Computer News & Safety – Harry Waldron

July 31st, 2018:

Microsoft Edge – New W3C WEBAUTH security support in latest preview

Microsoft Edge is offering support for the new W3C “Web Authentication” specification as an alternative to passwords in its latest preview (“beta”) build.

Microsoft announced on Monday that its Microsoft Edge browser now supports the Web Authentication spec at the preview stage, enabling the testing of an alternative means of carrying out user authentications besides passwords.

The Web Authentication spec is a standard for the use of public key cryptography in credentials being developed by the Fast IDentity Online (FIDO) Alliance industry coalition and the Worldwide Web Consortium (W3C) organization. Currently, the Web Authentication spec is at the W3C’s “Candidate Recommendation” stage, meaning that it’s considered stable and is one step away from being a W3C “Recommendation” and ready for implementation.

The aim of the spec is to move away from using passwords for user authentications, which is conceived as problematic because passwords are subject to information disclosure and phishing attacks. Instead, user identities get verified by a fingerprint reader, a face scan or a personal ID number. A so-called FIDO 2.0 “companion device” may be used in the process, such as a wristband with near-field communication capabilities, a card swipe or a USB drive.

Security – HP offers bounty program to better protect printing

While printing may not seem like a major security risk, there have been occasional vulnerabilities & malware exploits in the past. As the “Internet of Things” develops further, printers are adding more “smart” device capabilities to phone home to the vendor or the corporate ADMIN team when needs surface. HP is offering up to $10,000 to researchers who find vulnerabilities & disclose them privately, to further improve printer security controls.

HP isn’t asking people to smash its printers to pieces, but the company is willing to pay people to break its software apart. On Tuesday, HP announced its first bug bounty program that specifically targets its printers, offering as much as $10,000 to hackers who can find vulnerabilities on its machines.

Bug bounties are a common way for companies to find security flaws, with payouts as high as $100,000 for serious vulnerabilities. Hackers have been able to make a full-time job breaking software and reporting bugs before the vulnerabilities are used maliciously. Companies such as Google and Facebook have turned to bug bounties as a way to bolster their security.

HP quietly started its program in May with 34 researchers signing up. It has already paid $10,000 to a hacker who found a serious flaw with its printers, Shivaun Albright, the company’s chief technologist for printer security, said in an interview last week. The company is focused on printer security because of the vulnerabilities of internet of things devices, she said. While there’s a heavy focus on connected devices and their security flaws, it’s often on web cameras, smart televisions or lightbulbs, not printers, Albright said.

Security – W3C Web Authentication alternative to passwords

The W3C standards committee has developed a new Web Authentication alternative to passwords, where users are pre-registered & later verified using FIDO-approved devices such as biometric readers, a one-time PIN from a smartphone, etc.

Web Authentication — API for accessing Public Key Credentials

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created and stored on an authenticator by the user agent in conjunction with the web application. The user agent mediates access to public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Relying Parties employ the Web Authentication API during two distinct, but related, ceremonies involving a user. The first is Registration, where a public key credential is created on an authenticator, and associated by a Relying Party with the present user’s account (the account MAY already exist or MAY be created at this time). The second is Authentication, where the Relying Party is presented with an Authentication Assertion proving the presence and consent of the user who registered the public key credential. Functionally, the Web Authentication API comprises a PublicKeyCredential which extends the Credential Management API [CREDENTIAL-MANAGEMENT-1], and infrastructure which allows those credentials to be used with navigator.credentials.create() and navigator.credentials.get(). The former is used during Registration, and the latter during Authentication.