Security-Portal.cz is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, and Linux and BSD systems. It runs many interesting services and supports enthusiasts in interesting projects.

Categories

Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries

Threatpost - 1 hour 27 min ago
A battery-saving app enables attackers to snatch text messages and read sensitive log data - but it also holds true to its advertising.
Category: Hacking & Security

Supreme Court Bolsters Mobile-Phone Privacy Rights

Threatpost - 2 hours 56 min ago
Supreme Court decision requires law enforcement to obtain a warrant to gain access to cellphone records for tracking citizens.
Category: Hacking & Security

DDoS-Happy ‘Bitcoin Baron’ Sentenced to Almost 2 Years in Jail

Threatpost - 3 hours 23 min ago
Far from being a simple hacktivist filled with an impulse for social justice, a different picture emerges when his activity is collated together.
Category: Hacking & Security

What Does Compliance With OWASP Really Mean for Financial Institutions?

InfoSec Institute Resources - 4 hours 46 min ago

The latest Cost of Cyber Crime study by Accenture found financial services among the most targeted and vulnerable industries, with breaches tripling over the past five years. The financial services industry faces a multitude of cybersecurity challenges, one being the myriad of applications used and developed containing valuable transactional data and PII. Improper application development […]

What Does Compliance With OWASP Really Mean for Financial Institutions? was first posted on June 22, 2018 at 10:50 am.
Category: Hacking & Security

Roku TV, Sonos Speaker Devices Open to Takeover

Threatpost - 5 hours 48 sec ago
The Roku streaming video device and the Sonos Wi-Fi speakers suffer from the same DNS rebinding flaw reported in Google Home and Chromecast devices earlier this week.
Category: Hacking & Security

The Google Home smart speaker can reveal where you live

Zive.cz - security - 6 hours 6 min ago
Smart speakers are slowly but surely becoming part of households. Their owners voluntarily accept the fact that the devices are practically always "listening" so that they can respond to requests. Few would expect, however, that they can reveal your location, as revealed by research from security expert Craig ...
Category: Hacking & Security

“WannaCrypt” ransomware scam demands payment in advance!

Sophos Naked Security - 6 hours 37 min ago
To avoid the need for actual ransomware, just insist on payment up front...

Cybercriminals exploit football fever. They are attacking fans

Novinky.cz - security - 9 hours 5 min ago
Cybercriminals have targeted fans of the ongoing 2018 FIFA World Cup in Russia. They lure the gullible with the current schedule and results of individual matches, but the file is infected. Security experts from the antivirus company Check Point warned of the new threat.
Category: Hacking & Security

Holy Potatoes! Popular games remove “spyware” after gamers revolt

Sophos Naked Security - 9 hours 14 min ago
Whether what Red Shell does is an invasion of privacy or a harmless tool seems to depend on whether you’re a developer or a gamer.

Flightradar24 under attack by hackers. If you use the service, change your password

Zive.cz - security - 9 hours 36 min ago
The Flightradar24 website was attacked by hackers. They managed to obtain e-mail addresses and passwords – fortunately not in readable form but hashed. The problem reportedly affects "only a small portion of users". On the Swedish website Flightradar24, users have for twelve years been able to track the real position and movement ...
Category: Hacking & Security

ICE staff doxxed on Twitter, GitHub, Medium amid child separation furore

Sophos Naked Security - 9 hours 44 min ago
Major websites took steps to protect ICE staff as tension over the US family separation policy ratcheted up.

Hackers Steal $31m+ From South Korean Crypto-Exchange

LinuxSecurity.com - 12 hours 10 min ago
LinuxSecurity.com: South Korean exchange Bithumb has been targeted by hackers for the second time in a year, this time losing over $31m in cryptocurrency.
Category: Hacking & Security

Destructive Nation-State Cyber Attacks Will Rise, Say European Infosec Pros

LinuxSecurity.com - 12 hours 30 min ago
LinuxSecurity.com: Incidents like last year's WannaCry attacks by suspected North Korean threat actors and the more recent news about Russian hackers taking control of hundreds of thousands of network routers worldwide have clearly spooked the enterprise infosec community.
Category: Hacking & Security

Thousands of Mobile Apps Expose Their Unprotected Firebase Hosted Databases

The Hacker News - 12 hours 30 min ago
Mobile security researchers have discovered unprotected Firebase databases of thousands of iOS and Android mobile applications that are exposing over 100 million data records, including plain text passwords, user IDs, location, and in some cases, financial records such as banking and cryptocurrency transactions. Google's Firebase service is one of the most popular back-end development
Category: Hacking & Security

Android Gets New Anti-Spoofing Feature to Make Biometric Authentication Secure

The Hacker News - 12 hours 37 min ago
Google just announced its plan to introduce a new anti-spoofing feature for its Android operating system that makes its biometric authentication mechanisms more secure than ever. Biometric authentication methods, like fingerprint, iris, or face recognition technologies, smooth the process of unlocking devices and applications by making it notably faster and more secure. Although biometric systems
Category: Hacking & Security

Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR

Threatpost - 21 June 2018 - 22:47
Don't expect tracking methods such as browser fingerprinting to disappear anytime soon, even with GDPR, warns the EFF.
Category: Hacking & Security

Getting Paid for Breaking Things: The Fundamentals of Bug Bounty

InfoSec Institute Resources - 21 June 2018 - 22:16

According to the latest Software Fail Watch report released by Tricentis, companies all over the world lost $1.7 trillion last year to software failures and vulnerabilities. Such tremendous losses incentivize businesses to increase spending on software testing. Companies are expanding their staff with professional testers and investing significant amounts of money in automated testing systems. […]

Getting Paid for Breaking Things: The Fundamentals of Bug Bounty was first posted on June 21, 2018 at 3:16 pm.
Category: Hacking & Security

Does the GDPR Threaten the Development of Blockchain?

InfoSec Institute Resources - 21 June 2018 - 21:29

1. Introduction
In the last two years, there has been a steady increase in the number of discussions around two important topics. Namely, the new EU law called the General Data Protection Regulation (GDPR) and the technological developments in the field of the blockchain. While data protection authorities clarified many aspects of the GDPR and […]

Does the GDPR Threaten the Development of Blockchain? was first posted on June 21, 2018 at 2:29 pm.
Category: Hacking & Security

Better Biometrics in Android P

Google Security Blog - 21 June 2018 - 20:46
Posted by Vishwath Mohan, Security Engineer

[Cross-posted from the Android Developers Blog]

To keep users safe, most apps and devices have an authentication mechanism, or a way to prove that you're you. These mechanisms fall into three categories: knowledge factors, possession factors, and biometric factors. Knowledge factors ask for something you know (like a PIN or a password), possession factors ask for something you have (like a token generator or security key), and biometric factors ask for something you are (like your fingerprint, iris, or face).

Biometric authentication mechanisms are becoming increasingly popular, and it's easy to see why. They're faster than typing a password, easier than carrying around a separate security key, and they prevent one of the most common pitfalls of knowledge-factor based authentication—the risk of shoulder surfing.
As more devices incorporate biometric authentication to safeguard people's private information, we're improving biometrics-based authentication in Android P by:
  • Defining a better model to measure biometric security, and using that to functionally constrain weaker authentication methods.
  • Providing a common platform-provided entry point for developers to integrate biometric authentication into their apps.
A better security model for biometrics
Currently, biometric unlocks quantify their performance with two metrics borrowed from machine learning (ML): False Accept Rate (FAR) and False Reject Rate (FRR).
In the case of biometrics, FAR measures how often a biometric model accidentally classifies an incorrect input as belonging to the target user—that is, how often another user is falsely recognized as the legitimate device owner. Similarly, FRR measures how often a biometric model accidentally classifies the user's biometric as incorrect—that is, how often a legitimate device owner has to retry their authentication. The first is a security concern, while the second is problematic for usability.
Both metrics do a great job of measuring the accuracy and precision of a given ML (or biometric) model when applied to random input samples. However, because neither metric accounts for an active attacker as part of the threat model, they do not provide very useful information about the model's resilience against attacks.
In Android 8.1, we introduced two new metrics that more explicitly account for an attacker in the threat model: Spoof Accept Rate (SAR) and Imposter Accept Rate (IAR). As their names suggest, these metrics measure how easily an attacker can bypass a biometric authentication scheme. Spoofing refers to the use of a known-good recording (e.g. replaying a voice recording or using a face or fingerprint picture), while impostor acceptance means a successful mimicking of another user's biometric (e.g. trying to sound or look like a target user).
Strong vs. Weak Biometrics
We use the SAR/IAR metrics to categorize biometric authentication mechanisms as either strong or weak. Biometric authentication mechanisms with an SAR/IAR of 7% or lower are strong, and anything above 7% is weak. Why 7% specifically? Most fingerprint implementations have a SAR/IAR metric of about 7%, making this an appropriate standard to start with for other modalities as well. As biometric sensors and classification methods improve, this threshold can potentially be decreased in the future.
This binary classification is a slight oversimplification of the range of security that different implementations provide. However, it gives us a scalable mechanism (via the tiered authentication model) to appropriately scope the capabilities and the constraints of different biometric implementations across the ecosystem, based on the overall risk they pose.
While both strong and weak biometrics will be allowed to unlock a device, weak biometrics:
  • require the user to re-enter their primary PIN, pattern, password or a strong biometric to unlock a device after a 4-hour window of inactivity, such as when left at a desk or charger. This is in addition to the 72-hour timeout that is enforced for both strong and weak biometrics.
  • are not supported by the forthcoming BiometricPrompt API, a common API for app developers to securely authenticate users on a device in a modality-agnostic way.
  • can't authenticate payments or participate in other transactions that involve a KeyStore auth-bound key.
  • must show users a warning that articulates the risks of using the biometric before it can be enabled.
These measures are intended to allow weaker biometrics, while reducing the risk of unauthorized access.
BiometricPrompt API
Starting in Android P, developers can use the BiometricPrompt API to integrate biometric authentication into their apps in a device and biometric agnostic way. BiometricPrompt only exposes strong modalities, so developers can be assured of a consistent level of security across all devices their application runs on. A support library is also provided for devices running Android O and earlier, allowing applications to utilize the advantages of this API across more devices.
Here's a high-level architecture of BiometricPrompt.

The API is intended to be easy to use, allowing the platform to select an appropriate biometric to authenticate with instead of forcing app developers to implement this logic themselves. Here's an example of how a developer might use it in their app:
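The following is an added example, not the code from the original post: it ties the two mechanisms the post describes together by generating a KeyStore auth-bound AES key and then calling the Android P BiometricPrompt API with a CryptoObject, so the key can only be used after a strong biometric succeeds. The key alias, prompt strings and the plaintext are constructed for illustration.

```java
import android.content.Context;
import android.hardware.biometrics.BiometricPrompt;
import android.os.CancellationSignal;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class BiometricKeyUnlock {
    private static final String KEY_ALIAS = "example_auth_bound_key"; // constructed alias

    // Generate an AES-GCM key inside AndroidKeyStore that requires user authentication
    // for every use. Because no validity duration is set, each operation must be
    // authorized individually through a BiometricPrompt CryptoObject.
    static SecretKey createAuthBoundKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true) // auth-bound: KeyStore enforces this, not the app
                .build());
        return kg.generateKey();
    }

    // Load the key and initialise a cipher; the cipher is not usable until authorized.
    static Cipher cipherForKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(KEY_ALIAS, null);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key); // KeyStore chooses a fresh IV for GCM
        return cipher;
    }

    // Show the platform prompt; BiometricPrompt only offers strong modalities, and the
    // KeyStore operation is authorized only in onAuthenticationSucceeded.
    static void unlockAndEncrypt(Context ctx, byte[] plaintext) throws Exception {
        BiometricPrompt prompt = new BiometricPrompt.Builder(ctx)
                .setTitle("Confirm payment")
                .setSubtitle("Authenticate to use the stored key")
                .setNegativeButton("Cancel", ctx.getMainExecutor(), (dialog, which) -> { /* user cancelled */ })
                .build();
        prompt.authenticate(new BiometricPrompt.CryptoObject(cipherForKey()), new CancellationSignal(),
                ctx.getMainExecutor(), new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            Cipher authorized = result.getCryptoObject().getCipher();
                            byte[] ciphertext = authorized.doFinal(plaintext); // succeeds only now
                            byte[] iv = authorized.getIV();                    // store with the ciphertext
                        } catch (Exception e) { /* key revoked or operation no longer valid */ }
                    }
                    @Override public void onAuthenticationError(int errorCode, CharSequence errString) {
                        // lockout, cancellation or no enrolled strong biometric: do not fall back to a weaker check here
                    }
                });
    }
}
```

Call createAuthBoundKey() once (for example at enrolment) and unlockAndEncrypt() for each transaction; a weak biometric never reaches onAuthenticationSucceeded because the prompt does not expose it.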

Conclusion
Biometrics have the potential to both simplify and strengthen how we authenticate our digital identity, but only if they are designed securely, measured accurately, and implemented in a privacy-preserving manner.
We want Android to get it right across all three. So we're combining secure design principles, a more attacker-aware measurement methodology, and a common, easy to use biometrics API that allows developers to integrate authentication in a simple, consistent, and safe manner.
Acknowledgements: This post was developed in joint collaboration with Jim Miller.
Category: Hacking & Security
Syndicate content