Uncle Sam, D-Link told to battle in court over claims of shoddy device security: Judge snubs summary judgment bids

No spittin', no cussin', either, Cali judge rules


America's trade watchdog's case against network device maker D-Link will go ahead next January – after a district judge rebuked the two sides for wasting money drawing up and filing demands for summary judgments.

The US Federal Trade Commission (FTC) brought its lawsuit against Taiwanese D-Link early last year in California, and in doing so griped about a host of alleged bad practices, including hard-coded passwords, command-injection vulnerabilities, misplaced security keys, and plaintext password storage in D-Link's gear. These, the watchdog claimed, amounted to misrepresentation by a company that touted the advanced security of its products, and thus put buyers at risk.

Last year, the commission tried to cut straight to the punchline by asking for a summary judgment against the manufacturer. In doing so, the regulator sought to throw out an expert report by the defense's Dr Kent Van Liere, and drop more than three of its own complaints to make things nice and easy for the court. Those to-be-dropped allegations covered D-Link's misrepresentation of its security response policy, its router security, and its IP camera user-interface security.

For its part, D-Link also requested a summary judgment that would dismiss the case against it.

US District Court Judge James Donato isn't having any of it, telling the two parties on Monday [PDF] the legal battle is going to trial: “The parties' cross-motions here are not suitable for summary judgement,” he wrote in an order that quoted the old maxim: "No spittin’, no cussin’, and no summary judgment."

Dead photo via Shutterstock

Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage

READ MORE

Judge Donato added that there are “genuine disputes of material fact that will require a trial,” since the paperwork on each side runs to more than 100 pages, not counting the “voluminous declarations and exhibits.”

He also lambasted the two sides for wasting their money trying to sidestep the trial: “Since federal judicial records indicate that summary judgment is granted in a minority of cases, routinely filing the motion almost certainly increases the overall cost of litigating civil cases in federal court without a net benefit.”

Both sides had also tried to exclude each others' expert witnesses from evidence in what's known as a “Daubert motion” (so called because the 1993 Daubert versus Merrell Dow Pharmaceuticals case in which the Supreme Court set the standard for admitting expert testimony).

Judge Donato reckons he can judge the experts for himself, thank you: “The court will make its reliability and admissibility determinations during trial, and will disregard any admitted evidence that it ultimately determines is not sound.”

The case is scheduled for a pretrial conference meeting on January 3, 2019, with the bench trial – there will be no jury – starting on January 14 that year. ®

Broader topics


Other stories you might like

  • How refactoring code in Safari's WebKit resurrected 'zombie' security bug
    Fixed in 2013, reinstated in 2016, exploited in the wild this year

    A security flaw in Apple's Safari web browser that was patched nine years ago was exploited in the wild again some months ago – a perfect example of a "zombie" vulnerability.

    That's a bug that's been patched, but for whatever reason can be abused all over again on up-to-date systems and devices – or a bug closely related to a patched one.

    In a write-up this month, Maddie Stone, a top researcher on Google's Project Zero team, shared details of a Safari vulnerability that folks realized in January this year was being exploited in the wild. This remote-code-execution flaw could be abused by a specially crafted website, for example, to run spyware on someone's device when viewed in their browser.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Abortion rights: US senators seek ban on sale of health location data
    With Supreme Court set to overturn Roe v Wade, privacy is key

    A group of senators wants to make it illegal for data brokers to sell sensitive location and health information of individuals' medical treatment.

    A bill filed this week by five senators, led by Senator Elizabeth Warren (D-MA), comes in anticipation the Supreme Court's upcoming ruling that could overturn the 49-year-old Roe v. Wade ruling legalizing access to abortion for women in the US.

    The worry is that if the Supreme Court strikes down Roe v. Wade – as is anticipated following the leak in May of a majority draft ruling authored by Justice Samuel Alito – such sensitive data can be used against women.

    Continue reading
  • Halfords suffers a puncture in the customer details department
    I like driving in my car, hope my data's not gone far

    UK automobile service and parts seller Halfords has shared the details of its customers a little too freely, according to the findings of a security researcher.

    Like many, cyber security consultant Chris Hatton used Halfords to keep his car in tip-top condition, from tires through to the annual safety checks required for many UK cars.

    In January, Hatton replaced a tire on his car using a service from Halfords. It's a simple enough process – pick a tire online, select a date, then wait. A helpful confirmation email arrived with a link for order tracking. A curious soul, Hatton looked at what was happening behind the scenes when clicking the link and "noticed some API calls that seemed ripe for an IDOR" [Insecure Direct Object Reference].

    Continue reading
  • For a few days earlier this year, rogue GitHub apps could have hijacked countless repos
    A bit of a near-hit for the software engineering world

    A GitHub bug could have been exploited earlier this year by connected third-party apps to hijack victims' source-code repositories.

    For almost a week in late February and early March, rogue applications could have generated scoped installation tokens with elevated permissions, allowing them to gain otherwise unauthorized write or administrative access to developers' repos. For example, if an app was granted read-only access to an organization or individual's code repo, the app could effortlessly escalate that to read-write access.

    This security blunder has since been addressed and before any miscreants abused the flaw to, for instance, alter code and steal secrets and credentials, according to Microsoft's GitHub, which assured The Register it's "committed to investigating reported security issues."

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading

Biting the hand that feeds IT © 1998–2022