Microsoft fixes serious Windows Hello security flaw
Date:
Wed, 14 Jul 2021 13:14:45 +0000
Description:
Windows Hello vulnerability could allow threat actors to impersonate any user.
FULL STORY ======================================================================
Cybersecurity experts have shared a proof-of-concept to bypass the Windows Hello biometric authentication system.
Threat actors can exploit the bypass, demonstrated by identity and access management (IAM) vendor CyberArk, to access an organization's sensitive data
by impersonating a privileged account.
Leaning on official figures from Microsoft that suggest that over 84% of Windows 10 users sign in to their devices using Windows Hello, CyberArk
argues that the bypass poses a grave security risk for businesses transitioning to password-less authentication.
"While our research was specific to Windows Hello and more so the enterprise offering, Windows Hello for Business, it's important to note that potentially any authentication system that allows a pluggable third-party USB camera to act as biometric sensor could be susceptible to this attack without proper mitigation," writes CyberArk's Security Researcher, Omer Tsarfati.

Targeted attacks
The exploit, which CyberArk likens to the one used by Tom Cruise in the hit film Minority Report, involves using a custom USB device to steal an infrared image of the face of the target they want to impersonate.
The criminal can then use this image to compromise any facial recognition product which relies on a USB camera, such as Windows Hello.
CyberArk responsibly disclosed the issue to Microsoft, who fixed it as part
of its July Patch Tuesday update.
However, based on preliminary testing, CyberArk researchers believe that
while the mitigation does limit the attack surface, it relies on users having specific cameras.
"Inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it," says Tsarfati.
======================================================================
Link to news story:
https://www.techradar.com/news/microsoft-fixes-serious-windows-hello-security-flaw/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)