
Google, Apple, Microsoft to Soon Bring Passwordless Sign-Ins for Users

 

Apple, Google, and Microsoft announced almost two years ago that they would create a passwordless future for all, removing the need for passwords and making authentication more secure.

On World Password Day, May 5, the companies encouraged passwordless sign-ins on every device, including mobiles and laptops, on browsers such as Chrome, Edge, and Safari, and on Windows and macOS desktops, in the coming year.

Google's Sampath Srinivas, who is in charge of secure authentication, said the "passkey will bring us much closer to the passwordless future" as tech giants seek a "common passwordless sign-in standard".

The new standard for passwordless authentication was created by FIDO (Fast Identity Online) and the World Wide Web Consortium. Users will still access their online accounts as usual, but signing in with a unique cryptographic token called a passkey will be quicker and will let a person log in without a password.

Apple Senior Director of platform product marketing Kurt Knight said, "Just as we design our products to be intuitive and capable, we also design them to be private and secure. Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users' personal information safe."

The new feature will allow apps and websites to offer easy, secure passwordless sign-ins to users across devices and platforms, Apple said. Passwordless log-ins are also expected to be much safer, since passwords are more prone to malicious activity. Plus, maintaining and remembering passwords is a difficult task for many.

Microsoft's vice president for security, compliance, identity, and privacy, Vasu Jakkal, said, "With passkeys on your mobile device, you're able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that's running on Microsoft Windows—using a passkey on an Apple device."

GitHub Brings Auto-Blocking Feature Including API Keys and Tokens

GitHub announced this Monday that it has widened its code hosting platform's secret scanning features for GitHub Advanced Security customers to automatically block secret leaks. Secret scanning is a premium security feature provided to companies that use GitHub's Advanced Security license. Organizations can use this feature for extra repository scanning. The feature works by matching patterns defined by the organization or provided by a service partner or provider.

Every match is reported as a security alert in the repository's Security tab, or to the provider if it matches a provider pattern. The latest feature, called push protection, is designed to prevent accidental exposure of credentials before code is pushed to remote repositories. It embeds secret scanning in the developer's workflow and covers 69 token types (API keys, management certificates, access tokens, private credentials, secret keys) that can be detected with a low "false positive" rate.

"With push protection, GitHub will check for high-confidence secrets as developers push code and block the push if a secret is identified. High-confidence secrets have a low positive rate, so security teams can protect their organizations without compromising developer experience," GitHub reports. If GitHub Enterprise Cloud finds a secret before the code is accepted, the git push is blocked so that developers can review and delete the secrets from the code they tried to push to remote repositories.
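The pattern-matching and block-on-push behaviour described above can be sketched as follows. This is an added example, not GitHub's implementation or code from the announcement: the three patterns are an illustrative assumption (not GitHub's list of 69 token types), and the function names and sample diff are constructed for the demonstration.

```python
import re

# Illustrative high-confidence formats (assumed for this example; not GitHub's pattern list).
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

def redact(value):
    """Keep a short prefix so the finding is recognisable without re-leaking it."""
    return value[:8] + "*" * max(len(value) - 8, 0)

def scan_diff(diff_text):
    """Return (path, new_line_no, pattern_name, redacted_match) for lines a unified diff adds."""
    findings, path, line_no, old_left, new_left = [], None, 0, 0, 0
    for raw in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:          # between hunks: only headers matter
            if raw.startswith("+++ "):
                path = raw[4:].removeprefix("b/")
            elif (h := HUNK.match(raw)):
                old_left, line_no, new_left = int(h[1] or 1), int(h[2]), int(h[3] or 1)
            continue
        tag, text = raw[:1], raw[1:]
        if tag == "\\":                              # "\ No newline at end of file"
            continue
        if tag != "+":                               # removed or context line
            old_left -= 1
        if tag == "+":                               # added line: the only content scanned
            for name, rx in PATTERNS.items():
                findings += [(path, line_no, name, redact(m[0])) for m in rx.finditer(text)]
        if tag != "-":                               # added or context line exists in new file
            new_left -= 1
            line_no += 1
    return findings

def push_allowed(diff_text):
    """Push-protection decision: block when any added line matches a pattern."""
    return not scan_diff(diff_text)

# Constructed sample data: fake tokens assembled at runtime, not real credentials.
FAKE_PAT = "ghp_" + "A1b2" * 9
FAKE_AWS = "AKIA" + "EXAMPLE0" * 2
SAMPLE_DIFF = "\n".join([
    "--- a/deploy/settings.py", "+++ b/deploy/settings.py", "@@ -10,3 +10,4 @@",
    " REGION = 'eu-west-1'", "-TOKEN = os.environ['GH_TOKEN']",
    "+TOKEN = '" + FAKE_PAT + "'",
    "+++ AWS_KEY = '" + FAKE_AWS + "'",             # added line whose text starts with "++ "
    " DEBUG = False",
])
```

Tracking the hunk line counts keeps an added line that happens to begin with `++ ` from being mistaken for a file header and skipped; removed lines are never scanned, so a push that deletes a secret is not blocked.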

"GitHub Advanced Security helps secure organizations around the world through its secret scanning, code scanning, and supply chain security capabilities, including Dependabot alerts and Dependabot security updates that are forever free," says the GitHub blog. 

How to enable Push Protection for your company? 

1. Go to GitHub, and find the page of the company. 
2. Under the organization name, open settings. 
3. In the sidebar section, find "Security," open Code security and analysis. 
4. After that, find "GitHub Advanced Security." 
5. Find "Secret Scanning" in push notifications, click enable all. 
6. Finally, click "Automatically enable for private repositories added to secret scanning."

AMD Admits Ryzen 5000 CPU Exploit Could Leave Your PC Open to Hackers

 

According to AMD itself, AMD's Zen 3 CPU architecture may include a feature that could be exploited by hackers in a Spectre-like side-channel attack. 

In Zen 3, the speculative execution feature, which is a common feature in modern processors, is known as Predictive Store Forwarding (PSF). Essentially, its task is to guess which instruction is most likely to be sent next through the use of branch prediction algorithms and fetch that command in anticipation. The aim is to speed up the microprocessor's output pipeline, but the feature comes with risks, according to TechPowerUp.

When a prediction turns out to be wrong, software such as web browsers that use 'sandboxing' can expose your CPU to side-channel attacks.

Sandboxing (isolation) is actually aimed at protecting against threats by placing malicious code on the naughty step and challenging its motivations. However, similar to the Spectre vulnerabilities, possible changes to the cache state in such cases could result in hackers gaining access to portions of one’s personal data. 

Due to Spectre and Meltdown vulnerabilities, web browsers don't tend to rely on isolation processes as much nowadays, but there are still risks that AMD outlines forthrightly. 

The security analysis section of a publicly accessible AMD report states, "A security concern arises if code exists that implements some kind of security control which can be bypassed when the CPU speculates incorrectly. This may occur if a program (such as a web browser) hosts pieces of untrusted code and the untrusted code can influence how the CPU speculates in other regions in a way that results in data leakage."

"If an attacker is able to run code within a target application, they may be able to influence speculation on other loads within the same application by purposely training the PSF predictor with malicious information." 

There is a way to protect yourself from the feature's potential flaws: simply disabling PSF. However, AMD does not recommend this option because it has the potential to stifle performance. In certain cases, Meltdown and Spectre mitigations in Intel CPUs have also led to similar performance limitations.

Tests by Phoronix show that turning off the feature only reduces CPU output by 1%. A firmware update could provide a short-term patch for those who are currently affected, but a long-term solution will likely have to come in the form of a change to the architecture itself.