Waze definitely has a personality, thanks to its colorful, cartoony design packed with big icons and bold, in-your-face alerts. It’s also got a playful side when it comes to customization. You can stream music directly through the built-in audio player (Spotify, anyone?), pick a voice “sidekick” like Halo’s Master Chief or comedian Nate Bargatze, and even set a mood once you’ve driven more than 160 kilometers.Google Maps isn’t quite as caricatured, but it is loaded with features. It’s fantastic for exploring neighborhoods, digging into business info, or finding restaurants, parks, and stores. You can even hop into Street View to preview a location before heading out. There are plenty of layers and details too. You can switch between satellite, terrain, air quality, wildfire zones, and even 3D buildings. Now it even has an AR-powered Lens feature that lets you use your phone’s camera to identify shops, restaurants, or landmarks around you and get quick AI-powered info on them. It might feel a little cluttered when you’re just trying to drive, but honestly, it’s kind of fun to click around and see just how much it can do.Also: How to blur your house on Google Street View (and 4 reasons why people do it)While Waze has basic details like business addresses and hours, what about restaurant reviews or photos? Not so much. Google Maps is a beast in this department. Full reviews, photos, peak hours, menus, and more.I’ll admit this can come down to personal preference. If you’re into quirky extras and playful design, Waze definitely delivers. But since I’m not big on the gimmicky stuff and prefer a more feature-rich interface with plenty of discovery options that actually help me get around, I’m giving the edge to Google Maps. More

Over half of ransomware attacks are targeting one of three industries; banking, utilities and retail, according to analysis by cybersecurity researchers – but they’ve also warned that all industries are at risk from attacks. The data has been gathered by Trellix – formerly McAfee Enterprise and FireEye – from detected attacks between July and September 2021, a period when some of the most high profile ransomware attacks of the last year happened. According to detections by Trellix, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That’s followed by 20% of attacks targeting the utilities sector and 16% of attacks targeting retailers. Attacks against the three sectors alone account for 58% of all of those detected.  Utilities is a particularly enticing industry for ransomware gangs to target, because the nature of the industry means it provides vital services to people and businesses and if those services can’t be accessed, it has an impact – as demonstrated by the ransomware attack against Colonial Pipeline, which led to gas shortages in the North Eastern United States. The incident saw Colonial paying a ransom of millions to cyber criminals in order to receive the decryption key.  SEE: A winning strategy for cybersecurity (ZDNet special report)Ransomware attacks against retailers can also have a significant impact, forcing shops to be restricted to taking cash payments, or even forcing them to close all together while the issue is resolved, preventing people from buying everyday items they need. Other sectors which were significant targets for ransomware include education, government and industrial services, serving as a warning that no matter which sector they operate in, all organisations could be a potential target for ransomware.  

“Despite the financial, utilities and retail sectors accounting for nearly 60% of all ransomware detections – no business or industry is safe from attack, and these findings should act as a reminder of this,” said Fabien Rech, VP EMEA for Trellix.   “As cybercriminals adapt their methods to target the most sensitive data and services, organisations must shore up their defences to mitigate further threats.” While several high-profile ransomware groups of 2021 seem to have disappeared or gone dark, particularly following arrests, new gangs and malware strains are emerging all the time and ransomware remains a key cybersecurity threat to organisations around the world. In order to help protect networks against ransomware and other cyber attacks, it’s recommended that organisations regularly apply the required security updates to operating systems, applications and software, something which can prevent hackers from exploiting known vulnerabilities to launch attacks. It’s also recommended that organisations apply multi-factor authentication across all accounts and that security teams attempt to scan for credential stealing attacks and other potential suspicious activity in order to prevent attacks before they happen.MORE ON CYBERSECURITY More

A hacker has leaked this month the data of more than 4.2 million users registered on Peatix, an event organizing platform, currently ranked among the Alexa Top 3,500 most popular sites on the internet.

The site’s user data was made available through ads posted via Instagram stories, on Telegram channels, and on several different hacking forums.
According to samples of the Peatix data seen by ZDNet, the leaked information included full names, usernames, emails, and salted and hashed passwords.
Most of the leaked user data belonged to persons with Asian names, which is consistent with the evolution of the Peatix startup, which first launched in Japan in 2011 and later expanded to Singapore in 2013, before opening to the US and other parts of the world.
ZDNet notified Peatix of a possible breach earlier this month, but we never heard back from the company. Nonetheless, Peatix went public and admitted its breach this week through a message posted on its website [PDF, archived].
The company said it has investigated the reports, identified the point of entry, and blocked the intruders from re-accessing its systems.
Peatix reassured users that no financial data was involved as all payments were handled through third-party platforms, and nothing was stored inside its database.

“In addition, based on our investigation to date, we have no reason to believe that any historical data of events in which users participated, any data obtained through our questionnaire function or users’ addresses or phone numbers were accessed,” the company said.
ZDNet also reached out to the hacker who shared Peatix’s data online, on one of the multiple hacking forums. This individual told us that they are not the persons who breached the company but that they were only leaking the data to sabotage a rival data breach broker.

Image: ZDNet
Peatix is currently notifying all impacted users via email and requesting that they change account passwords. More

Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.

The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.” 
Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.  
Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, another object lifestyle issue in audio problem, and CVE-2021-21163, an insufficient data validation issue in Reader Mode. 
The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom. 
Google’s announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available. 
The Chrome 89.0.4389.72 release also contains a swathe of other security fixes and browser improvements. In total, 47 bugs have been patched, including a high-severity heap buffer overflow in TabStrip (CVE-2021-21159), another heap buffer overflow in WebAudio (CVE-2021-21160), and a use-after-free issue in WebRTC (CVE-2021-21162). A total of eight vulnerabilities are considered high-severity.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
On February 4, Google pushed out a fix for CVE-2021-21148, a heap buffer overflow in the Chrome V8 JavaScript engine which is also being actively exploited. This high-severity security flaw was reported by Mattias Buelens on January 24. 
This week, Microsoft released urgent updates for four zero-day vulnerabilities in Exchange Server. Microsoft says the bugs are being exploited in “limited targeted attacks” and is urging users to update as quickly as possible. 

Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Peloton has refuted claims made in an “urgent” US safety advisory warning of the risk to children caused by the Tread+. 

The Peloton Tread+, a treadmill that includes Internet and Bluetooth connectivity, a built-in soundbar, and display, is a product offered by Peloton designed to link to real-time exercise classes for users over 16 years of age. On April 17, the US Consumer Product Safety Commission (CPSC) released a video showing two children playing on a Tread+, one of which became temporarily trapped.  The CPSC then published a public health and safety notice to US consumers, urging users with children to “stop using the product immediately.” According to the US agency, the Peloton Tread+ has been linked to 39 incidents involving children and pets, with potential risks including abrasions and fractures. The death of a child has been recorded.  The commission has launched an investigation into the fatality, which was disclosed by Peloton in March. At the time, in a letter to users, Peloton CEO and co-founder John Foley said the company designs and builds products “with safety in mind,” but urged users to “keep children and pets away from Peloton exercise equipment at all times.” Separately, a three-year-old boy suffered head and neck injuries after becoming trapped under a Tread+, leading to what the CPSC calls “significant brain injury.”

“Peloton was shocked and devastated to learn in March that a child died while using the Tread+,” Peloton said. “Within a day of learning this news, Peloton notified CPSC. While preparing its report to CPSC, Peloton learned through a doctor’s report to CPSC’s public database that a child had experienced a brain injury. Peloton spoke to the family who reported that and the child is expected to fully recover.” “In light of multiple reports of children becoming entrapped, pinned, and pulled under the rear roller of the product, CPSC urges consumers with children at home to stop using the product immediately,” the agency warned.  According to the CPSC, one safety incident may have occurred when a parent was using the treadmill, and it may be that “the hazard cannot be avoided simply by locking the device when not in use.”  The US agency recommends that consumers should keep their Tread+ in a locked room and other objects, such as exercise balls, should be kept well away. In response to the alert, Peloton issued its own statement branding the advisory as “misleading” and “inaccurate.” “There is no reason to stop using the Tread+, as long as all warnings and safety instructions are followed,” the company said. “Children under 16 should never use the Tread+, and members should keep children, pets, and objects away from the Tread+ at all times.”   Peloton has also asked users to detach the Safety Key when the treadmill is not in use, as this would prevent the Tread+ from being inadvertently turned on, “precisely to avoid the kind of incident that [the CPSC’s] video depicts.” Furthermore, Peloton claims that the company was willing to make a joint statement with CPSC concerning the safety worries, but the agency “unfairly characterized Peloton’s efforts to collaborate and to correct inaccuracies in CPSC’s press release as an attempt to delay.” In a follow-up note, Peloton’s CEO said there was no obstruction to the investigation, with the exception of the agency’s demands for personal data from customers that requested this information was withheld. “Peloton is disappointed that, despite its offers of collaboration, and despite the fact that the Tread+ complies with all applicable safety standards, CPSC was unwilling to engage in any meaningful discussions with Peloton before issuing its inaccurate and misleading press release,” Peloton added.  Foley says the company has “no intention” of recalling or stopping sales of the Tread+.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More