Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever.

Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure.

Although biometric systems also have some pitfalls that are not hidden from anyone, as it has been proven multiple times in the past that most biometric scanners are vulnerable to spoofing attacks, and in most cases fooling them is quite easy.

Google announced today a better model to improve biometric security, which will be available from Android P, allowing mobile app developers to integrate an enhanced mechanism within their apps to keep users’ data safe.

New Biometric Metrics to Identify Spoofing and Imposter Attacks

Currently, the Android biometric authentication system uses two metrics—False Accept Rate (FAR) and False Reject Rate (FRR)—in combination with machine learning techniques to measure accuracy and precision of the user's input.

In brief, 'False Accept Rate' defines how often the biometric model accidentally classifies an incorrect input as belonging to the targeted user, while 'False Reject Rate' records how often a biometric model accidentally classifies the user's biometric as incorrect.

Moreover, for user convenience some biometric scanners also allow users to authenticate successfully with higher false-acceptance rates than usual, leaving devices open to spoofing attacks.

Google says none of the given metrics is capable enough to precisely identify if biometric data entered by a user is an attempt by an attacker to make unauthorized access using any spoofing or impostor attack.

In an attempt to resolve this issue, in addition to FAR and FRR, Google has now introduced two new metrics—Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR)—that explicitly account for an attacker in the threat model.

"As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme," Vishwath Mohan, a security engineer with Google Android team, says.

"Spoofing refers to the use of a known-good recording (e.g., replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g., trying to sound or look like a target user)."

Cortana Software Could Help Anyone Unlock Your Windows 10 Computer

Cortana, an artificial intelligence-based smart assistant that Microsoft has built into every version of Windows 10, could help attackers unlock your system password.

With its latest patch Tuesday release, Microsoft has pushed an important update to address an easily exploitable vulnerability in Cortana that could allow hackers to break into a locked Windows 10 system and execute malicious commands with the user's privileges.

In worst case scenario, hackers could also compromise the system completely if the user has elevated privileges on the targeted system.

The elevation of privilege vulnerability, tracked as CVE-2018-8140 and reported by McAfee security researchers, resides due to Cortana's failure to adequately check command inputs, which eventually leads to code execution with elevated permissions.

"An Elevation of Privilege vulnerability exists when Cortana retrieves data from user input services without consideration for status," Microsoft explains. "An attacker who successfully exploited the vulnerability could execute commands with elevated permissions."

Microsoft has classified the flaw as "important" because exploitation of this vulnerability requires an attacker to have physical or console access to the targeted system and the targeted system also needs to have Cortana enabled.

Cedric Cochin of McAfee's Advanced Threat Research (ATR) team has published technical details of the flaw, and also provided a step-by-step proof-of-concept video tutorial, showing how he hijacked a locked Windows 10 computer by carrying out a full password reset using Cortana.

"Cochin discovered that by simply typing while Cortana starts to listen to a request or question on a locked device, he could bring up a search menu. Cochin didn’t even have to say anything to Cortana, but simply clicked on the "tap and say" button and started typing in words," a blog post on McAfee explained.

Cochin represents three different attack vectors, demonstrating how the Cortana flaw could be used for various nefarious purposes, such as retrieving confidential information, logging into a locked device and even run malicious code from the locked screen.

McAfee recommends users to turn off Cortana on the lock screen in order to prevent such attacks. Although Microsoft has patched the vulnerability with its latest security updates released yesterday, many PCs will not be running the latest updates just yet.

Microsoft June 2018 Patch Tuesday Pushes 11 Critical Security Updates

Microsoft today released security patch updates for more than 50 vulnerabilities, affecting Windows, Internet Explorer, Edge, MS Office, MS Office Exchange Server, ChakraCore, and Adobe Flash Player—11 of which are rated critical and 39 as important in severity.

Only one of these vulnerabilities, a remote code execution flaw (CVE-2018-8267) in the scripting engine, is listed as being publicly known at the time of release. However, none of the flaws are listed as under active attack.

Discovered by security researcher Dmitri Kaslov, the publicly known vulnerability is a remote memory-corruption issue affecting Microsoft Internet Explorer.

The flaw exists within the IE rendering engine and triggers when it fails to properly handle the error objects, allowing an attacker to execute arbitrary code in the context of the currently logged-in user.

Microsoft has also addressed an important vulnerability in its Cortana Smart Assistant that could allow anyone to unlock your Windows computer. You can head on to this article to learn how the bug can be used to retrieve confidential information from a locked system and even run malicious code.

The most critical bug Microsoft patched this month is a remote code execution vulnerability (CVE-2018-8225) exists in Windows Domain Name System (DNS) DNSAPI.dll, affecting all versions of Windows starting from 7 to 10, as well as Windows Server editions.

The vulnerability resides in the way Windows parses DNS responses, which could be exploited by sending corrupted DNS responses to a targeted system from an attacker-controlled malicious DNS server.

Successful exploitation of this vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account.

Another critical bug is a remote code execution flaw (CVE-2018-8231) in the HTTP protocol stack (HTTP.sys) of Windows 10 and Windows Server 2016, which could allow remote attackers to execute arbitrary code and take control of the affected systems.

This vulnerability originates when HTTP.sys improperly handles objects in memory, allowing attackers to send a specially crafted packet to an affected Windows system to trigger arbitrary code execution.

Google Blocks Chrome Extension Installations From 3rd-Party Sites

It's a great way for users to install an extension, but now Google has decided to remove the ability for websites to offer "inline installation" of Chrome extensions on all platforms.

Google announced today in its Chromium blog that by the end of this year, its Chrome browser will no longer support the installation of extensions from outside the Web Store in an effort to protect its users from shady browser extensions.

"We continue to receive large volumes of complaints from users about unwanted extensions causing their Chrome experience to change unexpectedly — and the majority of these complaints are attributed to confusing or deceptive uses of inline installation on websites," says ​James Wagner, Google's extensions platform product manager.

Google's browser extensions crackdown will take place in three phases:


Starting today, the inline installation will no longer work for newly published extensions.

Starting September 12th, the company will disable the inline installation feature for all existing extensions and automatically redirect users to the Chrome Web Store to complete the installation.

By December 2018, Google will also completely remove the inline install API method from Chrome 71. Developers using one-click install buttons on their websites are advised to update their links to point to the Web Store.

U.S. Builds World's Fastest Supercomputer – Summit

China no longer owns the fastest supercomputer in the world; It is the United States now.

Though China still has more supercomputers on the Top 500 list, the USA takes the crown of "world's fastest supercomputer" from China after IBM and the U.S. Department of Energy's Oak Ridge National Laboratory (ORNL) unveiled "Summit."

Summit is claimed to be more than twice as powerful as the current world leader with a peak performance of a whopping 200,000 trillion calculations per second—that's as fast as each 7.6 billion people of this planet doing 26.3 million calculations per second on a calculator.

Until now the world's most powerful supercomputer was China's Sunway TaihuLight with the processing power of 93 petaflops (93,000 trillion calculations per second).

Since June 2012, the U.S. has not possessed the world's most powerful supercomputer, but if Summit performs as claimed by IBM, it will be made straight to the top of the Top500 supercomputer list which will be published later this month.

In the most recent Top500 list of the world's top supercomputers, published in November 2017, China still has more supercomputers with the US owned 143 of the top 500 while China owned 202.

Housed at Oak Ridge National Laboratory (ORNL) in Tennessee, Summit is developed by IBM in collaboration with Nvidia, RedHat, and InfiniBand networking specialists Mellanox and cost $200 million to build.

Summit consists of 4,608 compute servers, each of which has two IBM Power9 CPUs running at 3.1GHz with 22 processing cores running in parallel. That's over 200,000 CPU cores across all of Summit.

Each pair of Power9 chips is connected to six Nvidia Tesla V100 graphics chips (GPUs). In total, the system also features more than 10 petabytes of memory (RAM).

The ORNL team says Summit is the first supercomputer made bespoke for use in artificial-intelligence (AI) applications, like machine learning and neural networks.

"Summit's AI-optimized hardware also gives researchers an incredible platform for analyzing massive datasets and creating intelligent software to accelerate the pace of discovery," Jeff Nichols, ORNL associate laboratory director for computing and computational sciences, said in today's announcement.

However, the ORNL team says Summit's initial uses will include work on astrophysics, cancer research, fusion energy, and addiction treatment.

IBM is also building a smaller version of Summit called Sierra, which is scheduled to go online this year at the Lawrence Livermore National Laboratory. Sierra is less powerful than Summit with only four V100 GPUs per node for maximum processing capacity of around 125 petaflops.

2018 Ransomware Hostage Rescue Manual

Request Your Free Manual Now:

"2018 Ransomware Hostage Rescue Manual"

What You Need to Know To Prepare and Recover from a Ransomware Attack.

Ransomware is vicious malware that locks users out of their devices or blocks access to files until a sum of money or ransom is paid. Attacks cause downtime, data loss, possible intellectual property theft, and in certain industries an attack is considered a data breach. 

Phishing emails, compromised websites and free software are just a few ransomware tools hackers can use to extort you.

Ransomware can take many different forms, but when you boil it down, it's a simple concept to understand: ransomware is a hostage situation.

This Ransomware Hostage Rescue Manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with ransomware. You will also receive a Ransomware Attack Response Checklist and Ransomware Prevention Checklist.

Offered Free by: KnowBe4
See All Resources from: KnowBe4

Hackers Can Hijack, Sink Ships: Researchers

Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.

Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.

It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.

Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.

While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.

Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by researchers have been reported to Cobham, whose Fleet One terminal was used in experiments, and have not been disclosed.

According to researchers, once an attacker gains access to the terminal, they can replace the firmware due to the lack of proper validation checks or downgrade it to an older and more vulnerable version, and they can edit the web application running on the terminal. Experts also discovered poorly protected admin passwords in configuration files.

Learn More at SecurityWeek’s 2018 ICS Cyber Security Conference

An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.

Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT,” explained Pen Test Partners researcher Ken Munro.

In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel “jump” to a slightly different location.

Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as seen by other nearby vessels via the automatic identification system (AIS) tracker.

“So, simply spoof the ECDIS using the vulnerable config interface, ‘grow’ the ship and ‘jump’ it in to the shipping lanes,” Munro explained. “Other ships’ AIS will alert the ship’s captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”

Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems are used to control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol.

Since messages sent over NMEA 0183 don’t use any authentication, encryption or validation, a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when autopilot is engaged, researchers warn.

“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Munro concluded.