Microsoft and Bad Security
-
Here is why Microsoft continues to add unpopular features to Windows
Microsoft plans to release two feature updates for its Windows operating systems later this year. Work on future feature updates continues unhindered as well, and the first builds of the 2023 feature update version are already available.
[...]
Web addresses may be entered directly to open sites, but any other input is redirected to Microsoft's Bing search engine. All requests are opened in Microsoft's Edge web browser when the search widget is used.
-
Microsoft drops emergency patch after Patch Tuesday screw up
Microsoft has issued an out-of-band patch fixing an issue that caused server or client authentication failures on domain controllers after installing the 10 May 2022 Patch Tuesday updates.
The Patch Tuesday issue was identified by users shortly after the monthly update was issued, and affected services including Network Policy Server (NPS), Routing and Remote Access Service (RRAS), Radius, Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP).
-
Password policy guidance | Pen Test Partners
Passwords are securely stored by using a one-way hashing algorithm to generate a representation of the original password. Authentication mechanisms then compare the hash of an entered password with the stored hash value to determine if the password is correct. Because these hashing algorithms are not reversible, the only way to crack a password is to guess passwords and see if there is a hash match. It is therefore important to make the password resistant to cracking so that if a hashed password is compromised, either by gaining access to the database or capturing it from the network, the original password cannot be retrieved and used by an attacker. The way to do that is by using strong passwords.
-
Dvuln Labs
This file is encrypted using AES-256-CBC encryption combined with Base64 encoding.
A 4-digit application PIN (which gets set during the initial onboarding when a user first instals the application) is the encryption password used to protect or encrypt the licence data.
The problem here is that an attacker who has access to the encrypted licence data (whether that be through accessing a phone backup, direct access to the device or remote compromise) could easily brute-force this 4-digit PIN by using a script that would try all 10,000 combinations….
[…]
The second design flaw that is favourable for attackers is that the Digital Driver Licence data is never validated against the back-end authority which is the Service NSW API/database.
This means that the application has no native method to validate the Digital Driver Licence data that exists on the phone and thus cannot perform further actions such as warn users when this data has been modified.
As the Digital Licence is stored on the client’s device, validation should take place to ensure the local copy of the data actually matches the Digital Driver’s Licence data that was originally downloaded from the Service NSW API.
As this verification does not take place, an attacker is able to display the edited data on the Service NSW application without any preventative factors.
- Login or register to post comments
- Printer-friendly version
- 1680 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
digiKam 7.7.0 is releasedAfter three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. |
Dilution and Misuse of the "Linux" Brand
|
Samsung, Red Hat to Work on Linux Drivers for Future TechThe metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. |
today's howtos
|
Recent comments
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago
1 year 11 weeks ago