
Tag: spokeswoman

Ex-feds confident Comey’s devices and files are safe, even if FBI...

"E-mail accounts and individual hard drives should be archived."

Meet Greyhound.com, the site that doesn’t allow password changes

Greyhound allows four-digit PINs and stores them in plaintext.

Square hires away Yik Yak engineering team, leaving startup on life...

Square spokeswoman: “We have no comment on this.”

This year’s H-1B cap is quickly reached — and exceeded

The U.S. Citizenship and Immigration Service (USCIS) said Friday that the H-1B cap for FY 2018 has been reached.

The agency will now hold a computer-generated lottery to distribute the visas. The USCIS didn't say how many visa petitions it received, ...

Already on probation, Symantec issues more illegit HTTPS certificates

A security researcher has unearthed evidence showing that three browser-trusted certificate authorities owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates.
In some cases, those certificates made it possible to spoof HTTPS-protected websites. One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who verify rightful control of the affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate.

These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners.

The remaining 99 certificates were issued without proper validation of the company information in the certificate. Many of the improperly issued certificates—which contained the string "test" in various places in a likely indication they were created for test purposes—were revoked within an hour of being issued.
Still, the move represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing. Even when CA-issued certificates are discovered to be fraudulent and revoked, they can still be used to make browsers accept an impostor site.

The difficulty browsers have in blacklisting revoked certificates in real-time is precisely why industry rules strictly control the issuance of such credentials.

There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is. "Chrome doesn't [immediately] check certificate revocation, so a revoked certificate can be used in an attack just as easily as an unrevoked certificate," Ayer told Ars. "By default, other browsers fail open and accept a revoked certificate as legitimate if the attacker can successfully block the browser from contacting the revocation server." ("Fail open" is a term that means the browser automatically accepts the certificate in the event the browser can't access the revocation list.) The nine certificates issued without the domain name owners' permission affected 15 separate domains, with names including wps.itsskin.com, example.com, test.com, test1.com, test2.com, and others.

Three Symantec-owned CAs—known as Symantec Trust Network, GeoTrust Inc., and Thawte Inc.—issued the credentials on July 14, October 26, and November 15.

The other 99 certificates were issued on many dates between October 21 and January 18.
In an e-mail, a Symantec spokeswoman wrote: "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information." This is the second major violation of the so-called baseline requirements over the past four months.

Those requirements were mandated by the CA/Browser Forum, an industry group made up of CAs and the developers of major browsers that trust them.
In November, Firefox recommended the blocking of China-based WoSign for 12 months after that CA was caught falsifying the issuance date of certificates to get around a prohibition against use of the weak SHA1 cryptographic hashing algorithm. Other browser makers quickly agreed. Ayer discovered the unauthorized certificates by analyzing the publicly available certificate transparency log, a project started by Google for auditing the issuance of Chrome-trusted credentials. Normally, Google requires CAs to report only the issuance of so-called extended validation certificates, which offer a higher level of trust because they verify the identity of the holder, rather than just the control of the domain.

Following Symantec's previously mentioned 2015 mishap, however, Google required Symantec to log all certificates issued by its CAs. Had Symantec not been required to report all certificates, there's a strong likelihood the violation never would have come to light.

General Electric plays down industrial control plant vulnerabilities

Only a local hacker in a facility would be able to run an attack

General Electric (GE) has pushed out an update to its industrial control systems following the discovery of vulnerabilities that create a way for hackers to steal SCADA system passwords. Potential exploits based on the vulnerabilities could be abused to cause process flow disruptions in power stations, utility providers and factories, according to Positive Technologies, the security firm that discovered the flaws. A spokeswoman for GE Digital played down the vulnerabilities, which she said can't be exploited remotely. Only a local hacker in a plant or facility would have been in a position to run an attack, she said, adding that there had been no signs of exploitation.

Line-up

The CVE-2016-9360 vulnerability (CVSS v3[1] score 6.4) makes it possible for an attacker to gain access to legitimate sessions, intercepting user passwords locally.

General Electric's Proficy HMI/SCADA iFIX 5.8 SIM 13[2], Proficy HMI/SCADA CIMPLICITY 9.0[3], Proficy Historian 6.0[4] and their previous versions are vulnerable. Another flaw makes it possible for an attacker or malware with local access to obtain industrial database passwords. iFIX 5.8 (Build 8255) and previous versions are vulnerable. A third vulnerability makes it possible for a local attacker to block the authorisation of the application in the realtime database, causing either a failure in reading and recording history or database inoperability.
The industrial database Proficy Historian Administrator 5.0.195.0 needs updating in response to this flaw. Positive Technologies also claimed to have discovered a critical fault in a security mechanism of all three systems related to the use of standard passwords during network access authorisation.

This allows remote access to industrial process control, the security firm warns.

GE disputes this saying that the flaws, which were resolved in December, present only a local hack risk. Proficy HMI/SCADA iFIX needs to be updated to version 5.8 SIM 14, Proficy HMI/SCADA CIMPLICITY to version 9.5, and Proficy Historian to version 7.0. The vulnerabilities were reported to GE on July 31, 2015.

The install base of the Proficy product family (CIMPLICITY, iFix, Historian) is in the thousands, and they are deployed across multiple industries. An update from ICS-CERT this week explaining the flaws in more detail can be found here.

UK’s largest hospital trust battles Friday 13th malware outbreak

Plug pulled on Barts Health computer gear to prevent cyber-disease spread

Malware has infected hospital computers at the UK’s biggest NHS trust. Barts Health, which runs six London hospitals, shut down parts of its network on Friday to prevent the spread of the as-yet-unidentified software nasty.

The organization oversees Mile End Hospital, Newham University Hospital, The Royal London Hospital, St Bartholomew's Hospital, The London Chest Hospital, and Whipps Cross University Hospital. A spokeswoman for the group confirmed to El Reg that it pulled the plug on IT gear as a precaution, and said earlier rumors of a ransomware outbreak were completely false. Patient care has not been affected, she added before pointing us to this statement on the security cockup:

On 13 January, Barts Health became aware of an IT attack. We are urgently investigating this matter and have taken a number of drives offline as a precautionary measure. We have already established that the Cerner Millennium patient administration system and the clinical system used for Radiology are not affected. We have tried-and-tested contingency plans in place and are making every effort to ensure that patient care will not be affected.

Aatish Pattni, head of threat prevention in northern Europe for Check Point, said: “This attack could be the result of an employee inadvertently clicking the wrong link in an email, or may be a targeted attack against the trust.” Malware infections at NHS hospitals are rare but far from unprecedented.

Barts itself has been a victim before: in November 2008, PCs at three of its hospitals were knocked offline following an infection by the MyTob worm.

The malware outbreak forced the hospitals to briefly reroute ambulances and disrupted hospital administration while the software nasty was contained.

Man claims Uber driver “left him in a pool of blood”...

A New Jersey man sued Uber on Thursday for negligence, fraud, and assault, among other accusations.
In the lawsuit, Joseph Fusco claimed that he was "nearly beaten to death” after his driver refused to drive him from Philadelphia, Pennsylvania to his home in Cherry Hill, New Jersey, about nine miles away. Uber has faced legal battles previously over alleged incidents of violence perpetrated by drivers against passengers. According to the 34-page civil complaint, on the evening of December 22, 2016, Fusco was attending a private party at a Philadelphia sports bar with his colleagues from Allied Universal and other public safety officials from the University of Pennsylvania. By 11:00pm, Fusco decided to go home, and called for an Uber, but seemingly did not put in his destination immediately.

After the driver asked where he was going, Fusco replied: “Jersey.” When the driver responded: “I am not driving to New Jersey,” Fusco repeated his request a second time. As Fusco alleged: The Uber Driver then opened the door, exited the vehicle and walked around the back of the car.

The Uber Driver then opened the front passenger door and dragged Plaintiff out of the front seat by his coat collar.

The Uber Driver severely beat Plaintiff and left him in a pool of blood on the pavement in the freezing cold.

The Uber Driver stomped and kicked Plaintiff in the face and head while he was already unconscious, which upon information and belief, is captured on surveillance video. Fusco was eventually found unconscious by two bystanders, who called 911 and had him taken to a nearby hospital. The complaint alleges that Uber has refused to provide authorities with relevant information of the driver as part of the investigation into this case. The lawsuit also claims that Uber makes a “deceitful pledge to rider safety,” by not adequately conducting background checks on its drivers, and by not fully cooperating with law enforcement. Uber spokeswoman Sophie Schmidt told Ars that the company would not “comment on active litigation.” However, she did confirm that the rider reported the incident to the company on December 23, and added that the driver was “immediately removed.” Schmidt also noted that the company had been in “ongoing contact with law enforcement since they reached out last month and are fully supporting their investigation,” but did not elaborate further. Fusco’s attorney, Matthew Luber, did not immediately respond to Ars’ request for comment.

Man who fired laser pointer at Washington ferry to only pay...

Mark Raden was on board the Washington State Ferry Kitsap (pictured) when he fired the laser in October 2015.

A United States Coast Guard Hearing Officer has issued a final $9,500 civil penalty against a Washington man who fired a blue laser at a state ferry in October 2015.

The fine marks a notable reduction from the preliminary penalty of $100,000 issued in April 2016. According to a Tuesday statement by the Coast Guard, Mark Raden of Freeland, Washington, was on board the Washington State Ferry Kitsap, traveling between Mukilteo and Clinton, when he fired a laser at the adjacent WSF Tokitae.

The vessel’s master and chief mate were hit in the eyes, which reportedly endangered all 106 passengers. "Originally there were multiple charges that brought the maximum amount to $100,000 [as] referenced in the original release," Petty Officer 2nd Class Ali Flockerzi, a USCG spokeswoman, told Ars. "Ultimately the hearing officer has the final say and chose to only pursue the one charge for 'interfering with the safe operation of a vessel' and assessed a fine of $9,500." According to the USCG, Raden also has a “history of lasering incidents,” and pleaded guilty to related charges in Island County Superior Court, where he was ordered to serve 15 days in jail, perform 240 hours of community service, and pay $3,740.89 in restitution to the master and chief mate. Such a penalty, with practically no jail time, is far lighter than those handed to other criminal defendants in laser cases involving aircraft, who faced federal criminal prosecution.

Those cases have often resulted in sentences of one to two years. (Ars recently profiled the case of Barry Bowser, a man in Bakersfield, California, who was sentenced to 21 months in prison after being convicted at trial of knowingly aiming a laser pointer at an aircraft.) "Interfering with the safe operation of a vessel, particularly a large passenger vessel, endangers all of those on board and can also result in significant environmental impacts," Cmdr. Darwin Jensen, Coast Guard Sector Puget Sound chief of prevention, said in the Tuesday statement. "This one person's irresponsible actions could have had a much more tragic outcome for the passengers of the Tokitae as the vessel was preparing to arrive in Clinton.

The Coast Guard will pursue appropriate criminal or civil enforcement actions against anyone who interferes with the safe operation of vessels."

Fed up with their employer’s scam, two Indian call center workers...

This is a call center in New Delhi, India, not the Phoenix 007 operation that was busted.

Last year’s unraveling of the massive India-based telephone scam ring may have been helped by a phone call to a Federal Trade Commission lawyer. According to a Tuesday report in The New York Times, the bust seemingly was aided by the efforts of two teenage employees from one of the companies.

The pair blew the whistle on their former employer, the Phoenix 007 call center that's based outside of Mumbai.

The workers reached Betsy Broder of the FTC after being shuffled from the Internal Revenue Service's main switchboard. Indian and American authorities believe that this call center, along with several others, was part of a massive ring to call Americans in the United States and trick them into ponying up thousands of dollars in fraudulent fees.

This criminal operation is believed to have resulted in hundreds of millions of dollars in losses. Possibly as a result of the efforts of these two young men, Jayesh Dubey and Pawan Poojary, their call center was raided by Indian authorities. (The Times also reported the men’s claim that they helped with the takedown is “unfounded, according to Indian and American investigators, who said that the raid in Thane was carried out entirely by the local police without assistance from American officials.

The Thane police said their informant was not employed by the swindlers.”) Weeks later in October 2016, federal authorities in Texas unsealed criminal charges against dozens of people who are accused of being part of a massive criminal enterprise based around theft, wire fraud, and impersonating government officials. Of those suspects, 20 were arrested in the US, where their criminal cases are ongoing in federal court in Houston. Two of the named US-based suspects, Jerry Norris, of Oakland, California, and Jagdishkumar Chaudhari, of Sarasota, Florida, remain at large. Erica Lacy, a spokeswoman for the Department of Justice, told Ars on Wednesday that there is currently no award for their arrest, “but information about their whereabouts is welcomed and can be provided by contacting the local ICE office or calling the ICE toll free hotline (1-866-DHS-2-ICE).”

Police kept inquiry of high school nude pics scheme quiet for...

Police in Mountain View, California, told Ars on Tuesday that they are set to formally present the results of their months-long investigation of an online nude photo exchange of high school girls. The presentation will go to county prosecutors before the end of the year. “No arrests or charges filed yet in this case,” Katie Nelson, a spokeswoman for the Mountain View Police Department, told Ars by e-mail. “We are presenting the case to the [district attorney] by year's end, and they will ultimately decide what direction this goes.” As has happened in similar cases in other parts of the country for years now, ringleaders could be prosecuted for child pornography, among other felony charges.

Over the weekend, the San Francisco Chronicle broke the story of the investigation. The newspaper reported that the investigation involves a “handful of individuals,” both male and female minors, who are believed to be at the “center of the investigation.” There were photos of at least two girls on a private Dropbox account that was circulated among some students at that school and others as well. The Dropbox account was immediately frozen by police, and no one has since been able to view, access, share, download, or upload anything. The San Jose Mercury News reported Tuesday that the existence of the photos was a “relatively open secret among students” for months. It wasn’t until Monday that the Mountain View Los Altos school district formally acknowledged the investigation to families. In a joint letter by the district and the police, the agencies wrote:

MVLA first learned of this incident in August and immediately referred the matter to the Mountain View Police Department. The police department, which has been meticulously investigating this case over the past few months, immediately disabled the Dropbox account when they began their investigation to prevent any further access. Additionally, Mountain View detectives instructed MVLA administrators to maintain confidentiality in order to ensure that no evidence was compromised.

More than a year ago, a high school in nearby San Jose was hit with a similar scandal when a student was found to have been distributing nude photos of students via Instagram. As Ars reported previously, a 2014 Drexel University survey found that while the majority of teens sext with each other, an even higher percentage was unaware that engaging in such behavior could be prosecuted as child pornography. The National Conference of State Legislatures began tracking sexting legislation in 2009 and reported that at least 20 states and Guam have enacted bills to address youth sexting.

Fatal flaw found in PricewaterhouseCoopers SAP security software

Instead of fixing the issue, PwC lawyered up

A security tool built for SAP systems by PricewaterhouseCoopers has turned out to have worrying security holes of its own. German security research firm ESNC has been analyzing the Automated Controls Evaluator (ACE), which extracts relevant security and configuration data from an SAP system, analyzes it, and generates exception reports for review.

But there appears to be a high-risk hole in the software. "This security vulnerability may allow an attacker to manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," ESNC said in an advisory. "This activity may result in fraud, theft or manipulation of sensitive data including PII such as customer master data and HR payroll information, unauthorized payment transactions and transfer of money." The flaw affects version 8.10.304, but earlier versions might also be affected.
It allows an attacker to inject malware into the system's SAP Advanced Business Application Programming (ABAP) code either remotely or onsite.

That could potentially allow the entire server to be backdoored. "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients," a PwC spokeswoman told The Reg. "The bulletin describes a hypothetical and unlikely scenario – we are not aware of any situation in which it has materialized." What's potentially worrying about this case is, however, what ESNC said happened when they got in contact with PwC.

The team sent an advisory to PwC on August 18, and had a meeting with PwC officials three days later. After hearing nothing for two weeks, they contacted PwC again to check on progress.

They didn’t get a response, they said, but eight days later they got some – a cease and desist letter from PwC's lawyers. ESNC got a similar legal letter in November, after they informed PwC that they were planning to disclose the vulnerability in November.
It appears some companies haven't heard the latest ideas on responsible disclosure and are lawyering up rather than fixing faults.