A complete guide for SSL, TLS and certificates

Latest — Nov 30, 2022

In contrast to other forms of verification, such as passwords or tokens, biometric authentication relies on an individual's distinct biological traits to confirm their identity. Indeed, it’s harder to fake and is typically more user-friendly since users do not have to memorize passwords or carry about a physical token that may easily be lost or stolen. Additionally, it is more difficult to counterfeit. An essential component of identification is the authenticator.

Analysis of a person's speech may be used for identity verification using a process known as voice recognition, which is sometimes referred to as speech recognition or voice authentication. Airways and soft tissue cavities, in addition to the shape of the mouth and the movement of the jaw, all have an effect on speech patterns and help create a person's distinctive "vocal print."

There’s a kind of speech recognition technology available known as speaker recognition. It’s not the same as voice recognition, which is a technique that is utilized in applications that convert speech to text and in virtual assistants such as Siri and Alexa. Although speech recognition can comprehend spoken words, it cannot verify a speaker's identity based on the speaker's vocal characteristics; however, voice biometrics can.

Methods for recognizing the speaker

There are primarily two methods that may be used for voice authentication:

  • Text independent
    Any spoken passphrase or other types of speech material may be used to achieve voice authentication
  • Text-dependent
    In both the registration process and the verification process, you will use identical passphrases. This implies that the speaker will be asked to repeat a sentence that has already been decided upon, rather than being allowed to say anything that they would want to affirm. When using static text voice authentication, the password that is used for one verification is utilized for all of the verifications. The user is provided with a passphrase that is completely random, such as a series of numbers, through dynamic text-based voice authentication. Additionally, registration is required for this content.

Registration and confirmation of identity

It is necessary to capture the biometric speech sample and then register it with the microphone in order to generate a reference template that can be used for comparison with samples during subsequent authentication attempts. After that, distinctive aspects of the vocal performance are observed, such as:

  • Duration
  • Intensity
  • Dynamics
  • Innings

Examples of voice authentication

The hands-free mobile authentication use case is the most common use for voice authentication. This kind of identification is perfect for use on mobile phones or in other situations where other types of biometric verification, such as face recognition, fingerprint recognition, or iris recognition, are impractical. in automobiles.

Voice authentication may also be beneficial for voice recognition devices like Amazon Alexa and Google Home. There has been a recent uptick in the usage of virtual assistants to carry out activities such as placing orders and doing other tasks that would traditionally demand some kind of verification.

During help desk conversations, speaker recognition may also serve as an authenticator for callers. When compared to supplying personal information to verify identification, such as a driver's license or credit card number, users may discover that this method is not only more secure but also more convenient.

Advantages of voice recognition

Low operational costs

Voice authentication may result in cost savings for call centers as well as financial institutions. They are able to save millions of dollars because of the fact that this technology does away with many of the stages required by conventional verification procedures. During an end-to-end conversation, it is able to validate the customer's identification just by recognizing their voice, eliminating the need for the routine questions that are often asked.

Improved quality of life for the end customer

Voice biometric systems provide a number of benefits, one of which is that they have the potential to significantly enhance the customer experience. However, this potential is sometimes overlooked. It is no longer necessary for callers to provide passcodes, PINs, or answers to challenge questions in order to have their identities verified.

Because of this, speech biometrics are ideal for omnichannel and multichannel deployments. Once a client has been registered, their voiceprint may be utilized across all of a company's support channels, making speech biometrics suitable for omnichannel and multichannel deployments.

Increased accuracy

Voice authentication is more reliable and accurate than using passwords, which are simple to forget, change, or guess. Passwords are also easier to compromise. It's kind of like how fingerprints are the only thing that can identify you. To put it another way, in contrast to passwords, a voice is impossible to forget or imitate. In spite of the fact that the sound might be influenced by a number of factors, it is much more dependable and handy.

Technology that is simple to put into action

The ease of use and implementation that speech recognition biometrics provide is very valuable to a lot of different companies. It may be difficult to implement some forms of biometric technology inside an organization and to get started with these systems. However, due to the fact that speech biometric systems need so little, it is often possible to install them without the need for extra hardware or software.

Because this technology is so easy to use, businesses often have the ability to redeploy employees to other areas of the organization in order to improve both their efficiency and the level of pleasure they provide to their customers.

Conclusion

Voice authentication is an excellent method for verifying a user's identity since it offers extra levels of security, which manual passcodes may not be able to give. Voice authentication is a wonderful approach to verifying a user's identity. Voice authentication is advantageous for both the company and its consumers since it eliminates the annoyance that is associated with laborious login procedures.

The technologies behind voice recognition

Nov 24, 2022 — 4 min read

There is no good reason, from a technical standpoint, why passwords can't contain scripts in Chinese, Japanese, Korean, or any other language for that matter. If you are able to write in this script, then it is entirely appropriate for you to employ it in whatever endeavors you undertake.

However, if you put this theory to the test, you will discover that many websites, including well-known ones like Google, prevent you from entering a password that contains characters other than A-Z, 0-9, and common special characters.

This brings to mind the early days of the internet when certain websites forbade the use of capitalization and prohibited the use of Latin letters for no discernible reason.

Site issues with passwords including Chinese characters

Users often make use of passwords that are longer than 30 characters, include all of the various character kinds that are usually suggested, and are created at random. If you use a password manager, you should probably make the password as difficult and as lengthy as it can possibly be.

However, if you visit more than 150 websites and change your password each time, you may find that many websites have password rules that do nothing but lower their level of security rather than increase it. This is because these rules are designed to protect users from themselves.

For instance, several websites impose arbitrary restrictions on the maximum length of passwords. They will typically demand passwords with less than 20 characters, in many instances. In certain cases, you can only use a maximum of 12 characters.

Even though it makes the password less secure, certain websites require that you include a number and a special character. This is despite the fact that doing so decreases the entropy of the password. On other pages, one may be restricted to using just the Latin letters; numerals and punctuation are not allowed. On certain websites, one may use punctuation, but you have to choose it from a drop-down menu first, and characters like "&" are not permitted.

This last point ought to give you significant cause for worry. Are these websites capable of sanitizing the password before inserting it into the database? Your database should not be used to store passwords in any way. I'm curious how many times this has been the cause when we consider severe breaches of privacy. You are required to hash the password before saving it.

In any event, the end effect of all of this is that a significant number of websites still verify passwords in an erroneous manner, excluding characters that really should be fully allowed. There is no valid reason why "您未设置安保问题" can’t serve as your password.

So, how safe is such a password?

Entropy is a term used to describe both the difficulty of breaking a password and the complexity of the password itself. In the next paragraphs, we will examine how to compute the entropy of a password.

If we expand the character set to cover everything from a to Z, digits from 0 to 9, punctuation marks, and so on, then we have a pool of 90 characters. This results in an entropy per character of log2(90), which is equivalent to 6.49 bits. If, on the other hand, we expand our character pool to include all Chinese, Japanese, and Korean (CJK) characters (presuming that our character pool has 74,605 characters), then we can calculate the entropy of each character as log2 (74605) = 16.19 bits of entropy per character.

Therefore, a 7-character CJK password such as "正确的马电池钉" would give you 16.19 bits of entropy times 7, which equals 113.33 bits total. I would need a password consisting of 18 characters if I wanted to match this using Latin letters, numbers, and special characters.

The vast majority of people are Chinese-illiterate. They have decided against using any characters that include CJK in their passwords. On the other hand, the effectiveness of a complicated password is comparable to that of vaccination in that it confers herd immunity. Crackers will only conduct brute force or dictionary attacks based on the letter az if individuals only use passwords that include those letters. If people have a habit of using numbers and punctuation, it forces attackers to incorporate those elements into their vocabulary, which in turn slows down their attack. The attacker needs to try all of these additional possible combinations, regardless of whether or not your own password used any of them.

Because roughly one-third of the world's population is able to read and write CJK characters (the populations of China and Japan are enormous), if we permit people to use CJK characters in their passwords, then even if I don't use CJK characters myself, we can all benefit from the increased complexity that this provides.

To reiterate, knowledge of Chinese is not required in order to work with CJK characters. You can keep track of all of your passwords by using a password manager, as was previously suggested. It does not matter whether you are unable to read or write the password as long as the password manager is able to save it and accurately copy and paste it into the password box when it is required.

Conclusion

We’d like to remind everyone that your name, birth date, or any other identifying information should never be used as a password, regardless of the language you use.

In addition, the passwords that are established on other websites might somewhat vary from one another, which makes them easier to remember and prevents the same issue from occurring. In this scenario, it is essential to connect your mobile phone number or email address so that you may easily recover the account in the event that the mobile phone number is lost or stolen.

On the other hand, many people feel that passwords are becoming outdated and that there are now more efficient methods to handle computer security and authentication than by using passwords. Perhaps now is the moment for people to begin shifting their attention to other approaches. In the not-too-distant future, we will find out.

How secure is a password that uses Chinese characters?

Nov 23, 2022 — 1 min read

In the new version of Passwork, we have completely redesigned the System settings. They are now divided into three sections:

  1. Global — organization settings that determine the operations of most of the Passwork functions
  2. Default — the values of the settings that will be used if no other custom settings are specified
  3. Custom — settings that can be set for individual users and roles

Now you can set up different interface languages, configure authorization methods, and enable mandatory two-factor authentication for individual users and roles.

To do this, click "Create a new settings group" in Сustom settings, add users or roles and select your desired settings. The newly created group will be added to the top of the list and will get the highest priority.

The following settings are now available:

  • Ability to create organization vaults and private vaults
  • Ability to create links to passwords
  • Mandatory 2FA
  • Time of automatic logout when inactive
  • Authorization method (by local password, LDAP password or SSO)
  • API usage
  • Interface language

We're already working to add new settings.

If you are already using Passwork — update your Passwork
Or request a free demo at passwork.pro

Introducing Custom settings

Nov 10, 2022 — 5 min read

Multi-factor authentication (often known as MFA for short), refers to the process of confirming the identity of a user who is attempting to log in to a website, application, or another type of resource using more than one piece of information. Indeed, multi-factor authentication is the difference between entering a password to gain access to a resource and entering a password plus a one-time password (OTP), or a password plus the answer to a security question. Another example of multi-factor authentication is entering a password plus the answer to a security question.

Multi-factor authentication provides greater assurance that individuals are who they claim to be by requiring them to confirm their identity in more than one way. This, in turn, reduces the risk of unauthorised access to sensitive data. Multi-factor authentication requires individuals to confirm their identity in more than one way. After all, entering a stolen password to get access is one thing; it is quite another to enter a stolen password and then be needed to additionally input an OTP that was sent to the smartphone of the real user.

Multi-factor authentication can be achieved through the use of any combination of two or more factors. Two-factor authentication is another name for the practice of using only two factors to verify a user's identity.

How Does MFA work?

MFA is effective because it necessitates the collection of extra verification information (factors). One-time passwords are one of the multi-factor authentication mechanisms that consumers encounter most frequently (OTP). OTPs are the four-digit to eight-digit codes that you frequently receive through email, SMS, or a mobile application of some kind. When using OTPs, a fresh code will be created at predetermined intervals or whenever an authentication request is sent in. The code is created based on a seed value that is assigned to the user when they first register and some other component, which might simply be a counter that is incremented or a time value. This seed value is used in conjunction with some other factor to generate the code.

The three categories of multi-factor authentication methods

Generally speaking, a technique of multi-factor authentication will fall into one of these three categories:

•  Something you are familiar with: a PIN, password, or the solution to a security question

•  Something you own: an OTP, a token, a trusted device, a smart card, or a badge

•  Something you are, such as your face, fingerprint, retinal scan, or other biometric information

Methods of multi-factor authentication

In order to accomplish multi-factor authentication, you will need to utilise at least one of the following methods in addition to a password.

Biometrics

A method of verification that depends on a piece of hardware or software being able to recognize biometric data, such as a person's fingerprint, facial characteristics, or the retina or iris of their eye.

Push to approve

A notice is shown on someone's smartphone that prompts the user to tap their screen in order to accept or deny a request for access to their device.

One-time password (OTP)

A collection of characters that are created automatically and are used to authenticate a user for a single login session or transaction only.

An SMS

A method for sending a One-Time Password (OTP) to the user's smartphone or other devices.

Hardware token

A compact, portable OTP-generating device that is sometimes referred to as a key fob.

Software token

A token that does not exist in the form of a physical token but rather as a software program that can be downloaded onto a smartphone or other device.

The advantages of multi-factor authentication

Enhancing the level of safety

Authentication that takes into account many factors is more secure. After all, when there is only one mechanism defending a point of access, such as a password, all a malicious actor needs to do to get admission is figure out a means to guess or steal that password. This is the only thing that needs to be done in order to acquire access. However, if admittance additionally needs a second (or perhaps a second and a third) element of authentication, then it becomes far more difficult to obtain access, particularly if the requirement is for something that is more difficult to guess or steal, such as a biometric characteristic.

Providing support for various digital initiatives

Multi-factor authentication is a key enabler in today's business world, where more companies are keen to deploy remote workforces, more customers want to purchase online rather than in shops, and more companies are migrating apps and other resources to the cloud. In this day and age, it can be difficult to ensure the safety of organisational and e-commerce resources. Multi-factor authentication can be an extremely useful tool for assisting in the protection of online interactions and financial transactions.

Are there any disadvantages to multi-factor authentication?

It is feasible to establish a less easy-to-access environment while building a more secure one — and this might be a disadvantage (this is especially true as zero trust, which sees everything as a possible threat, including the network and any apps or services running on it, gains acceptance as a safe access basis). No employee wants to spend additional time each day dealing with several impediments to getting on and accessing resources, and no consumer wants to be slowed down by multiple authentication procedures. The objective is to strike a balance between security and convenience so that access is secure but not so onerous that it causes excessive hardship for those who legitimately require it.

The role of risk-based authentication in multi-factor authentication

One technique to achieve a balance between security and convenience is to increase or decrease authentication requirements based on the risk associated with an access request. This is what risk-based authentication entails. The risk might be associated with either what is being accessed or who is requesting access.

The risk presented by what is accessed

For example, if someone seeks digital access to a bank account, is it to initiate a money transfer or simply to verify the status of an existing transfer? Or, if someone interacts with an online shopping website or app, is it to place an order or to monitor the progress of an existing purchase? For the latter, a username and password may be sufficient, but multi-factor authentication makes sense when a high-value item is at stake.

The risk is presented by the person requesting access

When a remote employee or contractor seeks access to the corporate network from the same city, on the same laptop, day after day, there's little reason to assume it's not that person. But what happens when a request from Mary in Minneapolis arrives from Moscow unexpectedly one morning? A request for extra authentication is warranted due to the possible danger – is it really her?

The future of Multi-Factor Authentication: AI, Machine Learning and more

Multi-factor authentication is always improving to provide enterprises with access that is both more secure and less unpleasant for individuals. Biometrics is an excellent example of this concept. It's more secure, since stealing a fingerprint or a face is difficult, and it's more convenient because the user doesn't have to remember anything (such as a password) or make any other substantial effort. The following are some of the current advancements in multi-factor authentication.

Machine learning (ML) and artificial intelligence (AI)

AI and ML may be used to identify characteristics that indicate if a particular access request is "normal" and as such, does not require extra authentication (or, conversely, to recognize anomalous behaviour that does warrant it).

Online Quick Identity (FIDO)

The FIDO Alliance's free and open standards serve as the foundation for FIDO authentication. It facilitates the replacement of password logins with safe and quick login experiences across websites and applications.

Authentication without a password

Rather than utilising a password as the primary means of identity verification and complementing it with alternative non-password methods, passwordless authentication does away with passwords entirely.

Be certain that multi-factor authentication will continue to evolve and develop in the pursuit of methods for individuals to show they are who they say they are — reliably and without having to jump through an endless number of hoops.

What exactly is multi-factor authentication (MFA) and how does it work?

Nov 10, 2022 — 4 min read

It's possible that you've become familiar with the term "time-based one-time passwords" (TOTP) in relation to "two-factor authentication" (FA) or "multi-factor authentication" (MFA).

However, do you really understand TOTP and how they work?

The Meaning of TOTP

"Time-Based One-Time Passwords” refer to passwords that are only valid for 30-90 seconds after they have been formed with a shared secret value and the current time on the system.

Passwords are almost always composed of six-digit sequences that are changed every thirty seconds. On the other hand, some implementations of TOTP make use of four-digit codes that become invalid after a period of 90 seconds.

An open standard is used in the TOTP algorithm, and this standard is detailed in RFC 6238.

What is a shared secret?

TOTP authentication uses a shared secret in the form of a secret key that is shared between the client and the server.

To the naked eye, the Shared Secret seems to be a string with a representation in Base32 that is similar to the following:

KRUGS4ZANFZSAYJAONUGC4TFMQQHGZLDOJSXIIDFPBQW24DMMU======

Computers are able to comprehend and make sense of information even if it is not legible by humans in the manner in which it is presented.

The client and the server both have a copy of the shared secret safely stored on their respective systems after a single transmission of the secret.

If an adversary is able to discover the value of the shared secret, then they will be able to construct their own unique one-time passcodes that are legitimate. Because of this, every implementation of TOTP needs to pay particular attention to securely storing the shared secret in a safe manner.

What is system time?

There is a clock that is integrated into every computer and mobile phone that measures what is referred to as Unix time.

Unix time is measured in terms of the number of seconds that have passed since January 1, 1970, at 00:00:00 UTC.

Unix time appears to be nothing more than a string of numbers:

1643788666

This small number, however, is excellent for the generation of an OTP since the majority of electrical devices using Unix time clocks are sufficiently synced with one another.

Implementations of the TOTP Authentication Protocol

The use of passwords is not recommended. However, you may increase security by combining a traditional password with a time-sensitive one-time password (TOTP). This combination is known as two-factor authentication or 2FA, and it may be used to authenticate your accounts, virtual private networks (VPNs), and apps securely.

TOTP can be implemented in hardware and software tokens:

•  The TOTP hardware token is a physical keychain that displays the current code on a small screen

•  The TOTP soft token is a mobile application that displays a code on a phone’s screen

It makes no difference whether you use software tokens or hardware tokens. The purpose of using two different forms of authentication is to increase the level of protection afforded to your online accounts. You have access to a one-time password generator that you may use during two-factor authentication to obtain access to your account. This generator is available to you regardless of whether you have a key fob or a smartphone with an authentication app.

How does a time-based one-time password work?

The value of the shared secret is included in the generation of each time-based one-time password (TOTP), which is dependent on the current time.

To produce a one-time password, the TOTP method takes into account both the current Unix time and the shared secret value.

The counter in the HMAC-based one-time password (HOTP) method is swapped out for the value of the current time in the time-based one-time password algorithm, which is a version of the HOTP algorithm.

The one-time password (TOTP) technique is based on a hash function that, given an input of indeterminate length, generates a short character string of fixed length. This explanation avoids getting too bogged down in technical language. If you simply have the result of a hash function, you will not be able to recreate the original parameters that were used to generate it. This is one of the hash function's strengths.

It is essential to keep in mind that TOTP offers a higher level of security than HOTP. Every 30 seconds, a brand new password is produced while using TOTP. When using HOTP, a new password is not created until after the previous one has been entered and used. The fact that the one-time password for HOTP continues to work even after it has been used for authentication leaves hackers with a significant window of opportunity to mount a successful assault.

Authentication using Multiple Factors (MFA)

A user must first register their TOTP token in any multi-factor authentication (MFA) system that supports a time-based one-time password before they can use the device to connect to their account.

Some TOTP soft tokens need the registration of a different OTP generator for each account. This effectively implies that if you add two accounts to your authenticator app, the program will produce two temporary passwords, one for each account, every 30 seconds. A single TOTP soft token (authenticator program) may support an infinite number of one-time password generators. Individual one-time password generators safeguard the security of all other accounts in the case where the security of an account is compromised.

To use 2FA, a secret must be created and shared between the TOTP token and the security system. The security system's secret must then be passed to the token.

How is the shared secret sent to the token?

Typically, the security system creates a QR code and requests that the user scan it using an authenticator app.

A QR code of this type is a visual depiction of a lengthy string of letters. The shared secret is, roughly speaking, part of this lengthy sequence.

The software will string the image and extract the secret when the user scans the QR code using the authenticator app. The authenticator program may now utilize the shared secret to generate one-time passwords.

When registering a TOTP token, the secret is only sent once. Many of the concerns about stealing the private key are alleviated. An adversary can still steal the secret, but they must first physically steal the token.

It works even when you're not connected to the internet!

To use the TOTP technique, you do not need an active internet connection on your smartphone or a physical key.

The TOTP token only needs to obtain the shared secret value once. The security system and the OTP generator may thus produce successive password values without needing to communicate. As a consequence, time-based one-time passwords (TOTP) operate even when the computer is turned off.

All about Time-Based One-Time Passwords (TOTP)

Oct 27, 2022 — 5 min read

Facial recognition is a technology-based method of identifying a human face. Such a recognition system maps facial characteristics from an image or video using biometrics. To identify a match, it compares the information gained to a database of known faces. Facial recognition may aid in the verification of a person's identification, but it also presents privacy concerns.

The facial recognition industry is predicted to expand from $4 billion in 2017 to $7.7 billion in 2022. This is due to the fact that such technology holds several business uses including monitoring and marketing.

But here's where things become difficult. If you value your privacy, you undoubtedly want some say over how your personal information (your data) is utilised. The truth is, your "faceprint" is your personal information.

How does facial recognition work?

You might be adept at identifying people's faces. You probably have no trouble recognizing the face of a family member, friend, or acquaintance. You recognize their facial characteristics — their eyes, nose, and mouth and their facial movements.

That is exactly how a face recognition system operates but on a much larger, computational scale. Recognition technology sees data where you see a face. That information may be saved and retrieved. According to Georgetown University research, half of all American adults have their photos recorded in one or more facial-recognition databases that law enforcement authorities may consult should they wish to.

So, how does facial recognition really work? Although certain technologies differ, most follow a standard procedure:

•  A photograph or video of your face is obtained. Your face might be scanned alone or in a crowd. Your photo might show you gazing straight ahead or almost in a profile view.

•  The geometry of your face is scanned by facial recognition software. The distance between your eyes and the distance from your forehead to your chin are important considerations. The program recognizes facial landmarks — one system even recognizes 68 of them – which are all important in differentiating your face. As a consequence, your facial signature is created.

•  A database of known faces is matched to your facial signature, which is a mathematical formula. Consider the following: At least 117 million people in the United States have photos of their faces in one or more police databases. The FBI has access to 412 million of such pictures for searches, according to a May 2018 report.

•  A decision is made. Your faceprint could match one in a database bringing back a positive result.

How effective is facial recognition?

Experts are concerned that face recognition might result in incorrect identifications. What if a police agency wrongly identifies someone smashing a shop window during a riot as someone who was nowhere near the incident using facial recognition technology? How probable is it that such an incident will occur?

It depends. According to the National Institute of Standards and Technology tests, the top face recognition algorithm has an error rate of under 0.08% as of April 2020. This is a significant improvement from 2014 when the best algorithm on the market had an error rate of 4.1%.

According to a 2020 report by the Centre for Strategic & International Studies (CSI), accuracy is greater when identification algorithms are used to match persons to clear, static photos, such as passport photos and mugshots. When applied in this manner, face recognition algorithms achieved up to 99.97% accuracy on the National Institute of Standards and Technology's Facial Recognition Vendor Test.

In practice, however, accuracy rates are often lower. According to the CSI report, the Facial Recognition Vendor Test discovered that the mistake rate for one algorithm increased from 0.1% when faces were matched to high-quality mugshots to 9.3% when faces were matched against images of people caught in public. When individuals were not looking straight at the camera or were partly concealed by shadows or objects, error rates increased.

Another issue is ageing. According to the Facial Recognition Vendor Test, middle-tier facial recognition algorithms exhibited mistake rates that increased by roughly a factor of ten when attempting to match photographs of participants shot 18 years earlier.

Who employs facial recognition?

Many individuals and organisations utilise face recognition in a variety of settings. Here are a few examples:

Airport administration

In airports, facial recognition technologies can monitor persons entering and exiting. The technology has been utilised by the Department of Homeland Security to identify persons who have overstayed their visas or are under criminal investigation.

Product manufacturers of mobile phones

Apple originally employed facial recognition to unlock the iPhone X, and since, the technology has been carried over to all subsequent models. Face ID authenticates — it ensures that you are who you say you are when you access your phone. According to Apple, the likelihood of a random face unlocking your phone is one in one million.

Websites for social networking businesses

When you post a picture to Facebook, an algorithm is used to detect faces. If you wish to tag others in your images, the social media firm will ask you. If you answer yes, a connection to their profiles is created. Facial recognition on Facebook is 98 percent accurate.

Entrance businesses and restricted zones

Some businesses have abandoned security badges in favour of facial recognition technologies.

Religious congregations at places of worship

Face recognition has been used by churches to scan their congregations to see who is there. It's a fantastic method to keep track of regulars and irregulars, as well as to adapt contribution requests.

Campaign marketers and advertisers

When targeting groups for a product or concept, marketers often consider factors such as gender, age, and ethnicity. Even during a performance, facial recognition may be used to determine such audiences.

The use of facial recognition in police enforcement

Today, facial recognition databases play an important role in law enforcement. According to an Electronic Frontier Foundation investigation, law enforcement agencies frequently collect mugshots from jailed people and compare them to local, state, and federal face recognition databases.

Law enforcement organisations may use these mugshot databases to identify persons in images collected from a number of sources, including closed-circuit television cameras, traffic cameras, social media, and photos taken by police officers themselves.

According to the Electronic Frontier Foundation, police officers may also use their mobile phones, tablets, or other devices to take images of cars or pedestrians and instantaneously match their photos to the faces in one or more facial recognition databases.

In addition, police enforcement has utilised face recognition to identify persons who may be sought in connection with crimes at huge events such as concerts, sports events, or the Olympics.

Several face recognition technologies are available to the federal authorities. Its primary database, however, is the FBI's Next Generation Identification system. This collection comprises over 30 million images.

Conclusion

Opponents of face recognition systems argue that although they give some protection, it is not enough to outweigh a feeling of independence and freedom. Many people believe that the usage of these technologies violates their privacy, but their worries don't stop there. They also emphasise the dangers of identity theft. Even face recognition companies recognize that as the technology becomes more widely used, the probability of identity theft or fraud increases.

As with many emerging technologies, the enormous promise of facial recognition has its downsides, but manufacturers are working to improve the usability and accuracy of their systems every day.

All about facial recognition

Oct 20, 2022 — 4 min read

Over the last several years, Chinese smartphones have gained a very lousy reputation when it comes to privacy, owing to a variety of factors including a lack of customer trust and the fact that global political events have not been particularly kind to China. China's worldwide image improved significantly in the mid-2010s, owing mostly to China's entry into the smartphone market and developments in 4G and 5G technology.

The market for smartphones is now one of the most rapidly developing areas of the technology sector worldwide. The number of mobile devices sold around the globe has skyrocketed from 100 million in 2007 to over 1.5 billion, which saw the advent of the smartphone revolution. Because smartphones are the most frequent way of connecting to the internet, companies that operate in this sector are vital to the development of the technology sector.

We saw the original Apple iPhone debut 14 years ago in 2007, which surely signaled the beginning of a new era of information. We've seen huge players like Samsung join the market throughout the years, and more lately, Chinese competitors like Huawei and Xiaomi have been eating up worldwide market share with their low-cost handsets. Moreover, Oppo and Vivo, which have a tiny but consistent market share and are even gaining popularity in the United States, should not be overlooked.

Apple has never been as successful in China as it is elsewhere, owing to the country's preference for domestic produce and local brand loyalty. Having said that, Apple has always been in demand there. Outside of China, however, Apple has controlled the smartphone industry for a long time, and the whole globe often lies in anticipation of their next news conference and the release of their next iPhone. For many years, market supremacy was exchanged between Apple and Samsung, with Samsung ruling the majority of the time.

However, the worldwide smartphone market has shifted recently. With such strong competition (Samsung, Xiaomi, Huawei) on the horizon, as well as Apple's extremely expensive pricing for its current products, Chinese competitors have adapted and established a stable market hold for the foreseeable future. Chinese smartphone manufacturers are now a serious rival for the established giants, offering the similar minimalist design approaches that Apple is renowned for, as well as entirely redesigning their marketing efforts. Finally, the US and EU markets are the most significant target markets for Chinese smartphones.

However, there seem to be severe privacy concerns that are impeding Chinese smartphones and their image.

What is the issue with Chinese smartphones?

There are a number of Chinese companies that are now producing smartphones on the market, with Huawei and Xiaomi being the most well-known and popular brands in countries other than China. The majority of customers may not be acquainted with some of the other "cheaper" businesses, such as Honor and Realme. There are a great number of other Chinese smartphone manufacturers, perhaps too many to list here.

What difference does it make whether you want to buy a Chinese smartphone or if you already own one, given the amount of political tension that exists between the United States and China? Unhappily, Chinese smartphones have been afflicted with a number of privacy and security issues, which may be broken down into the following categories:

•  Spyware already installed

•  Vulnerabilities when it comes to malware

•  Data theft

•  "Backdoors" in Hardware

•  Encryption-related flaws

Moreover, there are extra hazards involved with downloading particularly popular Chinese social networking applications, in addition to the malware that comes pre-installed on Chinese devices. Some examples of these risks include:

•  TikTok

•  WeChat

Conclusions for your smartphone's overall security

Let's not forget, now that we've covered the reasons why there is such a lot of bad buzz about Chinese smartphones and the privacy issues they pose, that a large part of this has to do with the political tensions that exist between China and the United States. Allegations of espionage, hacking, and danger to data have been made an extremely high number of times. In addition to that, there is an additional fact that is more significant for the typical user. Android, which has a far bigger user population and is thus more vulnerable to assaults because of the size of its user base, is the foundation upon which Chinese phones are built.

Let us highlight one thing: certainly, it is difficult to declare that these technologies are safe; but, the question is: what really is safe in this day and age? Should this make you, the regular person, think twice about purchasing a smartphone made in China? It is difficult to say what constitutes "security" at this time, and whether or not governments will try to gain access to your phone depends heavily on who you are and how sensitive your data is.

However, if you are concerned about your privacy, there are a few steps you should take for your own protection and peace of mind, regardless of the device you are using or the nation in which it was manufactured; the following is a list of these steps, which you may read below:

•  Always utilize a reputable virtual private network (VPN)

•  Consider the possibility that iOS is more secure than Android in general

•  Make sure your phone is protected by a strong password

•  Ensure that multi-factor authentication is used at all times

•  If at all possible, avoid sharing critical information online

•  Keep your smartphone's software up to date at all times

•  Never use suspicious applications or access third-party app marketplaces

How secure are Chinese smartphones?

Oct 16, 2022 — 4 min read

Most of web3's security is based on the blockchain’s unique ability to be resistant to human intervention. However, because of the associated feature of finality, where transactions are generally irreversible, these software-driven networks are an attractive target for attackers. Likewise, as the value of blockchains — the distributed computer networks that underpin Web3 — grows, they become increasingly appealing.

While web3 differs from previous web iterations, we have seen similarities with prior software security patterns. In many cases, the most serious issues stay unchanged. Advocates, whether they are builders, security teams, or everyday crypto users, can better secure themselves, their projects, and their wallets by learning these areas. Based on people's experiences, we've compiled a list of recurring themes and predictions.

Chase the money

Typically, attackers seek to maximise their return on investment. Because the potential return is bigger, they may devote more time and effort to attacking protocols with a higher "total value locked," or TVL for short.

Hacking groups with the highest amounts of resources are more likely to target high-value systems. New, more valuable exploits are also more likely to target these important targets.

Low-cost assaults, such as phishing, will never go away, and we expect them to become more prevalent in the near future.

Fixing a hole

As developers learn from tried-and-true assaults, they can improve web3 software to the point where it is "safe by default." This frequently entails tightening up application programming interfaces (APIs) to make it more difficult for people to add vulnerabilities by mistake.

Because security is always a work in progress, and nothing is ever immune to hacking, defenders and developers may make attacks more expensive by removing most of the low-hanging fruit for attackers.

The success of the following attacks may be considerably reduced as security policies and tools improve: control attacks, price oracle manipulation, and re-entry problems.

Platforms that cannot provide "perfect" security will have to employ exploit mitigation methods to decrease the possibility of losses. This can deter attackers by lowering the "benefit" or possible benefit component of their cost-benefit analysis.

Attack classification

Attacks on various systems can be categorised based on their similarities. The sophistication of the attack, the extent to which attacks can be automated, and the preventive measures available to fight against them are all defining aspects.

The following are some of the types of assaults that users have observed in the most recent hacks. We've also included our thoughts on the current threat landscape and what we anticipate from web3 security in the future.

Top predators in APT Operations

Advanced attackers, often known as advanced persistent threats (APTs), are a security nightmare. Their motivations and talents vary significantly, but they are usually well-endowed and, as the term suggests, persistent; unfortunately, they are likely to constantly be present. APTs carry out a wide range of operations, but these threat actors are the most likely to actively assault a company's network layer to achieve their objectives.

We know that certain advanced groups are actively pursuing web3 initiatives, and assume that there are others who have yet to be discovered. The people behind the most serious APTs typically reside in countries with no extradition accords with the US and EU, making it harder to punish them for their actions. Lazarus Group, a North Korean gang responsible for the greatest сryptocurrency heist on record, is one of the most well-known APT attackers.

We anticipate that APTs will continue to operate as long as they can monetize their activities or achieve various political objectives.

Social engineers engage in customer phishing

Phishing is a well-known and prevalent issue. Phishers attempt to trick their victims into falling into a trap by delivering bait messages over numerous channels such as instant messengers, email, Twitter, Telegram, Discord, and compromised websites. If you look through your spam folder, you're sure to find hundreds of efforts to deceive you into disclosing personal information or stealing money.

Phishing efforts are targeting web3 users now that it allows people to directly exchange assets like tokens or NFTs quickly. These assaults are the simplest way for persons with little to no technical knowledge to profit from cryptocurrency theft. They remain, however, a viable technique for organised teams with serious goals or advanced groups looking to undertake large-scale wallet-emptying attacks, such as website hijacking.

We anticipate a rise in these attacks because phishing is inexpensive and phishers seek to adapt to and circumvent the most recent security features. Increased education and awareness, better filtering, clearer warning banners, and tighter wallet restrictions can all help to improve user protection.

Third-party software libraries expose a significant surface for attack. This has long been a security concern for pre-Web3 systems, as evidenced by the log4j hack that compromised a popular web server’s software in December. Attackers will search the Internet for known vulnerabilities in order to locate unpatched flaws to attack.

Although the imported code was not built by your engineering team, it must be maintained. Teams must keep an eye out for vulnerabilities in their software components, ensuring that updates are deployed, while staying up to speed on the dynamics and progress of the projects on which they rely. The real and immediate cost of exploiting web3 software vulnerabilities makes communicating these issues to library users challenging. The decision on how and where the teams communicate this in a way that does not mistakenly jeopardise users' monies is still pending.

We expect Supply Chain Vulnerabilities to rise as the dependency and complexity of software systems grow. Random hacking assaults are expected to rise as well until solid, standardised ways for exposing web 3 security flaws are created.

Web3 Security: Types of attack

Oct 14, 2022 — 4 min read

GPS devices have been made accessible to a wider market as technology advances, and the degree to which our daily lives rely on precise location and timing has also increased. For tourists to navigate effectively from one location to another, the use of a global positioning system (GPS) has become standard.

Businesses and people now have access to possibilities that were previously unavailable because of GPS. On the other hand, this is not always a positive thing since spoofing might make GPS systems susceptible to cyber assaults. Let's find out the main things about spoofing and how to keep your GPS safe.

How does GPS spoofing work and what is it?

GPS signal spoofing occurs when an attacker imitates the original GPS signal by substituting a phoney GPS satellite signal. The "false" signal indicates a change in location, navigation, or time to the recipient.

Have you ever driven to the local mall, but your GPS said that you were at the library? If your GPS has ever told you that you are at an incorrect location, you have likely been the victim of GPS signal spoofing.

How does it work?

To understand how spoofing works, we must first understand how global navigation satellite systems operate. The satellites transmit communication signals to our devices while orbiting the Earth in a medium earth orbit at a height of approximately 20,400 kilometres.

Satellite signals are sometimes rather weak as they must travel such a long distance to reach your device. GPS communications are not encrypted and may be read. As a result, they are an apparent target for anybody wishing to record, transmit, or modify them.

The terrestrial radio transmitter imitates GPS signals with a signal strength that exceeds what the genuine system can handle in a GPS spoofing attack. This replaces authentic GPS signals with fake ones.

But how can a GPS signal be tampered with? This usually includes the utilisation of a GPS spoofing device or spoofing technology, such as an app. They change GPS signals; to spoof, the transmitter must be near the GPS-enabled device. It then imitates the signal to fool the GPS receiver into reporting a different location.

Spoofing technology was formerly difficult to get a hold of. It was once a costly technology only accessible to the military. Now, a transmitter of this kind is already widely accessible. GPS jammers can be found online for as little as 100 USD. As a result, nearly anybody can impersonate GPS signals.

Who falsifies GPS signals and why?

Any satellite navigation-based technique is susceptible to spoofing. The technique of spoofing is practically free, readily accessible, and immensely popular. Virtually everyone uses spoofing, from privacy advocates to Uber drivers, and teenagers.

Since GPS is essentially accessible to everyone, its security has become a big problem. There are several reasons to alter the GPS signal. These consist of:

•  Accessibility to country characteristics

Some individuals use spoofing to alter their device's receivers in order to get access to country-restricted material, services, games, applications, and even television programs and movies.

For instance, certain programs on Hulu, Netflix, and other streaming services are only accessible in particular regions. Since it is impossible to fly to another country in order to view programs, spoofing allows you to modify your true location and access country-restricted content. Many individuals utilise VPNs for this reason.

•  For military purposes

Initial plans were for the military to use GPS equipment. Ironically, the military was the first to falsify GPS. The majority of armed forces may utilise GPS to simulate their position and conceal their activity. For tactical navigation, guided weaponry, and command and control operations, the military may also perform GPS spoofing assaults.

•  To avoid motion tracking and conceal locations

Numerous individuals use spoofing to generate a false GPS position, preventing applications from precisely tracking their activities. Most individuals use this to keep some sense of control over their data by instructing their applications to show an incorrect location.

Additionally, teenagers use spoofing to conceal their whereabouts from their parents. This is how easy spoofing has become.

•  To conceal unlawful conduct

Criminals may also employ spoofing to conceal fraudulent acts such as kidnappings, car thefts, and evidence tampering, or to induce public panic by causing accidents by interfering with automobiles. They may even fake a GPS to send victims to online or physical danger zones.

GPS safety suggestions

Here is some advice on how to prevent GPS spoofing attacks:

•  Install phone antennae

Install bogus antennae in a visible location, away from the genuine ones. This guarantees that spoofing attacks do not disrupt real transmissions. A reasonable distance should be at least 300 metres.

•  Carefully consider where to place your antenna

The antenna's optimum placement should offer an unobstructed view of the sky. Signals from the ground or neighbouring public areas are blocked by buildings and other objects.

Install antennas in areas where they are not visible to the general public, or use barriers such as plastic fencing to hide their position while not interfering with GPS signals.

•  Follow internet hygiene guidelines

Individuals and companies should change and update passwords regularly, install security patches and updates, utilise firewalls and virus protection, and consider adopting multi-factor authentication and other cyber defences to avoid spoofing attacks.

•  Turn off any GPS-enabled gadgets that are not in use

Individuals and businesses that utilise GPS-enabled devices should keep them turned off when not in use. This will keep spoofing attempts at bay.

Install two or more antennae at opposite ends of a building or ship to identify faults and switch to backup navigation systems instantly.

GPS monitoring and location sharing offer significant privacy risks. GPS spoofing may be very dangerous for people, corporations, and governments. Regardless, it enables users to safeguard themselves against security risks and dangers. So, a balance must be achieved.

How secure is GPS?