
Lawsuits Surge Over Websites’ ADA compliance failures

Businesses with websites that can’t be navigated by the blind are getting pummeled with lawsuits.

The new frontier in federal disability litigation has accelerated dramatically in recent years, with some companies now getting hit by lawsuits for the second or third time even after they’ve reached settlements to upgrade their sites.

Companies say the suits—targeting restaurants and retail stores, art galleries and banks—are fueled by plaintiffs’ lawyers looking for an easy payday. Disabled consumers argue they deserve to be able to access the internet freely.

The number of website-access lawsuits filed in federal court reached 2,250 in 2018, almost three times the 814 filed in 2017, according to law firm Seyfarth Shaw LLP. Most of the cases have been filed in New York and Florida, the firm’s data shows, though a recent appellate decision is likely to prompt more action in California.

On an inaccessible site, screen readers can’t properly translate the content. They get stuck, simply saying “image” instead of describing it, or not saying which information should be typed into blank fields on an ordering page.

The ADA prohibits discrimination against the disabled in all places of public accommodation, which most courts have interpreted to include websites connected to a physical business.

The Justice Department said in 2010 it would create website-access guidelines. It delayed the rule-making, then dropped it—leaving businesses to argue that they can’t upgrade websites to standards that don’t exist. The Justice Department declined to comment.

Plaintiffs’ lawyers and courts say that argument is a poor excuse.

In a closely watched ruling, the Ninth U.S. Circuit Court of Appeals recently sided with a blind man who sued Domino’s Pizza in 2016 after he was unable to order customized pizzas from the restaurant’s website. The court said the federal disability law unequivocally applies to the pizza chain’s website and mobile app.

Domino’s “has received fair notice” of the need for its technology to be accessible, the court said, adding that, “Our Constitution does not require that Congress or DOJ spell out exactly how Domino’s should fulfill this obligation.”

A Domino’s spokesman declined to comment.

Most website-access lawsuits settle, lawyers involved say—often for $20,000 or less in attorney fees and costs, plus an agreement to improve websites within two years. Overhauling a website to make it work seamlessly with screen readers can cost from several thousand to several hundred thousand dollars, depending on the complexity.

“There’s no excuse for companies today not to have fixed and remediated their websites,” said Jeffrey Gottlieb, a New York attorney who has filed hundreds of ADA website cases. “I find only a lawsuit pushes them to do it.”

Florida defense lawyer Anastasia Protopapadakis says her clients usually don’t resist updating their websites. But when they get hit with a complaint, she said, “a lot of them feel this is just a method of legal extortion.”

An analysis by UsableNet, a provider of accessibility technology and services, found that 20% of the website lawsuits filed in 2018 were against companies that had already been sued.

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

Penetration Test and Vulnerability Assessment

The Difference Between a Vulnerability Assessment and a Penetration Test

There are many views on what constitutes a Vulnerability Assessment versus a Penetration Test. The main distinction, however, seems to be that some believe a thorough Penetration Test involves identifying as many vulnerabilities as possible, while others feel that Penetration Tests are goal-oriented and are mostly unconcerned with what other vulnerabilities may exist.

I am in the latter group, and what follows is my argument for why you should be too.

Language Matters

Language is important, and we have two terms for a reason. We already have an (aptly named, I might add) security test for compiling a complete list of vulnerabilities, i.e. a Vulnerability Assessment. If there isn’t a clear, communicable distinction between this test type and a penetration test, then we shouldn’t be using separate terms. Such a distinction does exist, however, and it’s a crucial one.

Clarified Definitions

Vulnerability Assessments are designed to yield a prioritized list of vulnerabilities and are generally for clients who already understand they are not where they want to be in terms of security. The customer already knows they have issues and simply needs help identifying and prioritizing them.

The more issues identified the better, so naturally a white box approach should be embraced when possible. The deliverable for the assessment is, most importantly, a prioritized list of discovered vulnerabilities (and often how to remediate).

Penetration Tests are designed to achieve a specific, attacker-simulated goal and should be requested by customers who are already at their desired security posture. A typical goal could be to access the contents of the prized customer database on the internal network, or to modify a record in an HR system.

The deliverable for a penetration test is a report of how security was breached in order to reach the agreed-upon goal (and often how to remediate).

A Physical Analog

A good analog for this is a Tiger Team working for the government, like Richard Marcinko used to run with Red Cell. Think about what his missions were: things like gaining control of a nuclear submarine and bringing it out into the bay.

So imagine that he’s getting debriefed after a successful mission where he broke in through the east fence, and someone were to ask him about the security of the western side of the building. The answer would be simple:

We didn’t even go to the west side. We saw an opening on the east-facing fence and we went after our target.

If the person doing the debrief were to respond with, “You didn’t check the other fences? What kind of security test is it where you didn’t even check all the fences?”, the answer would be equally direct:

Listen, man, I could have come in a million ways. I could have burrowed under the fences altogether, parachuted in, got in the back of a truck coming in–whatever. You told me to steal your sub, and that’s what I did. If you wanted a list of all the different ways your security sucks, you should have hired an auditor–not a SEAL team.

The Question of Exploitation

Another mistake people make when discussing vulnerability assessments vs. penetration tests is to pivot immediately to exploitation. The basic narrative is:

Finding vulnerabilities is a vulnerability assessment, and exploiting them is a penetration test.

This is incorrect.

Exploitation can be imagined as a sliding bar between none and full, which can be leveraged in both vulnerability assessments and penetration tests. Although most serious penetration tests lean heavily towards showing rather than telling (i.e. heavy on the exploitation side), it’s also the case that you can often show that a vulnerability is real without full exploitation.

A penetration testing team may be able to simply take pictures standing next to the open safe, or to show they have full access to a database, etc., without actually taking the complete set of actions that a criminal could. And vulnerability assessments can slide along this scale as well for any subset of the list of issues discovered.

This could be time consuming, but exploitation doesn’t, by definition, move you out of the realm of vulnerability assessment. The only key attributes of a VA vs. PT are list-orientation vs. goal-orientation, and the question of exploitation is simply not part of that calculation.

The Notion that Penetration Tests Include Vulnerability Assessments

It’s also inaccurate to say that penetration tests always include a vulnerability assessment. Recall that penetration tests are goal-based, meaning that if you achieve your goal then you are successful. So, you likely perform something like a vulnerability assessment to find a good vuln to attack during a pentest, but you could just as easily find a vuln within 20 minutes that gets you to your goal.

It is accurate to say, in other words, that penetration tests rely on finding one or more vulnerabilities to take advantage of, and that people often use some sort of process to systematically discover vulns for that purpose. But because they stop when they have what they need, and don’t give the customer a complete and prioritized list of vulnerabilities, they didn’t actually do a vulnerability assessment.

Summary

Vulnerability Assessment

  • Customer Maturity Level: Low to Medium. Usually requested by customers who already know they have issues, and need help getting started.
  • Goal: Attain a prioritized list of vulnerabilities in the environment so that remediation can occur.
  • Focus: Breadth over depth.

Penetration Test

  • Customer Maturity Level: High. The client believes their defenses to be strong, and wants to test that assertion.
  • Goal: Determine whether a mature security posture can withstand an intrusion attempt from an advanced attacker with a specific goal.
  • Focus: Depth over breadth.

Article Provided by: Daniel Miessler

If you would like to discuss how Liquid Video Technologies can help you secure your data, or would like to discuss your next Home Security System, Networking, Access Control, Fire, IT consultant or PCI Compliance needs, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.

All sites that don’t use HTTPS will soon start being shamed on Google as ‘Not Secure’!

The HTTPS in a URL stands for Hypertext Transfer Protocol Secure, and indicates that the data transferred between your browser and the website you are connected to is ‘secure.’ If your website uses plain HTTP, the connection is not encrypted and therefore not secure. The good news is that HTTPS is relatively cheap to implement and, as far as protective measures go, serves as a powerful baseline before approaching other, more difficult issues.

Starting in July 2018, Google will start marking all sites still using unencrypted HTTP as ‘not secure’ in the newly updated Chrome (version 48). This will put a bigger burden on website owners to switch over to encrypted HTTPS. This form of tagging (Not Secure) will also notify users about how the sites they visit operate and maintain their websites. Right now, Google says, “68 percent of Chrome traffic on Android and Windows is protected, while that number rises to 78 percent on Chrome OS and Mac, with 81 of the top 100 sites on the web using HTTPS by default.”

Still, a few major sites like Alibaba.com, BBC.com, and IMDB.com don’t use HTTPS. This will become a bigger potential problem for these sites in the future, given the security concerns. Plus, Google also uses HTTPS as a ranking metric for searching on its browser. By continuing to use HTTP, sites should be getting less traffic directed to them than other sites on the web that use HTTPS, which presumably influences the website’s overall revenue.

Note that labeling sites using HTTP as not secure is something Mozilla toyed around with as well, having implemented a similar approach to sites using HTTP in Firefox Nightly version 59 back in December 2017.

If you need more information on upgrading your website to HTTPS, please contact Liquid Video Technologies at (864) 859-9848, where our friendly staff will be happy to assist you.

Article Written by: Morgan Justice

 


New Website, New Look!

New Website for all our Customers and Clients!

Liquid Video Technologies knows you all have been waiting for this day. After some hard work and dedication, we now have our new website up and running on all devices! This will be a great opportunity for families, contractors, and business owners to venture around our new site and explore the different service installations that LVT can provide.

If you don’t know who we are, Liquid Video Technologies does everything from Video Surveillance, Networking, Automation, and many more services. We have been providing the best security equipment for almost 20 years for our local families and business owners in our community. We understand the importance of protecting your loved ones and knowing that when you are gone for a month, week, or weekend, all that is important is safe from any threats.

Still lost? Don’t worry, call a Liquid Video Technologies specialist today at 866.466.6563 or email at info@liquidvideotechnologies.com.

Please keep Liquid Video Technologies in mind next time you need help with Video Surveillance, Security, Access Control, Networking, Automation, Audio, and Fire Alarm Systems.

If you know what you want or need, we give out ‘Free Quotes’ on all services we provide and install!
