Tag Archive for: Allowed

US Department of Labor finds Salt Lake City restaurant supply company illegally employed 22 minor-aged workers beyond hours allowed


SALT LAKE CITY – A federal investigation has found a Salt Lake City restaurant supply company allowed 22 employees – ages 14 and 15 – to work as many as 46 hours per workweek, and to begin work after midnight – both illegal practices under child labor laws. 

Investigators with the U.S. Department of Labor’s Wage and Hour Division found Specialty Consulting Services LLC – operating as Standard Restaurant Supply – violated child labor work hours standards of the Fair Labor Standards Act. The employer also failed to keep accurate time records, including the date of birth for one minor-aged employee, in violation of the FLSA’s recordkeeping provision.

The division assessed $16,595 in penalties to resolve the child labor violations.

The investigation follows a March 2022 announcement by the division’s Southwest Region reminding Salt Lake City-area employers of the importance of complying with federal child labor laws, and of its stepped-up enforcement efforts.

“Minors as young as 14- and 15-years-old not only worked beyond permitted hours, but more than half of them were employed in violation of the Fair Labor Standards Act by being allowed to work long shifts often exceeding eight hours,” explained Wage and Hour Division District Director Kevin Hunt in Salt Lake City. “Our investigators continue to see an increase in child labor violations in several industries. We will take vigorous action whenever we discover young workers’ safety and well-being are being jeopardized by employers who fail to follow the law.”

Federal labor law prohibits the employment of workers under the age of 14 in non-agricultural settings. 14- and 15-year-olds must work outside of the hours of school and cannot work:

  • More than 3 hours on a school day, including Friday.
  • More than 18 hours per week when school is in session.
  • More than 8 hours per day when school is not in session.
  • More than 40 hours per week when school is not in session.
  • Before 7 a.m. or after 7 p.m. on any day, except from June 1 through Labor Day, when nighttime work hours are extended to 9 p.m.

“We urge employers in the region to gain a full understanding of child labor regulations and ensure…


Google Home smart speaker bug could have allowed hackers to spy on your conversations


A security researcher has won a $107,500 bug bounty after discovering a way in which hackers could install a backdoor on Google Home devices to seize control of their microphones, and secretly spy upon their owners’ conversations.

Vulnerability hunter Matt Kunze initially reported the problem to Google in early 2021 after, while experimenting with his own Google Home smart speaker, he noticed how easily new users could be added to it via the Google Home app.

Kunze discovered that connected users could send commands remotely to paired Google Home devices via its cloud API.

In a technical blog post, Kunze described a possible attack scenario:

  1. Attacker wishes to spy on victim. Attacker can get within wireless proximity of the Google Home (but does NOT have the victim’s Wi-Fi password).
  2. Attacker discovers victim’s Google Home by listening for MAC addresses with prefixes associated with Google Inc. (e.g. E4:F0:42).
  3. Attacker sends deauth packets to disconnect the device from its network and make it enter setup mode.
  4. Attacker connects to the device’s setup network and requests its device info.
  5. Attacker connects to the internet and uses the obtained device info to link their account to the victim’s device.
  6. Attacker can now spy on the victim through their Google Home over the internet (no need to be within proximity of the device anymore).

According to Kunze, a malicious hacker who has successfully linked their account to the targeted Google Home device can then execute commands remotely: controlling smart switches, making purchases online, remotely unlocking doors and vehicles, or opening smart locks by brute-forcing a user’s PIN.

Kunze even determined that he could exploit a Google Home speaker’s “call <phone number>” command, effectively transmitting everything picked up by its microphone to a phone number of the hacker’s choice.

Thankfully, Kunze’s responsible disclosure of the vulnerabilities to Google means that none of the security flaws should be exploitable any more. Google fixed the security holes in April 2021, although details have only been made public now.

Of course, that does mean that for some years millions of people were…


GitHub Attack Allowed Attackers to Steal Okta’s Source Code


Okta has, however, confirmed that attackers couldn’t access its customer data or services.

Authentication giant Okta has suffered yet another security breach. Reportedly, someone stole Okta’s source code after attacking its repositories on GitHub.

Okta’s chief security officer, David Bradbury, issued a “confidential” email notification to their “security contacts,” revealing that the suspicious activity the company detected earlier in December 2022 has led to the leaking of its code repositories.

“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” Okta’s notification read.

“We have decided to share this information consistent with our commitment to transparency and partnership with our customers,” Okta explained.

According to Bradbury, GitHub notified Okta about possible suspicious activity and that someone had accessed its code repositories. Okta launched an investigation and concluded that the access had indeed occurred. In response, the company temporarily restricted access to Okta GitHub repositories and suspended all GitHub integrations with third-party apps.

Okta has confirmed that the attackers couldn’t access its customer data or services, reports Bleeping Computer. Hence, users of its different services, including its HIPAA, DoD, and FedRAMP offerings, were unaffected by this incident and didn’t need to adopt any threat-prevention measures.

It is worth noting that the users of these services are mainly US-based government, healthcare, and defence organizations.

Okta and Cyber Attacks

Okta is a cloud-based identity and access management platform that provides secure single sign-on, user provisioning, data security and mobile device management.

The company already had a troublesome year regarding security. In March 2022, Okta confirmed a data breach by the ransomware group LAPSUS$, and in September, Auth0, which is owned by Okta, reported the theft of its old source code.

Possible Repercussions?

There’s no doubt that source code is a valuable asset, and its stealing or leaking can have far-reaching consequences. Okta, a mainstream authentication platform, should be really…


Bugs in Lego Resale Site Allowed Hackers to Hijack Accounts


Security analysts have found bugs in Lego’s second-hand online marketplace that left its users at risk of account hijacking and data leakage.

In a blog post, Salt Labs said that the issues, now resolved, affected Lego-owned BrickLink.com, the world’s largest official marketplace for Lego bricks.

The security researchers said that two API security issues could have enabled an attacker to take over BrickLink accounts, and access and steal personally identifiable information stored on the site. The vulnerabilities could have also allowed attackers to gain access to internal production data and compromise internal servers, Bleeping Computer reports.

The BrickLink bugs were spotted when Salt Labs analysts were experimenting with user input fields on the marketplace site.

The first flaw noted by the researchers was a cross-site scripting (XSS) weakness in the “Find Username” dialog box of the coupon search section, which allowed the “injection and execution” of code that could target a victim’s machine.

The flaw, if exploited correctly, means attackers could have gained access to personal details such as a targeted user’s email address, shipping address, order history, and message history, Salt Labs said.

Researchers also exploited a flaw on the “Upload to Wanted List” page, where a faulty endpoint parsing mechanism allowed them to launch an attack that could read internal production data.


The analysts said that they were unable to confirm or deny whether any of the vulnerabilities were exploited.

PCMag contacted Lego for comment on the BrickLink bugs but did not immediately receive a response.

The security analysts encourage any Lego fan who is concerned about the reported vulnerabilities to contact the brand directly.

In October, Lego decided to discontinue its Mindstorms range of programmable robots, after 24 years of production. It means the end of Lego’s $359.99 Mindstorms Robot Inventor Kit, which lets Lego-fans build five different robot models out of 949 Lego bricks.
