Microsoft offers completely passwordless authentication for online apps

Phone-based authentication is the way forward instead.


Applications using Azure Active Directory (AD) to authenticate—a category that includes Office 365, among other things—will soon be able to stop using passwords entirely.

Azure AD accounts can already use the Microsoft Authenticator app for two-factor authentication, combining a password with a one-time code. With the new passwordless support, authentication is handled entirely by the app; the app itself represents "something you have," and this is combined with either biometric authentication or a PIN. Passwords have a long, problematic history; while they can be very strong, if suitably long and suitably random, human-chosen passwords are often short, non-random, and reused across multiple sites. App-based authentication avoids this long-standing weakness.

Enabling two-factor authentication is just one of the things that organizations can do to improve their security. To that end, Microsoft has extended "Microsoft Secure Score," a tool used to assess organizational policy and provide guidance on measures that can be taken to harden an organization against attack. Secure Score already spans Office 365 and Windows security features; to these, Microsoft has added Azure AD, Azure Security Center, and Enterprise Mobility Suite, covering a wider range of settings and options.


New modification of the old cold boot attack leaves most systems vulnerable

The defenses put in place to thwart the 2008 attack turn out to be very weak.

Footprints in the snow. (credit: rabiem22 / Flickr)

Cold boot attacks, used to extract sensitive data such as encryption keys and passwords from system memory, have been given new blood by researchers from F-Secure. First documented in 2008, cold boot attacks depend on the ability of RAM to remember values even across system reboots. In response, systems were modified to wipe their memory early during the boot process—but F-Secure found that, in many PCs, tampering with the firmware settings can force the memory wipe to be skipped, once again making the cold boot attacks possible.

The RAM in any commodity PC is more specifically called Dynamic RAM (DRAM). The "dynamic" here is in contrast to the other kind of RAM (used for caches in the processor), static RAM (SRAM). SRAM retains its stored values for as long as the chip is powered on; once the value is stored, it remains that way until a new value is stored or power is removed. It doesn't change, hence "static." Each bit of SRAM typically needs six or eight transistors; it's very fast, but the high transistor count makes it bulky, which is why it's only used for small caches.

DRAM, on the other hand, has a much smaller size per bit, using only a single transistor paired with a capacitor. These capacitors lose their stored charge over time; when they're depleted, the DRAM no longer retains the value it was supposed to remember. To handle this, the DRAM is refreshed multiple times per second to top up the capacitors and rewrite the values being stored. This rewriting is what makes DRAM "dynamic." It's not just the power that needs to be maintained for DRAM; the refreshes also need to occur.


Windows 10 support extended again: September releases now get 30 months

And Microsoft is offering enterprises dedicated app compatibility support.

Licensing is not really the easiest topic to illustrate. (credit: Peter Bright)

In its continued efforts to encourage corporate customers to make the switch to Windows 10, Microsoft is shaking up its support and life cycle plans again. Support for some Windows 10 releases is being extended, and the company is offering new services to help detect and address compatibility issues should they arise.

The new policy builds on and extends the commitments made in February this year. Microsoft has settled on two annual feature updates (the "Semi-Annual Channel," SAC) to Windows 10, one finalized in March (and delivered in April) and the other finalized in September (and delivered in October). Initially, the company promised 18 months of support for each feature update, a policy that would allow customers to defer deployment of feature updates or even skip some updates entirely. Going forward, the September releases are going to see even longer support periods; for Windows 10 Enterprise and Windows 10 Education, each September release will receive 30 months of servicing. In principle, an organization that stuck to the September releases could go two years between feature updates.

Customers of Windows 10 Home, Pro, and Pro for Workstations will continue to receive only 18 months of updates for both March and September releases.


Google wants to get rid of URLs but doesn’t know what to use instead

Their complexity makes them a security hazard; their ubiquity makes replacement nigh impossible.

This is how Chrome 57 displays https://www.xn--80ak6aa92e.com/. Note the https://www.apple.com in the address bar.

Uniform Resource Locators (URLs), the online addresses that make up such an important part of the Web and browsers we use, are problematic things. Their complex structure is routinely exploited by bad actors who create phishing sites that superficially appear to be legitimate but are in fact malicious. Sometimes the tricks are as simple as creating a long domain name that's too wide to be shown in a mobile browser; other times, such as in the above picture, more nefarious techniques are used.

It's for this reason that a number of Chrome developers want to come up with something new. But what that new thing should be is harder to say.

Browsers are already taking a number of steps to try to tame URLs and make them less prone to malicious use. Chrome's use of "Not Secure" labels instead of showing the protocol name (http or https) replaces a piece of jargon with something that anyone can understand. Most browsers these days use color to distinguish the actual domain name (printed in black type) from the rest of the URL (printed in grey type); Apple's Safari goes a step further, with its address bar suppressing the entire URL except for the domain name, revealing the full text only when the address box is clicked. Microsoft's Edge (and before it, Internet Explorer) dropped support for URLs with embedded usernames and passwords, because their legitimate uses were overwhelmed by malicious ones.
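The address-bar trick in the picture above is an IDN homograph: the Punycode label xn--80ak6aa92e decodes to Cyrillic letters whose glyphs look like the Latin "apple". The following added example (not code from the article or from any browser vendor) shows the defensive display policy that later Chrome versions adopted: decode each label, and fall back to the raw Punycode form whenever a label consists entirely of Cyrillic letters that are confusable with Latin ones. The lookalike table is a partial one assumed for illustration.

```python
# Cyrillic letters whose glyphs are near-identical to Latin letters in
# common fonts. Partial table, assumed here for illustration only.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u04cf": "l",  # ӏ (palochka), used in the xn--80ak6aa92e example
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u0455": "s",  # ѕ
}


def to_unicode_label(label: str) -> str:
    """Decode one DNS label; labels prefixed 'xn--' carry Punycode."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def latin_skeleton(label: str) -> str:
    """Map each Cyrillic lookalike to the Latin letter it imitates, so a
    spoofed label can be compared against the brand it targets."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def is_whole_script_confusable(label: str) -> bool:
    """True when every character is a Cyrillic letter that looks Latin."""
    return bool(label) and all(ch in CYRILLIC_LOOKALIKES for ch in label)


def display_hostname(host: str) -> str:
    """Render a hostname for an address bar. Labels made up entirely of
    Latin lookalikes are shown in their Punycode form instead of Unicode,
    so the user sees xn--80ak6aa92e rather than a fake 'apple'."""
    shown = []
    for label in host.split("."):
        unicode_label = to_unicode_label(label)
        if is_whole_script_confusable(unicode_label):
            shown.append(label.lower())
        else:
            shown.append(unicode_label)
    return ".".join(shown)
```

The same skeleton comparison is what a mail or proxy filter can use to flag a decoded hostname whose Latin skeleton matches a protected brand while its raw characters do not.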
