Slashdot security articles


Pwn2Own Contest Will Pay $900,000 For Hacks That Exploit Tesla's Model 3

Tue, 01/15/2019 - 18:05
The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla. Pwn2Own is run in conjunction with the CanSecWest conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's gateway, autopilot, or VCSEC." "A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

Hackers Broke Into An SEC Database and Made Millions From Inside Information, Says DOJ

Tue, 01/15/2019 - 17:45
Federal prosecutors unveiled charges in an international stock-trading scheme that involved hacking into the Securities and Exchange Commission's EDGAR corporate filing system. "The scheme allegedly netted $4.1 million for fraudsters from the U.S., Russia and Ukraine," reports CNBC. "Using 157 corporate earnings announcements, the group was able to execute trades on material nonpublic information. Most of those filings were 'test filings,' which corporations upload to the SEC's website." From the report: The scheme involves seven individuals and operated from May to at least October 2016. Prosecutors said the traders were part of the same group that previously hacked into newswire services. Carpenito, in a press conference Tuesday, said the thefts included thousands of valuable, private business documents. "After hacking into the EDGAR system they stole drafts of [these] reports before the information was disseminated to the general public," he said. Those documents included quarterly earnings, mergers and acquisitions plans and other sensitive news, and the criminals were able to view it before it was released as a public filing, thus affecting the individual companies' stock prices. The alleged hackers executed trades on the reports and also sold them to other illicit traders. One inside trader made $270,000 in a single day, according to Carpenito. The hackers used malicious software sent via email to SEC employees. Then, after planting the software on the SEC computers, they sent the information they were able to gather from the EDGAR system to servers in Lithuania, where they either used it or distributed the data to other criminals, Carpenito said.

Project Alias Hacks Amazon Echo and Google Home To Protect Your Privacy

Tue, 01/15/2019 - 15:20
fahrbot-bot writes: The gadget, called Alias, is an always-listening speaker, designed to fit on top of an Amazon Echo or Google Home, where it looks like a mass of melted candle wax. It's composed of a 3D-printed top layer, a mic array, a Raspberry Pi, and two speakers. It only connects to the internet during the initial setup process. Alias stays "off the grid" while you're using it, preventing your conversations from leaving the device. When the Alias hears its own (customizable) wake word, it'll stop broadcasting white noise and wake up Alexa or Google Assistant so you can use them as normal.

WordPress To Show Warnings on Servers Running Outdated PHP Versions

Tue, 01/15/2019 - 10:02
The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. From a report: The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (5.6 or lower). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. [...] Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS.

DerbyCon Will Hold Its Last InfoSec Conference in September This Year

Mon, 01/14/2019 - 20:55
DerbyCon 9.0, the upcoming edition of the popular InfoSec conference in September, will be its last. From an official announcement: When we first started DerbyCon, our goal was to create a conference where we could all come together to collaborate and share as a community, but most importantly as a profession. DerbyCon 1.0 was a huge gamble for us both personally and financially, but we believed in what we were doing, and it worked. For those that don't know the history of DerbyCon, it started off inside of a pizza shop as an idea between a few friends. Our goal was to create an affordable conference that shared a lot of what we had experienced in our early days in security. The ideas of collaboration, community, and the betterment of the industry and the safety of technology were at the forefront. At the end of DerbyCon 1.0, we realized that the conference was a huge success and our dream became a reality. [...] What we have had to deal with on the back-end the past few years is more than just running a conference and sharing with friends. The conference scene in general changed drastically and small pocket groups focus on outrage and disruption where there is no right answer (regardless of how you respond, it's wrong), instead of coming together, or making the industry better. There is a small, yet vocal group of people creating negativity, polarization, and disruption, with the primary intent of self-promotion to advance a career, for personal gain, or for more social media followers. Individuals that would have us be judge, jury, and executioner for people they have had issues with outside of the conference that has nothing to do with the conference itself. Instead of working hard in research, being a positive force in the industry, or sharing their own unique experiences (which makes us better as a whole), they tear others down in order to promote themselves. 
This isn't just about DerbyCon, it is present at other conferences as well and it's getting worse each year. We've spoken with a number of conference organizers, and each year it becomes substantially more difficult to host a conference where people can come together in large group settings. It's not just conferences either. This behavior is happening all over the place on social media, in our industry, targeting people trying to do good. As a community, we add fuel to fire, attack others, and give them a platform in one massive toxic environment. We do this all in fear of repercussions from upsetting others. Until this pattern changes, it will continue to get worse.

Tidal Under Criminal Investigation In Norway Over 'Faked' Streams

Mon, 01/14/2019 - 16:10
An anonymous reader quotes a report from Engadget: High-fidelity music streaming service Tidal is under criminal investigation in Norway for allegedly inflating album streams for Beyonce's Lemonade and Kanye West's The Life of Pablo. The alleged faking of streaming numbers was exposed last year by Norwegian newspaper Dagens Naeringsliv (DN), which said it had obtained a hard drive with the tampered data. Around 1.3 million accounts were supposedly used to lift the play counts of said albums by "several hundred million," with Tidal paying out higher royalty fees to the two artists and their record labels as a result. In the wake of the report, a Norwegian songwriter's association known as Tono filed an official police complaint against Tidal. The Jay-Z-owned streaming service denied the accusations and subsequently launched an internal review to be conducted by a third-party cyber security company, which is still ongoing. Today, DN revealed that Norway's National Authority for Investigation and Prosecution of Economic and Environmental Crime (Okokrim) has begun an investigation into data manipulation at Tidal. Though still in its early stages, Okokrim says that at least four former Tidal employees (including its former head of business intelligence -- responsible for analyzing streams) have been interrogated in front of a judge as part of the investigation. The quartet have faced a total of 25 hours of questioning thus far. Three former staffers reportedly recognized signs of meddling with the albums and contacted a lawyer before notifying Tidal. "All three individuals resigned from the company in 2016 after signing what a DN source called 'the gold standard of confidentiality contracts,'" reports Engadget.

Hack Allows Escape of Play-With-Docker Containers

Mon, 01/14/2019 - 15:30
secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," wrote researchers in a technical write-up posted Monday. Play-with-Docker is an open source free in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having the Alpine Linux Virtual Machine in browser, allowing users to build and run Docker containers in various configurations. The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."

Windows 7 Enters Its Final Year of Free Support

Mon, 01/14/2019 - 14:10
An anonymous reader quotes a report from Ars Technica: Windows 7's five years of extended support will expire on January 14, 2020 -- exactly one year from today. After this date, security fixes will no longer be freely available for the operating system that's still widely used. As always, the end of free support does not mean the end of support entirely. Microsoft has long offered paid support options for its operating systems beyond their normal lifetime, and Windows 7 is no different. What is different is the way that paid support will be offered. For previous versions of Windows, companies had to enter into a support contract of some kind to continue to receive patches. For Windows 7, however, the extra patches will simply be an optional extra that can be added to an existing volume license subscription -- no separate support contract needed -- on a per-device basis. These Extended Security Updates (ESU) will be available for three years after the 2020 cut-off, with prices escalating each year.

Web Hosting Sites Bluehost, DreamHost, Hostgator, OVH and iPage Were Vulnerable To Simple Account Takeover Hacks

Mon, 01/14/2019 - 13:30
A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account from some of the largest web hosting companies on the internet. From a news report: In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers -- Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability allowing a user account hijack," he told TechCrunch, with which he shared his findings before going public. The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed -- according to Yibelo's writeup -- represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base -- with the potential to go easily wrong. In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost's one million domains and OVH's four million domains -- totaling some seven million domains.

The Super-Secure Quantum Cable Hiding In the Holland Tunnel

Mon, 01/14/2019 - 12:15
Zorro shares a report: Commuters inching through rush-hour traffic in the Holland Tunnel between Lower Manhattan and New Jersey don't know it, but a technology likely to be the future of communication is being tested right outside their car windows. Running through the tunnel is a fiber-optic cable that harnesses the power of quantum mechanics to protect critical banking data from potential spies. The cable's trick is a technology called quantum key distribution, or QKD. Any half-decent intelligence agency can physically tap normal fiber optics and intercept whatever messages the networks are carrying: They bend the cable with a small clamp, then use a specialized piece of hardware to split the beam of light that carries digital ones and zeros through the line. The people communicating have no way of knowing someone is eavesdropping, because they're still getting their messages without any perceptible delay. QKD solves this problem by taking advantage of the quantum physics notion that light -- normally thought of as a wave -- can also behave like a particle. At each end of the fiber-optic line, QKD systems, which from the outside look like the generic black-box servers you might find in any data center, use lasers to fire data in weak pulses of light, each just a little bigger than a single photon. If any of the pulses' paths are interrupted and they don't arrive at the endpoint at the expected nanosecond, the sender and receiver know their communication has been compromised.

Too Many Workers Are Trapped By Non-Competes

Mon, 01/14/2019 - 06:51
Why have wages been so slow to rise at a time when demand for workers has pushed the U.S. unemployment rate to its lowest point in nearly half a century? One answer: contracts that tie millions of unspecialized workers to their jobs. Bloomberg reports: In far too many cases, these so-called noncompetes are an unwarranted restriction on freedom to transact and a drag on growth. If Congress won't act to narrow their scope, states should take the lead. The desire to keep workers from defecting to rival employers is as old as employment itself. As far back as the 15th century, English masters, such as dyers or blacksmiths, made apprentices promise not to set up shop nearby. Courts often refused to uphold such agreements, viewing them as coercive. As a House of Lords decision put it in 1893, "There is obviously more freedom of contract between buyer and seller than between master and servant or between an employer and a person seeking employment." More than a century later, the idea is back in vogue, as companies exploit the power that comes with increasing size and market concentration. In the U.S., new employees are commonly required to sign contracts that forbid them to work in the same industry for a given period. The practice makes sense for highly paid jobs involving big investments in training, and for staff with valuable proprietary knowledge. But it isn't being limited to those kinds of employees. A 2014 survey found that about two in five workers were or had at some point been bound in this way, including workers such as security guards and camp counselors. Some 12 percent of employees without a bachelor's degree and earning less than $40,000 a year were tied down.

Google Reportedly Blacklists 'Ethereum' As a Google Ad Keyword, Startup Claims

Mon, 01/14/2019 - 05:13
An anonymous reader quotes a report from Yahoo: Google has reportedly blacklisted keywords mentioning Ethereum (ETH) on its advertising platform Google Ads, smart contract auditing startup Decenter tweeted on Jan. 10. The official Google Ads account replied to the tweet stating that cryptocurrency exchanges targeting the United States and Japan can be advertised on the platform, and that targeting other countries could be the reason for the ad rejection. When Decenter explained that they are a group of developers doing smart contract security audits and that they were seeing the error message when trying to use the "ethereum development services" and "ethereum security audits" keywords, Google Ads' official account answered: "Although we wouldn't be able to preemptively confirm if your keyword is eligible to trigger ads, we'd recommend that you refer to the 'Cryptocurrencies' section of our policy on Financial products and services." When Decenter asked the Ethereum community on Reddit in an open query about the alleged Google Ads policy changes, the team specified that: "Any of the keywords that contain 'ethereum' in our campaigns are no longer showing ads as of January 9th and are now reporting the following error." Decenter said they have tested keywords for "ethereum smart contract audits" and "eos smart contract audits" and found that only the EOS-referenced keyword showed ads. Google banned all cryptocurrency-related advertising of all types in June 2018. However, Google announced in September 2018 that it would change its ad policy in October, reallowing some crypto businesses to advertise on its platform. Namely, the changes allow cryptocurrency exchange ads in the United States and Japan.

200 Million Chinese Resumes Leak In Huge Database Breach

Sun, 01/13/2019 - 18:02
According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read. Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.

Aaron Swartz's Federal Judge Gives Anonymous Hacker 10 Years In Prison For DDoS Attacks On Children's Hospitals

Sun, 01/13/2019 - 12:20
Danngggg writes: Many will remember Martin Gottesfeld since he was arrested on a speedboat coming from Cuba. He volunteered at trial that he and his wife had just been denied political asylum by Castro. Gottesfeld has said he did it to defend the life of an innocent child named Justina Pelletier. On Thursday, the same judge that oversaw the Aaron Swartz case sentenced the Anonymous hacktivist to 10 years in federal prison for a DDoS of Boston Children's Hospital, Harvard-affiliated hospitals, and Wayside Youth and Family. The sentence included $440,000 in restitution, 3 years supervised release, and other conditions. The week before, Gottesfeld docketed a 690-page affidavit (including exhibits) documenting the judge's conflicts of interest and why he doesn't belong anywhere near the case. That's available on the FreeMartyG website. Local news spoke to his wife after the sentencing hearing as well.

Huawei Fires Employee Arrested In Poland Over Alleged Spying

Sun, 01/13/2019 - 07:15
Chinese tech giant Huawei has fired Weijing Wang, an employee recently arrested in Poland over spying allegations despite security officials saying the espionage wasn't directly tied to the company. The staffer brought the company into "disrepute," according to a statement. Police also arrested a Polish citizen in connection to the case. Engadget reports: The incident comes at a particularly bad time for Huawei. On top of general distrust sparked by Western governments and intelligence agencies, CFO Wangzhou Meng is facing extradition to the U.S. over accusations she helped avoid sanctions. People are already suspicious, and the arrest doesn't do the company any favors. Moreover, there are already potential consequences. Polish internal affairs minister Joachim Brudzinski has asked the European Union and NATO to coordinate any potential bans on Huawei gear. While Poland is still willing to work with China, the official wanted countries to clarify their stances. There's already been talk of reviewing Huawei's involvement in Poland's 5G network, and this might exacerbate the situation.

The US Government Has Amassed Terabytes of Internal WikiLeaks Data

Sun, 01/13/2019 - 06:14
An anonymous reader shares an excerpt from a Gizmodo report, written by national security reporter and transparency activist Emma Best: Late last year, the U.S. government accidentally revealed that a sealed complaint had been filed against Julian Assange, the founder of WikiLeaks. Shortly before this was made public, the FBI reconfirmed its investigation of WikiLeaks was ongoing, and the Wall Street Journal reported that the Department of Justice was optimistic that it would be able to extradite Assange. Soon after, portions of sealed transcripts leaked that implicate WikiLeaks and Assange in directing hackers to target governments and corporations. The charges against Assange have not been officially revealed, though it's plausible that the offenses are related to Russian hacking and the DNC emails. The alleged offenses in the complaint notwithstanding, the government has an abundance of data to work with: over a dozen WikiLeaks' computers, hard drives, and email accounts, including those of the organization's current and former editors-in-chief, along with messages exchanged with alleged Russian hackers about DNC emails. Through a series of search warrants, subpoenas, equipment seizures, and cooperating witnesses, the federal government has collected internal WikiLeaks data covering the majority of the organization's period of operations, from 2009 at least through 2017. In some instances, the seized data has been returned and allegedly destroyed, such as in the case of David House, a technologist and friend of Chelsea Manning when she famously became a source for WikiLeaks. In others, the seized materials include communications between WikiLeaks and their sources. Some of these discussions show WikiLeaks discussing their other sources and specific identifying details about them. 
Other seizures gave authorities a deeper view of the internal workings of WikiLeaks, including one of the earliest known seizures of WikiLeaks-related data, executed on December 14, 2010, when the messages and user information of several WikiLeaks-linked Twitter accounts were ordered. This search-and-seizure order included direct messages associated with WikiLeaks and its founder, former Army private first class and WikiLeaks source Chelsea Manning, WikiLeaks editor Rop Gongrijp, former WikiLeaks associate Jacob Appelbaum, and former WikiLeaks associate and Icelandic MP Birgitta Jonsdottir, between November 1, 2009, and the order's execution.

Should America Build a Virtual Border Wall? Or Just Crowdfund It...

Sat, 01/12/2019 - 16:39
As America's government faces its longest-ever shutdown over the president's demands for border wall funding, House Speaker Nancy Pelosi has suggested "possible alternatives to a physical wall," according to one Silicon Valley newspaper: Among the president's justifications for a wall is to stop drugs from coming into the United States, so Pelosi proposed spending "hundreds of millions of dollars" for technology to scan cars for drugs, weapons and contraband at the border. "The positive, shall we say, almost technological wall that can be built is what we should be doing," Pelosi, D-San Francisco, said during her weekly press conference. That didn't go over well with Fight for the Future, a digital rights advocacy group that on Friday started a petition asking Democrats to drop plans for a "technological wall" that it says could threaten Fourth Amendment rights that guard against unreasonable searches and seizures. "Current border surveillance programs subject people to invasive and unconstitutional searches of their cell phones and laptops, location tracking, drone surveillance, and problematic watchlists," the group's petition says... In December, the Department of Homeland Security's Office of the Inspector General released a report that showed searches of electronic devices at the border were up nearly 50 percent in 2017. The report also found that border agents were not always following standard operating procedures for searches, including failing to properly document such searches. In addition, information copied by agents was not always deleted as required. The article also notes that Anduril Industries -- founded by Oculus Rift designer Palmer Luckey (and funded by Peter Thiel) -- is one of several companies already working on "a virtual border wall." CNN also reports on a GoFundMe campaign started by an Air Force veteran to simply crowdfund the construction of the wall.
Though 340,747 people pledged over $20 million, it failed to reach its $1 billion goal, and is now pointing supporters to a newly-formed non-profit corporation -- named "We Build the Wall." Meanwhile, another 7,121 GoFundMe members have pledged $160,985 to a rival campaign raising money for ladders to climb over Trump's wall.

Marriott Faces Multiple Class-Action Lawsuits Over Hotel Reservation Data Breach

Sat, 01/12/2019 - 05:00
An anonymous reader quotes a report from Vox: More than 150 people who previously stayed in Marriott properties are suing the hotel chain in a federal class-action lawsuit, claiming that Marriott didn't do enough to protect them from a data breach that exposed more than 300 million guests' personal information, including names, credit card information, and passport numbers. The suit, which was filed in Maryland federal district court on January 9, claims that Marriott did not adequately protect guest information before the breach and, once the breach had been discovered, "failed to provide timely, accurate, and adequate notice" to guests whose information may have been obtained by hackers. According to the suit, Marriott's purchase of the Starwood properties [in 2016] is part of the problem. "This breach had been going on since 2014. In conducting due diligence to acquire Starwood, Marriott should have gone through and done an accounting of the cybersecurity of Starwood," Amy Keller, an attorney at DiCello Levitt & Casey who is representing the Marriott guests, told Vox. "In so doing, it should have caught -- at the very least -- that there was some suspicious activity concerning the database where a lot of consumer information was contained." Instead, Keller said, the breach continued for an additional two years after the acquisition, until Marriott caught it in September 2018. And even then, the suit claims, the company waited until November to tell guests about the breach.

Polish Police Arrest Huawei Executive On Suspicion Of Spying For China

Fri, 01/11/2019 - 12:30
A Huawei executive has been arrested in Poland on charges of spying for China, Poland's counterintelligence service said Friday. NPR reports: A government spokesman identified the suspect as Weijing W.; media reports in Poland and China say he also is known as Stanislaw Wang, Huawei's sales director in Poland. In a coordinated arrest Tuesday, authorities also detained and charged a Polish citizen named Piotr D. who works for the telecom company Orange Polska. He is a former Internal Security Agency official, according to Poland's TVP Info, which first reported the story. Police searched both of the suspects' homes Tuesday. In addition, TVP Info says, Internal Security Agency officers searched Huawei's headquarters in Poland and an Orange office where Piotr D. worked. The government has evidence that the two suspects "cooperated with the Chinese services" as they conducted espionage against Poland, according to Stanislaw Zaryn, spokesman for the special services branch, in a tweet about the case.

Mondelez, the US Food Company That Owns Oreo and Cadbury Brands, Sues Zurich in Test For Cyber Hack Insurance

Fri, 01/11/2019 - 06:01
Mondelez, the US food company that owns the Oreo and Cadbury brands, is suing its insurance company, Zurich, for refusing to pay out on a $100m claim for damage caused by the NotPetya cyber attack. From a report: The case will be the first serious legal dispute over how companies can recover the costs of a cyber attack [Editor's note: the article may be paywalled; alternative source], as insurance groups seek to tightly define their liabilities. "It's a pretty big deal. I've never seen an insurance company take this position," said Robert Stines, a cyber law specialist at the US law firm Freeborn. "It's going to send ripples through the insurance industry. Major companies are going to rethink what's in their policies." The NotPetya attack in the summer of 2017 crippled the computer systems of companies around the world, including Merck, the pharmaceuticals company, Reckitt Benckiser, the consumer group, and Maersk, the world's largest shipping group. It caused billions of dollars of damage and has been blamed by the US and the UK on Russian hackers attacking the Ukrainian government. [...] According to the Mondelez court documents, Zurich initially worked to adjust the claim in the usual way and at one point even promised to make a $10m interim payment. But it later refused to pay, relying on an exclusion in the policy for "a hostile or warlike action" by a government or sovereign power or people acting for them. Mondelez described Zurich's refusal as "unprecedented" and is seeking $100m in damages. Both companies declined to comment on the case.