ASSA ABLOY Helps Organizations To Adopt Mobile Access Control

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

The smartphone is changing access control and security management at every scale and level, from global corporations to small companies. Making the switch to mobile access control, however, can seem daunting. Questions may arise around cost, practicality and the potential need for new door hardware. Yet going mobile is actually a lot simpler and quicker than many think, as one new guide explains.

Data from the recent Wireless Access Control Report 2021 suggests almost two-thirds of organizations have already adopted mobile access control, or plan to do so within two years. Industry analysts Omdia estimate that downloads of mobile credentials grew by 220% between 2018 and 2019 alone.

Mobile access control

The main benefits of mobile access control, the report suggests, are convenience, cost and security. All three of these advantages apply for any scale of organization. The user convenience of replacing plastic key-cards with secure ‘mobile keys’ on a smartphone is obvious. Identical benefits have already brought a mobile-first ethos to banking, travel booking, food delivery and many more sectors.

The ability to get the job done efficiently from anywhere is becoming essential

From a business perspective, too, the option for facilities managers to use their own smart device to issue, amend or revoke an employee’s mobile key brings added flexibility. It frees security staff from the desk and its dedicated admin PC. As the work patterns become fluid — IBM estimates 1.87 billion people will be mobile workers by 2022 — the ability to get the job done efficiently from anywhere is becoming essential. Access management via smartphone offers this.

Reissuing mobile credentials

Secondly, mobile credentials are simpler and quicker to administer than key-cards, which brings significant cost savings. Deploying mobile keys on employee smartphones removes any need to purchase plastic cards or pay for their printing. Any missing plastic credential needs replacing; canceling and reissuing a mobile credential is essentially costless. Mobile access control also enables a business to reduce its use of non-recyclable plastics.

Third, the…


New algorithm helps BYU team put best face forward in security | Education


A group of students and professor Dr. D.J. Lee at BYU have come together to build an algorithm that could possibly bring two-factor authentication to facial recognition technologies in everything from cell phones to surveillance systems.

The project started almost two years ago as Lee and some students tried to think of an interesting research project. The group started looking into facial motion and how it could be analyzed.

That evolved into seeing if students are paying attention in class and it eventually morphed into improved security for facial recognition with the use of facial motion.

With the world of security constantly changing and hackers adapting to those changes, Lee acknowledged that nothing is perfect in terms of security.

“Fingerprinting is easy to do and people even make fake fingerprints,” Lee said. “The most common one is facial recognition and the biggest problem is, all of these can be used when the user is not aware. When you’re sleeping or unconscious, someone could use your biometrics to get into the system. It’s difficult, people come up with all kinds of ideas to hack into the system.”

He added that a company in Japan makes facial masks that look like real people, and that some people use photos taken from social media pages to unlock devices protected by facial recognition. Even algorithms can be fooled by photos, and this technology can address the biggest concern, which is unintentional identity verification.

Two-factor authentication is not new technology, as companies like Apple and social media apps use it to verify someone’s identity, but integrating it into facial recognition is.

Lee said it is called Concurrent Two-Factor Identity Verification.

“Meaning you show your face and make the facial motion just once, you don’t have to do it twice,” Lee said. “With the facial motion, if people want to use your photo they cannot fool the system since the photo is not moving.”

The technology first uses facial recognition and then a secret phrase is mouthed, a movement with one’s lips is made, or a facial motion is made to satisfy the second step of authentication.

Even if a video is used, the chances of that video matching the secret facial…


Milton Argos Platform (MAP) 2.0 Helps Customers Locate Potential Exchange Attacks


BREA, Calif., March 9, 2021 /PRNewswire/ — Milton Security, a leading provider of Threat Hunting as a Service, XDR & MDR (MxDR) SOC Services, announced today that the Milton Argos Platform (MAP) 2.0 is successfully locating potential Exchange Server attacks, including the four recent zero-day vulnerabilities that have been actively exploited on over 30,000 servers. The AI-assisted threat hunting tool uses Artificial Intelligence and Machine Learning coupled with human expertise to detect, deter, and mitigate threats in real time.

The MAP 2.0 platform can analyze millions of security events every second, which allows the highly trained Threat Hunting Team at Milton Security to focus on the most relevant instances. The Exchange Server vulnerabilities allow cyberattackers to gain access to the admin controls in order to install additional malware or steal data. The web shells these attackers install are password-protected remote interfaces intended to allow access from anywhere in the world.

The zero-day vulnerabilities affect on-premises Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019; Exchange Online is not affected.

  • CVE-2021-26855: CVSS 9.1: a Server-Side Request Forgery (SSRF) vulnerability that allows unauthenticated attackers to send crafted HTTP requests. The server must accept untrusted connections over port 443 for the bug to be triggered.
  • CVE-2021-26857: CVSS 7.8: an insecure deserialization vulnerability in the Exchange Unified Messaging Service, allowing arbitrary code execution as SYSTEM. However, this vulnerability must be combined with another vulnerability or used with stolen credentials.
  • CVE-2021-26858: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows writing to arbitrary paths on the server.
  • CVE-2021-27065: CVSS 7.8: a post-authentication arbitrary file write vulnerability that allows writing to arbitrary paths on the server.

“Our team at Milton Security has been working closely with industry partners, including Microsoft, to understand the nature of these vulnerabilities, how they are being used, and where the attacks are originating from,” said James McMurry, Milton Security CEO. “Our clients entrust us to be efficient and effective when it comes to retro hunting and…


Apple’s Increasingly High Walled Garden Helps Hackers Avoid Capture

A new report highlights how, despite Apple’s increasingly high-walled garden ecosystem, hackers are finding more ways inside.

According to a new exposé from MIT Technology Review, Apple’s effort to increase security in both hardware and software is experiencing a downside — the Cupertino company’s walled garden approach is making it easier for hackers to hide.

“It’s a double-edged sword,” says Bill Marczak, a senior researcher at the cybersecurity watchdog Citizen Lab. “You’re going to keep out a lot of the riffraff by making it harder to break iPhones. But the 1% of top hackers are going to find a way in and, once they’re inside, the impenetrable fortress of the iPhone protects them.”

Marczak’s primary concern is that as Apple builds increasingly locked-down devices, it’s becoming more difficult for security researchers to discover hacking activity:

He argues that while the iPhone’s security is getting tighter as Apple invests millions to raise the wall, the best hackers have their own millions to buy or develop zero-click exploits that let them take over iPhones invisibly. These allow attackers to burrow into the restricted parts of the phone without ever giving the target any indication of having been compromised. And once they’re that deep inside, the security becomes a barrier that keeps investigators from spotting or understanding nefarious behavior—to the point where Marczak suspects they’re missing all but a small fraction of attacks because they cannot see behind the curtain.

And while Apple regularly updates its devices with software that fixes security flaws, these same updates can also hinder the various tools used by security researchers:

Sometimes the locked-down system can backfire even more directly. When Apple released a new version of iOS last summer in the middle of Marczak’s investigation, the phone’s new security features killed an unauthorized “jailbreak” tool Citizen Lab used to open up the iPhone. The update locked him out of the private areas of the phone, including a folder for new updates—which turned out to be exactly where hackers were hiding.

Faced with these blocks, “we just kind of threw our hands…