Last Update: 21 Jan 2018
Windows 10 WARNING - PCs vulnerable to hack after shock security risk discovered
Posted on : 26 Dec 2017  Source of News: Express
 

 


 

Windows 10 users have been warned about a new security risk which could open PCs up to an attack.

Microsoft’s flagship operating system can be hacked into via the Windows Hello facial authentication system, cybersecurity experts have warned.

Windows Hello lets users unlock their device simply with their face or with a fingerprint.

But security researchers from German firm SYSS managed to defeat the face scanning feature with a printed picture.

The cybersecurity experts were able to defeat Windows Hello on Windows 10 systems that have not yet received the Fall Creators Update.

SYSS said on these systems a "simple spoofing attack using a modified printed photo of an authorised person" can crack open Windows Hello.

The researchers claim this attack works against multiple versions of Windows 10 and on different hardware, ZDNet reported.

SYSS tested the spoofing attack against a Dell Latitude with a LilBit USB camera and against a Microsoft Surface Pro 4.

These devices were running various versions of Windows 10, including one of the first releases, version 1511.

The researchers said the attack was also successful on version 1607, which is the Anniversary Update that was rolled out in summer 2016.

The attack was successful in this version even when Microsoft’s enhanced anti-spoofing was enabled.

However, the attack only worked on the two Creators Updates released this year when anti-spoofing was disabled.

These updates fixed the exploit; however, security researchers said users may still be vulnerable if Windows Hello was set up on an older version of Windows 10.

If that’s the case, then SYSS said Windows 10 users with Windows Hello enabled would have to go into the settings and set it up all over again.

To carry out the spoofing exploit, an attacker would need a printed picture of the authenticated user that was taken with an infrared camera.

In a post on Full Disclosure, SYSS wrote: "According to our test results, the newer Windows 10 branches 1703 and 1709 are not vulnerable to the described spoofing attack by using a paper printout if the ‘enhanced anti-spoofing’ feature is used with respective compatible hardware.

"Thus, concerning the use of Windows Hello face authentication, SYSS recommend updating the Windows 10 operating system to the latest revision of branch 1709, enabling the ‘enhanced anti-spoofing’ feature, and reconfiguring Windows Hello face authentication afterwards."

The news comes after Windows 10 users were put on alert after a security flaw was discovered that could see your passwords stolen by cybercriminals.

The warning revolves around a password manager that recently has been bundled in with some versions of Microsoft’s flagship OS.

Google Project Zero researcher Tavis Ormandy discovered the security risk after installing Windows 10 using a fresh image from Microsoft.

He found that, as a result of the fresh Windows 10 install, Keeper Password Manager was pre-installed on his PC.

When he tested the app, he found that a browser plugin the app prompted him to enable resulted in the terrifying bug.

In a blog post, he said the security flaw represented "a complete compromise of Keeper security, allowing any website to steal any password."

Ormandy installed Windows 10 using an image from Microsoft Developer Network (MSDN), meaning that it is meant for developers.

However, Reddit users also claimed to have received the vulnerable copy of Keeper after clean reinstalls and even on a brand new laptop.