Microsoft’s Windows Hello for Business Flaw Let Attackers Bypass Authentication
A recently discovered vulnerability in Microsoft’s Windows Hello for Business (WHfB) authentication system allowed attackers to bypass the supposedly phishing-resistant login method, raising concerns about the security of this widely adopted passwordless solution.
The flaw lets an attacker sidestep the system’s strongest authentication mechanisms, posing a serious risk to organizations that rely on this technology to protect sensitive data.
Security researcher Yehuda Smirnov uncovered a design flaw that enabled malicious actors to downgrade the authentication process from the more secure Windows Hello biometric or PIN-based login to less secure, phishable methods.
Windows Hello for Business is designed to enhance security by using biometric data or a PIN instead of traditional passwords. It leverages key-based or certificate-based authentication, which is inherently more secure than password-based systems because it eliminates the risk of password theft or phishing attacks.
However, a recent discovery by cybersecurity researchers has revealed a method to downgrade this secure authentication process to a less secure, phishable method.
Microsoft’s Windows Hello for Business Flaw
The attack involves intercepting and altering authentication requests. By modifying specific parameters in the POST request to the Microsoft online login service, attackers can force the system to revert to a traditional password-based authentication method.
This is achieved by changing the isFidoSupported parameter to false or altering the User-Agent header to an unsupported value, thus bypassing the intended secure authentication mechanism of Windows Hello for Business.
Smirnov demonstrated the exploit using a modified version of the EvilGinx phishing framework, showing how an attacker could automate the process of bypassing Windows Hello authentication. The proof of concept highlighted the potential risks for organizations relying on WHfB as their primary means of secure authentication.
Technical Details
The attack process is relatively straightforward for skilled attackers. It involves the following steps:
Intercepting the Authentication Request: Using tools like Burp Suite, attackers can intercept the POST request sent to https://login.microsoftonline.com/common/GetCredentialType.
Modifying Request Parameters: The intercepted request is then altered to set the isFidoSupported parameter to false or change the User-Agent header to a non-supported value.
Downgrading Authentication: These modifications trick the system into downgrading the authentication method from Windows Hello for Business to a less secure, phishable method, such as a simple password.
This vulnerability highlights a critical oversight in the authentication process: the service did not enforce phishing-resistant methods, so a client could opt out of them simply by claiming not to support them.
The ability to bypass Windows Hello for Business authentication poses significant risks, particularly for enterprises that rely on this system to secure access to sensitive information and critical systems. This flaw could allow attackers to gain unauthorized access to corporate networks, exfiltrate data, and perform further malicious activities if successfully exploited.
Mitigation Strategies
To mitigate this vulnerability, Microsoft recommends several measures:
Implement Conditional Access Policies: Organizations should create conditional access policies that enforce the use of phishing-resistant authentication methods. This can be achieved by leveraging the newly added “authentication strength” feature in Microsoft Entra ID.
Enable Strong, Phishing-Resistant Authentication: Ensure that all cloud applications require strong, phishing-resistant multi-factor authentication (MFA) methods.
Audit and Monitor Authentication Requests: Regularly audit and monitor authentication requests to detect any anomalies or attempts to downgrade authentication methods.
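The third mitigation, auditing sign-ins for downgrade attempts, is the one most teams have to build themselves. The script below is an added example written for this article; it is not code from Microsoft or from the researcher. It assumes sign-in records shaped like the Entra ID sign-in log (userPrincipalName, createdDateTime, ipAddress, userAgent, and an authenticationDetails list whose entries carry authenticationMethod), which is an assumption about the schema, and the records it runs over are constructed sample data. The idea is simple: once an account has authenticated with a phishing-resistant method, any later sign-in that used only a phishable method is worth an alert, and the alert is stronger when the user agent or source IP has never been seen alongside that account’s phishing-resistant sign-ins.

```python
"""Spot authentication-method downgrades in Entra ID-style sign-in records.

Added illustrative example, not code from the article, the researcher or
Microsoft. Field names are assumed to follow the Entra ID sign-in log
schema; the sample records are constructed for this example.
"""
from datetime import datetime

# Assumption for this example: which method labels count as phishing-resistant
# and which as phishable. Adjust to the labels your tenant actually emits.
PHISHING_RESISTANT = {"Windows Hello for Business", "FIDO2 security key"}
PHISHABLE = {"Password", "SMS", "Mobile app notification"}

EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/126"

SAMPLE_SIGNINS = [  # constructed sample data
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-01T08:00:00+00:00",
     "ipAddress": "203.0.113.10", "userAgent": EDGE_UA,
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business"}]},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-02T08:05:00+00:00",
     "ipAddress": "203.0.113.10", "userAgent": EDGE_UA,
     "authenticationDetails": [{"authenticationMethod": "Windows Hello for Business"}]},
    # bob has no phishing-resistant baseline, so his password sign-in is not a downgrade
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-07-02T09:00:00+00:00",
     "ipAddress": "203.0.113.20", "userAgent": "Mozilla/5.0 Chrome/126",
     "authenticationDetails": [{"authenticationMethod": "Password"}]},
    # alice: password from an unfamiliar client and address -> strongest alert
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-03T10:00:00+00:00",
     "ipAddress": "198.51.100.5", "userAgent": "curl/8.0",
     "authenticationDetails": [{"authenticationMethod": "Password"}]},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-03T12:00:00+00:00",
     "ipAddress": "203.0.113.11", "userAgent": EDGE_UA,
     "authenticationDetails": [{"authenticationMethod": "FIDO2 security key"}]},
    # alice: password from her usual client and address -> still a downgrade, weaker signal
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-07-04T08:00:00+00:00",
     "ipAddress": "203.0.113.10", "userAgent": EDGE_UA,
     "authenticationDetails": [{"authenticationMethod": "Password"}]},
]


def _methods(record):
    """Set of authentication method labels recorded for one sign-in."""
    return {d.get("authenticationMethod") for d in record.get("authenticationDetails", [])}


def detect_downgrades(records):
    """Return alerts for sign-ins that used only phishable methods by an account
    that had previously authenticated with a phishing-resistant method.

    Each account's baseline (user agents and source IPs seen with
    phishing-resistant sign-ins) is accumulated in time order, so every
    record is judged only against what came before it. Failed attempts are
    included on purpose: a downgrade attempt matters even when it did not
    succeed.
    """
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["createdDateTime"]))
    baseline = {}  # upn -> {"agents": set(), "ips": set()}
    alerts = []
    for rec in ordered:
        upn = rec["userPrincipalName"]
        methods = _methods(rec)
        if methods & PHISHING_RESISTANT:
            entry = baseline.setdefault(upn, {"agents": set(), "ips": set()})
            entry["agents"].add(rec.get("userAgent"))
            entry["ips"].add(rec.get("ipAddress"))
            continue
        if upn in baseline and methods and methods <= PHISHABLE:
            reasons = ["phishable_method_after_phishing_resistant_baseline"]
            if rec.get("userAgent") not in baseline[upn]["agents"]:
                reasons.append("new_user_agent")
            if rec.get("ipAddress") not in baseline[upn]["ips"]:
                reasons.append("new_ip")
            alerts.append({"user": upn, "time": rec["createdDateTime"],
                           "methods": sorted(methods), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(SAMPLE_SIGNINS):
        print(alert)
```

Run against the constructed records it raises two alerts, both for alice: the curl sign-in from a new address carries all three reasons, while the later password sign-in from her usual browser and address carries only the baseline reason. In practice the password alert alone is the important one, because a correctly scoped Conditional Access policy with a phishing-resistant authentication strength should make such a sign-in impossible; seeing one means the policy is missing or the account is out of scope.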
The discovery of this vulnerability in Windows Hello for Business underscores the ongoing challenges in securing authentication systems. While Windows Hello for Business offers significant security advantages over traditional password-based systems, this flaw demonstrates the importance of continuous security assessments and the need for robust mitigation strategies to protect against evolving threats.
Organizations using Windows Hello for Business should promptly implement the recommended mitigation measures to safeguard their systems and data from potential exploitation.
The post Microsoft’s Windows Hello for Business Flaw Let Attackers Bypass Authentication appeared first on Cyber Security News.
UK Researchers Find AI Chatbots Highly Vulnerable to Jailbreaks
Advanced AI Safety Institute (AISI) researchers have recently discovered substantial vulnerabilities in popular AI chatbots, indicating that these systems are highly susceptible to “jailbreak” attacks.
The findings, published in AISI’s May update, highlight the potential risks advanced AI systems pose when exploited for malicious purposes.
The study evaluated five large language models (LLMs) from major AI labs, anonymized as the Red, Purple, Green, Blue, and Yellow models.
These models, which are already in public use, were subjected to a series of tests to assess their compliance with harmful questions under attack conditions.
Compliance Rates of AI Models Under Attack
Figure 1 illustrates the compliance rates of the five models when subjected to jailbreak attacks. The Green model showed the highest compliance rate, answering up to 28% of harmful questions under attack conditions.
The researchers employed a variety of techniques to evaluate the models’ responses to over 600 private, expert-written questions. These questions were designed to test the models’ knowledge and skills in areas relevant to security, such as cyber-attacks, chemistry, and biology. The evaluation process included:
Task Prompts: Models were given specific questions or tasks to perform.
Scaffold Tools: For certain tasks, models had access to external tools, such as a Python interpreter, to write executable code.
Response Measurement: Responses were graded using both automated approaches and human evaluators.
Vulnerabilities and Risks
The study found that while the models generally provided correct and compliant information in the absence of attacks, their compliance rates with harmful questions increased significantly under attack conditions. This raises concerns about the potential misuse of AI systems in various harmful scenarios, including:
Cyber Attacks: AI models could be used to inform users about cyber security exploits or autonomously attack critical infrastructure.
Chemical and Biological Knowledge: Advanced AI could provide detailed information that could be used for both positive and harmful purposes in chemistry and biology.
Potential Risks of AI Misuse
Figure 2 outlines the potential risks associated with the misuse of AI systems, emphasizing the need for robust safety measures.
Conclusion and Recommendations
The AISI’s findings underscore the importance of continuous evaluation and improvement of AI safety protocols. The researchers recommend the following measures to mitigate the risks:
Enhanced Security Protocols: Implementing stricter security measures to prevent jailbreak attacks.
Regular Audits: Conducting periodic evaluations of AI systems to identify and address vulnerabilities.
Public Awareness: Educating users about the potential risks and safe usage of AI technologies.
As AI continues to evolve, ensuring the safety and security of these systems remains a critical priority. The AISI’s study serves as a crucial reminder of the ongoing challenges and the need for vigilance in the development and deployment of advanced AI technologies.
The post UK Researchers Find AI Chatbots Highly Vulnerable to Jailbreaks appeared first on Cyber Security News.