Join today and have your say! It’s FREE!

Become a member today, It's free!

We will not release or resell your information to third parties without your permission.
Please Try Again
{{ error }}
By providing my email, I consent to receiving investment related electronic messages from Stockhouse.

or

Sign In

Please Try Again
{{ error }}
Password Hint : {{passwordHint}}
Forgot Password?

or

Please Try Again {{ error }}

Send my password

SUCCESS
An email was sent with password retrieval instructions. Please go to the link in the email message to retrieve your password.

Become a member today, It's free!

We will not release or resell your information to third parties without your permission.
Quote  |  Bullboard  |  News  |  Opinion  |  Profile  |  Peers  |  Filings  |  Financials  |  Options  |  Price History  |  Ratios  |  Ownership  |  Insiders  |  Valuation

Lifeist Wellness Inc V.LFST

Alternate Symbol(s):  LFSWF

Lifeist Wellness Inc. is a Canada-based health-tech company. The Company leverages advancements in science and technology to develop innovative products to support human wellness and transform lives. The Company's key asset is its United States biosciences subsidiary Mikra Cellular Sciences Inc. (Mikra), a biosciences and consumer wellness company focused on developing and selling products. Mikra's products consists of Focus, Protect, Serenity, and CELLF.


TSXV:LFST - Post by User

Bullboard Posts
Post by BronxBullon Nov 08, 2018 3:18pm
279 Views
Post# 28945942

Namaste plugs web security flaw

Namaste plugs web security flawMedical pot company plugs web security flaw but privacy concerns persist
THE CANADIAN PRESS

Updated: November 8, 2018

TORONTO — A prominent Canadian medical marijuana company took weeks to fix a website security weakness that could have allowed hackers to access a patient’s sensitive information.
In an interview this week, the chief technology officer of Namaste Technologies said the changes were made late last month ahead of plans to roll out a complete reworking of the flawed application, which had been put in place in January.

The vulnerability allowed anyone to confirm whether a particular email address was registered with Namaste. More significantly, the website allowed an unlimited number of password attempts instead of locking a user out after three failed log-ins as is usually done.
“We’ve basically removed the ability to perform brute force attacks — made it more difficult, really,” Chad Agate, the chief technology officer of the Toronto-based company, said. “We do work to resolve those technical issues.”

Medical marijuana websites typically request personal information that goes well beyond name, address, age and a copy of photo ID. Some require physical information such as height and weight, along with answers to questions such as whether the applicant has suffered from schizophrenia and what medications they take.

The patched Namaste program, which now returns a “obfuscated” generic message in terms of user names and locks out a user after three failed log-ins, was implemented weeks after a user alerted the company to the problem and The Canadian Press began asking questions about the issue.

Kurtis Cicalo, an Ottawa-based website developer and consultant, said a sophisticated hacker could have accessed a Namaste user’s account in seconds.
While there is no evidence intruders did in fact obtain or misuse users’ medical data, Cicalo said the security flaw was not unique to Namaste, which among other things bills itself as operator of the largest global cannabis e-commerce platform.

“My worry is that these sites have been active for months and although I’d like to believe I’m the first person to notice such obvious security flaws, I have to think I’m not, Cicalo said. “This one was super easy to find. Anyone could have found it. It’s so basic, it should never have happened.”
Cicalo also said he was able to access the site even using a computer address that appeared to originate from abroad.

“If somebody is accessing medical cannabis records from China, it should be a red flag,” said Cicalo, who wondered whether companies cut security corners in their rush to jump on the money-making cannabis bandwagon. “There’s a very basic lack of security on pretty much every company site.”

Cicalo said the officer of the federal privacy commissioner suggested he contact the companies involved and only file a personal complaint as a last resort.
Eugene Ocapalla, a lawyer who teaches drug policy at the University of Ottawa, said users, sellers and those in between have to be more aware of privacy concerns related to pot. Buying marijuana for medical purposes, he said, carries a potential double whammy.

“If somebody’s information gets taken from a website, you’re learning something about the person’s health condition which for one thing is generally considered very sensitive information,” Ocapalla said. “On top of that, you’re talking about a drug that is still much maligned in many circles, including by some foreign jurisdictions, most notably the United States.”
Part of the problem facing web developers is the need to balance ease of use against security concerns. As a rule, the more secure a site, the harder it is for the ordinary user to navigate.
“On password complexity, we had a lot of customers pushing back,” Agate said. “We try to find the best balance.”

Cicalo said he understood the user-friendly vs. security debate, but said he was pleased Namaste, which says it has more than 30 websites in more than 20 countries under various brands, had finally fixed a “major vulnerability.”
 
https://windsorstar.com/pmn/news-pmn/canada-news-pmn/medical-pot-company-plugs-web-security-flaw-but-privacy-concerns-persist/wcm/b47734f6-d534-4abd-b1fd-16a092fdbe99
Bullboard Posts