Microsoft Revises AI Feature After Privacy Concerns

Microsoft is making changes to a controversial feature announced for its new range of AI-powered PCs after it was flagged as a potential "privacy nightmare." The "Recall" feature for Copilot+ was initially introduced as a way to enhance user experience by capturing and storing screenshots of desktop activity. However, following concerns that hackers could misuse this tool and its saved screenshots, Microsoft has decided to make the feature opt-in. 

"We have heard a clear signal that we can make it easier for people to choose to enable Recall on their Copilot+ PC and improve privacy and security safeguards," said Pavan Davuluri, corporate vice president of Windows and Devices, in a blog post on Friday. The company is banking on artificial intelligence (AI) to drive demand for its devices. Executive vice president Yusuf Mehdi, during the event's keynote speech, likened the feature to having a photographic memory, saying it used AI "to make it possible to access virtually anything you have ever seen on your PC." 

The feature can search through a user's past activity, including files, photos, emails, and browsing history. While many devices offer similar functionalities, Recall's unique aspect was its ability to take screenshots every few seconds and search these too. Microsoft claimed it "built privacy into Recall’s design" from the beginning, allowing users control over what was captured—such as opting out of capturing certain websites or not capturing private browsing on Microsoft’s browser, Edge. Despite these assurances, the company has now adjusted the feature to address privacy concerns. 

Changes will include making Recall an opt-in feature during the PC setup process, meaning it will be turned off by default. Users will also need to authenticate with Windows Hello to enable the tool, ensuring that only authorized individuals can view or search their timeline of saved activity. Additionally, "proof of presence" will be required to access or search through the saved activity in Recall. These updates are set to be implemented before the launch of Copilot+ PCs on June 18. The adjustments aim to give users a clearer choice and more control over their data, addressing the potential privacy risks associated with the feature. 

Microsoft's decision to revise the Recall feature underscores the importance of user feedback and the company's commitment to privacy and security. By making Recall opt-in and incorporating robust authentication measures, Microsoft seeks to balance innovation with the protection of user data, ensuring that AI enhancements do not compromise privacy. As AI continues to evolve, these safeguards are crucial in maintaining user trust and mitigating the risks associated with advanced data collection technologies.

Microsoft Introduces Passkey Authentication for Personal Microsoft Accounts

Microsoft has introduced a new feature allowing Windows users to log into their Microsoft consumer accounts using a passkey, eliminating the need for traditional passwords. This passkey authentication method supports various password-less options such as Windows Hello, FIDO2 security keys, biometrics like facial scans or fingerprints, and device PINs.

These "consumer accounts" are personal accounts used for accessing a range of Microsoft services including Windows, Office, Outlook, OneDrive, and Xbox Live. The announcement coincides with World Password Day, with Microsoft aiming to enhance security against phishing attacks and eventually phase out passwords entirely.

Previously available for logging into websites and applications, passkey support is now extended to Microsoft accounts, streamlining the login process without requiring a password.

Passkeys, unlike passwords, use a cryptographic key pair in which the private key remains securely stored on the user's device and only the public key is registered with the service. This enhances security because there is no shared secret to intercept or steal, and it simplifies the login experience, reducing reliance on password memorization and minimizing risky practices such as password reuse.

Moreover, passkeys offer compatibility across various devices and operating systems, ensuring a seamless authentication process. However, Microsoft's approach of syncing passkeys across devices raises some security concerns, potentially compromising account security if accessed by unauthorized individuals.

To enable passkey support for Microsoft accounts, users can create a passkey through a provided link and select from options like facial recognition, fingerprint, PIN, or security key. Supported platforms include Windows 10 and newer, macOS Ventura and newer, Safari 16 or newer, ChromeOS, Chrome, Microsoft Edge 109, iOS 16 and newer, and Android 9 and newer. Upon signing in, users can select their passkey from the list and proceed with the authentication process using the chosen method.

Microsoft Azure Credentials Exposed in Plaintext by Windows 365

A vulnerability researcher has used Mimikatz to dump a user's unencrypted plaintext Microsoft Azure credentials from Microsoft's new Windows 365 Cloud PC service. Benjamin Delpy is the author of Mimikatz, an open-source security tool that allows researchers to test various credential-theft and impersonation weaknesses.

Microsoft's Windows 365 cloud-based desktop service went live on August 2nd, allowing customers to rent Cloud PCs and access them via remote desktop clients or a browser. Microsoft offered free virtual PC trials, which rapidly sold out as consumers hurried to receive their two-month free Cloud PC. 

Microsoft announced its new Windows 365 cloud-based virtual desktop experience at the Inspire 2021 conference. The service lets organizations deploy Windows 10 Cloud PCs, and eventually Windows 11, in the cloud. It is built on top of Azure Virtual Desktop, modified to make managing and accessing a Cloud PC easier. 

Delpy said that he was one of the lucky few who was able to receive a free trial of the new service and began testing its security. He discovered that the brand-new service allows a malicious program to dump logged-in customers' Microsoft Azure plaintext email addresses and passwords. The credential dumps rely on a weakness he identified in May 2021 that allows him to dump plaintext credentials for Terminal Server users. While a user's Terminal Server credentials are encrypted when kept in memory, Delpy claims he could decrypt them using the Terminal Service process. 

To test this technique, BleepingComputer used a free Cloud PC trial on Windows 365. After connecting through the web browser, they started mimikatz with administrative privileges and entered the "ts::logonpasswords" command, and mimikatz promptly dumped their login credentials in plaintext. 

While mimikatz was designed for researchers, threat actors frequently use it to extract plaintext passwords from the memory of the LSASS process or to perform pass-the-hash attacks using NTLM hashes, owing to the power of its various modules. Threat actors can use this technique to spread laterally across a network until they gain control of a Windows domain controller, allowing them to take control of the entire Windows domain.

To protect against this method, Delpy recommends 2FA, smart cards, Windows Hello, and Windows Defender Remote Credential Guard. These security measures, however, are not yet available in Windows 365. Because Windows 365 is oriented toward enterprises, Microsoft is likely to add these protections in the future, but for the time being it is crucial to be aware of the technique.

BHUSA: Windows Hello Passwordless Bypass Disclosed

Passwords are usually a weak spot in security, which is why alternatives like Windows Hello, which offers a passwordless approach to authentication, are gaining popularity. While Windows Hello promises a more secure experience than conventional passwords, it is a method that has now been shown to be circumventable. 

Speaking at Black Hat USA on August 5, Omer Tsarfati, a security researcher from CyberArk, described a complete attack chain that he used to circumvent Windows Hello. The problems with regular passwords, according to Tsarfati, are well understood: they are frequently weak and readily cracked, they are vulnerable to phishing, and many users reuse passwords across different sites. 

The central idea behind passwordless authentication is that, instead of a password, another kind of authentication technology is used to log on to a system. Biometrics, such as fingerprint scanning or face recognition, are one such method. 

Windows Hello is Microsoft's passwordless approach, which launched in Windows 10. Among other options, it lets users gain access to a system with face recognition. 

Tsarfati determined that he would need a separate camera to work out how to get around Windows Hello's face recognition. To that end, he purchased an NXP evaluation board, which connects to a Windows PC over USB and presents itself as a camera. 

Tsarfati's objective was to have the USB device replicate what a genuine Windows system camera would present to Windows Hello, in order to discover what the system actually processes when deciding whether or not to grant access. 

He found that Windows Hello requires cameras to have an infrared (IR) sensor. For Windows Hello to work, the camera must be able to transmit both a color image and IR frames. 

"Windows Hello doesn't really pay attention to anything that you're sending in the color frames. It's only relying on the infrared. I sent frames of SpongeBob and it worked," Tsarfati stated. 

An attacker would just need a customized USB device that imitates a camera to bypass Windows Hello. That USB gadget would then have to be capable of transmitting an infrared picture, which could be acquired from a victim. 

Tsarfati did not go into much detail about how a prospective attacker would go about capturing an IR image of a victim, but he did demonstrate the Windows Hello bypass using his own IR image. 

The vulnerability was assigned CVE-2021-34466, which Microsoft patched in July after Tsarfati and CyberArk responsibly disclosed it to Microsoft in March of this year.