -- was targeting Italian Coinbase users (the site's default language was Italian). And it was fairly successful, according to Alex Holden, founder of Milwaukee-based cybersecurity firm Hold Security.

Holden's team managed to peer inside some poorly hidden file directories associated with that phishing site, including its administration page. That panel, pictured in the redacted screenshot below, indicated the phishing attacks netted at least 870 sets of credentials before the site was taken offline. Holden said each time a new victim submitted credentials at the Coinbase phishing site, the administrative panel would make a loud "ding" -- presumably to alert whoever was at the keyboard on the other end of this phishing scam that they had a live one on the hook. In each case, the phishers manually would push a button that caused the phishing site to ask visitors for more information, such as the one-time password from their mobile app. "These guys have real-time capabilities of soliciting any input from the victim they need to get into their Coinbase account," Holden said. Pressing the "Send Info" button prompted visitors to supply additional personal information, including their name, date of birth, and street address. Armed with the target's mobile number, they could also click "Send verification SMS" with a text message prompting them to text back a one-time code.

Holden said the phishing group appears to have identified Italian Coinbase users by attempting to sign up new accounts under the email addresses of more than 2.5 million Italians. His team also managed to recover the username and password data that victims submitted to the site, and virtually all of the submitted email addresses ended in ".it." But the phishers in this case likely weren't interested in registering any accounts. Rather, the bad guys understood that any attempts to sign up using an email address tied to an existing Coinbase account would fail. After doing that several million times, the phishers would then take the email addresses that failed new account signups and target them with Coinbase-themed phishing emails. Holden's data shows this phishing gang conducted hundreds of thousands of halfhearted account signup attempts daily. For example, on Oct. 10 the scammers checked more than 216,000 email addresses against Coinbase's systems. The following day, they attempted to register 174,000 new Coinbase accounts.

Security

Some of Verizon's Visible Cell Network Customers Say They've Been Hacked (theverge.com) 3

Verizon's Visible network has confirmed that some accounts were accessed without authorization. Visible is a cell service owned and operated by Verizon that "pitches itself as a less expensive, 'all-digital' network, meaning there aren't any physical stores like you'd get with a traditional carrier," notes The Verge. From the report: Starting on Monday, customers on both Twitter and Reddit reported en masse that they'd been getting emails from the company about changed passwords and addresses, and that they've had difficulties contacting the company's chat support. Visible's customer service account on Twitter seemingly hasn't addressed the issue, besides directing upset customers to its DMs. A user marked as a Visible employee on the subreddit posted a statement on Monday afternoon, saying that a "small number" of accounts were affected, but that the company didn't believe its systems had been breached. The statement did recommend that users change their passwords, but as many commenters pointed out (and as I can confirm), the password reset system currently isn't working. In a follow-up article, The Verge reports that Visible has confirmed customer reports of attackers accessing and changing user accounts. The company said that the breaches were carried out using usernames and passwords from "outside sources," adding that it's worked to "mitigate the issue" since it became aware of it. They're recommending you reset your password if it's one you've used for other services.
IT

Activision Unveils Ricochet Anti-cheat System for Call of Duty (venturebeat.com) 32

Activision unveiled its Ricochet anti-cheat system for Call of Duty games as it tries to attack a longstanding cheating problem that has frustrated a lot of players. From a report: The new system will get rid of players cheating in Call of Duty: Warzone later this year and it will debut with Call of Duty: Vanguard, the new premium game coming on multiple platforms on November 5. Activision, whose parent company Activision Blizzard has been sued for having an alleged toxic culture of its own, said in its announcement that cheating in Call of Duty is frustrating for players, developers, and the entire community. The anti-cheat team has made great strides in fighting this persistent issue that affects so many, but the company said it knows more must be done. Ricochet is supported by a team of dedicated professionals focused on fighting unfair play.

The Ricochet anti-cheat initiative is a multi-faceted approach to combat cheating, featuring new server-side tools which monitor analytics to identify cheating, enhanced investigation processes to stamp out cheaters, updates to strengthen account security, and more. Ricochet's backend anti-cheat security features will launch alongside Call of Duty: Vanguard, and later this year with the Pacific update coming to Call of Duty: Warzone. In addition to server enhancements coming with Ricochet is a new PC kernel-level driver, developed internally for the Call of Duty franchise, and launching first for Call of Duty: Warzone. This driver will assist in the identification of cheaters, reinforcing and strengthening the overall server security. The kernel-level driver launches alongside the Pacific update for Warzone later this year.
Further reading: Cheat Maker Is Not Afraid of Call of Duty's New Kernel-Level Anti-Cheat.
Windows

Windows 11's First Update Makes AMD CPU Performance Even Worse (theverge.com) 50

AMD warned last week that its chips are experiencing performance issues in Windows 11, and now Microsoft's first update to its new OS has reportedly made the problems worse. From a report: TechPowerUp reports that it's seeing much higher latency, which means worse performance, after the Windows 11 update went live yesterday. AMD and Microsoft found two issues with Windows 11 on Ryzen processors. Windows 11 can cause L3 cache latency to triple, slowing performance by up to 15 percent in certain games. The second issue affects AMD's preferred core technology, that shifts threads over to the fastest core on a processor. AMD says this second bug could impact performance on CPU-reliant tasks. TechPowerUp measured the L3 cache latency on its Ryzen 7 2700X at around 10ns, and Windows 11 increased this to 17ns. "This was made much worse with the October 12 'Patch Tuesday' update, driving up the latency to 31.9ns," says TechPowerUp. That's a huge jump, and the exact type of issue AMD warned about.
Android

Study Reveals Android Phones Constantly Snoop On Their Users (bleepingcomputer.com) 113

A new study (PDF) by a team of university researchers in the UK has unveiled a host of privacy issues that arise from using Android smartphones. BleepingComputer reports: The researchers have focused on Samsung, Xiaomi, Realme, and Huawei Android devices, and LineageOS and /e/OS, two forks of Android that aim to offer long-term support and a de-Googled experience. The conclusion of the study is worrying for the vast majority of Android users: "With the notable exception of /e/OS, even when minimally configured and the handset is idle these vendor-customized Android variants transmit substantial amounts of information to the OS developer and also to third parties (Google, Microsoft, LinkedIn, Facebook, etc.) that have pre-installed system apps." As the summary table indicates, sensitive user data like persistent identifiers, app usage details, and telemetry information are not only shared with the device vendors, but also go to various third parties, such as Microsoft, LinkedIn, and Facebook. And to make matters worse, Google appears at the receiving end of all collected data almost across the entire table.

It is important to note that this concerns the collection of data for which there's no option to opt-out, so Android users are powerless against this type of telemetry. This is particularly concerning when smartphone vendors include third-party apps that are silently collecting data even if they're not used by the device owner, and which cannot be uninstalled. For some of the built-in system apps like miui.analytics (Xiaomi), Heytap (Realme), and Hicloud (Huawei), the researchers found that the encrypted data can sometimes be decoded, putting the data at risk to man-in-the-middle (MitM) attacks. As the study points out, even if the user resets the advertising identifiers for their Google Account on Android, the data-collection system can trivially re-link the new ID back to the same device and append it to the original tracking history. The deanonymization of users takes place using various methods, such as looking at the SIM, IMEI, location data history, IP address, network SSID, or a combination of these.
In response to the report, a Google spokesperson said: "While we appreciate the work of the researchers, we disagree that this behavior is unexpected -- this is how modern smartphones work. As explained in our Google Play Services Help Center article, this data is essential for core device services such as push notifications and software updates across a diverse ecosystem of devices and software builds. For example, Google Play services uses data on certified Android devices to support core device features. Collection of limited basic information, such as a device's IMEI, is necessary to deliver critical updates reliably across Android devices and apps."
Security

Woman Allegedly Hacked Flight School, Cleared Planes With Maintenance Issues To Fly (vice.com) 67

A woman allegedly hacked into the systems of a flight training school in Florida to delete and tamper with information related to the school's airplanes. In some cases, planes that previously had maintenance issues had been "cleared" to fly, according to a police report. The hack, according to the school's CEO, could have put pilots in danger. From a report: Lauren Lide, a 26-year-old who used to work for the Melbourne Flight Training school, resigned from her position of Flight Operations Manager at the end of November of 2019, after the company fired her father. Months later, she allegedly hacked into the systems of her former company, deleting and changing records, in an apparent attempt to get back at her former employer, according to court records obtained by Motherboard. The news of her arrest was first reported by local TV station News Channel 8.

Derek Fallon, the CEO of Melbourne Flight Training called the police on January 17, 2020, and reported that five days before, he logged onto his account for Flight Circle, an app his company uses to manage and keep track of its airplanes, and found that there was missing information. Fallon found that someone had removed records related to planes with maintenance issues and reminders of inspections had all been deleted, "meaning aircraft which may have been unsafe to fly were purposely made 'airworthy,'" according to a document written by a Melbourne Airport Police officer.

IT

Coinbase is Launching a Marketplace for NFTs (cnbc.com) 18

Coinbase is getting into NFTs. The cryptocurrency exchange said Tuesday it plans to launch a marketplace that lets users mint, collect and trade NFTs, or non-fungible tokens. From a report: Users can sign up to a waitlist for early access to the feature, the company said. NFTs are one-of-a-kind digital assets designed to represent ownership of online items like rare art or collectible trading cards. They aren't fungible, meaning you can't exchange one NFT for another like you could with bitcoin and other cryptocurrencies. Sales of such tokens have boomed this year. The NFT market topped $10 billion in transaction volume in the third quarter of 2021, according to DappRadar, a company that tracks data on crypto-based applications.
Security

Olympus Confirms US Cyberattack, Weeks After BlackMatter Ransomware Hit EMEA Systems (techcrunch.com) 12

Japanese technology giant Olympus has confirmed it was hit by a cyberattack over the weekend that forced it to shut down its IT systems in the U.S., Canada and Latin America. From a report: In a statement on its website, Olympus said it is "investigating a potential cybersecurity incident detected October 10" and is "currently working with the highest priority to resolve this issue."

"As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions. We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way. Protecting our customers and partners and maintaining their trust in us is our highest priority. Our investigation is ongoing and we are committed to transparent disclosure and will continue to provide updates as new information becomes available."

It's near-identical to a statement put out by Olympus last month following a cyberattack on its European, Middle East and Africa network.

Microsoft

Microsoft Says It Mitigated a 2.4 Tbps DDoS Attack, the Largest Ever (therecord.media) 39

Microsoft said its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) distributed denial of service attack this year, at the end of August, representing the largest DDoS attack recorded to date. From a report: Amir Dahan, Senior Program Manager for Azure Networking, said the attack was carried out using a botnet of approximately 70,000 bots primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the United States. Dahan identified the target of the attack only as "an Azure customer in Europe."

The Microsoft exec said the record-breaking DDoS attack came in three short waves, in the span of ten minutes, with the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps. Dahan said Microsoft successfully mitigated the attack without Azure going down. Prior to Microsoft's disclosure today, the previous DDoS record was held by a 2.3 Tbps attack that Amazon's AWS division mitigated in February 2020.

Google

Google Unveils Cybersecurity Programs and Action Team (venturebeat.com) 21

An anonymous reader shares a report: By the end of 2021, cybercrime is expected to cost the world $6 trillion. And by 2025, this figure will climb to $10.5 trillion, according to Cybersecurity Ventures. There's been a rash of recent high-profile cyberattacks, including Colonial Pipeline, the SolarWinds breach, and JBS USA. That's perhaps why 80% of senior IT employees believe that their companies lack sufficient protection against cyberattacks, despite increased security investments made in 2020.

To address the challenges, Google today at Google Cloud Next 2021 debuted Work Safer, a program to help organizations, employees, and partners collaborate in hybrid work environments. It also unveiled a new security-focused task force -- the Cybersecurity Action Team -- and a security and resilience framework, in addition to enhanced security capabilities in Workspace. The announcements come after research showing that companies want cloud providers to increase their security efforts. According to a recent Tripwire survey, while the majority of enterprises believe that public cloud providers are doing enough to ensure security for users, it's "just barely adequate."

Bug

LibreOffice, OpenOffice Bug Allows Hackers To Spoof Signed Docs (bleepingcomputer.com) 7

LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. BleepingComputer reports: The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for their project is tracked as CVE-2021-25635. If you're using either of the open-source office suites, you're advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. Since neither of these two applications offers auto-updating, you should do it manually by downloading the latest version from the respective download centers -- LibreOffice, OpenOffice. If you're using Linux and the aforementioned versions aren't available on your distribution's package manager yet, you are advised to download the "deb", or "rpm" package from the Download center or build LibreOffice from source. If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros.
Microsoft

Microsoft Warns of New Windows 11 Problems With Apps Using Unusual Registry Keys (betanews.com) 76

Microsoft has shared details of a new known issue with Windows 11. The company has confirmed that a problem exists with apps that use certain characters in registry keys. From a report: As a result of the discovery, Microsoft has put a compatibility hold in place that means people with problematic apps installed will not be offered Windows 11 via Windows Update. The issue is under investigation. It seems that the issue is related to, or is an extension of, one of the three initial known issues with Windows 11.
Google

Google Pulls 'Stalkerware' Ads That Promoted Phone Spying Apps (techcrunch.com) 9

Google has pulled several "stalkerware" ads that violated its policies by promoting apps that encouraged prospective users to spy on their spouses' phone. From a report: These consumer-grade spyware apps are often marketed to parents wishing to monitor their child's calls, messages, apps, photos and location, often under the guise of protecting against predators. But these apps, which are often designed to be installed surreptitiously and without the device owner's consent, have been repurposed by abusers to spy on the phones of their spouses.

[...] Last August, Google banned ads in users' search results that promoted apps that are designed "with the express purpose of tracking or monitoring another person or their activities without their authorization." But TechCrunch found five app makers were still advertising their stalkerware apps as recently as last week. "We do not allow ads promoting spyware for partner surveillance. We immediately removed the ads that violated this policy and will continue to track emerging behaviors to prevent bad actors from trying to evade our detection systems," a Google spokesperson told TechCrunch.

Businesses

'We're in a Hurry.' Qualcomm New CEO Scrambles To Cope With a Global Chip Crisis. (wsj.com) 28

Cristiano Amon is the new boss of Qualcomm, a U.S. tech giant that designs semiconductors. His first task: Convince companies to make more chips for him -- and fast. From a report: Months before Cristiano Amon started as CEO of Qualcomm, he already was at work on his first crisis. To solve it, he sat in a mostly empty meeting room in Taipei and pleaded with executives from one of the world's biggest semiconductor makers for more chips. He needed the help so that Qualcomm, a designer of circuits that go into hundreds of millions of electronic devices every year, could chase new markets and meet demand from big customers such as Apple, Samsung Electronics and China's top handset-makers. In fact, he needed the assistance so much that he got permission from the Taiwanese government to arrive in March and then waited through a three-day quarantine. Once he and his team got to the meeting place in a Taipei hotel, they negotiated with counterparts across a large room outfitted with microphones and speakers to communicate.

"I'm a very big believer that sometimes you have to meet folks in person," said Mr. Amon, who was named CEO in January and officially took over in June. Many new CEOs across the business world had to adjust to their roles amid unprecedented pandemic-era restrictions, getting to know key employees without ever meeting them in person and managing offices and business relationships from far away. Few can say they had a more tumultuous transition than Mr. Amon, a gregarious Brazilian who revels in person-to-person contact. He is juggling a cluster of major challenges -- a global chip shortage, a sudden shift in a key market, and an unexpected acquisition opportunity -- while trying to put his own stamp on a company after working there for more than two decades. He wants to focus on an expansion beyond Qualcomm's core mobile-phone chip business, a shift that began before he took over. "I've been doing many things in parallel and I want to succeed in them all," he said in an interview. "I can't afford not to do them because we're in a hurry."
