<!--DEBUG:--><!--DEBUG:dc3-united-states-software-in-english-pdf-2--><!--DEBUG:--><!--DEBUG:dc3-united-states-software-in-english-pdf-2--><!--DEBUG-spv-->{"id":1945520,"date":"2021-07-14T15:14:00","date_gmt":"2021-07-14T13:14:00","guid":{"rendered":"http:\/\/nhub.news\/?p=1945520"},"modified":"2021-07-14T17:03:41","modified_gmt":"2021-07-14T15:03:41","slug":"microsoft-fixes-serious-windows-hello-security-flaw","status":"publish","type":"post","link":"http:\/\/nhub.news\/de\/2021\/07\/microsoft-fixes-serious-windows-hello-security-flaw\/","title":{"rendered":"Microsoft fixes serious Windows Hello security flaw"},"content":{"rendered":"<p style=\"text-align: justify;\"><b>Windows Hello vulnerability could allow threat actors to impersonate any user.<\/b><br \/>\nCybersecurity experts have shared a proof-of-concept to bypass the Windows Hello biometric authentication system. Threat actors can exploit the bypass, demonstrated by identity and access management (IAM) vendor CyberArk, to access an organization\u2019s sensitive data by impersonating a privileged account. Leaning on official figures from Microsoft that suggest that over 84% of Windows 10 users sign-in to their devices using Windows Hello, CyberArk argues that the bypass poses a grave security risk for businesses transitioning to password-less authentication. \u201cWhile our research was specific to Windows Hello and more so the enterprise offering, Windows Hello for Business, it\u2019s important to note that potentially any authentication system that allows a pluggable third-party USB camera to act as biometric sensor could be susceptible to this attack without proper mitigation,\u201d writes CyberArk\u2019s Security Researcher, Omer Tsarfati. The exploit, which CyberArk likens to the one used by Tom Cruise in hit film Minority Report, involves using a custom USB device to steal an infrared image of the target\u2019s face they want to impersonate. The criminal can then use this image to compromise any facial recognition product which relies on a USB camera, such as Windows Hello. CyberArk responsibly disclosed the issue to Microsoft, who fixed it as part of its July Patch Tuesday update. However, based on preliminary testing, CyberArk researchers believe that while the mitigation does limit the attack surface, it relies on users having specific cameras. \u201cInherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it,\u201c says Tsarfati.<\/p>\n<script>jQuery(function(){jQuery(\".vc_icon_element-icon\").css(\"top\", \"0px\");});<\/script><script>jQuery(function(){jQuery(\"#td_post_ranks\").css(\"height\", \"10px\");});<\/script><script>jQuery(function(){jQuery(\".td-post-content\").find(\"p\").find(\"img\").hide();});<\/script>","protected":false},"excerpt":{"rendered":"<p>Windows Hello vulnerability could allow threat actors to impersonate any user. Cybersecurity experts have shared a proof-of-concept to bypass the Windows Hello biometric authentication system. Threat actors can exploit the bypass, demonstrated by identity and access management (IAM) vendor CyberArk, to access an organization\u2019s sensitive data by impersonating a privileged account. Leaning on official figures [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1945519,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[93],"tags":[],"_links":{"self":[{"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/posts\/1945520"}],"collection":[{"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/comments?post=1945520"}],"version-history":[{"count":1,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/posts\/1945520\/revisions"}],"predecessor-version":[{"id":1945521,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/posts\/1945520\/revisions\/1945521"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/media\/1945519"}],"wp:attachment":[{"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/media?parent=1945520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/categories?post=1945520"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/nhub.news\/de\/wp-json\/wp\/v2\/tags?post=1945520"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}