
Tag: spokeswoman

Federal courthouse in Fresno is set to see a lot of action in coming months.
In previous comments, Bridenstine has supported a human return to the Moon.
All or part of Santee Cooper is up for sale after Summer nuclear plant hit difficulties.
"E-mail accounts and individual hard drives should be archived."
Greyhound allows four-digit PINs and stores them in plaintext.
Square spokeswoman: “We have no comment on this.”
The U.S. Citizenship and Immigration Service (USCIS) said Friday that the H-1B cap for FY 2018 has been reached. The agency will now hold a computer-generated lottery to distribute the visas. The USCIS didn't say how many visa petitions it received, ...
A security researcher has unearthed evidence showing that three browser-trusted certificate authorities owned and operated by Symantec improperly issued more than 100 unvalidated transport layer security certificates.
In some cases, those certificates made it possible to spoof HTTPS-protected websites. One of the most fundamental requirements Google and other major browser developers impose on CAs is that they issue certificates only to people who demonstrate rightful control of the affected domain name or company name. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these strict industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of a CA reseller known as SSLMate.

These guidelines were put in place to ensure the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners.

The remaining 99 certificates were issued without proper validation of the company information in the certificate. Many of the improperly issued certificates—which contained the string "test" in various places, a likely indication they were created for test purposes—were revoked within an hour of being issued.
Still, the mis-issuance represents a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing. Even when CA-issued certificates are discovered to be fraudulent and revoked, they can still be used to trick browsers into trusting an impostor site.

The difficulty browsers have in blacklisting revoked certificates in real time is precisely why industry rules strictly control the issuance of such credentials.

There's no indication that the unauthorized certificates were ever used in the wild, but there's also no way to rule out that possibility, however remote it is. "Chrome doesn't [immediately] check certificate revocation, so a revoked certificate can be used in an attack just as easily as an unrevoked certificate," Ayer told Ars. "By default, other browsers fail open and accept a revoked certificate as legitimate if the attacker can successfully block the browser from contacting the revocation server." ("Fail open" is a term that means the browser automatically accepts the certificate in the event the browser can't access the revocation list.) The nine certificates issued without the domain name owners' permission affected 15 separate domains, with names including wps.itsskin.com, example.com, test.com, test1.com, test2.com, and others.

Three Symantec-owned CAs—known as Symantec Trust Network, GeoTrust Inc., and Thawte Inc.—issued the credentials on July 14, October 26, and November 15.

The other 99 certificates were issued on many dates between October 21 and January 18.
In an e-mail, a Symantec spokeswoman wrote: "Symantec has learned of a possible situation regarding certificate mis-issuance involving Symantec and other certificate authorities. We are currently gathering the facts about this situation and will provide an update once we have completed our investigation and verified information." This is the second major violation of the so-called baseline requirements over the past four months.

Those requirements were mandated by the CA/Browser Forum, an industry group made up of CAs and the developers of major browsers that trust them.
In November, Firefox recommended blocking the China-based CA WoSign for 12 months after it was caught falsifying the issuance date of certificates to get around a prohibition on the weak SHA-1 cryptographic hashing algorithm. Other browser makers quickly agreed. Ayer discovered the unauthorized certificates by analyzing the publicly available certificate transparency log, a project started by Google for auditing the issuance of Chrome-trusted credentials. Normally, Google requires CAs to report only the issuance of so-called extended validation certificates, which offer a higher level of trust because they verify the identity of the holder, rather than just control of the domain.

Following Symantec's previously mentioned 2015 mishap, however, Google required Symantec to log all certificates issued by its CAs. Had Symantec not been required to report all certificates, there's a strong likelihood the violation never would have come to light.
Only a local hacker in a facility would be able to run an attack

General Electric (GE) has pushed out an update to its industrial control systems following the discovery of vulnerabilities that create a way for hackers to steal SCADA system passwords. Potential exploits based on the vulnerabilities could be abused to cause process flow disruptions in power stations, utility providers and factories, according to Positive Technologies, the security firm that discovered the flaws. A spokeswoman for GE Digital played down the vulnerabilities, which she said can't be exploited remotely. Only a local hacker in a plant or facility would have been in a position to run an attack, she said, adding that there had been no signs of exploitation.

Line-up

The CVE-2016-9360 vulnerability (CVSS v3[1] score 6.4) makes it possible for an attacker to gain access to legitimate sessions by intercepting user passwords locally.

General Electric's Proficy HMI/SCADA iFIX 5.8 SIM 13[2], Proficy HMI/SCADA CIMPLICITY 9.0[3], Proficy Historian 6.0[4] and their previous versions are vulnerable. Another flaw makes it possible for an attacker or malware with local access to obtain industrial database passwords. iFIX 5.8 (Build 8255) and previous versions are vulnerable. A third vulnerability makes it possible for a local attacker to block the authorisation of the application in the realtime database, either causing a failure at reading and recording history or database inoperability.
The industrial database Proficy Historian Administrator 5.0.195.0 needs updating in response to this flaw. Positive Technologies also claimed to have discovered a critical fault in a security mechanism of all three systems related to the use of standard passwords during network access authorisation.

This allows remote access to industrial process control, the security firm warns.

GE disputes this saying that the flaws, which were resolved in December, present only a local hack risk. Proficy HMI/SCADA iFIX needs to be updated to version 5.8 SIM 14, Proficy HMI/SCADA CIMPLICITY to version 9.5, and Proficy Historian to version 7.0. The vulnerabilities were reported to GE on July 31, 2015.

The install base of the Proficy product family (CIMPLICITY, iFIX, Historian) is in the thousands, and they are deployed across multiple industries. An update from ICS-CERT this week explaining the flaws in more detail can be found here.
Plug pulled on Barts Health computer gear to prevent cyber-disease spread

Malware has infected hospital computers at the UK’s biggest NHS trust. Barts Health, which runs six London hospitals, shut down parts of its network on Friday to prevent the spread of the as-yet-unidentified software nasty.

The organization oversees Mile End Hospital, Newham University Hospital, The Royal London Hospital, St Bartholomew's Hospital, The London Chest Hospital, and Whipps Cross University Hospital. A spokeswoman for the group confirmed to El Reg that it pulled the plug on IT gear as a precaution, and said earlier rumors of a ransomware outbreak were completely false. Patient care has not been affected, she added, before pointing us to this statement on the security cockup:

On 13 January, Barts Health became aware of an IT attack. We are urgently investigating this matter and have taken a number of drives offline as a precautionary measure. We have already established that the Cerner Millennium patient administration system and the clinical system used for Radiology are not affected. We have tried-and-tested contingency plans in place and are making every effort to ensure that patient care will not be affected.

Aatish Pattni, head of threat prevention in northern Europe for Check Point, said: “This attack could be the result of an employee inadvertently clicking the wrong link in an email, or may be a targeted attack against the trust.” Malware infections at NHS hospitals are rare but far from unprecedented.

Barts itself has been a victim before: in November 2008, PCs at three of its hospitals were knocked offline following an infection by the MyTob worm.

The malware outbreak forced the hospitals to briefly reroute ambulances and disrupted hospital administration while the software nasty was contained.
A New Jersey man sued Uber on Thursday for negligence, fraud, and assault, among other accusations.
In the lawsuit, Joseph Fusco claimed that he was "nearly beaten to death” after his driver refused to drive him from Philadelphia, Pennsylvania to his home in Cherry Hill, New Jersey, about nine miles away. Uber has faced legal battles previously over alleged incidents of violence perpetrated by drivers against passengers. According to the 34-page civil complaint, on the evening of December 22, 2016, Fusco was attending a private party at a Philadelphia sports bar with his colleagues from Allied Universal and other public safety officials from the University of Pennsylvania. By 11:00pm, Fusco decided to go home, and called for an Uber, but seemingly did not put in his destination immediately.

After the driver asked where he was going, Fusco replied: “Jersey.” When the driver responded: “I am not driving to New Jersey,” Fusco repeated his request a second time. As Fusco alleged: The Uber Driver then opened the door, exited the vehicle and walked around the back of the car.

The Uber Driver then opened the front passenger door and dragged Plaintiff out of the front seat by his coat collar.

The Uber Driver severely beat Plaintiff and left him in a pool of blood on the pavement in the freezing cold.

The Uber Driver stomped and kicked Plaintiff in the face and head while he was already unconscious, which upon information and belief, is captured on surveillance video.

Fusco was eventually found unconscious by two bystanders, who called 911 and had him taken to a nearby hospital. The complaint alleges that Uber has refused to provide authorities with relevant information about the driver as part of the investigation into this case. The lawsuit also claims that Uber makes a “deceitful pledge to rider safety,” by not adequately conducting background checks on its drivers, and by not fully cooperating with law enforcement. Uber spokeswoman Sophie Schmidt told Ars that the company would not “comment on active litigation.” However, she did confirm that the rider reported the incident to the company on December 23, and added that the driver was “immediately removed.” Schmidt also noted that the company had been in “ongoing contact with law enforcement since they reached out last month and are fully supporting their investigation,” but did not elaborate further. Fusco’s attorney, Matthew Luber, did not immediately respond to Ars’ request for comment.
[Photo caption: Mark Raden was on board the Washington State Ferry Kitsap (pictured) when he fired the laser in October 2015.]

A United States Coast Guard Hearing Officer has issued a final $9,500 civil penalty against a Washington man who fired a blue laser at a state ferry in October 2015.

The fine marks a notable reduction from the preliminary penalty of $100,000 issued in April 2016. According to a Tuesday statement by the Coast Guard, Mark Raden of Freeland, Washington, was on board the Washington State Ferry Kitsap, traveling between Mukilteo and Clinton, when he fired a laser at the adjacent WSF Tokitae.

The vessel’s master and chief mate were hit in the eyes, which reportedly endangered all 106 passengers. "Originally there were multiple charges that brought the maximum amount to $100,000 [as] referenced in the original release," Petty Officer 2nd Class Ali Flockerzi, a USCG spokeswoman, told Ars. "Ultimately the hearing officer has the final say and chose to only pursue the one charge for 'interfering with the safe operation of a vessel' and assessed a fine of $9,500." According to the USCG, Raden also has a “history of lasering incidents,” and pleaded guilty to related charges in Island County Superior Court, where he was ordered to serve 15 days in jail, perform 240 hours of community service, and pay $3,740.89 in restitution to the master and chief mate. Such a penalty, with practically no jail time, is significantly lighter than those handed to other criminal defendants in laser cases involving aircraft, who faced federal criminal prosecution.

Those cases have often resulted in sentences of one to two years. (Ars recently profiled the case of Barry Bowser, a man in Bakersfield, California, who was sentenced to 21 months in prison after being convicted at trial of knowingly aiming a laser pointer at an aircraft.)

"Interfering with the safe operation of a vessel, particularly a large passenger vessel, endangers all of those on board and can also result in significant environmental impacts," Cmdr. Darwin Jensen, Coast Guard Sector Puget Sound chief of prevention, said in the Tuesday statement. "This one person's irresponsible actions could have had a much more tragic outcome for the passengers of the Tokitae as the vessel was preparing to arrive in Clinton. The Coast Guard will pursue appropriate criminal or civil enforcement actions against anyone who interferes with the safe operation of vessels."