Microsoft Confirms New Windows 10 Login Bypass Threat: Here’s The Fix – Forbes

Security researchers have found a way to bypass the Windows Hello facial recognition that is used by hundreds of thousands of Windows 10 users to log in.

The latest batch of ‘Patch Tuesday’ security updates from Microsoft has landed with a hefty thump. With 116 vulnerabilities fixed, 12 of which were rated as critical and two already being exploited, the usual advice to install those updates as soon as possible applies. Not least as one of them fixes the PrintNightmare vulnerability in the Windows print spooler service that could lead to a remote takeover of your system.

However, the vulnerability that really caught my attention is one with the potential to impact a massive 85% of all Windows 10 consumers: a way for an attacker to bypass the Windows Hello facial recognition login authentication system.

Here’s what we know and what you need to do next.

The Windows 10 facial recognition vulnerability explained

Security researchers at CyberArk Labs have discovered a vulnerability within the Windows Hello facial authentication process, CVE-2021-34466, that could allow an attacker to gain access to a Windows 10 computer. Scary sounding stuff, but how worrying is this in a real-world setting for the average Windows 10 user?

Let’s start by looking at what the vulnerability is. The full technical explanation has been published on the CyberArk website but here’s the brief version. The Windows Hello facial recognition process requires a camera with two separate sensors, namely an infra-red and RGB one.

However, the researchers found that only the output from one of these, the infra-red images, was processed during authentication. Indeed, they replaced the RGB user image with that of SpongeBob to prove the point.

The vulnerability, then, is that an attacker would only need a single, valid, infra-red frame to bypass the system.

Complexity of exploitation lessens the impact considerably for most users

Well, sort of, and this is where the scariness starts to fade a little. The exploitation of the vulnerability is far from an easy process. For a start, the attacker needs that infra-red image of the user. The researchers say that this can be achieved by walking past someone, placing a camera in an elevator, etc. So already, this is starting to sound like a somewhat unlikely risk to the average user.

And it gets even more unlikely when you realise that even if the attacker got that infra-red image of your face, they would still require physical access to your computer for stage two.

Stage two is the insertion of a custom-built USB device that can then inject the spoofed image.

So, should Windows 10 users stop using Windows Hello authentication?

In an email addressing the vulnerability status, a CyberArk Labs spokesperson wrote that “the bypass would be of particular use to a criminal launching a targeted espionage attack, with targeted attacks having increased in popularity over the past three years as nation-states and organised groups realise their potential.”

This is true enough, but most Windows 10 users are not on the nation-state espionage radar. Moreover, even if they were, I suspect much easier methods that didn’t require physical access to a computer would be higher on the attack menu.

“When I see these sorts of announcements of security authentication bypass by either 3D printing, high-resolution digital photography or Tom Cruise descending on wires to ‘hack in,’ the hype machine is always deflated by the words requires physical access,” Ian Thornton-Trump, the chief information security officer at threat intelligence experts Cyjax, told me. “Mission Impossible operatives as a threat model aside,” Thornton-Trump concludes, “I think we can all rest comfortably on this issue.”

What does Microsoft have to say?

Microsoft has stated that “customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.” As the name suggests, this is a more robust biometric system requiring factory-installed hardware and drivers for the computer.

You can see if this is enabled for you by opening the Windows Security app and heading for Device Security. Unfortunately, if there’s no Enhanced Sign-in Security section displayed, you don’t have it.

But don’t despair because Microsoft also stated that it “released a security update on July 13 that mitigates this issue.”

Tuesday, July 13, to be precise. Patch Tuesday. So, install those updates and don’t worry unduly about this one.


Cat simulator 'Stray' heads to PlayStation and PC in early 2022 – Engadget

The last time we saw Stray was in the form of a cinematic trailer Sony shared in 2020 that highlighted the game’s futuristic neon-soaked setting and adorable feline protagonist. At the time, we didn’t get to see the game in action, a fact that Annapurna Interactive has now remedied. The publisher shared a slice of gameplay footage from the title during its recent showcase and said it would release Stray sometime in early 2022.

In the opening moments of Stray, our feline protagonist finds himself injured and separated from his family. Gameplay involves using his physical abilities as a cat to navigate the environment and solve puzzles. In the time-honored tradition of duos like Ratchet and Clank, partway through the adventure, you’ll meet a drone named B-12. They will allow you to converse with the city’s other robotic inhabitants and interact with certain objects in the environment. The cat has a playful side to his personality, and you can do things like scratch furniture, interact with vending machines and rub up against the legs of the robots you meet. Good stuff.

When Stray comes out next year, it will be available on PlayStation 4, PS5 and PC. Developer BlueTwelve Studio promised to show off more of the game before then.



Sony’s new PS5 beta update also fixes one of its silliest flaws – The Verge

The first major system update for Sony’s PlayStation 5 is arriving in beta form today, finally letting you expand the console’s 667GB of usable storage by adding your own PCIe Gen 4 SSD as well as testing new UI options and expanding 3D Audio support. But the full changelog also includes a few features that Sony didn’t highlight to press — including a way to easily update your DualSense controller if you press the wrong button!

You see, the PS5 currently has a very silly flaw: the only time you can update your controller is when you boot the console. And if you say no or accidentally press the O button instead of X, you can’t trigger that update until 24 hours have passed (or you tweak your PS5’s internal clock to cheat it).

But in Beta 2.0, there’s now a dedicated menu for that under Settings > Accessories > Controllers called Wireless Controller Device Software. Please forgive my grainy photo.

You’ll still see controller update prompts when you launch the console, too — and hitting the circle button will still instantly dismiss them.

The beta also makes one of our other UI frustrations slightly better: the ability to easily turn off the console. It’s still a mystery why Sony switched away from letting you long-press the PS button to requiring extra taps, but at least now you can change how many taps it takes. Pressing the hamburger / start button in the PS5’s quick actions menu now lets you drag any of them (including the PS5’s digital power button) to a different position in that menu.

Separately, did you know the PS5 lets you set up all kinds of parental controls for your kid on what they can play, watch, and do, and it lets you remotely approve their requests over the web? I didn’t realize that, and the beta update now lets you see and respond to those asks through the latest version of the mobile PlayStation App, not just via email.

Frankly, it still needs work: it’s a convoluted process that kicks you out to a web browser for setup, requires your kid to be signed into a PlayStation Network account (not just a local profile), has you set up all kinds of limits, and kicks you out to a web browser again (requiring you to log in) when you want to approve a request. And once you let your kid play a particular game, they get to keep playing until you remove it from the whitelist.

What I want is a simple rich phone notification that effectively lets me tap “yes, you can play this for 30 minutes” or “not right now, kid” and be done with it right away. Perhaps there’s time before the 2.0 software goes gold? Or perhaps in a future update.
