Adopt Modern Auth now for Exchange Online • The Register

Voice Of EU

The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

In an advisory [PDF] this week, Uncle Sam’s Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal civilian executive branch (FCEB) agencies – which include such organizations as the Federal Communications Commission and Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch away from Basic Authentication.

“Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth,” CISA wrote. “After completing the migration to Modern Auth, agencies should block Basic Auth.”

The agency adds that Basic Auth is often used by legacy applications or custom-built business software, and that many user-facing applications, such as Outlook Desktop and Outlook Mobile App, already have been moved to Modern Auth via Microsoft security updates.

“This is a big deal,” John Gunn, CEO of authentication outfit Token, told The Register. “Security-conscious organizations have already made the switch, but many have not, and they are needlessly exposing themselves and others to attack. Hopefully this message will accelerate the process and motivate the stragglers.”

Basic Auth is a legacy authentication method that doesn’t naturally support multifactor authentication (MFA) and requires a user’s password be sent with each authentication request. There are numerous protocols that can use Basic Auth, including the Post Office Protocol/Internet Message Access Protocol (POP/IMAP), Exchange Web Services, ActiveSync, and Remote Procedure Call over HTTP (RPC over HTTP), the agency said.

MFA is required of FCEBs per President Joe Biden’s May 2021 Executive Order 14028 to improve the country’s cybersecurity capabilities.

Ray Kelly, a fellow at Synopsys Software Integrity Group, reminded us that Basic Auth simply sends one’s username and password in an encoded but unencrypted form; anyone who captures the request can run the value through a Base64 decoder and read the original credentials. It has to be wrapped in an encrypted channel, such as TLS, to be used with any safety over a network.

“Microsoft’s move to disable basic authentication in Exchange Online is a great thing for securing the Microsoft cloud ecosystem, as we have seen legacy protocols relying on basic authentication used to bypass multi-factor authentication controls,” Aaron Turner, CTO at AI cybersecurity vendor Vectra, told The Register.

“By moving to a posture of disabling basic authentication by default, it essentially hardens all email users who rely on Microsoft Exchange Online. This will make it more difficult for attackers to simply scrape a username and password from a vulnerable mobile device or browser session.”

Speaking of passwords, Microsoft has long been a vocal advocate for doing away with these passphrases for authentication, saying they are unreliable and a weak link in the cybersecurity chain. The Windows giant also has promoted MFA as a way of reducing by 99 percent the likelihood that a user will be compromised.

Moving away from legacy authentication

In a document dated 2020, two senior Microsofties said an analysis of Azure Active Directory traffic showed that 99 percent of password spray attacks and more than 97 percent of credential-stuffing attacks leveraged legacy authentication protocols. In addition, Azure AD accounts in organizations that disabled such authentication methods saw 67 percent fewer compromises than those still using legacy authentication.

Microsoft last year announced it will disable Basic Auth in Exchange Online starting October 1, 2022.

Garret Grajek, CEO of identity specialist YouAttest, called the use of two-factor (2FA) or multifactor authentication “table stakes” in the modern IT world.

“There is no excuse for use of single authentication in 2022,” Grajek told The Register. “The major vendors – Amazon, Microsoft, Google – have made it an option in their offerings. 2FA should be turned on for all resources. The attacks via zero-day flaws, source-code injections and supply chain vulnerabilities need to be monitored.”

He added that “to get hacked by simple username/password hacks on identities is unacceptable. The real challenge going forward is implementing a zero-trust architecture and real identity governance across all users and systems.”

CISA recommends several steps for moving to Modern Auth, with the first one being to review Azure AD sign-in logs to find the applications and users that are authenticating with Basic Auth.

Next is developing a plan to move those applications and users to Modern Auth by following Microsoft’s documentation and Exchange Team blog post about the shift. After that’s done, organizations can use authentication policies to block Basic Auth before authentication occurs, setting the policy per-mailbox or across the business.
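The two technical points above, that a Basic Auth credential is merely Base64-encoded and that the first migration step is to inventory Basic Auth usage from sign-in logs, can be shown together in a short triage script. This is an added example written for this page, not code from CISA, Microsoft or The Register. It assumes the sign-in records are newline-delimited JSON exported from Azure AD, and that the `clientAppUsed` field carries the legacy-protocol names Microsoft uses in its sign-in log schema; the sample records and the Authorization header are constructed, not real tenant data or real credentials.

```python
"""Triage Basic Auth usage before Microsoft disables it in Exchange Online.

Added example, not part of the article or of CISA's advisory. It assumes the
Azure AD sign-in log export format (newline-delimited JSON with the fields
userPrincipalName, appDisplayName and clientAppUsed).
"""
import base64
import binascii
import json
from collections import Counter

# clientAppUsed values that indicate a legacy protocol carrying Basic Auth.
# Assumption: these match Microsoft's sign-in log schema; check them against
# an export from your own tenant before relying on the list.
LEGACY_CLIENT_APPS = frozenset({
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell",
    "Other clients",
})


def decode_basic_header(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value.

    This is the whole of Basic Auth's "protection": the credential is only
    Base64-encoded, so anyone who can read the header can read the password,
    which is why it must travel inside TLS. Returns None for anything that is
    not a well-formed Basic credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def load_signins(text):
    """Parse newline-delimited JSON sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_basic_auth_usage(records):
    """Count sign-ins per (user, app, legacy client) that used Basic Auth.

    Failed attempts are counted too: password spraying against legacy
    endpoints shows up in the same field, so they belong in the inventory.
    """
    usage = Counter()
    for rec in records:
        if rec.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            key = (rec["userPrincipalName"], rec["appDisplayName"], rec["clientAppUsed"])
            usage[key] += 1
    return usage


def migration_list(usage):
    """Reduce the inventory to the two lists CISA asks for: users and apps."""
    users = sorted({upn for upn, _, _ in usage})
    apps = sorted({app for _, app, _ in usage})
    return users, apps


# Constructed sample records (not real tenant data).
SAMPLE_SIGNINS = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser"}
{"userPrincipalName": "scanner-svc@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP"}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Mobile Apps and Desktop clients"}
"""

if __name__ == "__main__":
    usage = find_basic_auth_usage(load_signins(SAMPLE_SIGNINS))
    for (upn, app, client), n in sorted(usage.items()):
        print(f"{upn:26} {client:22} {n} sign-in(s) to {app}")
    users, apps = migration_list(usage)
    print("Users to migrate:", users)
    print("Apps to migrate: ", apps)
    # Constructed header: Base64 of "user@example.com:hunter2", not a real credential.
    print(decode_basic_header("Basic dXNlckBleGFtcGxlLmNvbTpodW50ZXIy"))
```

Run against a real export, the `clientAppUsed` values that are neither in the legacy set nor "Browser" or "Mobile Apps and Desktop clients" are worth a manual look before the tenant-wide block is applied, since they are where custom-built applications tend to hide.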

Taking these steps means a significant improvement in security, Token’s Gunn adds.

“The advantages of Modern Auth include using MFA [and] not letting apps save credentials,” he said. “Auth has a defined lifetime and the scope of permissions can be limited. All of these make a big difference in stopping attacks.” ®

Let there be ambient light sensing, without data theft • The Register

Six years after web security and privacy concerns surfaced about ambient light sensors in mobile phones and notebooks, browser boffins have finally implemented defenses.

The W3C, everyone’s favorite web standards body, began formulating an Ambient Light Events API specification back in 2012 to define how web browsers should handle data and events from ambient light sensors (ALS). Section 4 of the draft spec, “Security and privacy considerations,” was blank. It was a more carefree time.

Come 2015, the spec evolved to include acknowledgement of the possibility that ALS might allow data correlation and device fingerprinting, to the detriment of people’s privacy. And it suggested that browser makers might consider event rate limiting as a potential mitigation.

By 2016, it became clear that allowing web code to interact with device light sensors entailed privacy and security risks beyond fingerprinting. Dr Lukasz Olejnik, an independent privacy researcher and consultant, explored the possibilities in a 2016 blog post.

Olejnik cited a number of ways in which ambient light sensor readings might be abused, including data leakage, profiling, behavioral analysis, and various forms of cross-device communication.

He described a few proof-of-concept attacks, devised with the help of security researcher Artur Janc, in a 2017 post and delved into more detail in a 2020 paper [PDF].

“The attack we devised was a side-channel leak, conceptually very simple, taking advantage of the optical properties of human skin and its reflective properties,” Olejnik explained in his paper.

“Skin reflectance only accounts for 4-7 percent of emitted light, but modern display screens emit light with significant luminance. We exploited these facts of nature to craft an attack that reasoned about the website content via information encoded in the light level and conveyed via the user’s skin back to the browsing context tracking the light sensor readings.”

It was this technique that enabled the proof-of-concept attacks, such as stealing web history through inferences made from CSS changes and stealing cross-origin resources, such as images or the contents of iframes.

Snail-like speed

Browser vendors responded in various ways. In May 2018, with the release of Firefox 60, Mozilla moved access to the W3C proximity and ambient light APIs behind flags, and applied further limitations in subsequent Firefox releases.

Apple simply declined to implement the API in WebKit, along with a number of other capabilities. Both Apple and Mozilla currently oppose a proposal for a generic sensor API.

Google took what Olejnik described in his paper as a “more nuanced” approach, limiting the precision of sensor data.

But those working on the W3C specification and on the browsers implementing the spec recognized that such privacy protections should be formalized, to increase the likelihood the API will be widely adopted and used.

So they voted to make the imprecision of ALS data normative (standard for browsers) and to require the camera access permission as part of the ALS spec.

Those changes finally landed in the ALS spec this week. As a result, Google and perhaps other browser makers may choose to make the ALS API available by default rather than hiding it behind a flag or ignoring it entirely. ®

4 supports that can help employees outside of work

Everyone has different situations to deal with outside of the workplace. But that doesn’t mean the workplace can’t be a source of support.

Employers and governments alike are often striving to make workplaces better for everyone, whether it’s workplace wellbeing programmes or gender pay gap reporting.

However, life is about more than just the hours that are spent in work, and how an employer supports those other life challenges can be a major help.

Family-friendly benefits

Several companies have been launching new benefits and policies that help families and those trying to have children.

Job site Indeed announced a new ‘family forming’ benefit package earlier this year, which is designed to provide employees with family planning and fertility-related assistance.

The programme includes access to virtual care and a network of providers who can guide employees through their family-forming journey.

Vodafone Ireland introduced a new fertility and pregnancy policy in February 2022 that includes extended leave for pregnancy loss, fertility treatment and surrogacy.

And as of the beginning of 2022, Pinterest employees around the world started receiving a host of new parental benefits, including a minimum of 20 weeks’ parental leave, monetary assistance of up to $10,000 or local equivalent for adoptive parents, and four weeks of paid leave to employees who experience a loss through miscarriage at any point in a pregnancy.

Helping those experiencing domestic abuse

There are also ways to support employees going through a difficult time. Bank of Ireland introduced a domestic abuse leave policy earlier this year, which provides a range of supports to colleagues who may be experiencing domestic abuse.

Under the policy, the bank will provide both financial and non-financial support to colleagues, such as paid leave and flexibility with the work environment or schedule.

In emergency situations where an employee needs to immediately leave an abusive partner, the bank will help through paid emergency hotel accommodation or a salary advance.

In partnership with Women’s Aid, the company is also rolling out training to colleagues to help recognise the symptoms of abuse and provide guidance on how to take appropriate action.

Commenting on the policy, Women’s Aid CEO Sarah Benson said employers who implement policies and procedures for employees subjected to domestic abuse can help reduce the risk of survivors giving up work and increase “feelings of solidarity and support at a time when they may feel completely isolated and alone”.

A menopause policy

In 2021, Vodafone created a policy to support workers after a survey it commissioned revealed that nearly two-thirds of women who experienced menopause symptoms said it impacted them at work. A third of those who had symptoms also said they hid this at work. Half of those surveyed felt there is a stigma around talking about menopause, which is something Vodafone is seeking to combat through education for all staff.

Speaking to SiliconRepublic.com last year, Vodafone Ireland CEO Anne O’Leary said the company would roll out a training and awareness programme to all employees globally, including a toolkit to improve their understanding of menopause and provide guidance on how to support employees, colleagues and family members.

In Ireland, Vodafone employees are able to avail of leave for sickness and medical treatment, flexible working hours and additional care through the company’s employee assistance programme when going through the menopause.

Support hub for migrants

There are also initiatives to help people get their foot on the employment ladder.

Earlier this year, Tánaiste Leo Varadkar, TD launched a new service with education and employment supports for refugees, asylum-seekers and migrants.

The Pathways to Progress platform is part of the Open Doors Initiative supporting marginalised groups to access further education, employment and entrepreneurship in Ireland.

As part of the initiative, member company Siro offered a paid 12-week internship programme for six people who are refugees. The internships include job preparation, interview skills and access to the company’s online learning portals.

Open Doors Initiative CEO Jeanne McDonagh said the chance to land a meaningful job or establish a new business is key to people’s integration into Ireland, no matter what route they took to get here.

“Some are refugees, some are living in direct provision, some will have their status newly regularised, and others will come directly for work,” she said. “Our new service aims to support all migrants in finding a decent job as they prepare to enter the Irish workforce, and to support employers as they seek to build an inclusive culture in their workplaces.”

The final Fifa: after 30 years, the football sim plans to go out with a bang | Games

Earlier this year, at the famed La Romareda stadium in Zaragoza, Spain, EA Sports organised two football matches, one each for male and female pro players. During these competitive 90-minute fixtures, all participants, including subs and officials, wore advanced Xsens motion capture suits that recorded their every movement, shot, tackle and celebration. Involving more than 70 people, it was, according to gameplay producer Sam Rivera, the largest number of players ever motion-captured in a single session.

Every year, the developers of Fifa tell us that their key aim is authenticity. This year, Fifa 23 – the final product of EA Sports and Fifa’s 30-year partnership – is about making key moments more intelligible, detailed and dramatic, zooming in ever closer to the action at pitch level. That grand Zaragoza mo-cap session provided 10m frames of animation – twice as much match capture as Fifa 22 – allowing for more than 6,000 authentic player animations, a wealth of which are female-specific.

Fifa 23 – Vini Jr v Lores. Photograph: Electronic Arts

That data has also been fed through Hypermotion 2, EA Sports’ machine learning engine, which uses the mo-cap data to create new, highly authentic animations on the fly, seamlessly filling in the gaps between mo-cap moments. This should mean smoother, more controllable movement on the ball. “Dribbling is getting more responsive,” says Rivera. “The personality of the players really shines through. We got the feedback in Fifa 22 that dribbling felt slidey; players were skating sometimes when turning. With the new system, they’re a lot more grounded, turning feels good, and the steps in between every single dribble touch are created by the algorithm. This means every step matches the path, creating better visuals.”

The designers are also enhancing dribbling’s defensive counter-action: jockeying. The machine learning system has been trained to detect which player is between the advancing player and the goal, and then governs their movements. They’ll usually approach the attacker from an angle rather than face-to-face, letting them tackle effectively. “They even put their hands behind their backs when they’re inside the box,” enthuses Rivera.

Players will accelerate differently, too: controlled, lengthy or explosive. This means a player such as Erling Haaland or Vinícius Júnior will burst away at speed, but will then slow more quickly, while someone with lengthy acceleration such as Virgil van Dijk won’t be quite as quick off the mark, but will gain speed. The idea is to break up the predictability of one-on-ones: it’ll no longer be quite as clear who’ll get to a loose ball first, or who will outrun an opponent down the wing.

Another new feature is the power shot: when players hit both bumpers while pressing the shoot button, the game brings up power and positioning options for a controlled, pinpoint strike. “It’s a risk v reward system,” says gameplay design director, Kantcho Doskov. “You can try it at any time, but if there’s a defender nearby, they’re going to tackle you. You really have to carve out that space, and even when you do, you have to aim precisely. Aiming at the top corner of the goal takes a bit of skill! When I try power shots, most of the time I don’t score, but it’s fun to test the keeper. And sometimes, just because the shot is so powerful, he’s forced to parry the goal back to my striker, who taps it in.”

Elsewhere, EA is telling us to expect redesigned set-pieces, with aiming on the right analogue stick, aided by a preview projection line – and defenders can now lie behind the wall to block low shots. And impact physics have been improved, so a player’s foot might be knocked sideways by a ball travelling at velocity, affecting their touch. The virtual grass now has individual blades, and the surface degrades as the match goes on: sliding tackles and knee-slide celebrations will tear up the turf, leaving scars that remain for the whole game. “At the moment, it’s purely visual,” says senior art director Fab Muoio. “But we’ve had discussions about whether or not it will impact play, and that’s something we’ll think about in the future.”

Fifa 23 – Signal Iduna Park. Photograph: Electronic Arts

Muoio talks a lot about drawing inspiration from modern TV broadcast aesthetics. “Just look at the real-world use of drone cameras,” he says. “I saw some footage from the Etihad of a drone shot going all the way through the concourse and the stadium. It looks amazing, like CG.

“We also reworked our out-of-play cameras to make them look a lot nicer when you have a corner kick, throw-in or goal kick: we’ve adjusted the depth of field and the composition, just to have the player pop a little bit more from the background. It looks more in line with what you see in modern broadcast football, with that heavy depth of field.”

An early beta demo shows all of these new details in action. Playing as Manchester City, you see the fast, insightful runs of Jack Grealish and Kevin De Bruyne and the amazing shot-stopping capabilities of Ederson. Attempting a power shot with Real Madrid’s Marco Asensio gives you a real sense of his strength and accuracy. There’s also a beautiful moment of animation fluidity when Borussia Dortmund’s Marco Reus turns and volleys in a crowded box, arching the ball into the top left corner. A couple of hours of play show up more diversity of movement and interaction between players, and although the pace is similar to Fifa 22, it feels like there are a few more milliseconds available to line up ambitious passes.

EA Sports has some big changes coming to Career mode, including interactive match highlights, which let you play the key moments from important matches instead of the whole game, making for a snappier, more dramatic narrative. There are announcements to come about the ever-popular but also hugely controversial Ultimate Team mode. EA has stated that it will not be abandoning the “loot box”-style random player packs that underpin the mode, even though several countries have either banned or are considering bans on them. Whatever EA does to improve this part of the game, including making it easier to progress without purchasing packs, the ethical quandary of the loot box will cast a long shadow over the entire game.

Work is progressing, too, on EA Sports’ post-Fifa future, which will arrive in 2024 as the awkwardly-titled EA Sports FC. It’s clear that Fifa itself is going to struggle to commission a new football sim that will get anywhere close to EA’s game in quality and detail. The development team views Fifa 23 as a good indication of where things are heading. “You can see by the amount of content this year: we want more, we want to continue going big,” says Rivera. “We’re excited about 2024 and what’s coming. There are a lot of opportunities. Responsiveness, visuals, authenticity – are what will take us there.”

He’ll only give up one specific detail: the use of machine learning animation, currently confined to very specific areas of the game, is likely to expand as EA moves into the next era of its simulation. There is a dedicated AI coding team at EA’s Vancouver studio that have been working on this tech for several years, and if this year’s implementations go down well, we might soon see the end of scripted animations. “I can’t talk about the details of where it’s going because these are huge future features, but the potential that we’re seeing is crazy,” says Rivera. “We can see how machine learning can take over animation in the future.”

It still feels kind of surreal that this is the end for Fifa as we know it. A game that began on the Mega Drive with its blocky, stylised sprites and electronically simulated crowd noises, now features lifelike motion captures taken from genuine matches, and an intelligent animation system that mimics the behaviours of real-life players. Fifa has been loved and loathed; it has seen off one great rival – the Pro Evolution Soccer series – and will soon compete against whatever licensed products Fifa can pitch against it. In embracing the women’s game, it’s doing the right thing at the right moment, while at the same time, its insistence on retaining the loot box lottery of Ultimate Team will ensure that controversy as well as fandom will follow it into the future. But that, after all, is football.

Keith Stuart attended a press trip to Electronic Arts in Vancouver with other journalists. His travel and accommodation expenses were met by Electronic Arts.