
Microsoft's Priva Platform: Revolutionizing Enterprise Data Privacy and Compliance

 

Microsoft has taken a significant step forward in enterprise data privacy and compliance with a broad expansion of its Priva platform. With the introduction of five new automated products, Microsoft aims to assist organizations worldwide in navigating the ever-evolving landscape of privacy regulations.

In today's world, the importance of prioritizing data privacy for businesses cannot be overstated. There is a growing demand from individuals for transparency and control over their personal data, while governments are implementing stricter laws to regulate data usage, such as the AI Accountability Act. Paul Brightmore, principal group program manager for Microsoft’s Governance and Privacy Platform, highlighted the challenges faced by organizations, noting a common reactive approach to privacy management. 

The new Priva products are designed to shift organizations from reactive to proactive data privacy operations through automation and comprehensive risk assessment. Leveraging AI technology, these offerings aim to provide complete visibility into an organization’s entire data estate, regardless of its location. 

Brightmore emphasized the capabilities of Priva in handling data requests from individuals and ensuring compliance across various data sources. The expanded Priva family includes Privacy Assessments, Privacy Risk Management, Tracker Scanning, Consent Management, and Subject Rights Requests. These products automate compliance audits, detect privacy violations, monitor web tracking technologies, manage user consent, and handle data access requests at scale, respectively. 

Brightmore highlighted the importance of Privacy by Design principles and emphasized the continuous updating of Priva's automated risk management features to address emerging data privacy risks. Microsoft's move into the enterprise AI governance space with Priva follows its recent disagreement with AI ethics leaders over responsibility assignment practices in its AI copilot product. 

However, Priva's AI capabilities for sensitive data identification could raise concerns among privacy advocates. Brightmore referenced Microsoft's commitment to protecting customer privacy in the AI era through technologies like privacy sandboxing and federated analytics. With fines for privacy violations increasing annually, solutions like Priva are becoming essential for data-driven organizations. 

Microsoft strategically positions Priva as a comprehensive privacy governance solution for the enterprise, aiming to make privacy a fundamental aspect of its product stack. By tightly integrating these capabilities into the Microsoft cloud, the company seeks to establish privacy as a key driver of revenue across its offerings. 

However, integrating disparate privacy tools under one umbrella poses significant challenges, and Microsoft's track record in this area is mixed. Privacy-native startups may prove more agile in this regard. Nonetheless, Priva's seamless integration with workplace applications like Teams, Outlook, and Word could be its key differentiator, ensuring widespread adoption and usage among employees. 

Microsoft's Priva platform represents a significant advancement in enterprise data privacy and compliance. With its suite of automated solutions, Microsoft aims to empower organizations to navigate complex privacy regulations effectively while maintaining transparency and accountability in data usage.

Laptops with Windows Hello Fingerprint Authentication Vulnerable

 


Microsoft’s Windows Hello security, which offers a passwordless method of logging into Windows-powered machines, may not be as secure as users think. A security evaluation of Windows Hello fingerprint authentication, focused on the fingerprint sensors embedded in laptops, led to the discovery of multiple vulnerabilities that would allow a threat actor to bypass Windows Hello authentication completely.

As reported by Blackwing Intelligence in a blog post, Microsoft's Offensive Research and Security Engineering (MORSE) had asked the firm to assess the security of the top three fingerprint sensors embedded in laptops.

The research was conducted on three laptops: the Dell Inspiron 15, the Lenovo ThinkPad T14, and the Microsoft Surface Pro Type Cover with Fingerprint ID. The researchers working on the project found several exploitable vulnerabilities in the Windows Hello fingerprint authentication system.

The document also reveals that the fingerprint sensors made by Goodix, Synaptics, and ELAN and used in the Lenovo ThinkPad T14, Dell Inspiron 15, and Surface Pro 8 and X tablets were vulnerable to man-in-the-middle attacks due to their underlying technology.

The premier sensors that enable fingerprint authentication through Windows Hello are not as secure as manufacturers would like. Several security flaws were discovered in fingerprint sensors used in many laptops that are compatible with the Windows Hello authentication feature, due to the use of outdated firmware.

The flaws were discovered by researchers at Blackwing Intelligence, a company that conducts research into the security, offensive capabilities, and vulnerabilities of hardware and software products. The researchers found weaknesses in the embedded fingerprint sensors manufactured by Goodix, Synaptics, and ELAN.

The fingerprint reader exploits work only if the user of the targeted laptop already has fingerprint authentication set up. All three fingerprint sensors are of a type known as "match on chip" (MoC), which integrates all biometric management functions into the integrated circuit of the sensor itself.

Concept Of Vulnerability Match On Chip

As reported by Cyber Security News, this vulnerability is due to a flaw within the concept of "match on chip" type sensors. Microsoft removed the option of storing some fingerprint templates on the host machine and replaced it with a "match on chip" sensor. This means that the fingerprint templates are now stored on the chip, which potentially reduces the concern that fingerprints might be exfiltrated from the host if the host becomes compromised, something that could compromise the privacy of your data.

However, this method has a downside: it does not prevent a malicious sensor from spoofing the communication between the sensor and the host, so the host can easily be fooled into accepting that an authorized user has authenticated.

This isn't the first time Windows Hello has been defeated: there have been several successful attempts at defeating its biometric-based authentication in the past. This month, Microsoft released two patches (CVE-2021-34466, CVSS score: 6.1) aimed at fixing a security flaw that was rated medium severity in July 2021 and that could allow an adversary to hijack the login process by spoofing the target's face.

Whether Microsoft will be able to find a fix for the flaws is still unclear; however, this is not the first time Windows Hello, a biometric-based system, has been the victim of attacks. A proof of concept in 2021 showed that it was possible to bypass the facial recognition feature of Windows Hello by using an infrared photo of a victim. Following this, Microsoft fixed the issue to prevent the problem from occurring again.