STE WILLIAMS

NotPetya Victim Mondelez Sues Zurich Insurance for $100 Million

Mondelez, the US snack maker that owns brands including Ritz and Nabisco, has filed a lawsuit against Zurich Insurance Group after Zurich denied its claim for $100 million in NotPetya damage.

NotPetya hit companies worldwide in June 2017, dressed up as ransomware. Unlike ransomware proper, which encrypts data and demands payment for its return, it was built to destroy: it overwrote the master boot record and encrypted the disk's master file table, and the "installation ID" it showed victims was random, so no key could have been recovered even if the ransom had been paid. A new Financial Times report states that 1,700 Mondelez servers and 24,000 laptops were permanently damaged in the attack.

Mondelez's insurance policy covered "physical loss or damage to electronic data, programs, or software" caused by "the malicious introduction of a machine code or instruction," ZDNet points out. Zurich rejected the $100 million claim, saying the NotPetya attack was a "hostile or warlike action in time of peace or war" and invoking a war exclusion that, it said, voided the claim. Mondelez is now suing Zurich in response.

The case raises the question of how insurers' "war exclusion" clauses apply to cyberattacks that keep growing in scale and are increasingly attributed to states. In February 2018 the UK government officially blamed the Russian military for NotPetya, which was aimed at destabilising Ukraine but spread around the world.


Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/notpetya-victim-mondelez-sues-zurich-insurance-for-$100-million/d/d-id/1333640?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SCOTUS Says Suit Over Fiat-Chrysler Hack Can Move Forward

A class-action suit over a 2015 attack demonstration against a Jeep Cherokee can move forward, US Supreme Court rules.

This week the US Supreme Court allowed a cybersecurity-related class action against Fiat-Chrysler to proceed by declining to hear the auto maker's appeal.

In 2015, security researchers Charlie Miller and Chris Valasek showed that they could remotely take over a Jeep Cherokee's control systems by breaking in over the cellular network through the SUV's Uconnect infotainment system. In 2016, they showed they could do it again.

Even though no examples of the hack have been seen in the wild, and Fiat-Chrysler issued a recall affecting more than a million cars in order to patch the vulnerability, a class-action suit was filed against the company.

The plaintiffs say Fiat-Chrysler knew about the vulnerability as early as 2011 but did nothing about it until the public demonstration. They contend that, had they known of the issue, they might have chosen to purchase different vehicles.

Fiat-Chrysler had filed an appeal asking that the suit be dismissed because the vulnerability has been patched. Now, the US Supreme Court says that the suit can go forward, remediation notwithstanding. Arguments in the suit are scheduled to be heard beginning in October.



Article source: https://www.darkreading.com/vulnerabilities-and-threats/scotus-says-suit-over-fiat-chrysler-hack-can-move-forward/d/d-id/1333639?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

El Chapo was brought down by a sysadmin

It's time to crown a new Sysadmin From Hell. Or from heaven, if you're law enforcement. His name is Cristian Rodríguez: a Colombian IT geek who wound up working for drug kingpin "El Chapo" Joaquín Guzmán, got flipped by the FBI, and is likely to go down in history as the man most responsible for sending his ex-boss to prison, probably for life.

On Tuesday, two months into Guzmán's trial in Brooklyn, the FBI revealed that agents had got inside the communications between El Chapo and his associates (and his wife and mistresses) by enlisting Rodríguez to move the cartel's custom encrypted phone system from Canada to the Netherlands and then hand over its encryption keys.

For a detailed look at the drug lord’s systems engineer, his background, the story of how he got recruited by multiple cartels, and the work he carried out at their behest, check out USA Today’s coverage.

New York Times reporter Alan Feuer recounted a summary given in court by FBI special agent Steven Marston of how Rodríguez enabled the bureau to tap more than 1,500 calls on the cartel’s encrypted system between April 2011 and January 2012.

Some of the details:

El Chapo's takedown was accomplished with "hi-tech cloak-and-dagger stuff," as Feuer put it.

About a decade ago, before he dropped out to build his own business, Rodríguez was an electronics system engineering student specializing in cybersecurity at a college in Colombia.

One of his clients was Colombian drug lord Jorge Cifuentes, who recommended him to Guzmán. Cifuentes told El Chapo that Rodríguez could set him up a closed, encrypted voice-over-IP (VoIP) network. Rodríguez travelled to Guzmán's headquarters in the Mexican state of Sinaloa to build it, giving El Chapo encrypted calls that law enforcement couldn't tap.

Rodríguez initially put Guzmán's servers in Canada, but after the FBI recruited him he told his boss that he was doing a system upgrade that included moving the servers to the Netherlands. Once the servers were there, Rodríguez handed the FBI the encryption keys, so agents could decrypt the intercepted calls. The encryption itself was never broken; it didn't need to be, because the man who administered the system held the keys.

According to Rodríguez, Guzmán wasn't satisfied with encrypted, supposedly unbreakable phone communications. He allegedly had a keen interest in eavesdropping, and he asked his sysadmin to install spyware on phones used by his associates and his family. He also asked Rodríguez to install spyware on his mistress's laptop, something Rodríguez said he could do in three minutes and which he pulled off while Guzmán distracted her.

Rodríguez said that he got paid about $100,000 for the initial network. He said that he also installed spyware that logged call histories and locations of encrypted cell phones for about 50 people who worked for the Sinaloa cartel. But over and above call histories and locations, Guzmán really enjoyed eavesdropping.

The NY Post quoted Rodríguez:

It was like his toy.

He would call a person to their extension, they would talk, they would hang up, and then he would call another line to open the microphone and listen to what was being said about him.

Yikes, what a boss. Rodríguez turned out to be one hell of an insider threat to the cartel, though – the kind the FBI builds cases on. As special agent Marston told it, Rodríguez’s assistance proved so valuable that FBI agents considered nominating him for a multi-million dollar government reward.

Rodríguez didn’t wind up getting that reward: the idea was discarded, Marston said. But he did come out of this alive, having been moved to the US for his safety. He won’t be facing charges as a co-conspirator with either the Mexican or the Colombian cartel, Marston said.

The Brooklyn judge is also watching the star witness’s back. From USA Today:

U.S. District Court Judge Brian Cogan, wary of the cartel’s reputation for murder and brutality, barred courtroom sketch artists from depicting Rodríguez’s face in their drawings.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/D1q93gkT9MY/

Trading site data leak sprayed out keys to users’ accounts

You might want to question putting your money into a new trading platform that can’t even spring for a good translator.

Or, as DX.Exchange put it on its site:

Digital Stocks , How its works?

If only that were the biggest problem of the platform, which allows people to trade currencies and “digitized” versions of Apple, Tesla, and other stocks. A few days ago, a curious trader wanted to see how robust the platform is, along with how well it protects users’ sensitive financial and legal information.

So, as Ars Technica tells it, the trader set up a dummy account and started to explore, using the Chrome browser’s developer tools to get better visibility into the platform’s inner workings.

And lo! What a hot mess he encountered therein.

According to Ars, the trader discovered that HTTP responses from the platform included a tangled spaghetti of extraneous data, including other users’ authentication tokens, plus password-reset links.

When you log in to a website you hand over your password and the website gives you an authentication token in return. Until you log out, your browser will hand back the authentication token with each subsequent page request to show that the request is coming from you.

The token is supposed to be kept secret from everyone but you and the website (because it’s as good as a password), and it’s protected from snooping as it travels back and forth between your browser and the website by TLS (Transport Layer Security).

That protection is worthless though if your token gets sent to somebody else. If a bad actor ends up with your token, and you haven’t logged out by the time they get it, then they have the same access to your account that you do.

In this case the trader was also able to turn a hijacked session into a permanent backdoor by enabling API access on the compromised account, so that his access no longer depended on the stolen token staying valid.

The trader requested anonymity, fearful of the company taking legal action against him. As it is, he couldn’t even find a way to contact the company’s security team – or anybody, for that matter, though Ars obviously did get through – nor any mention of a bug bounty program. Ars quoted him:

The fact that I’m even scared to tell them and there’s not even a way to do it, it’s ridiculous.

It gets worse

Ars Technica Security Editor Dan Goodin says the publication confirmed what the trader was reporting. The site's tokens followed the JSON Web Token (JWT) standard, whose payload is merely base64url-encoded, not encrypted: anyone holding a token can decode it and read the full name and email address of the DX.Exchange user it belongs to.

By examining the contents of the tokens, the trader established that the data leaking from the site included employees’ tokens:

You can see from the account’s email address it’s @coins.exchange [which is a domain used by many of the platform’s employees]. I have pretty good confidence I could do this for a day and get an administrative token and have everything.

In other words, a patient attacker who was prepared to wait until the site sent them a token for a highly privileged user could have been a threat to the entire platform, not just individual accounts.

Goodin speculates that with unfettered access an attacker might have been able to spike the site with malware, download its user data or drain the funds of its 600,000 registered users.

Ars gave DX.Exchange officials a heads-up on Tuesday afternoon and, after a short delay and a false start, the leak was finally plugged shortly after 8am Pacific Time on Wednesday.

The leak itself was one thing. But Goodin noted a slew of red flags beyond that, including the site’s sloppiness with tokens:

Besides the leak itself, there’s also the sloppiness of its token system. Best practices call for authentication tokens to be time stamped and then signed with a private encryption key each time a user sends it to a site. This prevents what are known as replay attacks, in which hackers gain unauthorized access to an account by copying the user’s valid Web request and pasting it into a new, fraudulent request.
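To make concrete what the trader and Goodin are describing, here is an added example, not DX.Exchange's code or anything published by Ars: it decodes a constructed JWT to show that the payload is readable by anyone who holds the token, and then mints and verifies a token the way Goodin's best-practice sketch calls for, with an issue time, an expiry and a signature the server checks before trusting the claims. The key, the claims and the leaky token are constructed for illustration, and the verifier is an assumption about how such a site should behave, not a description of DX.Exchange's backend.

```python
# Added example, not DX.Exchange's code or anything published by Ars Technica.
# The key, the claims and the leaky token are constructed for illustration.
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(part):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Read header and payload without touching the signature. This is all an
    attacker needs to pull names and e-mail addresses out of a leaked token."""
    header_b64, payload_b64, _signature = token.split(".")
    return {"header": json.loads(b64url_decode(header_b64)),
            "payload": json.loads(b64url_decode(payload_b64))}


# A constructed token of the kind the trader saw: signed, but with no expiry
# and with the user's identity sitting in the clear.
LEAKY_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "1234", "name": "Jane Doe",
                              "email": "jane.doe@example.com"}).encode()),
    b64url_encode(b"\x00" * 32),   # whatever the signature was; nobody needs it to read the payload
])


def mint_token(claims, key, ttl_seconds, now=None):
    """Issue an HS256 token carrying iat/exp so that a copied token stops
    working after ttl_seconds instead of living forever."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({**claims, "iat": now, "exp": now + ttl_seconds}).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}." + b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())


def verify_token(token, key, now=None):
    """Return the payload if the signature verifies and the token is unexpired,
    else None. The algorithm is pinned to HS256 rather than read from the header,
    which closes the classic 'alg: none' substitution."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:          # wrong segment count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return None   # a missing expiry is treated as a defect, not as "never expires"
    return payload


if __name__ == "__main__":
    print("leaked token reveals:", decode_unverified(LEAKY_TOKEN)["payload"])
    key = b"constructed-server-secret"
    fresh = mint_token({"sub": "1234"}, key, ttl_seconds=300, now=1_700_000_000)
    print("valid now:", verify_token(fresh, key, now=1_700_000_100))
    print("after expiry:", verify_token(fresh, key, now=1_700_000_400))
    print("leaky token at the hardened verifier:", verify_token(LEAKY_TOKEN, key))
```

Two design points worth noting. A short `exp` limits how long a token that has leaked into somebody else's HTTP response stays useful, which is the replay concern Goodin raises; and the verifier ignores the `alg` field the token carries, because a server that lets the client choose the algorithm can be talked into skipping verification altogether. Neither fixes the underlying bug of sending one user's token to another, but they shrink the blast radius when it happens.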

The fact that there was no clear way to report a security problem was another red flag.

We can scarcely blame the trader who found the leaks for wanting to keep a low profile and keep his name and phone number away from DX.Exchange. Companies with security holes don’t always respond with an abundance of gratitude.

The St Jude vs MedSec debacle comes to mind. St Jude, the pacemaker company, sued IoT security firm MedSec for defamation after it published what St Jude said was bogus information about bugs in its equipment… life-threatening bugs that it nonetheless went on to patch, mind you.

We need all the help we can get from ethical hackers who responsibly disclose vulnerabilities, and they shouldn’t be scared away by fears of retribution over ethical disclosure. That’s just one hurdle they face; as it is, their talents are being tempted away by ever-fatter bounties from zero-day buyers, and lawmakers have on multiple occasions proposed punitive anti-hacking laws.

The very least that ethical vulnerability disclosers should be able to expect is a clear way to disclose.

Bear in mind that being in “beta” mode, as DX.Exchange says it is, is no excuse for poor security hygiene. To paraphrase one reader’s comment on Ars’s coverage, if a site’s taking your money like it’s full-release, it can’t expect to be held to beta-stage obligations.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/PPNkAABfdLw/

2FA codes can be phished by new pentest tool

With every new hack, it’s becoming clearer that older forms of two-factor authentication (2FA) are no longer the reassuring security protection they once were.

The latest and perhaps most significant is that researcher Piotr Duszyński has published a tool called Modlishka (Polish: “Mantis”) capable of automating the phishing of one-time passcodes (OTPs) sent by SMS or generated using authentication apps.

On one level, Modlishka is simply a tool that sits on the same server as a phishing site capturing any credentials and 2FA tokens the user can be tricked into sending it.

But instead of cloning the phished site (Gmail, say), it behaves like a reverse proxy, cleverly feeding the user content from the real site to make an attack look more convincing.

The user thinks they are interacting with the real site because, in a sense, they are: every request and response passes through the genuine site, with Modlishka relaying and recording the traffic in between, including the session cookie the real site issues once the password and 2FA steps succeed. The victim sees nothing unusual beyond the address bar.

A video demo shows how Modlishka could be used to phish a Google user but it could just as easily be used against any service where the same authentication is in use.

Explains Duszyński:

This tool should be very useful to all penetration testers, that want to carry out an effective phishing campaign (also as part of their red team engagements).

Was it right to publish such a powerful tool? Arguably, yes. When used for its intended purpose – simulating phishing attacks against 2FA as part of a penetration or social engineering test – it offers an important insight into the vulnerability of this type of security.

As for being used by cybercriminals, there are probably plenty of other tools that can do a similar job given that phishing OTP codes isn’t a new technique.

Within days of one another in December, separate reports emerged of attacks where phishing had successfully been used to obtain OTP codes as part of targeted campaigns.

The first was against high-value US targets, while the second was documented by Amnesty International as having been part of a campaign to break into the email accounts of over 1,000 human rights campaigners.

Ambitiously, the latter went after users of email services such as ProtonMail and Tutanota, which have additional layers of security and log all accesses.

What to do?

OTP phishing has limitations. A captured code is only good for the 30-second window (or single use) before it is replaced by a new one, so an attacker holding a stolen code must act almost immediately. That limit matters less with a reverse proxy, though: the code is spent in real time as the victim types it, and what the attacker keeps is the authenticated session the real site hands back afterwards. The attack also depends on socially engineering the target into visiting the phishing site in the first place.

A password manager that fills credentials by domain is a useful tell: it won't offer your saved login on a look-alike phishing domain, and that silence should be taken as a warning sign.

The best defence, however, is not to abandon OTP 2FA but move to something more secure, which almost all big sites now offer as an option.

As Duszyński says:

Currently, the only way to address this issue, from a technical perspective, is to entirely rely on 2FA hardware tokens, that are based on U2F protocol.

U2F tokens can be bought from Yubico and also directly from Google in the form of the Titan key. Because they use public-key cryptography, they never transmit a code that can be phished: the browser has the key sign a challenge together with the origin the page was actually loaded from, so a signature obtained on a look-alike domain is worthless on the real one, and the browser won't let a page on one domain invoke a key registered to another in the first place.
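The contrast drawn above between a relayed OTP and a U2F assertion can be shown in a few dozen lines. The following is an added example written for this page, not Modlishka's code or anything by Duszyński: it implements RFC 6238 TOTP as an authenticator app would, models a U2F key and a browser in simplified form, and runs both factors through a Modlishka-style relay. The origins, the secrets and the use of an HMAC in place of the key's per-credential signature are assumptions made for illustration; a real U2F key signs with a private key and the server verifies with the matching public key, but the origin check that defeats the proxy works the same way.

```python
# Added example, not Modlishka's code or Duszynski's: a model of why a reverse
# proxy can relay an OTP but not a U2F assertion. Origins, secrets and the
# HMAC-as-signature shortcut are assumptions for illustration.
import hashlib
import hmac
import json
import os
import secrets
import struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://accounts.example.com"                    # constructed
PHISH_ORIGIN = "https://accounts.example.com.login-help.test"   # constructed


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app shows every 30 s."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Stand-in for a U2F key: each key handle is bound to the app ID it was
    registered for, and the key refuses to sign for any other app ID."""

    def __init__(self):
        self._creds = {}

    def register(self, app_id):
        handle, key = secrets.token_hex(8), os.urandom(32)
        self._creds[handle] = (app_id, key)
        return handle, key  # the server keeps 'key' (it would keep a public key in real U2F)

    def sign(self, handle, app_id, client_data):
        bound_app_id, key = self._creds[handle]
        if bound_app_id != app_id:
            raise PermissionError("key handle was not registered for this app ID")
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
        return hmac.new(key, msg, hashlib.sha256).digest()


def browser_sign(auth, handle, app_id, challenge, page_origin):
    """Browser side: refuses an app ID that does not belong to the page's origin,
    and always writes the origin it actually loaded into the signed client data."""
    if urlparse(app_id).hostname != urlparse(page_origin).hostname:
        raise PermissionError("app ID does not match page origin")
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
    return client_data, auth.sign(handle, app_id, client_data)


class Server:
    def __init__(self, origin, otp_secret):
        self.origin, self.otp_secret, self.u2f_keys = origin, otp_secret, {}

    def issue_challenge(self):
        return secrets.token_urlsafe(32)

    def verify_otp(self, code, now):
        # Nothing here ties the code to the site it was typed into.
        return hmac.compare_digest(code, totp(self.otp_secret, now))

    def verify_u2f(self, handle, challenge, client_data, signature):
        data = json.loads(client_data)
        if data.get("origin") != self.origin or data.get("challenge") != challenge:
            return False  # signed for another site, or not for the challenge we issued
        msg = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data.encode()).digest()
        expected = hmac.new(self.u2f_keys[handle], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def otp_through_proxy(server, user_otp_secret, now):
    """Modlishka-style relay: the code the victim types on the phishing page is
    forwarded unchanged to the real site, which cannot tell where it was typed."""
    code_typed_on_phish_page = totp(user_otp_secret, now)
    return server.verify_otp(code_typed_on_phish_page, now)


def u2f_through_proxy(server, auth, handle):
    """The same relay against U2F. The proxy can forward the real challenge, but
    the browser sees PHISH_ORIGIN; returns the reason each variant fails."""
    challenge = server.issue_challenge()
    reasons = []
    for app_id in (server.origin, PHISH_ORIGIN):  # app ID passed through, or rewritten by the proxy
        try:
            browser_sign(auth, handle, app_id, challenge, PHISH_ORIGIN)
            reasons.append("unexpected success")
        except PermissionError as err:
            reasons.append(str(err))
    return reasons


if __name__ == "__main__":
    auth, server = Authenticator(), Server(REAL_ORIGIN, otp_secret=b"constructed-seed")
    handle, key = auth.register(REAL_ORIGIN)
    server.u2f_keys[handle] = key
    challenge = server.issue_challenge()
    print("legit U2F login:", server.verify_u2f(handle, challenge, *browser_sign(auth, handle, REAL_ORIGIN, challenge, REAL_ORIGIN)))
    print("OTP via proxy:", otp_through_proxy(server, b"constructed-seed", 1_700_000_000))
    print("U2F via proxy:", u2f_through_proxy(server, auth, handle))
```

The proxy loses twice. If it passes the real site's app ID through, the browser refuses to use it from a page on a different origin; if it rewrites the app ID to its own origin, the key has no credential bound to that ID and refuses to sign. Even a proxy that somehow obtained an assertion would hand the real site client data naming the phishing origin, which the server rejects before it looks at the signature. The OTP, by contrast, is just six digits with no notion of where they were entered.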

Ideally, you need to buy and enrol two (one being a backup), which could cost around £40 ($50). We’d argue the investment is well worth it given how many sites you can secure with one key.

If you think this type of security sounds expensive, consider the cost of a phished email, Facebook or Twitter account that you can’t access or reset.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zhM_olDJMy8/

Old tweets reveal hidden secrets

Old Twitter posts could reveal more about you than you think, according to a research paper released this month. Tweets could reveal places you visited and things you did, even if you didn’t explicitly mention them.

Researchers from the Foundation for Research and Technology in Greece and the University of Illinois found all this out after writing a tool called LPAuditor. The software mines publicly available tweet data that anyone can download from Twitter via its application programming interface (API).

Using the tool, they analyzed the metadata – hidden information about a tweet embedded in the post – to identify users’ homes, workplaces and sensitive places that they visited. In dozens of cases, they were also able to identify the users behind anonymous Twitter accounts.

In the paper, entitled Please Forget Where I Was Last Summer: The Privacy Risks of Public Location (Meta)Data, the researchers said:

even if users are cautious and nothing sensitive is disclosed in the tweets, the location information obtainable with our duration-based approach can result in significant privacy loss.

The insecurity stems from historical Twitter data posted prior to April 2015. Before this date, if a user geotagged themselves in a broad area such as a city, the social network embedded their exact GPS coordinates in the tweet’s metadata. Users simply looking at the Twitter app or web site would not have been aware of this because it only shows up in the raw data obtained via the API. Although Twitter stopped embedding this data in 2015, the historical information is still publicly available via the API.

The researchers took the GPS coordinates in the historical data and used publicly available geolocation services to map them to an address. They then grouped tweets mapped to the same address into clusters and used the timestamps to work out how often, and at what times, the user tweeted from each location.

The team used some basic assumptions about home life in the US to identify home addresses, such as the tendency to leave in the morning and return at night and to be there a lot at weekends. It used similar assumptions about working hours to identify where Twitter users worked, and even accounted for variations like night shifts.

The researchers also mapped the GPS coordinates of users’ other tweets against other addresses and venues listed in Foursquare. This told them which other locations users were likely to have tweeted from. From that, they created potentially sensitive clusters (PSCs) indicating sensitive locations that users probably visited.

They did all of this without even looking at the actual content of the tweets, but by correlating this metadata with that content they could get an even clearer picture of what the user was doing. By looking for phrases like “at home” or “at work”, they could confirm that a location was a home or work address.

Similarly, by looking for lists of keywords related to medical, religious and sex or nightlife activities, they could confirm that a user was at a sensitive location engaged in a particular activity even though the tweet didn’t explicitly mention that place or behaviour. They explained in the paper:

In one case, the user expressed negative feelings about his/her doctor, while the GPS coordinates place the user in the office of a mental health professional. In another example, the user complained about some blood tests, while being geo-located at a rehab center.
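The clustering and duration heuristics described above can be sketched in a few dozen lines. The following is an added example written for this page, not LPAuditor or any code from the paper: it takes a constructed two-week timeline of tweets with exact coordinates in their metadata, groups them by location, uses time-of-day and day-of-week patterns to pick home and work, and then checks the remaining clusters and the tweet text against keyword lists. The coordinates, the rounding-to-a-grid stand-in for geocoding, the hour boundaries and the keyword lists are all assumptions chosen for illustration.

```python
# Added example for this page, not LPAuditor or the paper's code. The tweet
# timeline, coordinates, hour boundaries and keyword lists are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed places (downtown Chicago coordinates, chosen arbitrarily).
HOME = (41.8781, -87.6298)
WORK = (41.8827, -87.6233)
CLINIC = (41.8900, -87.6200)
BAR = (41.8950, -87.6350)

SENSITIVE_KEYWORDS = {   # assumed lists, following the paper's medical/religious/nightlife split
    "medical": ("doctor", "blood test", "clinic", "therapist", "rehab"),
    "religious": ("church", "mosque", "synagogue", "temple"),
    "nightlife": ("bar", "club", "drunk", "shots"),
}


def place_key(lat, lon, decimals=3):
    """Stand-in for the geocoding step: three decimals is roughly a 100 m cell,
    so tweets from the same building collapse into one cluster."""
    return (round(lat, decimals), round(lon, decimals))


def is_home_time(ts):
    """Evenings, early mornings and weekends: when people tend to be at home."""
    return ts.weekday() >= 5 or ts.hour >= 21 or ts.hour < 8


def is_office_time(ts):
    return ts.weekday() < 5 and 9 <= ts.hour < 18


def audit(tweets, min_days=3):
    """Infer home, work and potentially sensitive places from tweet metadata,
    then confirm with the tweet text, as the paper's pipeline does."""
    clusters = defaultdict(list)
    for t in tweets:
        clusters[place_key(t["lat"], t["lon"])].append(t)
    stats = {}
    for key, items in clusters.items():
        stamps = [t["created_at"] for t in items]
        stats[key] = {
            "days": len({ts.date() for ts in stamps}),   # duration, not just tweet count
            "home_time": sum(is_home_time(ts) for ts in stamps),
            "office_time": sum(is_office_time(ts) for ts in stamps),
            "text": " ".join(t["text"].lower() for t in items),
        }
    # Home and work must recur across several days; one-off visits never qualify.
    recurring = [k for k, s in stats.items() if s["days"] >= min_days]
    home = max(recurring, key=lambda k: stats[k]["home_time"], default=None)
    work = max((k for k in recurring if k != home), key=lambda k: stats[k]["office_time"], default=None)
    sensitive = {}
    for key, s in stats.items():
        if key in (home, work):
            continue
        cats = [c for c, words in SENSITIVE_KEYWORDS.items() if any(w in s["text"] for w in words)]
        if cats:
            sensitive[key] = cats
    return {
        "home": home,
        "work": work,
        "home_confirmed": home is not None and "at home" in stats[home]["text"],
        "work_confirmed": work is not None and "at work" in stats[work]["text"],
        "sensitive": sensitive,
    }


def constructed_timeline(start=datetime(2014, 6, 2)):
    """Two weeks of synthetic pre-April-2015-style tweets: exact coordinates
    sit in the metadata even though the user only ever tagged a city."""
    tweets = []

    def add(day, hour, minute, place, text):
        tweets.append({"created_at": start + timedelta(days=day, hours=hour, minutes=minute),
                       "lat": place[0], "lon": place[1], "text": text})

    for day in range(14):
        if (start + timedelta(days=day)).weekday() < 5:
            add(day, 7, 15, HOME, "coffee before the commute")
            add(day, 10, 0, WORK, "long day at work ahead")
            add(day, 15, 30, WORK, "meetings all afternoon")
            add(day, 22, 30, HOME, "finally at home")
        else:
            add(day, 11, 0, HOME, "lazy weekend")
            add(day, 20, 0, HOME, "movie night")
    add(1, 14, 0, CLINIC, "sick of these blood tests")   # never names the clinic
    add(5, 23, 30, BAR, "one more round at the bar")
    return tweets


if __name__ == "__main__":
    print(audit(constructed_timeline()))
```

Nothing in the text of the clinic tweet says where the user was; the coordinates say it, and the keyword merely confirms the category. That is the paper's point about "duration-based" inference: the recurring, time-patterned clusters give away home and work, and whatever is left over is where the sensitive visits hide.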

Not only were the researchers able to infer more about users from their tweets, but they could also identify many anonymous Twitter accounts, the paper said. They added that third parties could use the same data to identify users and infer things about their behaviour. Those third parties could range:

…from a repressive regime de-anonymizing an activist’s account to an insurance company inferring a customer’s health issues, or a potential employer conducting a background check.

Twitter does allow people to go back and delete tweets or remove their location data retroactively. The problem is that because the data is available to the public, data brokers and other third parties are likely to already have copies of it.

Removing the location data from your own tweets won't stop third parties that already hold copies from tracking you:

Twitter’s invasive privacy policy cannot be dismissed as a case of a vulnerability that has been fixed. As long as this historical data persists online, users will continue to face the significant privacy risks that we have highlighted in this paper.

In short, what happens in Vegas may not always stay in Vegas. If you tweeted it, it could well have gone everywhere.

The researchers will present their paper at the Network and Distributed System Security Symposium (NDSS) next month.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/bUjELz1OQ7o/

No plain sailing for Anon hacktivist picked up by Disney cruise ship: 10 years in the cooler for hospital DDoS caper

Five months after he was found guilty of orchestrating a distributed denial-of-service attack against US healthcare providers, the self-styled Anonymous hacker Martin Gottesfeld has been sentenced to 121 months in prison.

In 2014, Gottesfeld knocked Boston Children’s Hospital and the Wayside Youth Family Support Network offline and disrupted computer systems for days, all to draw attention to a messy custody battle over Connecticut teenager Justina Pelletier. She was staying at Wayside at the time.

The teen had been diagnosed with a rare disease at Tufts Medical Center; doctors at Boston Children's Hospital, however, believed her condition was psychological and accused her parents of medical child abuse. With a judge's permission, the docs took custody of her in Massachusetts, away from her friends and family. She was eventually returned to her parents 16 months later, by order of the courts.

After the FBI tracked down the Anon miscreant and raided his home, Gottesfeld and his wife attempted to flee capture in a sailboat, but neither of them were up to the task of navigating the Caribbean. First, he was blown off course, then rescued by a Disney cruise ship and handed over to the Feds in Florida.

Last August, the computer engineer was found guilty of conspiring to damage computers by a Massachusetts jury. In sentencing this week, District Judge Nathaniel Gorton described Gottesfeld’s crime as “contemptible, invidious and loathsome,” and in addition to the ten-year stretch in the clink, the judge ordered him to cough up $443,000 in restitution. Assistant US Attorney David D’Addio had described Gottesfeld as a “self-aggrandizing menace.”

Excuse … Gottesfeld's note to the court (image not reproduced)

In a handwritten letter to the court last May, it’s clear Gottesfeld – who represented himself at trial – was convinced he was doing the right thing by attacking the hospital networks. The 34-year-old alleged that Justina’s plight was a “crime against humanity” that was being covered up by federal prosecutors, and somehow associated the saga with the suicide of internet activist Aaron Swartz.

According to a Reuters report, Gottesfeld plans to appeal, and said he had no regrets. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/opjustina_hacker_ten_years/

Huawei sales director nicked in Poland on suspicion of ‘spying’

Polish authorities have reportedly arrested Huawei’s sales director and an ex-security agency staffer on allegations of spying.


National media reported that two people had been arrested, one of whom is reported to be a sales director at the Chinese hardware supplier.

According to media outlet TVP, the other was a Polish national who used to work at the country’s internal security agency (Agencja Bezpieczeństwa Wewnętrznego, ABW) and more recently Orange.

TVP said the pair had been charged under Polish espionage laws, and state news agency PAP said they would be detained for three months.

The arrests come amid escalating concern among Western governments about the Chinese company's activities.

Western intelligence agencies have alleged that Huawei's kit could be used to spy on other governments, claims the firm has strenuously and repeatedly denied.

Nonetheless, intelligence bods have recommended banning the kit, and official blocks are in place for state-funded projects in the US, Australia and New Zealand.

FBI director Chris Wray said in February 2018 that US agencies were concerned about allowing a company "that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks".

And in December, Huawei’s CFO was arrested by Canadian police, amid allegations she broke sanctions on selling equipment to Iran – something the firm again denied.

Of the latest reported arrest of its staff, Huawei said in a statement to Reuters that it was “aware of the situation, and we are looking into it. We have no comment for the time being.”

It added: “Huawei complies with all applicable laws and regulations in the countries where it operates, and we require every employee to abide by the laws and regulations in the countries where they are based.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/poland_reportedly_arrests_huawei_official_for_spying/

Medical advice app Your.MD could have been tampered with by anyone, alleges ex-veep

A former vice president of medical app Your.MD has claimed “false information could be fed into the diagnostic system” as a result of security failings in the software’s backend.

Randeep Sidhu is claiming he was unfairly dismissed from his £110,000 post as Your.MD’s deputy veep of product after making legally protected disclosures about the state of the software back in 2017.

The app itself lets users input symptoms of illness and then suggests potential diagnoses and presents medical information. Judging by its “About” page, it appears to draw some of its responses from the NHS Choices medical info website.

Sidhu told the Central London Employment Tribunal that Your.MD execs Matteo Berlucchi (chief exec) and Alessandro Traverso (chief operating officer) ignored warnings about the app’s medical safety in what he described as a rush to launch its version 3 in late 2017.

“I was being neutered from discussing [the problems] publicly. I was told not to raise anything in front of anyone,” Sidhu told the tribunal yesterday.

Your.MD’s barrister, Gavin Mansfield QC, challenged Sidhu’s assertion by suggesting that doctors advising the app firm were the ones raising concerns, saying: “That was an issue that doctors were raising, not you.”

“No,” replied Sidhu. “The doctors were raising it. I was also raising it.”

Is it truly vulnerable if it’s not on Google?

During further cross-examination this morning, Sidhu claimed that Your.MD’s execs ignored specific information about security concerns he raised with them, saying these were “underlying issues” from previous versions of the app that “hadn’t been dealt with yet”. He said that he had raised the infosec concerns as part and parcel of his worries over the medical safety of advice given out by the app.

“Data security is an important part of medical safety. Revealing a patient’s data is absolutely an issue of medical safety. A patient being misdiagnosed with something because of a data security issue: that’s a medical problem,” he told the tribunal’s three-strong panel.

Mansfield responded by saying: “A patient wouldn’t have been misdiagnosed because of a data security issue,” to which Sidhu riposted: “False information could be fed into the diagnostic system which could result in someone having the wrong diagnosis.”

Although Sidhu said the internal Your.MD database powering the app, Alexandria, “is exposed to the internet”, Mansfield commented that “it doesn’t come up in a search”.

“That doesn’t necessarily make it safe,” replied Sidhu.

“Someone would have to know the URL to find that database,” said Mansfield, to which Sidhu replied: “Correct.”

“And it doesn’t come up on a Google search,” continued Mansfield.

Sidhu, who was seated in the centre of the room between each side's barristers, facing the judges, replied: "Just because something isn't available on Google doesn't mean it isn't discoverable. Bank server URLs aren't publicly available on Google but it's not impossible for hackers to find those URLs. The app would help identify that."

Did you raise it at the time, or are you merely telling us that’s what you did?

Returning to the purpose of the cross-examination – to find out whether Sidhu had truly raised these concerns at an internal meeting on 17 October 2017, as he claims – Mansfield pointed out that Sidhu’s “pleaded case is that [version 3 of the app] was released before it was safe to do so. It is not that you raised any security issues at that meeting.”

The former veep said he’d “highlighted that there [were] security concerns and medical concerns that hadn’t been addressed. Did I individually detail each part of the system that’s broken? No.”

Employment Judge Goodman, chairwoman of the panel, intervened: “What we want to know is what you said… you may not remember the exact words but [what we want is] the level of detail.”

Picking his words carefully, Sidhu replied to the judge by saying: “I did not go into the level of detail in the apps where it says Alexandria is, blah blah, technical detail is not what I went into. Because it was not a forum where it was appropriate to raise that level of technical detail.”

A triumphant Mansfield then pinned Sidhu to his witness statement. “If you mentioned those concerns you would have put them in your witness statement at paragraph 132. That’s right, isn’t it?”

Paragraph 132 of Sidhu’s witness statement, as seen by The Register, described how, during a management meeting, he was asked to give a presentation to staff emphasising company values such as “honesty” and “clinical safety and service”. The final two sentences said: “During the meeting, I questioned how the company values corresponded with Your.MD’s recent decision to release the V3 App when it was not ready as explained at paragraph 90 above and not fully safe for potential users. This concern was also shared by the medical team.”

Paragraph 90 described how doctors advising Your.MD “had made a plan about what countries it was safe to release the App” [sic] and also said that Sidhu “questioned how the company values corresponded with Your.MD’s decision to release the V3 app in particular countries where it had not been approved for release”.

Sidhu replied to Mansfield: “Like I said, clinical safety, in my mind, [was] congruent to what I said. We’re looking at these as 3 or 4 separate things. If we’re talking about them, particularly security concerns, they’d be described together… there was existing security concerns that weren’t being addressed.”

A dogged Mansfield, crossing his arms and leaning back in his seat, concluded: "You didn't say that, you didn't raise existing security concerns. You raised concerns about the decision to release the V3 app… none of this was said on the 17th October, the safety, the medical concerns. None of it is true."

In addition to unfair dismissal, Sidhu also claimed he was subject to whistleblowing detriment, direct discrimination and harassment because of race and sexual orientation, among other things. In his grounds of claim he described himself as “a British Indian homosexual man”.

The tribunal panel was made up of Employment Judge Mrs S Goodman, assisted by lay members Mr D Eggmore and Mrs J Cameron. Barrister Andrew Hochhauser QC represented Sidhu. The case continues. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/your_md_employment_tribunal_security_concerns/

Dozens of .gov HTTPS certs expire, webpages offline, FBI on ice, IT security slows… Yup, it’s day 20 of Trump’s govt shutdown

The IT impact of the ongoing partial US federal government shutdown has begun to show up in the form of degraded computer security. According to internet services biz Netcraft, more than 80 TLS certificates used on .gov websites have expired and have not been renewed.

That’s caused a bunch of HTTPS-protected .gov sites to become inaccessible or throw up browser errors. Meanwhile, some websites, such as NIST.gov, have been scaled back due to the funding freeze.

Not all of those certificates lapsed after the shutdown began on December 22, 2018. A US Justice Department website, for example, sports a TLS certificate from web registrar Go Daddy that expired on December 17, 2018, five days before the funding freeze.

Other websites sport more recently lapsed certs: the certificate for NASA’s Rocket Test website expired on January 5, 2019, and the Lawrence Berkeley Lab website’s certificate expired on January 8, 2019.

Because of the expired certificates, would-be visitors may find it difficult to reach the affected websites, or may be kept away entirely by scary browser warning messages.

In theory, Netcraft observes, HTTP Strict Transport Security (HSTS) should stop this: a modern browser that already holds an HSTS policy for a host (cached from an earlier valid visit, or built into its preload list) refuses to let the user click through a certificate error at all. But many government websites do not set HSTS, or set it too weakly to be cached or preloaded, so visitors to those sites can still bypass the warning. A warning that can be clicked past for an expired certificate can equally be clicked past for an attacker’s forged one, which is what raises the possibility of man-in-the-middle attacks.
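The two checks that observation turns on, an expired certificate and an HSTS policy the browser would still honour, can be modelled offline. The following is an added example written for this page, not Netcraft’s tooling or anything from the sites named above; it uses the standard library’s `ssl.cert_time_to_seconds` for the `notAfter` format `getpeercert()` returns, parses the `Strict-Transport-Security` header per RFC 6797, and applies the best case for a cached policy (the browser last refreshed it at the moment the certificate was still valid). The hostnames, dates and headers in `SITES` are constructed sample data, not real .gov measurements.

```python
"""Would a browser let a user click through this expired-cert warning?
Combines certificate expiry with the HSTS policy a browser could hold.
Added example; sample inputs are constructed, not real .gov data."""
import ssl
from typing import Optional

ONE_YEAR = 31_536_000  # preload lists require max-age of at least one year


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns None when the header is invalid, which a browser treats as no
    policy: missing max-age, non-numeric max-age, or a duplicated directive."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        val = val.strip().strip('"')         # delta-seconds may be a quoted-string
        if name in seen:
            return None                      # duplicate directive -> whole header invalid
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if policy["max_age"] is None:
        return None
    return policy


def hsts_quality(header: Optional[str]) -> str:
    """Classify a header the way an HSTS audit would."""
    if header is None:
        return "absent"
    policy = parse_hsts(header)
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disabled"                    # max-age=0 tells browsers to forget the host
    if policy["max_age"] < ONE_YEAR:
        return "short"
    if policy["include_subdomains"] and policy["preload"]:
        return "preloadable"
    return "ok"


def seconds_until_expiry(not_after: str, now: float) -> float:
    """not_after uses the ssl.getpeercert() form, e.g. 'Jan  5 00:00:00 2019 GMT'."""
    return ssl.cert_time_to_seconds(not_after) - now


def warning_bypassable(site: dict, now: float) -> bool:
    """True when a browser would show a certificate error the user can click past.
    Browsers ignore STS headers received over a connection with certificate
    errors, so only a policy cached before expiry (or a preload entry) counts."""
    remaining = seconds_until_expiry(site["not_after"], now)
    if remaining > 0:
        return False                         # certificate still valid: no warning at all
    if site["preloaded"]:
        return False                         # preload entry never lapses
    policy = parse_hsts(site["hsts"]) if site.get("hsts") else None
    if policy is None or policy["max_age"] == 0:
        return True
    # Best case: the policy was last refreshed just before the cert expired and
    # lapses from the browser's cache max-age seconds later.
    return policy["max_age"] < -remaining


# Constructed sample mirroring the shapes in the article: one cert that expired
# before the shutdown, two that expired during it, one still valid.
NOW = ssl.cert_time_to_seconds("Jan 11 12:00:00 2019 GMT")   # assumed "today"
SITES = {
    "doj.example":    {"not_after": "Dec 17 00:00:00 2018 GMT", "hsts": None, "preloaded": False},
    "rocket.example": {"not_after": "Jan  5 00:00:00 2019 GMT", "hsts": "max-age=300", "preloaded": False},
    "lab.example":    {"not_after": "Jan  8 00:00:00 2019 GMT",
                       "hsts": "max-age=31536000; includeSubDomains; preload", "preloaded": True},
    "nvd.example":    {"not_after": "Mar  1 00:00:00 2019 GMT", "hsts": "max-age=31536000", "preloaded": False},
}


def report(sites: dict = SITES, now: float = NOW) -> dict:
    """Per-host summary: days until (negative: since) expiry, HSTS grade, click-through risk."""
    return {
        host: {
            "days_left": round(seconds_until_expiry(s["not_after"], now) / 86400, 1),
            "hsts": hsts_quality(s.get("hsts")),
            "bypassable": warning_bypassable(s, now),
        }
        for host, s in sites.items()
    }


if __name__ == "__main__":
    for host, row in report().items():
        print(f"{host:16} {row['days_left']:7} days  hsts={row['hsts']:12} bypassable={row['bypassable']}")
```

The `rocket.example` row is the interesting one: it does send HSTS, but a five-minute `max-age` lapsed from every visitor’s cache within minutes of the certificate expiring, so it offers no more protection than sending nothing. Only a policy of a year or more, or a preload entry, turns an expired certificate into a hard block rather than a click-through.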

The partial government shutdown arises from President Trump’s insistence that Congress pass a national budget that includes $5.7bn for the border wall he previously said would be paid for by Mexico. The Democrats now in control of the US House of Representatives have rejected Trump’s plan, and there’s no evident interest in a compromise at the moment. As a result, roughly 400,000 federal government employees are expected to continue working without pay, and another 400,000 are barred from work, again unpaid, as they are deemed non-essential.

With government agencies limiting operations, including the Departments of Agriculture, Commerce, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, State, Transportation, and the Treasury, not to mention the Environmental Protection Agency, official inattention is magnifying security risks.

As the funding freeze loomed last month, DHS issued shutdown guidance saying it expected only 2,008 of the 3,531 employees in its recently formed Cybersecurity and Infrastructure Security Agency (CISA) to remain on duty in the absence of funding. That means a lot of IT security work will be left undone. While a skeleton staff remains at NIST to keep the National Vulnerability Database and its time servers running, the majority of employees were sent home and its website pared back, somewhat hampering security research.

On Thursday, the FBI Agents Association, a group that represents almost 13,000 active-duty FBI Special Agents, sent a petition to the White House and Congressional leaders warning of the shutdown’s impact on the bureau. Although some agents continue to work, albeit unpaid, while thousands of fellow bureau workers remain at home, their resources and investigations are limited.

Noting that FBI workers will not be paid on Friday, January 11, as they should be, the petition asks for elected leaders to fund agency operations “before financial insecurity compromises national security.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/11/government_shutdown_security/