Expert Insights – California Supreme Court Upholds Proposition 22. By www.littler.com. Published: Thu, 01 Aug 2024 20:18:33 +0000. Alexander T. MacDonald and Joy C. Rosenquist discuss California’s Proposition 22 and a recent California Supreme Court decision that upheld the voter-approved law allowing app-based drivers to work as independent contractors. Westlaw Today (Subscription required).
EXPERT INSIGHTS—Latest updates to Illinois personnel records review act. By www.littler.com. Published: Thu, 22 Aug 2024 15:20:40 +0000. Elizabeth K. Hanford and Shanthi Gaur discuss amendments to Illinois’ Personnel Records Review Act, which impose new obligations on employers navigating personnel record requests. Westlaw Today (Subscription required).
Canada’s Proposed Modern Slavery Act Would Impose Significant Annual Reporting Obligations on Certain Private-Sector Entities. By www.littler.com. Published: Fri, 28 Oct 2022 18:04:03 +0000. Bill S-211 would enact the Modern Slavery Act, which would require covered employers to report annually on efforts to combat forced and child labour. If the Modern Slavery Act receives Royal Assent in 2022, it will take effect January 1, 2023, and employer reporting requirements will commence May 31, 2023. Non-Canadian entities that do business in Canada and meet the size and activity requirements might be subject to this law.
Texas Governor Signs Preemption Bill, CROWN Act, and Other Legislation into Law. By www.littler.com. Published: Fri, 11 Aug 2023 19:53:47 +0000. The Texas legislature meets only for approximately six months every other year. This session, many bills signed into law impact employers. This article summarizes some of these new laws and how they impact employment operations in the State of Texas. State Preemption of Conflicting Local Laws (AKA the “Death Star Law”)
SpaceX’s Bid to Upend NLRB Follows Signals From Supreme Court. By www.littler.com. Published: Tue, 16 Jan 2024 22:28:42 +0000. Alexander MacDonald comments on the implications of SpaceX’s lawsuit against the NLRB, which alleges that the board violates constitutional separation of powers and due process protections by wielding different types of authority in the same case. Bloomberg Law (Subscription required).
BIPA claim accrual changes signed into law. By www.littler.com. Published: Thu, 08 Aug 2024 14:58:22 +0000. Orly Henry discusses BIPA reform and applying the law to pending cases. Chicago Daily Law Bulletin (Subscription required).
Philadelphia Hotel, Airport Hospitality, and Event Center Businesses Face Significant New Recall and Retention Obligations. By www.littler.com. Published: Mon, 12 Apr 2021 15:56:30 +0000. Philadelphia has imposed significant new recall and retention obligations on hotel, airport hospitality, and event center businesses as they struggle to recover in this uncertain COVID-19 economy. The new obligations are contained in a legislative package, styled as the Black Workers Matter Economic Recovery Package, which became law in Januar
Clearing the Way to Compliance: Hindsight Is So 2020. By www.littler.com. Published: Tue, 21 Sep 2021 15:12:44 +0000.
Signed, Sealed, Delivered: New Jersey Implements Long-Delayed Landmark WARN Law. By www.littler.com. Published: Tue, 10 Jan 2023 23:11:39 +0000. On January 10, 2023, Governor Philip D. Murphy signed into law S3162 / A4768, which makes the 2020 amendments to NJ WARN effective 90 days from his signature, irrespective of whether a State of Emergency still exists. As previously reported, under these amendments:
When Is Reassignment a Reasonable Accommodation? By www.littler.com. Published: Fri, 06 Sep 2024 16:56:25 +0000. Peter Petesch discusses several key considerations for employers considering role reassignment as an accommodation – most notably, that reassignment should always be an option during the accommodation process. SHRM (Subscription required).
IMS Insights Podcast: Episode 24 - Helene Wasserman on The Impact of Mentors. By www.littler.com. Published: Tue, 23 Mar 2021 20:46:59 +0000. Helene Wasserman shares her view on how mentorships can positively impact career paths. The National Law Review (Subscription required).
The Contractual Basis of Incentive Compensation Re-Emphasized: Restricted Stock in Lieu of Cash Wages Can Be Forfeited By Resignation in California. By www.littler.com. Published: Thu, 12 Nov 2009 03:16:02 +0000. In Schachter v. Citigroup, Inc., the California Supreme Court rejected claims that an incentive plan that conditioned the earning of restricted stock on continued service was unlawful where the employee voluntarily elected to participate in the plan and quit before the date on which the incentive was earned. The plan was lawful even though it was funded from wages that the employee would otherwise have received in cash.
Another Unexpected Surprise for International Assignees: Section 457A (No, Not 409A!) of the U.S. Tax Code. By www.littler.com. Published: Tue, 14 Feb 2012 23:09:56 +0000. By now, most lawyers advising international companies on compensation packages for expatriates that include deferred compensation are familiar with section 409A of the United States Internal Revenue Code ("US tax code" or "Code").
The Virginia Supreme Court on Damages, Equity Valuation, and the Significance of Delaware Corporations Law in the Termination and Removal of a Chairman and CEO. By www.littler.com. Published: Fri, 01 Feb 2013 19:47:03 +0000. The Virginia Supreme Court has spoken again on the calculation of damages in a complex employment contract case. In Online Resources Corp. v. Lawlor, No. 120208 (Va. Jan. 10, 2013), the court addressed the expert qualifications required for the valuation of equity following the termination of the chairman and chief executive officer (CEO) ("executive") of a publicly-traded company, as well as the applicability of Delaware Corporations Law to related change in control (CIC) provisions. Background
Insight into the H-1B Visa Process. By www.littler.com. Published: Wed, 01 May 2024 13:44:10 +0000. Immigration associates George Thompson and Deepti Orekondy discuss the nuances and intricacies of filing an H-1B visa application, including H-1B Cap petitions, and how to help employers maintain H-1B compliance. This podcast delves into common pitfalls and strategic considerations for an employer filing an H-1B petition.
USCIS Extends Work Permits Under TPS Designations for Certain Countries. By www.littler.com. Published: Wed, 26 Jun 2024 19:26:00 +0000. On June 20, 2024, USCIS extended the validity of certain work permits issued to Temporary Protected Status (TPS) beneficiaries under the TPS designations for El Salvador, Honduras, Nepal, Nicaragua, and Sudan. All impacted beneficiaries will receive Form I-797, Notice of Action, notifying them of the extension of their Employment Authorization Documents (EADs or “work permits”) through March 9, 2025.
Expert Insights – Minnesota Now Recognizes Claims for Negligent Selection of Independent Contractors. By www.littler.com. Published: Thu, 01 Aug 2024 20:03:40 +0000. Ben Sandahl discusses a Minnesota case that raises several issues for companies working with independent contractors. Westlaw Today (Subscription required).
Insight: Puerto Rico Labor secretary clarifies application of Act 27-2024. By www.littler.com. Published: Fri, 20 Sep 2024 17:31:09 +0000. Verónica M. Torres-Torres explains new guidance on exemptions for remote workers and airline staff in Puerto Rico. News is My Business.
Protection for Criminal Antitrust Whistleblowers Signed into Law. By www.littler.com. Published: Thu, 14 Jan 2021 19:42:05 +0000. Largely overshadowed by the rise in COVID-19 deaths and the January 6, 2021, siege on the Capitol, the Criminal Antitrust Anti-Retaliation Act of 2019 (“the Act”) became law on December 23, 2020. See 15 U.S.C. § 7a-3. The Act, which Senator Chuck Grassley sponsored, prohibits employers from retaliating against individuals who report criminal antitrust violations to their employer or the federal government, or who participate in a federal governmental criminal antitrust investigation or proceeding. Background
Pencils, Paper, and Now NLRA Legal Protections – New General Counsel Memorandum Provides College Student Athletes with a Very Significant New “School Supply”. By www.littler.com. Published: Fri, 01 Oct 2021 18:32:52 +0000. On September 29, 2021, National Labor Relations Board (NLRB) General Counsel (GC) Jennifer A. Abruzzo released a nine-page memorandum taking the unequivocal position that “certain Players at Academic Institutions” are employees under Section 2(3) of the National Labor Relations Act (NLRA). Refusing to call such players “student athletes,” Abruzzo asserts in the memorandum (GC 21-08) that:
Florida’s Governor Signs Bill to Defund DEI Initiatives at Colleges. By www.littler.com. Published: Tue, 16 May 2023 20:01:03 +0000. Governor Ron DeSantis has signed Senate Bill (SB) 266, officially prohibiting the state’s public colleges and universities from spending state or federal money on programs or campus activities that advocate for Diversity, Equity, and Inclusion (DEI). The legislation aims to replace “niche subjects” like Critical Race Theory (CRT) and gender studies with “more employable majors,” according to the governor. The law would also restrict public colleges from providing initiatives like anti-bias, DEI, and cultural competence training for educators, staff members, and students.
DHS Announces Updated STEM Designated Degree Program List. By www.littler.com. Published: Thu, 03 Aug 2023 14:42:51 +0000. On July 12, 2023, the U.S. Department of Homeland Security (DHS) updated the STEM Designated Degree Program List by adding eight new qualifying fields of study. The Program List is generally used to determine whether a degree completed by an F-1 nonimmigrant student qualifies as a science, technology, engineering, or mathematics (STEM) degree as determined by DHS.
Connecticut Addresses E-Cigarettes and Vapor Products, Imposes Signage Requirements on Select Employers. By www.littler.com. Published: Thu, 05 Nov 2015 14:21:46 +0000. Connecticut has passed a new law regulating electronic nicotine delivery systems and vapor products in various venues, including numerous places of employment. Effective October 1, 2015, Public Act No. 15-206 (the Act) supersedes and preempts any relevant provisions of municipal laws or ordinances regarding the use of these products. The Law: The Act prohibits the use of electronic nicotine delivery systems and vapor products in: 1. buildings owned or leased and operated by the state or its political subdivisions,
DOL Opinion Letter Offers Additional Insight Regarding Regular Rate Treatment of Expense Reimbursement Payments. By www.littler.com. Published: Mon, 11 Nov 2024 18:21:11 +0000. On November 8, 2024, the U.S. Department of Labor (DOL) issued Opinion Letter FLSA2024-01. This letter provides additional clarity about whether daily expense reimbursement payments can be excluded from an employee’s regular rate when calculating overtime pay under the Fair Labor Standards Act (FLSA).
Colorado’s Landmark AI Legislation Would Create Significant Compliance Burden for Employers Using AI Tools. By www.littler.com. Published: Thu, 16 May 2024 21:09:22 +0000. UPDATE: On May 17, 2024, Colorado Governor Jared Polis signed Senate Bill 24-205 into law, although not without reservations. Governor Polis sent a letter to the members of the Colorado General Assembly encouraging them to reconsider and amend aspects of Senate Bill 24-205 before it takes effect on February 1, 2026.
Canada: SCC Decision Offers Potential Insight into Privacy Rights for Private-Sector Employees. By www.littler.com. Published: Thu, 08 Aug 2024 19:55:42 +0000. In a significant decision focused on public employers, the Supreme Court of Canada (SCC) recently held that Ontario public school boards are “government” and, as such, they are subject to the provisions of the Canadian Charter of Rights and Freedoms (Charter), and their teachers are protected from unreasonable search and seizure in their places of employment. In York Region District School Board v.
Businesses breathe sigh of relief after Dutch expat tax reversal. By www.littler.com. Published: Tue, 29 Oct 2024 19:30:05 +0000. Stephan Swinkels discusses a major reversal in reforms to Dutch tax law that would have impacted the recruitment and mobility of highly skilled foreign talent. Global Mobility Lawyer (Subscription required).
ETSI releases three specifications for cloud-based digital signatures. By www.etsi.org. Published: Thu, 28 Apr 2022 09:16:42 GMT. Sophia Antipolis, 2 April 2019. The ETSI technical committee on Electronic Signature Infrastructure (TC ESI) has just released a set of three Technical Specifications for cloud-based digital signatures supporting mobile devices: ETSI TS 119 431-1, ETSI TS 119 431-2 and ETSI TS 119 432. This new set of standards supports the creation of digital signatures in the cloud, facilitating digital signature deployment by avoiding the need for specialized user software and secure devices.
ETSI and the Linux Foundation sign Memorandum of Understanding enabling industry standards and Open Source collaboration. By www.etsi.org. Published: Thu, 28 Apr 2022 13:57:05 GMT. San Francisco, US, and Sophia Antipolis, France, 26 April 2019. Today, the Linux Foundation, the nonprofit organization enabling mass innovation through sustainable open source, signed a Memorandum of Understanding with ETSI, the independent organization providing global standards for ICT services across all sectors of industry, to bring open source and standards closer and foster synergies between them.
COAI and ETSI sign MoU to foster a closer co-operation on Telecom Standardization. By www.etsi.org. Published: Tue, 02 Jul 2019 07:17:19 GMT. New Delhi & Sophia Antipolis, 13 May 2019. Acknowledging the role of standards, especially in the context of emerging technologies and technologies of the future, and the need to collaborate and work in partnership with different types of organizations around the world, COAI, the apex industry association representing leading Telecom, Internet, Technology and Digital Services companies, and ETSI, a leading standardization organization for Information and Communication Technology (ICT) standards fulfilling European and global market needs, announced that they will come together once again to work and collaborate on areas of mutual interest.
ETSI signs MoUs with Khronos and OARC for Augmented Reality. By www.etsi.org. Published: Wed, 03 Jun 2020 15:41:00 GMT. Liaison agreements strengthen the outreach of the ETSI group on AR. Sophia Antipolis, 3 June 2020. ETSI has signed two Memoranda of Understanding (MoUs) with the Khronos® Group and OARC (Open AR Cloud Association) to allow the exchange of views and expertise between ETSI and both organizations to further develop interoperability of AR components, systems and services necessary to enable a thriving ecosystem with a diverse range of technologies and solution providers.
SESAR Deployment Manager signs MoU with ETSI for European Air Traffic Management modernization. By www.etsi.org. Published: Thu, 28 Apr 2022 06:23:22 GMT. Sophia Antipolis, 27 July 2020. SESAR Deployment Manager (SDM) has recently signed an MoU with ETSI, namely to participate in the ETSI technical group making standards for aeronautics (TG AERO). SESAR aims at the modernization of Europe’s Air Traffic Management (ATM), crucial for the sustainability of European aviation and the forecasted increase in air traffic by 2035 (pre-COVID-19 forecast). SDM synchronizes and coordinates the deployment of common projects, translating the regulatory requirements to the industry.
‘Designing tomorrow’s world’: ETSI unveils strategy in line with its ambitious vision. By www.etsi.org. Published: Thu, 17 Dec 2020 13:13:55 GMT. Sophia Antipolis, 3 December 2020. At the meeting of its General Assembly yesterday, ETSI validated a new strategy, the result of an intensive development process over the last months. Titled ‘Designing tomorrow’s world’, the strategy has been shaped by ETSI’s diverse global community, drawing on the expertise and experience of more than 900 member organizations that include multinational and smaller companies, start-ups, research organizations and governmental institutions.
The Agricultural Industry Electronics Foundation signs MoU with ETSI. By www.etsi.org. Published: Wed, 20 Jan 2021 10:29:19 GMT. Sophia Antipolis, 20 January 2021. On 7 January, the Agricultural Industry Electronics Foundation (AEF) signed a Memorandum of Understanding (MoU) with ETSI.
ETSI standard to secure digital signatures solves issue for 4,000 banks. By www.etsi.org. Published: Fri, 04 Jun 2021 16:07:39 GMT. Sophia Antipolis, 17 March 2021. ETSI is pleased to unveil ETSI TS 119 182-1, a specification for digital signatures supported by PKI and public key certificates, which authenticates the origin of transactions, ensuring that the originator can be held accountable and that access to sensitive resources can be controlled.
‘Designing tomorrow’s world’: ETSI introduces its new strategy in line with its ambitious vision. By www.etsi.org. Published: Fri, 07 May 2021 12:23:36 GMT. Sophia Antipolis, 5 May 2021. Today ETSI is pleased to introduce its new strategy, the result of an intensive development process over the last months, validated at the ETSI General Assembly in December 2020. Titled ‘Designing tomorrow’s world’, the strategy builds on a recognition of the global importance of Information and Communication Technology (ICT) for sustainable development and for supporting the digital transformation of society.
ETSI virtual training on electronic signatures and trust services: register now! By www.etsi.org. Published: Wed, 26 May 2021 13:42:39 GMT. Sophia Antipolis, 26 May 2021. The ETSI Technical Committee Electronic Signatures and Infrastructures (TC ESI) is organising a training on its standards on trust services and their use. This virtual event will take place on 1 June from 11:00 CEST to 15:00 CEST.
ASIA PKI Consortium signs MoU with ETSI. By www.etsi.org. Published: Thu, 02 Dec 2021 14:38:11 GMT. Sophia Antipolis, 2 December 2021. During the ETSI General Assembly, ASIA PKI and ETSI signed a Memorandum of Understanding (MoU) to structure and strengthen the relationship between both organizations and foster a closer relationship.
PKI Consortium signs MoU with ETSI. By www.etsi.org. Published: Tue, 01 Feb 2022 12:56:06 GMT. Sophia Antipolis, 1 February 2022. On 26 January, PKI Consortium and ETSI signed a Memorandum of Understanding (MoU) to structure and strengthen the relationship between both organizations and foster a closer relationship.
Bureau of Indian Standards signs MoU with ETSI. By www.etsi.org. Published: Mon, 16 May 2022 08:26:52 GMT. Sophia Antipolis, 16 May 2022. Bureau of Indian Standards (BIS), India’s national standards body, has signed a Memorandum of Understanding (MoU) with the European standards body ETSI with a common objective to perform and promote international standardization, which will benefit both by adopting a complementary approach to standardization, fostering closer cooperation, and further strengthening their relationship.
ETSI eSignature testing event helps industry to comply with EU regulation. By www.etsi.org. Published: Tue, 26 Jul 2022 08:11:45 GMT. Sophia Antipolis, 22 July 2022. With the eIDAS Regulation, European Union Member States have put in place the necessary technical means to process electronically signed documents that are required when using an online service offered by, or on behalf of, a public sector body. In order to ensure that the cross-border dimension works in practice, testing needs to be done to mutually check Member States’ signatures against their existing digital signature validation applications.
ETSI signs MoU with the French organization for railway standardization. By www.etsi.org. Published: Mon, 24 Oct 2022 08:53:00 GMT. Sophia Antipolis, 24 October 2022. ETSI and the Bureau de normalisation ferroviaire (BNF), the French organization for railway standardization, have just signed a Memorandum of Understanding to structure and strengthen their relationship.
ETSI signs MoU with the OpenID Foundation. By www.etsi.org. Published: Tue, 25 Oct 2022 06:31:39 GMT. Sophia Antipolis, 25 October 2022. ETSI and the OpenID Foundation signed a Memorandum of Understanding on 12 September to contribute to the establishment of a global information infrastructure.
6G-IA and ETSI sign MoU bridging the gap between European research, standards and industry. By www.etsi.org. Published: Tue, 24 Jan 2023 09:09:38 GMT. Sophia Antipolis, France / Brussels, Belgium, 24 January 2023. The 6G-IA brings together a global industry community of telecoms and digital actors such as operators, manufacturers, research institutes, universities, verticals, SMEs and ICT associations. The association carries out a wide range of activities in strategic areas including standardization, frequency spectrum, R&D projects, technology skills, collaboration with key vertical industry sectors, notably the development of trials, and international cooperation.
New ETSI White Paper on MEC Support for Edge Native Design: an application developer perspective. By www.etsi.org. Published: Thu, 22 Jun 2023 13:06:18 GMT. Sophia Antipolis, 22 June 2023. ETSI has just released a new White Paper on “MEC Support for Edge Native Design” written by members of the ETSI Multi-access Edge Computing group (ISG MEC). This White Paper provides an overview and vision of the Edge Native approach, as a natural evolution of Cloud Native.
ETSI releases standard for IT solution providers to comply with EU regulation on electronic signatures in email messages. By www.etsi.org. Published: Tue, 19 Sep 2023 15:47:36 GMT. Sophia Antipolis, 20 September 2023. ETSI has published a new standard on “Requirements for trust service providers issuing publicly trusted S/MIME certificates” (ETSI TS 119 411-6), helping Trust Service Providers comply with new standards for S/MIME certificates that have been enforced since 1 September 2023. Secure MIME (S/MIME) certificates are used to sign, verify, encrypt, and decrypt email messages.
ETSI Signs Pledge to Future Standardization Professionals. By www.etsi.org. Published: Thu, 30 Nov 2023 15:07:44 GMT. Sophia Antipolis, 30 November 2023. ETSI proudly announces its commitment to fostering the education and skills development of the next generation of European standardization professionals. This initiative is part of a voluntary pledge which ETSI’s Director-General Luis Jorge Romero signed today in Brussels in the presence of the Commissioner for Internal Market of the European Union, Thierry Breton. It was launched by the European Commission’s High-Level Forum on European Standardization, specifically under the workstream on Education and Skills.
Future confidence: Inaugural LTA Signature Augmentation and Validation Plugtests™ focuses on Long-Term Archive signatures. By www.etsi.org. Published: Fri, 12 Apr 2024 08:59:25 GMT. Sophia Antipolis, 21 February 2024. ETSI’s first LTA Signature Augmentation and Validation Plugtests™ has seen international participants exchange over 35 000 digital signature validation reports. Held from 23 October to 22 December 2023, the remote interoperability event was organized by the ETSI Centre for Testing and Interoperability (CTI), on behalf of ETSI’s Technical Committee for Electronic Signatures and Trust Infrastructures (TC ESI). This Plugtests™ event was facilitated with the support and co-funding of the European Commission (EC) and the European Free Trade Association (EFTA). Conducted using a dedicated web portal, sessions over the month-long Plugtests™ attracted the involvement of 190 participants from 121 organizations across 38 countries.
Graphic Designer II. By phf.tbe.taleo.net. Published: Thu, 11 Jul 2024 20:27:58 GMT. Job Summary: The International Food Policy Research Institute (IFPRI) seeks a highly motivated Graphic Designer II to join our Communications and Public Affairs team. This position is a one-year, renewable appointment, based in its New Delhi office, India, and reports to the Manager for Creative Solutions, who is based in Washington, DC. The Graphic Designer will produce high-quality and professional visual communication products to promote IFPRI's research to a diverse range of target audiences and through multiple channels. The successful candidate will be an enthusiastic, creative, and team-oriented individual with experience designing and delivering compelling visual communication outputs in a dynamic environment. Interested candidates should submit a resume, cover letter, and a portfolio demonstrating their graphic design work. The portfolio should include a variety of projects showcasing skills in typography, layout, creativity, and use of design software (Adobe InDesign, Illustrator, Photoshop, and Canva) and include links to digital portfolios or PDF attachments. Applications without a portfolio will not be considered. Interested applicants must have work authorization to work in India.
Essential Duties: Specific duties and responsibilities include but are not limited to: Design both print and digital visual communication products: Develop multiple design concepts and carry them through to final delivery, including but not limited to conference banners, brochures, data visualizations, flyers, posters, presentations, research reports, and websites. Layout print publications: Design and lay out policy papers and reports while assisting in the creation of flexible InDesign templates. Create engaging digital content: Design visual content for the IFPRI website, interactive applications, social media, and email campaigns. Apply design principles: Utilize knowledge of layout, color theory, typography, and iconography to execute a wide variety of graphic design projects for both print and digital media. Provide branding guidance: Ensure IFPRI products adhere to a consistent visual style and uphold professional standards, providing branding guidance to staff as needed. Brand design: Develop and execute creative concepts for branding, including logos, typography, color palettes, and overall visual identity. Innovate in interactive design: Lead initiatives on using innovative methods of interactive design to communicate research findings to both new and established audiences. Web Design: Develop visual design for IFPRI’s main website and microsites, ensuring adherence to style guidelines. Coordinate printing: Manage the printing process of IFPRI publications and materials with local and international vendors. Collaborate effectively: Work collaboratively across the institution to ensure the timely delivery of high-quality design deliverables. Monitor and educate on digital trends: Stay updated on current digital trends, technologies, and industry standards, and educate both the team and IFPRI staff on best practices.
Required Qualifications: Bachelor's Degree in Art Design, Fine Arts, Communications, Marketing or related field plus five years of relevant professional experience, or Master’s plus three years in a related field. Experience in graphic design, producing high-quality artwork, illustrations, and other graphics for communication purposes, including websites. Proven graphic design experience with a strong portfolio demonstrating excellent typography, layout, and creativity. Extensive experience with Adobe InDesign, Illustrator, and Photoshop. Basic knowledge/understanding of DTP software like Corel Draw. Proficiency in using Canva for creating and managing visual content. In-depth knowledge and understanding of social media and web platforms, with demonstrated experience generating engaging content. Familiarity with designing within PowerPoint and MS Word. Ability to work quickly to meet tight deadlines and handle multiple projects simultaneously. Outstanding organizational and planning skills, with exceptional attention to detail. Strong interpersonal and collaboration skills; proven ability to be flexible in a team-oriented environment with diverse groups of people.
Physical Demand & Work Environment: Employee will sit in an upright position for a long period of time. Employee will lift between 0-10 pounds. Employee is required to have close visual acuity to perform activities such as: data preparation, web-scraping, preparing and analyzing data and figures; dashboards; viewing computer terminal; extensive coding.
sig From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25 By www.tenable.com Published On :: Tue, 22 Oct 2024 11:11:11 -0400 Twenty-five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.

Background

In January 1999, David E. Mann and Steven M. Christey published the paper “Towards a Common Enumeration of Vulnerabilities”, describing an effort to create interoperability between multiple vulnerability databases. To achieve a common taxonomy for vulnerabilities and exposures, they proposed Common Vulnerabilities and Exposures (CVE). In September 1999, the MITRE Corporation finalized the first CVE list, which included 321 records. CVE was revealed to the world the following month.

As of October 2024, there are over 240,000 CVEs, including many that have significantly impacted consumers, businesses and governments. The Tenable Security Response Team has chosen to highlight the following 25 significant vulnerabilities, followed by links to product coverage for Tenable customers to utilize.

25 Significant CVEs

CVE-1999-0211: SunOS Arbitrary Read/Write Vulnerability
Arbitrary Read | Arbitrary Write | Local | Critical | 1999
Why it’s significant: To our knowledge, there is no formally recognized “first CVE.” However, the GitHub repository for CVE.org shows that the first CVE submitted was CVE-1999-0211, on September 29, 1999 at 12:00AM. Because it was the first one, we’ve chosen to highlight it. The vulnerability was first identified in 1991 and a revised patch was issued in 1994.

CVE-2010-2568: Windows Shell Remote Code Execution Vulnerability
Remote Code Execution | Exploited | Zero-Day | Local | Stuxnet | High | 2010
Why it’s significant: Regarded as one of the most sophisticated cyberespionage tools ever created, Stuxnet was designed to target SCADA systems in industrial environments, reportedly to sabotage Iran’s nuclear program. Stuxnet exploited CVE-2010-2568 as one of its initial infection vectors, spreading via removable drives. Once a compromised USB drive was inserted into a system, Stuxnet was executed automatically via the vulnerability, infecting the host machine and propagating to other systems through network shares and additional USB drives.

CVE-2014-0160: OpenSSL Information Disclosure Vulnerability
Heartbleed | Information Disclosure | Exploited | Zero-Day | Network | Cybercriminals | High | 2014
Why it’s significant: Dubbed “Heartbleed” because it was found in the Heartbeat extension of OpenSSL, this vulnerability allows an attacker, without prior authentication, to send a malicious heartbeat request with a false length field, claiming the packet contains more data than it does. The receiving system would then return data from its memory extending beyond the legitimate request, which may include sensitive private data such as server keys and user credentials. OpenSSL is used by millions of websites, cloud services and even VPN software for encryption, making Heartbleed one of the most widespread vulnerabilities at the time.

CVE-2014-6271: GNU Bash Shellshock Remote Code Execution Vulnerability
Shellshock, Bash Bug | Remote Code Execution | Exploited | Zero-Day | Network | Cybercriminals | Critical | 2014
Why it’s significant: An attacker could craft an environment variable that contained both a function definition and additional malicious code. When Bash, a command interpreter used by Unix-based systems including Linux and macOS, processed this variable, it would define the function but also run the arbitrary commands appended after the function definition. “Shellshock” quickly became one of the most severe vulnerabilities discovered, comparable to Heartbleed in potential impact. Attackers could exploit Shellshock to gain full control of vulnerable systems, leading to data breaches, service interruptions and malware deployment. The impact extended far beyond local systems.
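The Heartbleed entry above describes the bug as a length field that the server trusts without checking it against the bytes that actually arrived. The following C model is an added example, not code from the Tenable article or from OpenSSL: it places a heartbeat request in a constructed process buffer next to constructed "secret" bytes and shows the unchecked copy beside the corrected check (claimed payload plus header and padding must fit inside the received record). The record layout, constants and function names are this example's own simplifications of the real protocol.

```c
/*
 * Added example (not from the Tenable article or OpenSSL's source): a
 * simplified model of the heartbeat handling behind CVE-2014-0160, showing
 * the missing length check and the corrected check side by side. The
 * record layout, buffer contents and names are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_HEADER   3      /* type (1 byte) + claimed payload length (2 bytes) */
#define HB_PADDING 16      /* minimum padding that must follow the payload */

/* A heartbeat record as it sits in the receive buffer. `length` is the
 * number of bytes that actually arrived; `data` points into a larger
 * process buffer, so reading past `length` reads adjacent memory. */
struct tls_record {
    const uint8_t *data;
    size_t         length;
};

/* Payload length as claimed by the peer (16-bit big-endian field). */
static size_t claimed_payload_len(const struct tls_record *rec) {
    return ((size_t)rec->data[1] << 8) | rec->data[2];
}

/* Vulnerable behaviour: trust the claimed length and copy that many bytes
 * from the payload offset, regardless of how many bytes were received.
 * Returns the number of bytes placed in `out`. */
size_t heartbeat_reply_vulnerable(const struct tls_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < HB_HEADER || rec->data[0] != HB_REQUEST) return 0;
    size_t payload = claimed_payload_len(rec);
    if (payload > out_cap) payload = out_cap;     /* only protects this model's own buffer */
    memcpy(out, rec->data + HB_HEADER, payload);  /* reads beyond rec->length */
    return payload;
}

/* Hardened behaviour: header + claimed payload + padding must fit within the
 * bytes actually received; otherwise the record is silently discarded. */
size_t heartbeat_reply_fixed(const struct tls_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < HB_HEADER + HB_PADDING || rec->data[0] != HB_REQUEST) return 0;
    size_t payload = claimed_payload_len(rec);
    if (HB_HEADER + payload + HB_PADDING > rec->length) return 0;  /* the bounds check */
    if (payload > out_cap) return 0;
    memcpy(out, rec->data + HB_HEADER, payload);
    return payload;
}

/* Constructed scenario: a 128-byte process buffer holds a heartbeat record
 * that claims 64 payload bytes but carries only 4 (plus 16 bytes of padding),
 * followed at offset 32 by unrelated constructed secret bytes. */
static uint8_t process_memory[128];
static const char secret[] = "CONSTRUCTED-SECRET-BYTES";

static struct tls_record build_scenario(void) {
    memset(process_memory, 0, sizeof process_memory);
    uint8_t *p = process_memory;
    p[0] = HB_REQUEST;
    p[1] = 0x00; p[2] = 0x40;                 /* claims 64 bytes of payload */
    memcpy(p + HB_HEADER, "ping", 4);         /* only 4 real payload bytes */
    memcpy(p + 32, secret, sizeof secret);    /* adjacent memory, not part of the record */
    struct tls_record rec = { p, HB_HEADER + 4 + HB_PADDING };  /* 23 bytes received */
    return rec;
}

/* 1 if the unchecked path's reply contains the adjacent secret bytes. */
int vulnerable_leaks_secret(void) {
    struct tls_record rec = build_scenario();
    uint8_t out[128] = {0};
    size_t n = heartbeat_reply_vulnerable(&rec, out, sizeof out);
    /* out[i] mirrors process_memory[HB_HEADER + i], so the secret lands at 32 - HB_HEADER */
    return n == 64 && memcmp(out + (32 - HB_HEADER), secret, sizeof secret - 1) == 0;
}

/* 1 if the checked path drops the over-long claim entirely. */
int fixed_rejects_oversized_claim(void) {
    struct tls_record rec = build_scenario();
    uint8_t out[128] = {0};
    return heartbeat_reply_fixed(&rec, out, sizeof out) == 0;
}

/* A well-formed request (claims 4 bytes, carries 4) is still answered. */
size_t fixed_serves_valid_request(void) {
    struct tls_record rec = build_scenario();
    process_memory[1] = 0x00; process_memory[2] = 0x04;
    uint8_t out[128] = {0};
    return heartbeat_reply_fixed(&rec, out, sizeof out);
}

int main(void) {
    printf("vulnerable path leaks adjacent secret: %d\n", vulnerable_leaks_secret());
    printf("fixed path rejects oversized claim:    %d\n", fixed_rejects_oversized_claim());
    printf("fixed path serves valid request:       %zu bytes\n", fixed_serves_valid_request());
    return 0;
}
```

The check in `heartbeat_reply_fixed` is the shape of the actual remediation: the attacker controls the claimed length, so the only trustworthy bound is the record length the TLS layer itself recorded when the bytes arrived.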
Bash is used by numerous services, particularly web servers, via CGI scripts to handle HTTP requests.

CVE-2015-5119: Adobe Flash Player Use After Free
Remote Code Execution | Denial-of-Service | Exploited | Zero-Day | Cybercriminals | APT Groups | Critical | 2015
Why it’s significant: Discovered during the Hacking Team data breach, it was quickly weaponized, appearing in multiple exploit kits. CVE-2015-5119 is a use-after-free flaw in Flash’s ActionScript ByteArray class, allowing attackers to execute arbitrary code by tricking users into visiting a compromised website. It was quickly integrated into attack frameworks used by Advanced Persistent Threat (APT) groups like APT3, APT18 and Fancy Bear (APT28). These groups, with ties to China and Russia, used the vulnerability to spy on and steal data from governments and corporations. Fancy Bear has been associated with nation-state cyber warfare, exploiting Flash vulnerabilities to gather political and military intelligence. This flaw, along with several other Flash vulnerabilities, highlighted Flash’s risks, accelerating its eventual phase-out.

CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution Vulnerability
Remote Code Execution | Exploited | Network | Cybercriminals | APT Groups | High | 2017
Why it’s significant: The vulnerability existed for 17 years in Equation Editor (EQNEDT32.EXE), a legacy Microsoft Office component used to insert and edit complex mathematical equations within documents. Once CVE-2017-11882 became public, cybercriminals and APT groups included it in maliciously crafted Office files. It became one of 2018’s most exploited vulnerabilities and continues to be used by various threat actors, including SideWinder.

CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability
EternalBlue | Remote Code Execution | Exploited | Network | WannaCry, NotPetya | High | 2017
Why it’s significant: CVE-2017-0144 was discovered by the National Security Agency (NSA) and leaked by a hacker group known as the Shadow Brokers, making it widely accessible. Dubbed “EternalBlue,” its capacity to propagate laterally through networks, often infecting unpatched machines without human interaction, made it highly dangerous. It was weaponized in the WannaCry ransomware attack in May 2017 and spread globally. It was reused by NotPetya, a data-destroying wiper originally disguised as ransomware. NotPetya targeted companies in Ukraine before spreading worldwide, making it one of history’s costliest cyberattacks.

CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution Vulnerability
Remote Code Execution | Exploited | Network | Equifax Breach | Critical | 2017
Why it’s significant: This vulnerability affects the Jakarta Multipart Parser in Apache Struts 2, a popular framework for building Java web applications. An attacker can exploit it by injecting malicious code into HTTP headers during file uploads, resulting in remote code execution (RCE) and giving attackers control of the web server. CVE-2017-5638 was used in the Equifax breach, where the personal and financial data of 147 million people was stolen, emphasizing the importance of patching widely used frameworks, particularly in enterprise environments, to prevent catastrophic data breaches.

CVE-2019-0708: Remote Desktop Services Remote Code Execution Vulnerability
BlueKeep, DejaBlue | Remote Code Execution | Exploited | Network | Ransomware Groups | Cybercriminals | Critical | 2019
Why it’s significant: Dubbed “BlueKeep,” this vulnerability in Windows Remote Desktop Services (RDS) was significant for its potential for widespread, self-propagating attacks, similar to the infamous WannaCry ransomware. An attacker could exploit this flaw to execute arbitrary code and take full control of a machine through Remote Desktop Protocol (RDP), a common method for remote administration. BlueKeep was featured in the Top Routinely Exploited Vulnerabilities list in 2022 and was exploited by affiliates of the LockBit ransomware group.

CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability
SMBGhost, EternalDarkness | Remote Code Execution | Exploited | Network | Cybercriminals | Ransomware Groups | Critical | 2020
Why it’s significant: Its discovery evoked memories of EternalBlue because of its potential to be wormable, which is what led to it becoming a named vulnerability. Researchers found it trivial to identify the flaw and develop proof-of-concept (PoC) exploits for it. It was exploited in the wild by cybercriminals, including the Conti ransomware group and its affiliates.

CVE-2019-19781: Citrix ADC and Gateway Remote Code Execution Vulnerability
Path Traversal | Exploited | Network | APT Groups | Ransomware Groups | Cybercriminals | Critical | 2019
Why it’s significant: This vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway is significant due to its rapid exploitation by multiple threat actors, including state-sponsored groups and ransomware affiliates. By sending crafted HTTP requests, attackers could gain RCE and take full control of affected devices to install malware or steal data. The vulnerability remained unpatched for a month after its disclosure, leading to widespread exploitation. Unpatched systems are still being targeted today, highlighting the risk of ignoring known vulnerabilities.

CVE-2019-10149: Exim Remote Command Execution Vulnerability
Remote Command Execution | Exploited | Network | APT Groups | Cybercriminals | Critical | 2019
Why it’s significant: This vulnerability in Exim, a popular Mail Transfer Agent, allows attackers to execute arbitrary commands with root privileges simply by sending a specially crafted email. The availability of public exploits led to widespread scanning and exploitation of vulnerable Exim servers, with attackers using compromised systems to install cryptocurrency miners (cryptominers), launch internal attacks or establish persistent backdoors. The NSA warned that state-sponsored actors were actively exploiting this flaw to compromise email servers and gather sensitive information.

CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability
Zerologon | Elevation of Privilege | Exploited | Local | Ransomware Groups | APT Groups | Cybercriminals | Critical | 2020
Why it’s significant: This vulnerability in the Netlogon Remote Protocol (MS-NRPC) allows attackers with network access to a Windows domain controller to reset its password, enabling them to impersonate the domain controller and potentially take over the entire domain. Its severity was underscored when Microsoft reported active exploitation less than two months after disclosure and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to patch the flaw. Despite available patches, it continues to be exploited by ransomware groups, APT groups and others, highlighting its broad and ongoing impact on network security.

CVE-2017-5753: CPU Speculative Execution Bounds Check Bypass Vulnerability
Spectre | Speculative Execution Bounds Check Bypass | Local | Medium | 2018
Why it’s significant: In speculative execution, a microprocessor that would otherwise sit idle waiting for data guesses which instructions come next and executes them ahead of time. Although meant to enhance performance, this mechanism turned out to be a fundamental design flaw affecting the security of numerous modern processors. In Spectre’s case, an attacker-controlled process could read arbitrary memory belonging to another process. Since its discovery in January 2018, Spectre has affected nearly all modern processors from Intel, AMD and ARM. While it is difficult to execute a successful Spectre attack, fully remediating the root cause is hard and requires microcode as well as operating system updates to mitigate the risk.

CVE-2017-5754: CPU Speculative Execution Rogue Data Cache Load Vulnerability
Meltdown | Speculative Execution Rogue Data Cache Load | Local | High | 2018
Why it’s significant: Meltdown, another speculative execution vulnerability released alongside Spectre, can allow a userspace program to read privileged kernel memory. It exploits a race condition between the memory access and the privilege check while instructions are executed speculatively. Meltdown impacts desktop, laptop and cloud systems and, according to researchers, may affect nearly every Intel processor released since 1995. With such wide-reaching impact, both Spectre and Meltdown sparked major interest in a largely unexplored security area. The result: a slew of research and vulnerability discoveries, many of which were also given names and logos. While there is no evidence of a successful Meltdown exploit, the discovery showcased the risk of relying on security boundaries enforced by hardware.

CVE-2021-36942: Windows LSA Spoofing Vulnerability
PetitPotam | Spoofing | Exploited | Zero-Day | Network | Ransomware Groups | High | 2021
Why it’s significant: This vulnerability can force domain controllers to authenticate to an attacker-controlled destination. Shortly after a PoC was disclosed, it was adopted by ransomware groups like LockFile, which chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers. Patched in the August 2021 Patch Tuesday release, the initial patch for CVE-2021-36942 only partially mitigated the issue, with Microsoft pushing general mitigation guidance for defending against NTLM relay attacks.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool Remote Code Execution
Follina | Remote Code Execution | Exploited | Zero-Day | Local | Qakbot, Remcos | High | 2022
Why it’s significant: Follina, a zero-day RCE vulnerability in the Windows Support Diagnostic Tool (MSDT) impacting several versions of Microsoft Office, was later designated CVE-2022-30190. After public disclosure in May 2022, Microsoft patched Follina in the June 2022 Patch Tuesday. After disclosure, reports suggested that Microsoft had dismissed the flaw’s initial report as early as April 2022. Follina has been widely adopted by threat actors and was associated with some of 2021’s top malware strains in a joint cybersecurity advisory from CISA and the Australian Cyber Security Centre (ACSC), operating under the Australian Signals Directorate (ASD).

CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability
Log4Shell | Remote Code Execution | Exploited | Network | Cybercriminals | APT Groups | Critical | 2021
Why it’s significant: Log4j, a Java logging library widely used across many products and services, created a large attack surface. The discovery of CVE-2021-44228, dubbed “Log4Shell,” caused great concern, as exploitation simply requires sending a specially crafted request to a server running a vulnerable version of Log4j. After its disclosure, Log4Shell was exploited in attacks by cryptominers, DDoS botnets, ransomware groups and APT groups, including those affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

CVE-2021-26855: Microsoft Exchange Server Server-Side Request Forgery Vulnerability
ProxyLogon | Server-Side Request Forgery (SSRF) | Exploited | Zero-Day | Network | APT Groups | Ransomware Groups | Cybercriminals | Critical | 2021
Why it’s significant: CVE-2021-26855 was discovered as a zero-day along with four other vulnerabilities in Microsoft Exchange Server. It was exploited by a nation-state threat actor dubbed HAFNIUM. By sending a specially crafted HTTP request to a vulnerable Exchange Server, an attacker could steal the contents of user mailboxes using ProxyLogon. Outside of HAFNIUM, ProxyLogon has been used by ransomware groups and other cybercriminals. Its discovery created a domino effect, as other Exchange Server flaws, including ProxyShell and ProxyNotShell, were discovered, disclosed and subsequently exploited by attackers.

CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution Vulnerability
PrintNightmare | Remote Code Execution | Exploited | Local | APT Groups | Ransomware Groups | Cybercriminals | High | 2021
Why it’s significant: This RCE in the ubiquitous Windows Print Spooler could grant authenticated attackers arbitrary code execution as SYSTEM. There was confusion surrounding the disclosure of this flaw, identified as CVE-2021-34527 and dubbed “PrintNightmare.” Originally, CVE-2021-1675, disclosed in June 2021, was believed to be the real PrintNightmare. However, Microsoft noted that CVE-2021-1675 is “similar but distinct” from PrintNightmare. Since its disclosure, several further Print Spooler vulnerabilities have been disclosed, while a variety of attackers, including the Magniber and Vice Society ransomware groups, have exploited PrintNightmare.

CVE-2021-27101: Accellion File Transfer Appliance (FTA) SQL Injection Vulnerability
SQL Injection | Exploited | Zero-Day | Network | Ransomware Group | Critical | 2021
Why it’s significant: The file transfer appliance from Accellion (now known as Kiteworks) was exploited as a zero-day by the CLOP ransomware group between December 2020 and early 2021. Mandiant, hired by Kiteworks to investigate, determined that CLOP (aka UNC2546) exploited several flaws in FTA, including CVE-2021-27101. This was CLOP’s first foray into targeting file transfer solutions, which provide an easy avenue for the exfiltration of sensitive data that can then be used for extortion.

CVE-2023-34362: Progress Software MOVEit Transfer SQL Injection Vulnerability
SQL Injection | Exploited | Zero-Day | Network | Ransomware Group | Critical | 2023
Why it’s significant: CLOP’s targeting of file transfer solutions culminated in the discovery of CVE-2023-34362, a zero-day in Progress Software’s MOVEit Transfer, a secure managed file transfer product. CLOP targeted MOVEit in May 2023 and the ramifications are still felt today. According to research conducted by Emsisoft, 2,773 organizations have been impacted and information on over 95 million individuals has been exposed as of October 2024. This attack underscored the value in targeting file transfer solutions.

CVE-2023-4966: Citrix NetScaler and ADC Gateway Sensitive Information Disclosure Vulnerability
CitrixBleed | Information Disclosure | Exploited | Zero-Day | Network | Ransomware Groups | APT Groups | Critical | 2023
Why it’s significant: CVE-2023-4966, also known as “CitrixBleed,” is very simple to exploit. An unauthenticated attacker could send a specially crafted request to a vulnerable NetScaler ADC or Gateway endpoint and obtain valid session tokens from the device’s memory. These session tokens could be replayed to bypass authentication, and remained valid even after the available patches had been applied. CitrixBleed saw mass exploitation after its disclosure, and ransomware groups like LockBit 3.0 and Medusa adopted it.

CVE-2023-2868: Barracuda Email Security Gateway (ESG) Remote Command Injection Vulnerability
Remote Command Injection | Exploited | Zero-Day | Network | APT Groups | Critical | 2023
Why it’s significant: Researchers found evidence of zero-day exploitation of CVE-2023-2868 by the APT group UNC4841 as early as October 2022. While Barracuda released patches in May 2023, the FBI issued a flash alert in August 2023 declaring them “ineffective,” stating that “active intrusions” were being observed on patched systems. This led Barracuda to make the unprecedented recommendation of the “immediate replacement of compromised ESG appliances, regardless of patch level.”

CVE-2024-3094: XZ Utils Embedded Malicious Code Vulnerability
Embedded Malicious Code | Zero-Day | Unknown Threat Actor (Jia Tan) | Critical | 2024
Why it’s significant: CVE-2024-3094 is not a traditional vulnerability. It is a CVE assigned to a supply-chain backdoor discovered in XZ Utils, a compression library found in various Linux distributions. Developer Andres Freund discovered the backdoor while investigating SSH performance issues. CVE-2024-3094 highlighted a coordinated supply chain attack by an unknown individual who contributed to the XZ GitHub project for two and a half years, gaining the trust of the project’s developer before introducing the backdoor. The outcome of this supply chain attack could have been far worse were it not for Freund’s discovery.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages: CVE-1999-0211, CVE-2010-2568, CVE-2014-0160, CVE-2014-6271, CVE-2015-5119, CVE-2017-11882, CVE-2017-0144, CVE-2017-5638, CVE-2019-0708, CVE-2020-0796, CVE-2019-19781, CVE-2019-10149, CVE-2020-1472, CVE-2017-5753, CVE-2017-5754, CVE-2021-36942, CVE-2022-30190, CVE-2021-44228, CVE-2021-26855, CVE-2021-34527, CVE-2021-27101, CVE-2023-34362, CVE-2023-4966, CVE-2023-2868, CVE-2024-3094. Full Article