Kategorie

Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever. Biometric authentications, like the fingerprint, IRIS, or face recognition technologies, smoothen the process of unlocking devices and applications by making it notably faster and secure. Although biometric systems

Don’t expect tracking methods such as browser fingerprinting to disappear anytime soon, even with GDPR, warns the EFF.

According to the latest Software Fail Watch report released by Tricentis, companies all over the world lost $1,7 trillion last year over software failures and vulnerabilities. Such tremendous losses incentivize businesses to increase spending on software testing. Companies are expanding their staff with professional testers and invest significant amounts of money in automated testing systems. […]

The post Getting Paid for Breaking Things: The Fundamentals of Bug Bounty appeared first on InfoSec Resources.

Getting Paid for Breaking Things: The Fundamentals of Bug Bounty was first posted on June 21, 2018 at 3:16 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

1. Introduction In the last two years, there has been a steady increase in the number of discussions around two important topics. Namely, the new EU law called the General Data Protection Regulation (GDPR) and the technological developments in the field of the blockchain. While data protection authorities clarified many aspects of the GDPR and […]

The post Does the GDPR Threaten the Development of Blockchain? appeared first on InfoSec Resources.

Does the GDPR Threaten the Development of Blockchain? was first posted on June 21, 2018 at 2:29 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Posted by Vishwath Mohan, Security Engineer

[Cross-posted from the Android Developers Blog]

To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you're you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face).

Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing.
As more devices incorporate biometric authentication to safeguard people's private information, we're improving biometrics-based authentication in Android P by:

• Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods.
• Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.

A better security model for biometricsCurrently, biometric unlocks quantify their performance today with two metrics borrowed from machine learning (ML): False Accept Rate (FAR), and False Reject Rate (FRR).
In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user—that is, how often another user is falsely recognized as the legitimate device owner. Similarly, FRR measures how often a biometric model accidentally classifies the user's biometric as incorrect—that is, how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability.
Both metrics do a great job of measuring the accuracy and precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active attacker as part of the threat model, they do not provide very useful information about its resilience against attacks.
In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g. trying to sound or look like a target user).
Strong vs. Weak BiometricsWe use the SAR/IAR metrics to categorize biometric authentication mechanisms as either strong or weak. Biometric authentication mechanisms with an SAR/IAR of 7% or lower are strong, and anything above 7% is weak. Why 7% specifically? Most fingerprint implementations have a SAR/IAR metric of about 7%, making this an appropriate standard to start with for other modalities as well. As biometric sensors and classification methods improve, this threshold can potentially be decreased in the future.
This binary classification is a slight oversimplification of the range of security that different implementations provide. However, it gives us a scalable mechanism (via the tiered authentication model) to appropriately scope the capabilities and the constraints of different biometric implementations across the ecosystem, based on the overall risk they pose.
While both strong and weak biometrics will be allowed to unlock a device, weak biometrics:

• require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics.
• are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way.
• can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key.
• must show users a warning that articulates the risks of using the biometric before it can be enabled.

These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access.
BiometricPrompt APIStarting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices .
Here's a high-level architecture of BiometricPrompt.

The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves. Here's an example of how a developer might use it in their app:

ConclusionBiometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner.
We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner.
Acknowledgements: This post was developed in joint collaboration with Jim Miller

Attackers use the approach to look like legitimate traffic and hide data exfiltration in plain sight.

Epic Games is on the verge of releasing Fortnite for Android - so the crooks are jumping in to offer you "early access"... to malware!

In this article, we will walk through all the basic Kioptrix VMs (total 5) which are available on vulnhub.com. The difficulty level of all these machines is easy, and they are categorized into different Levels. Let’s start. Note: For all these machines I have used VMware workstation to provision VMs. Kali Linux VM will be […]

The post Kioptrix VMs Challenge Walkthrough appeared first on InfoSec Resources.

Kioptrix VMs Challenge Walkthrough was first posted on June 21, 2018 at 11:38 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Posted by Mateusz Jurczyk, Project Zero
Since early 2017, we have been working on Bochspwn Reloaded – a piece of dynamic binary instrumentation built on top of the Bochs IA-32 software emulator, designed to identify memory disclosure vulnerabilities in operating system kernels. Over the course of the project, we successfully used it to discover and report over 70 previously unknown security issues in Windows, and more than 10 bugs in Linux. We discussed the general design of the tool at REcon Montreal and Black Hat USA in June and July last year, and followed up with the description of the latest implemented features and their results at INFILTRATE in April 2018 (click on the links for slides).
As we learned during this study, the problem of leaking uninitialized kernel memory to user space is not caused merely by simple programming errors. Instead, it is deeply rooted in the nature of the C programming language, and has been around since the very early days of privilege separation in operating systems. In an attempt to systematically outline the background of the bug class and the current state of the art, we wrote a comprehensive paper on this subject. It aims to provide an exhaustive guide to kernel infoleaks, their genesis, related prior work, means of detection and future avenues of research. While a significant portion of the document is dedicated to Bochspwn Reloaded, it also covers other methods of infoleak detection, non-memory data sinks and alternative applications of full-system instrumentation, including the evaluation of some of the ideas based on the developed prototypes and experiments performed as part of this work.
Without further ado, enjoy the read:
Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking (PDF, 1.54 MB)

Want to keep shopping online? If you're using an old browser you may find yourself locked out of PCI-compliant (e-commerce) websites.

The FBI took six months to track him down - what they found was a disturbed hacker with "no skills".

Zajímáte-li se o problematiku potenciálně nebezpečných asteroidů, nejspíš jste se už setkali s pojmem DAMIEN. Jde o zkratku pro Interagency Working Group for Detecting and Mitigating the Impact of Earth-bound Near-Earth Objects, tedy pracovní skupinu tvořenou zástupci NASA a dalších amerických ...

How do Android users know whether an app is genuine?

The FTC has been battling tech support scams for years, especially ones targeting older citizens who are seen by fraudsters everywhere as susceptible to these cons.

In this article, we will learn to solve another Capture the Flag (CTF) challenge which was posted on VulnHub by “Suceava University.” As you may already know from my previous capture-the-flag articles, Vulnhub.com is a platform which provides vulnerable applications/machines to get a practical, hands-on experience in conducting pen tests on applications. You can check […]

The post USV: 2017 Part 1 CTF Walkthrough appeared first on InfoSec Resources.

USV: 2017 Part 1 CTF Walkthrough was first posted on June 21, 2018 at 8:00 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

iOS 12 users will automatically share highly-detailed location information when calling 911.

Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions. Google’s Firebase service is one of the most popular back-end development

LinuxSecurity.com: The notorious Olympic Destroyer malware which disrupted the last Winter Games has resurfaced, targeting several countries in Europe as well as Russia and Ukraine, according to Kaspersky Lab.

LinuxSecurity.com: The security tools and strategies financial services organizations use to protect their data could be leveraged by cybercriminals who sneak in undetected via "hidden tunnels" to conceal their theft, according to a new report published by Vectra.

If you are wondering how to receive latest updates for an Android app—installed via a 3rd party source or peer-to-peer app sharing—directly from Google Play Store. For security reasons, until now apps installed from third-party sources cannot be updated automatically over-the-air, as Google does not recognize them as Play Store apps and they do not show up in your Google account app list as well