Tech
Microsoft Confirms New Windows 10 Login Bypass Threat: Here’s The Fix
Security researchers have found a way to bypass the Windows Hello facial recognition that hundreds of thousands of Windows 10 users rely on to log in.
The latest batch of ‘Patch Tuesday’ security updates from Microsoft has landed with a hefty thump. With 116 vulnerabilities fixed, 12 of which were rated as critical and two already being exploited, the usual advice to install those updates as soon as possible applies. Not least as one of them fixes the PrintNightmare vulnerability in the Windows print spooler service that could lead to a remote takeover of your system.
However, the vulnerability that really caught my attention is one with the potential to impact a massive 85% of all Windows 10 consumers: a way for an attacker to bypass the Windows Hello facial recognition login authentication system.
Here’s what we know and what you need to do next.
The Windows 10 facial recognition vulnerability explained
Security researchers at CyberArk Labs have discovered a vulnerability within the Windows Hello facial authentication process, CVE-2021-34466, that could allow an attacker to gain access to a Windows 10 computer. Scary sounding stuff, but how worrying is this in a real-world setting for the average Windows 10 user?
Let’s start by looking at what the vulnerability is. The full technical explanation has been published on the CyberArk website, but here’s the brief version. The Windows Hello facial recognition process requires a camera with two separate sensors: an infra-red sensor and an RGB one.
However, the researchers found that only the output from one of these, the infra-red images, was processed during authentication. Indeed, they replaced the RGB user image with that of SpongeBob to prove the point.
The vulnerability, then, is that an attacker would need only a single valid infra-red frame to bypass the system.
Complexity of exploitation lessens the impact considerably for most users
Well, sort of, and this is where the scariness starts to fade a little. The exploitation of the vulnerability is far from an easy process. For a start, the attacker needs that infra-red image of the user. The researchers say that this can be achieved by walking past someone, placing a camera in an elevator, etc. So already, this is starting to sound like a somewhat unlikely risk to the average user.
And it gets even more unlikely when you realise that even if the attacker got that infra-red image of your face, they would still require physical access to your computer for stage two.
Stage two is the insertion of a custom-built USB device that can then inject the spoofed image.
So, should Windows 10 users stop using Windows Hello authentication?
In an email addressing the vulnerability status, a CyberArk Labs spokesperson wrote that “the bypass would be of particular use to a criminal launching a targeted espionage attack, with targeted attacks having increased in popularity over the past three years as nation-states and organised groups realise their potential.”
This is true enough, but most Windows 10 users are not on the nation-state espionage radar. Moreover, even if they were, I suspect much easier methods that didn’t require physical access to a computer would be higher on the attack menu.
“When I see these sorts of announcements of security authentication bypass by either 3D printing, high-resolution digital photography or Tom Cruise descending on wires to ‘hack in,’ the hype machine is always deflated by the words requires physical access,” Ian Thornton-Trump, the chief information security officer at threat intelligence experts Cyjax, told me. “Mission Impossible operatives as a threat model aside,” Thornton-Trump concludes, “I think we can all rest comfortably on this issue.”
What does Microsoft have to say?
Microsoft has stated that “customers with Windows Hello Enhanced Sign-in Security are protected against such attacks which tamper with the biometrics pipeline.” As the name suggests, this is a more robust biometric system requiring factory-installed hardware and drivers for the computer.
You can see if this is enabled for you by opening the Windows Security app and heading for Device Security. Unfortunately, if there’s no Enhanced Sign-in Security section displayed, you don’t have it.
But don’t despair because Microsoft also stated that it “released a security update on July 13 that mitigates this issue.”
Tuesday, July 13, to be precise. Patch Tuesday. So, install those updates and don’t worry unduly about this one.
Tech
Google Unveils AI-Powered Pixel 9 Lineup Ahead of Apple’s iPhone 16 Release
Google has launched its next generation of Pixel phones, setting the stage for a head-to-head competition with Apple as both tech giants aim to integrate more advanced artificial intelligence (AI) features into their flagship devices. The unveiling took place near Google’s Mountain View headquarters, marking an early debut for the Pixel 9 lineup, which is designed to showcase the latest advancements in AI technology.
The Pixel 9 series, although a minor player in global smartphone sales, is a crucial platform for Google to demonstrate the cutting-edge capabilities of its Android operating system. With AI at the core of its strategy, Google is positioning the Pixel 9 phones as vessels for the transformative potential of AI, a trend that is expected to revolutionize the way people interact with technology.
Rick Osterloh, Google’s senior vice president overseeing the Pixel phones, emphasized the company’s commitment to AI, stating, “We are obsessed with the idea that AI can make life easier and more productive for people.” This echoes the narrative Apple is likely to push when it unveils its iPhone 16, which is also expected to feature advanced AI capabilities.
The Pixel 9 lineup will be the first to fully integrate Google’s Gemini AI technology, designed to enhance user experience through more natural, conversational interactions. The Gemini assistant, which features 10 different human-like voices, can perform a wide array of tasks, particularly if users allow access to their emails and documents.
In an on-stage demonstration, the Gemini assistant showcased its ability to generate creative ideas and even analyze images, although it did experience some hiccups when asked to identify a concert poster for singer Sabrina Carpenter.
To support these AI-driven features, Google has equipped the Pixel 9 with a special chip that enables many AI processes to be handled directly on the device. This not only improves performance but also enhances user privacy and security by reducing the need to send data to remote servers.
Google’s aggressive push into AI with the Pixel 9 comes as Apple prepares to unveil its iPhone 16, which is expected to feature its own AI advancements. However, Google’s decision to offer a one-year free subscription to its advanced Gemini Assistant, valued at $240, may pressure Apple to reconsider any plans to charge for its AI services.
The standard Pixel 9 will be priced at $800, a $100 increase from last year, while the Pixel 9 Pro will range between $1,000 and $1,100, depending on the model. Google also announced the next iteration of its foldable Pixel phone, priced at $1,800.
In addition to the new Pixel phones, Google also revealed updates to its Pixel Watch and wireless earbuds, directly challenging Apple’s dominance in the wearable tech market. These products, like the Pixel 9, are designed to integrate seamlessly with Google’s AI-driven ecosystem.
Google’s event took place against the backdrop of a significant legal challenge, with a judge recently ruling that its search engine constitutes an illegal monopoly. This ruling could lead to further court proceedings that may force Google to make significant changes to its business practices, potentially impacting its Android software or other key components of its $2 trillion empire.
Despite these legal hurdles, Google is pressing forward with its vision of an AI-powered future, using its latest devices to showcase what it believes will be the next big leap in technology. As the battle for AI supremacy heats up, consumers can expect both Google and Apple to push the boundaries of what their devices can do, making the choice between them more compelling than ever.
News
Microsoft Outage Hits Payment Processors
When major payment processing systems have problems, the issues impact many critical systems that society depends on. In this article, we’ll explain the cause of the Microsoft outage and discuss the impact computer networking issues had on Canada. We’ll also examine whether or not Microsoft was at fault and what businesses can do to prevent further outages.
What Happened With the Microsoft Outage?
The outage with Microsoft’s Azure payment processor resulted from a buggy security update from an outside company, CrowdStrike. CrowdStrike offers information technology security services for many Microsoft Windows computers. The company’s software developers sent a new update out, but instead of patching up minor issues with the existing software, the code within conflicted with Windows and prevented computers from booting up. Users expecting to start their computers for a typical day were instead faced with the dreaded “Blue Screen of Death” error message.
So, how does this produce a problem and a payment processor issue? Many computers running payment processing, among many other kinds of software used for airlines, banks, retail, and other essential services, couldn’t start and were unable to let payments through. This is a catastrophic issue for companies that are heavily reliant upon the speed and ease of an electronic transaction.
In Canada, the outage impacted critical computer systems for air travel. Flights couldn’t be paid for and booked, which caused major problems for customers unable to make transactions while flights remained grounded. Travellers stuck waiting for flights to take off made their way over to the airports’ Starbucks and other vendors, only to discover unusually long lines due to payment issues. Even online gamblers looking to take their minds off the situation couldn’t take full advantage of one of the fastest payment options out there because of the outage.
Aside from payments, hospitals for major health systems had to use paper to complete important tasks like ordering lab work and getting meals to patients. Emergency dispatch lines were temporarily unable to function correctly while their computer systems were down.
How Was the Outage Fixed?
Thankfully, CrowdStrike fixed the problem on their end quickly, mostly via an additional reboot that allowed CrowdStrike to send over corrected code. Unfortunately, for some business and private customers, rebooting was not enough, and command-line adjustments were needed before the operating system would run correctly.
The Good and Bad of Outages
First, we’re thankful that the outage was not caused by hackers accessing and stealing a mountain of personal data. A recent outage with an automotive software provider went on for much longer and ended much worse for software provider CDK, which likely paid an undisclosed sum north of $20 million to get data back and systems restored.
By some chance, Microsoft is reported to have experienced its own outage at the same time, and many information technology professionals blame Microsoft in part for their troubles, because affected systems attempted to fix the problem by rebooting over and over again, while some of the PCs instead had to warn users to make a change manually. Unfortunately, any computer that required manual intervention took longer to recover, as a knowledgeable person had to access each affected computer in turn. In some cases, between several hours of backlogged tasks and slow recovery processes, businesses took days, not hours, to get back online.
The outage brings up another major point in the cybersecurity and computer industry. CrowdStrike and Microsoft are both big companies in their respective fields. As a result, the effects of bad code spread much further than they could have if there were more competitors making security products or if there were more software companies making operating systems like Windows. While only 8 million computers were believed to be affected out of a much larger global network, those are essential computers for worldwide communication and payment processing. Perhaps companies should be putting their eggs in more than one basket?
The testing methods for the outage are unclear—did CrowdStrike test the routine software update enough to detect the potential for a major outage? Apparently not.
What Should Businesses Do Next?
Software like Microsoft Azure’s payment systems comes from what information technology professionals call ‘the cloud.’ The software is remotely managed over the internet, meaning that the computer that runs the system is not physically present at the location. Unfortunately, this also means that an issue with the internet connection can take critical systems out of service.
Businesses ranging from major airlines and banks to mom-and-pop stores would be well served by backup systems at their locations. These don’t have to be as primitive as the old-fashioned credit-card carbon-copy slide, but there are options available with consistent service that don’t repeatedly rely on the same networks.
Conclusion
There were certainly challenging moments for Canadian businesses and emergency services during the CrowdStrike and Microsoft outage. As they scrambled to understand the problem and waited, albeit briefly, for issues to resolve, many companies learned the importance of having local and reliable backup for their computer systems.
Tech
New photos reveal more details about Google’s Pixel 9 Pro Fold
Google’s secret new line of Pixel 9 phones isn’t that big of a secret anymore. Taiwan’s National Communications Commission (NCC) released new photos of the phones including the Pixel 9 Pro Fold from almost every conceivable angle.
Android Authority found the photos in the NCC archives and uploaded galleries of each of the four phones including the Pixel 9, 9 Pro, 9 Pro XL and 9 Pro Fold. They reveal some interesting details about the new Pixel phones.
The charging rates will be a little faster than the last generation of Pixel phones: Taiwanese authorities measured 24.12W for the base model, 25.20W for the Pro and 32.67W for the 9 Pro XL. The Pixel 9 Pro Fold, however, was the slowest of all of them at 20.25W. These numbers don’t often match up perfectly with the advertised ratings, so expect Google to be promoting higher numbers at its event.
Speaking of chargers, it looks like Google needed a bigger charger to power its new phones. Photos included in the NCC leak show each phone will come with a wall charger that’s around 45W depending on which model you purchase. The charger’s plug moved from the middle to the top of the brick.
The latest photo dump also shows the 9 Pro Fold unfolded for the first time. Google has moved the selfie camera to the inside screen for a wider field of view. The 9 Pro Fold also has a slimmer top and bottom, a reduced fold crease on the display and a full 180 degree unfolding angle to make a screen that’s just over 250mm or just under 10 inches.
These photos are the latest in a very long list of leaks of Google Pixel 9 photos. The last Pixel 9 leak came down yesterday showing two prototype models of the base and XL models. Google might look into buying a new combination lock for the high school locker where they apparently keep all their unreleased gear.