Authentication | Breaking Cybersecurity News | The Hacker News

Researchers have discovered an inexpensive attack technique that could be leveraged to brute-force fingerprints on smartphones to bypass user authentication and seize control of the devices. The approach, dubbed  BrutePrint , bypasses limits put in place to counter failed biometric authentication attempts by weaponizing two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework. The flaws, Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), leverage logical defects in the authentication framework, which arises due to insufficient protection of fingerprint data on the Serial Peripheral Interface (SPI) of fingerprint sensors. The result is a "hardware approach to do man-in-the-middle (MitM) attacks for fingerprint image hijacking," researchers Yu Chen and Yiling He  said  in a research paper. "BrutePrint acts as a middleman between fingerprint sensor and  TEE  [Trusted Execution Environment]." The goal, at its core, is to be

The U.S. National Institute of Standards and Technology (NIST) has announced that a family of authenticated encryption and hashing algorithms known as Ascon will be standardized for  lightweight cryptography  applications. "The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad tiny sensors and actuators," NIST  said . "They are also designed for other miniature technologies such as implanted medical devices, stress detectors inside roads and bridges, and keyless entry fobs for vehicles." Put differently, the idea is to adopt security protections via lightweight cryptography in devices that have a "limited amount of electronic resources." That said, NIST still recommends the Advanced Encryption Standard ( AES ) and SHA-256 for general use. Ascon is  credited  to a team of cryptographers from the Graz University of Technology, Infineon Technologies, Lamarr Security Researc

Wing Security finds and ranks all SaaS applications completely for free, removing unnecessary risk.

Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious  OAuth  applications as part of a phishing campaign designed to breach organizations' cloud environments and steal email. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting permissions to the fraudulent apps," the tech giant  said . "This phishing campaign targeted a subset of customers primarily based in the U.K. and Ireland." Consent phishing is a  social engineering attack  wherein users are tricked into granting permissions to malicious cloud applications, which can then be weaponized to gain access to legitimate cloud services and sensitive user data. The Windows maker said it became aware of the campaign on December 15, 2022. It has since alerted affected customers via email, with the company noting that the threat actors abused the conse

A group of academics at South Korea's Gwangju Institute of Science and Technology (GIST) have utilized natural silk fibers from domesticated silkworms to build an environmentally friendly digital security system that they say is "practically unbreachable." "The first natural physical unclonable function (PUF) […] takes advantage of the diffraction of light through natural microholes in native silk to create a secure and unique digital key for future security solutions," the researchers said . Physical unclonable functions or  PUFs  refer to devices that leverage inherent randomness and microscopic differences in electronics introduced during manufacturing to generate a unique identifier (e.g., cryptographic keys) for a given set of inputs and conditions. In other words, PUFs are non-algorithmic one-way functions derived from uncopiable elements to create unbreakable identifiers for strong authentication. Over the years, PUFs have been widely used in smartca

Microsoft on Wednesday announced a new passwordless mechanism that allows users to access their accounts without a password by using Microsoft Authenticator, Windows Hello, a security key, or a verification code sent via SMS or email. The change is expected to be rolled out in the coming weeks. "Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords,"  said  Vasu Jakkal, Microsoft's corporate vice president for Security, Compliance, and Identity. "But, given the vulnerability of passwords, requirements for them have gotten increasingly complex in recent years, including multiple symbols, numbers, case sensitivity, and disallowing previous passwords." "Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives," Jakkal added. Over the years, weak passwords have emerged as the entry point for a vast majority of attacks across enterprise and cons

Zero Trust is increasingly being adopted as the best strategy to maintain application security and prevent data breaches. To help achieve progress on Zero Trust, there is now a new, easy way to implement continuous user verification by connecting directly to the authentication systems used by mobile operators – without the overhead of processing or storing user data.  Before we show you how it works and how to integrate it, let's start with the fundamental challenge. Zero Trust and Authentication The Zero Trust model of identity verification essentially means never trusting that a returning user is whom they claim to be, regardless of their location or previous successful attempts. Zero Trust is a strategic approach to access management that is vital for keeping out bad actors.  As the world moves to the cloud, with an increasingly distributed network of employees, partners, and clients, tighter auth journeys become even more important.  But with greater security comes greate