Are you using Zoom? Your personal data is being leaked and you could be vulnerable to being hacked

Zoom is dealing with one hot potato after another. It recently got out of a situation where its iOS app was found to be secretly sharing data with Facebook, which it resolved by updating the iOS app.

Now, they are dealing with another problem due to how the software’s Company Directory feature works.

Zoom groups users who signed up using the same company email domain together to make searches and calls with colleagues easier. So when users sign up with their private email address to join Zoom, they have had thousands of strangers added to their contact list because they were perceived to be working for the same organisation. With this, you can gain insight into all subscribed users of that provider, including their full name, physical address, profile picture and status.

However, there is a little bit of good news. Users of standard email providers such as Gmail, Hotmail and Yahoo are not affected as Zoom blacklisted them. Furthermore, the company officially requires users to submit a request for their non-standard domains to be blacklisted.

But that is not the end of bad news for the company.

It was also found that Zoom converts any URLs into hyperlinks. This could be used maliciously: cybercriminals could send you a Universal Naming Convention (UNC) path instead of a web link.

UNC paths are typically used for networking and file sharing. An unsuspecting user could click on the link sent via Zoom, which will then make Windows try to connect to the remote host using the Server Message Block (SMB) network file-sharing protocol. By default, Windows will send the user’s login name and their NTLM password hash to this host. The NTLM password hash could easily be cracked, putting your computer at risk of being hacked.
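As a defender-side illustration of the issue above (an added example, not Zoom's code), the following chat-message renderer only turns http(s) URLs into hyperlinks and leaves UNC paths and other schemes such as file:// as inert, escaped text while reporting them. The function names and sample message are constructed for this example.

```python
import html
import re

# Candidate tokens: "scheme://...", a UNC path starting with two backslashes
# (\\host\share), or the forward-slash form (//host/share).
TOKEN_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9+.-]*://|\\\\|(?<![:\w/])//)[^\s<>]+")

# Only these schemes are ever rendered as clickable links.
ALLOWED_SCHEMES = ("http://", "https://")


def classify(token):
    """Return 'web', 'unc' or 'other-scheme' for a matched token."""
    if token.startswith("\\\\") or token.startswith("//"):
        return "unc"
    if token.lower().startswith(ALLOWED_SCHEMES):
        return "web"
    return "other-scheme"


def render_message(text):
    """Render a chat message as HTML.

    Returns (safe_html, findings). Web URLs become anchors; UNC paths and
    non-web schemes stay plain text and are listed in findings so the client
    can log or warn about them.
    """
    out = []
    findings = []
    pos = 0
    for m in TOKEN_RE.finditer(text):
        # Drop trailing sentence punctuation from the token.
        token = m.group(0).rstrip(".,;:!?)")
        end = m.start() + len(token)
        out.append(html.escape(text[pos:m.start()]))
        kind = classify(token)
        escaped = html.escape(token, quote=True)
        if kind == "web":
            out.append('<a href="%s" rel="noopener noreferrer">%s</a>'
                       % (escaped, escaped))
        else:
            out.append(escaped)  # inert text, never a link
            findings.append((kind, token))
        pos = end
    out.append(html.escape(text[pos:]))
    return "".join(out), findings


if __name__ == "__main__":
    # Constructed sample message.
    sample = (r"Agenda: https://example.com/a?b=1&c=2 and the files are at "
              r"\\fileserver.example\share\notes.txt")
    rendered, flagged = render_message(sample)
    print(rendered)
    for kind, token in flagged:
        print("not linked (%s): %s" % (kind, token))
```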

What is Object-Oriented Programming?

Object-oriented programming (OOP) is a programming paradigm that organises a piece of software based on the concept of objects or data rather than by function and logic.

In OOP, software is designed by using data modelling to identify the various objects that make up the system and how these objects interact with each other. These objects can range from physical entities such as a human being, described by a set of attributes/properties like name, height and age, to small computer programs such as widgets.

Once an object is identified, an extensible program-code template is created to generalise the object. This template contains properties or attributes that the object can use to store data. In addition, it also contains functions or methods that define the logic sequences or statements to manipulate these data.

Features of OOP language

An OOP language usually comes with support for code extensibility in the form of classes or prototypes and code reuse through inheritance. This kind of support ultimately gives rise to two styles of OOP: class-based programming and prototype-based programming.

Class-based programming languages support two main concepts: classes and objects.

A class is a program-code template that defines the data format and available procedures for that class. On the other hand, an object is an instance of the class, or in other words, an object is the realisation of a class.

Prototype-based programming languages, on the other hand, have no concept of classes. Objects are the primary entities. Generalised objects are typically used in these types of languages, where the objects can subsequently be cloned and extended to form the foundation of future objects.

These languages also share certain features that are found in programming languages that adhere to other programming paradigms such as procedural programming or functional programming. The two most common features are variables and procedures.

A variable is used to store information formatted according to one of a small number of data types, like integers and alphanumeric characters, that are built into most languages.

A procedure, also known as a function, method, routine or subroutine, is simply a construct in code that takes some inputs, manipulates data and/or generates output. In addition, other programming constructs like loops and conditionals are also included in any OO language.

Furthermore, there are also four common mechanisms or features, if you will, that OOP languages have that set them apart from other types of programming languages. These four mechanisms are Abstraction, Encapsulation, Inheritance and Polymorphism.

Abstraction

Abstract means an idea or concept that is not tied to an instance or realisation. In OOP, an abstract class or interface allows programmers to express the intent of the class instead of the actual implementation. In a way, this hides the inner workings of a class from other calling classes that do not need to know them in order to use it.

For example, a driver only needs to know how to drive a car but does not need to know in detail how the engine and gearbox work. In this context, the car has abstracted away the inner workings from the driver.

In the example below, we have an abstract Vehicle class that has implemented some logic for its move method. Another class called SedanCar is a non-abstract class that extends Vehicle, which is a concept related to Inheritance (please see below). Then a driver gets a SedanCar by instantiating it and decides to drive it. The drive method calls the move function on the instantiated vehicle without ever needing to know which operations or steps need to be executed to move the vehicle.

public abstract class Vehicle
{
    public void move()
    {
        // Logic to engage the engine
        // Logic to spin the axle
        // Logic to spin the wheel
    }
}

public class SedanCar extends Vehicle
{
}

public class Driver
{
    Vehicle vehicle;

    public void getASedanCar()
    {
        vehicle = new SedanCar();
    }

    public void drive()
    {
        vehicle.move();
    }
}

Encapsulation

Encapsulation is related to abstraction in the sense that it hides the inner workings. The difference is that encapsulation hides the data implementation of a class from other classes: data are made private or have restricted visibility from the outside. Through this mechanism, only the host class can change its internal data, while other classes have to do it via either the provided public accessors or methods that perform actions that ultimately effect a change in the data.

Below is an example of a Person class written in Java. Similar to an actual person, the Person class contains both name and age properties that are private to it. Once the class is instantiated as an object, no other objects can access the properties or make changes to them.

As described earlier, these other objects have to use the provided accessor methods (functions) to get either the name or age and use the setter methods to set the name and age of the person object.

public class Person
{
    private String name;
    private int age;

    public void setAge(int age)
    {
        this.age = age;
    }

    public int getAge()
    {
        return age;
    }

    public void setName(String name)
    {
        this.name = name;
    }

    public String getName()
    {
        return name;
    }
}

Inheritance

Inheritance in OOP is a mechanism that allows a class or object to be based upon another class or object and retain similar implementations. In a sense, it is similar to biology, where the makeup of an organism such as a human being is based on the sum of their parents’ genes. These genes determine how they and their body react and behave in different circumstances, how they look and whether they will ultimately develop medical conditions such as diabetes, high blood pressure and heart failure.

With inheritance, original code implemented in the parent class can be reused, which helps reduce the amount of code needed. Furthermore, if any changes need to be made to the original code, the programmer/developer only needs to change the code in the parent class and all child classes will get the updated implementation.

Polymorphism

Polymorphism refers to the ability of an object to take on many forms. There are two types of polymorphism in practice, and they are generally applied to methods and functions instead of classes.

The first type of polymorphism is compile-time polymorphism. It also goes by another term called overloading. This means that there can be multiple methods with the same name but different types of parameters.

An example of compile-time polymorphism is as follows, where there are two methods named move. One of the move methods takes no parameter as input and the other takes an object as an input.

public class Vehicle
{
    public void move()
    {
    }

    public void move(Object object)
    {
    }
}

The second type of polymorphism is run-time polymorphism. It also goes by another term called overriding. With this type of polymorphism, there is only one move method but different classes will implement it differently based on the context.

Below is an example where there are three classes that implement the same move method. Since both Sedan and Bus extend Vehicle, when either of them gets instantiated and its version of the move method gets called, the respective move method will be executed instead of the one in Vehicle.

public class Vehicle
{
    public void move()
    {
        //some code here
    }
}

public class Sedan extends Vehicle
{
    public void move()
    {
        //some code here
    }
}

public class Bus extends Vehicle
{
    public void move()
    {
        //some code here
    }
}

Apple updates Mac mini with double the storage

The Apple Mac mini (2018) sees a nice update today (Mar 18, 2020) in the form of increased storage capacity for the standard configurations that you can buy from the Apple store.

The S$1,139 model sees its SSD storage increase from the original 128GB to 256GB, while the $1,579 model sees an increase from the original 256GB to 512GB.

These Mac minis are made from 100% recycled aluminium and are available from Apple now.

A personal opinion on writing on a touchscreen device

Writing is still writing no matter the platform. It’s all about getting the words out, to give them a physical form be it on the screen or on paper. You can write on a piece of paper using a pen. You can write using your smartphone. You can write on your laptop or a desktop computer.

But what I have discovered is that writing on a touchscreen just feels weird and difficult. Some people no doubt won’t have any problems. It’s just not the thing for me.

I got the iPhone X. With its 5.8-inch, nearly edge-to-edge display, it’s way bigger than the iPhone 6s and 7 Plus displays I used in the past. That means with apps like iA Writer, I can see way more of the text with the keyboard below. The Super Retina HD display means that text is sharp and clear. Writing on that device has been a joy.

Yet, whenever I tried to write long form, like a short story, my fingers do get really tired from attempting to hit the keys. My fingers are rather fat. Combine that with hyperhidrosis, and it means either wrong keys are pressed and I need to hit delete or the key presses aren’t registered like they should be. It slows down my writing by a lot, which is irritating in a way if your thoughts are faster than the words appearing on the screen.

The other issue I have with typing on a touchscreen is the lack of tactile feedback. This is one of the reasons why I prefer to write using a keyboard. The sound of my fingers hitting the keys and the clacky feel when you press a key just feel so good. I know you could enable haptic feedback on the phone such that every key pressed will give you a vibration. But that vibration is missing when you set the phone to silent mode via that switch. Not only that, vibration requires the motors in the phone to work hard and causes faster battery drainage. For the iPhone X, that vibration mode is no more and what you get is simulated keyboard clicks, something that you won’t hear if your phone is on permanent silent mode.

The third issue I have is having to deal with the weight of the device while typing. I know smartphones are small and considered rather light. After all, you carry one in your pocket every day. But it does become heavy when you are holding it in your hands for long periods of time as you type. And that particular use case happens quite often if you are writing a long article, an essay or stories. Note-taking is fine actually because that happens in short bursts and you probably won’t be doing it for over 1 or 2 hours.

So those three reasons are why I will always prefer to write on a keyboard. And in order to write on the go, a portable typing machine is needed. Thus, I decided to reuse the 13-inch MacBook Pro (2015) that was in storage. The 15-inch MacBook Pro that I’m currently using is just a tad bigger and heavier than what I would like. You know what? Without the keyboard cover, typing on that classic chiclet keyboard is rather delightful. I could type equally fast on it.

And now I’m curious: what’s the primary device that you use to write every day? And why?

Billions of Wi-Fi devices are vulnerable to eavesdropping due to

At the RSA security conference, security researchers announced that there is a Wi-Fi vulnerability that affects billions of devices. This vulnerability allows nearby attackers to decrypt sensitive data that are sent over the air.

Eset, the security company that discovered the vulnerability, named it Kr00k and it is tracked as CVE-2019-15126. Kr00k affects the Wi-Fi chips made by Cypress Semiconductor and Broadcom. FullMAC WLAN chips from both companies are especially affected according to Eset. These chips are used in billions of devices, including the following:

  • iPhones
  • iPads
  • Apple Macs
  • Amazon Echos
  • Amazon Kindles
  • Android devices
  • Raspberry Pi 3
  • Wi-Fi routers from Asus and Huawei

Most of the affected devices have patches made available by manufacturers, but it is not clear how many of them have had the patches installed. Routers are the biggest concern because they often go unpatched indefinitely.

How does the vulnerability work?

When a wireless device disassociates from a wireless access point, unsent data frames will be placed in a transmit buffer and then sent over the air. Kr00k exploits this weakness. If either the device or the wireless access point has the flaw, these data frames will be encrypted with a key consisting of all zeroes instead of the session key negotiated earlier by the wireless device and the wireless access point. The use of a key consisting of all zeroes to encrypt data is equivalent to having no key.

The following diagram from ArsTechnica shows what would happen when a device disassociates from a wireless access point if either one is vulnerable.

A disassociation typically happens when a client device roams from one Wi-Fi access point to another, encounters signal interference, or has its Wi-Fi turned off. Hackers within range of a vulnerable device or access point can easily trigger this vulnerability by sending disassociation frames, since these frames are not authenticated. From there, hackers could then capture and decrypt the transmitted data. They could trigger multiple disassociations to improve their chance of obtaining useful data.

The following diagram from ArsTechnica shows how the attack would happen.

What are the devices affected?

Eset researchers identified a variety of mobile devices that are vulnerable, including:

  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S

In addition, the following routers are also vulnerable:

  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321

The researchers also tested Wi-Fi chips from other manufacturers, including Qualcomm, Realtek, Ralink, and Mediatek, and did not find any evidence of them being vulnerable. However, since it was impossible to test all devices, it is possible that other devices using Cypress and Broadcom chips are affected.

For Apple, the vulnerabilities were patched in October 2019 as part of macOS Catalina 10.15.1, Security Update 2019-001 for macOS Mojave, Security Update 2019-006 for macOS High Sierra, iOS 13.2 and iPadOS 13.2. More information on the patches could be found here for macOS and here for iOS and iPadOS.

In a separate statement to ArsTechnica, Amazon also stated that the Amazon Echo and Kindle devices listed in the security research have received automatic security updates over the internet.

Which Option is Best for you? VPS Hosting or Shared Hosting

You have decided to start a business or a blog, and you know it needs an online presence such as a website. You have also decided that it is preferable to go with a service provider that can host the website at a reasonable price and allows you to have more control.

And so, you went with a quick Google search. From the search results, you realised that there are so many options, such as Shared Hosting, VPS Hosting and dedicated servers.

So which do you choose?

Here is an article at VantageVPS that could help you decide.

D-Link Covr 2202 Mesh WIFI Review

How often does your device lose connection to the internet when you enter a spot in your home despite you having bought and set up a powerful WIFI router somewhere in the middle?

It’s frustrating, right?

Now, that’s just the reality of WIFI technology as radio signals do have a hard time penetrating walls or other objects. It’s just physics.

And this is a problem that mesh network technology is here to solve. Mesh network technology is basically the use of multiple connected network devices to provide consistent WIFI coverage for a large area and eliminate blind spots. And when a connected device moves from one area of the house to the next, the mesh network knows how to pass the connection to the router that provides the best connection.

In this review, we will be looking at D-Link’s latest WIFI mesh network product for home users, the Covr-2202.

The Covr-2202 is a tri-band WIFI mesh networking product that uses two units to cover 550 sqm of space with WIFI signal. Unlike the dual-band implementation found in other WIFI mesh solutions, the Covr-2202 uses a third 5GHz WIFI band for communication and data exchange between the two units. This frees up the 2.4GHz and 5GHz bands for devices to use to connect to the network. This means the connected devices can still stream 4K content, handle large downloads and browse the web without any drop in performance.

The marketing material and the specifications made it out to be the WIFI solution to go for. But those weren’t the reasons that I got it.

For me, I got the device because it was an alternative purchase. Initially, I was looking for the Asus Blue Cave WIFI router to replace my previous Asus RT-AC68U WIFI router. I wanted something nicely designed that will complement my new desk, perform well and take up less space. The three antennas of the RT-AC68U were just ugly.

And if Apple didn’t discontinue their networking products and make new ones, I would have gone with their AirPort-series of networking devices.

Sadly, according to the salesperson, the Asus Blue Cave was discontinued. He suggested that I go for the Covr-2202 because it costs about the same, won awards and performs better. During the conversation, I asked about the Covr-1203 because it looked interesting and fulfilled my requirement for a small router. It turns out the performance wasn’t as good and it was an older generation, which kind of defeats the purpose of buying a new WIFI router.

Before I made the purchase, I asked to see the physical product. Lucky for me, there was a display set on hand and the salesperson showed me what it looked like. I found myself liking it and made the decision to buy.

Unboxing

This is the box after removing the plastic. I’ve got to admit it definitely looks enticing and cool when compared to other networking products sold by other companies. Most networking companies don’t really bother with making nice packages.

Once you open it, you are greeted with the following sight.

Now that definitely reminds me of the packaging used by certain brands of cosmetic products. And after you remove the cover, the two Covr-2202 units greet you. They are welcoming you to take them out of the box.

The white overall and the bronze-like band at the bottom definitely complement my desk that features light wood colour with white metal struts.

And the small size definitely helped free up more space on my desk that I can use for other purposes. Overall, my desk just looks less cluttered.

Installation and set up

Router installation and setup is really easy and simple.

Within the box, D-Link provided a small card containing instructions on where to download their official WIFI mobile app. When you launch the app, it comes with instructions that you can follow step-by-step to install and power on the device.

At a specific stage of the setup process, the app will ask for the network name and password. You can enter them manually or scan the QR code located on the small card. However, it is advisable to set a different network name and password after the setup process is completed.

Although I encountered some issues during the setup process due to my lack of understanding of how mesh networking works, I was able to recover from the mistakes and redo the whole setup again within minutes. This is definitely helpful for those who are mostly clueless about networking and simply need their WIFI up and running in no time.

Performance

My home subscribes to 1Gbps fibre broadband. Therefore, it’s important that we can maximise our use of the bandwidth; if not, it would be a waste of money. Compared to the old Asus router, the WIFI performance of this new router is so much better. On WIFI alone, I’m able to achieve download speeds of more than 500Mbps and upload speeds of slightly more than 300Mbps. And that’s taking into account that the overall residential broadband bandwidth tends to be lower since many people are home and using the internet.

With speeds at 500Mbps, I can watch YouTube videos or Netflix with relative ease and no lag. And I do have at least 5 other devices connected to the same mesh network. So the performance is definitely there.

So for the price I paid, I would say it’s worth it.

Emotet now hacks nearby Wi-Fi network to spread like a worm

Emotet has evolved multiple times since its initial discovery in 2014 by security researchers. Recently, a sample of Emotet malware was found to have gained the ability to spread itself through insecure Wi-Fi networks that are near an infected device.

Once the malware gains access to the Wi-Fi networks, it will then attempt to infect all the connected devices. It is a tactic that can dramatically escalate Emotet’s spread.

Researchers only discovered the Wi-Fi spreading binary being delivered for the first time on 23 January 2020, but further analysis suggested that the executable file has a timestamp of 16 April 2018, which hints that the behaviour has been running unnoticed for almost two years.

This Wi-Fi spreading capability further raises the threat level of the already-prevalent Emotet.

Before this discovery, the malware was found to have gained new obfuscation and anti-virus detection capabilities in November 2019. These capabilities enable Emotet to better escape detection. Meanwhile, its authors have also changed their social engineering tactics to keep in line with current events, sending out malicious emails that claimed to be Edward Snowden’s new memoir or with Halloween-themed lures.

What is Emotet?

Emotet is malware that began life as a banking trojan in 2014. Its primary goal is to sneak into your computer in order to steal sensitive and private information.

It has gone through a few iterations. Early versions arrived as malicious JavaScript files. Subsequently, it evolved to use macro-enabled documents that retrieve the virus payload from command and control (C&C) servers run by the attackers.

Malware is mostly useless to the attackers if it is detected early or when security researchers can analyse it to determine how it works. In order to prevent that, Emotet comes with a few tricks up its sleeve.

Most notably, it knows if it is running inside a virtual machine (VM) and will lie dormant when that happens. This is because cybersecurity researchers use VMs to observe malware within a safe and controlled space.

Emotet is also able to use Command and Control (C&C) servers to receive updates, much like the operating system (OS) updates on your PC, and this could happen seamlessly and without any outward signs. This way, attackers can install updated versions of the malware or deliver and install additional malware on the target. In addition, the C&C servers can also serve as a dumping ground for stolen information such as financial credentials, usernames and passwords, and email addresses.

How does Emotet spread?

Emotet spreads itself primarily through spam emails (malSpam). It will go through your contact lists and send itself to your friends, family, coworkers and clients. The emails look less like spam because they are coming from your hijacked account, which in turn makes the recipients feel safe and more likely to click on the bad URLs in the emails and download infected files.

In order to increase the likelihood that recipients click on the bad URLs or open the attachments, the emails may come with content that contains familiar branding or tempting language such as ‘Your invoice’ and ‘Payment Details’. In some cases, the content may be about an upcoming shipment from well-known delivery companies.

Furthermore, if there is a connected network present, Emotet attempts to spread through it and gain access to other connected systems by using a list of common passwords and brute forcing its way.

For Emotet to spread via Wi-Fi, it first infects the initial system with a self-extracting RAR file containing two binaries (worm.exe and service.exe). Once the RAR file is extracted, worm.exe executes automatically.

The main purpose of worm.exe is to profile wireless networks. It goes through each Wi-Fi network to identify its SSID, signal, encryption and authentication methods. After that, the malware will begin to connect to each of the networks by brute forcing the passwords.

Once the malware gains access to the network, it will make a request to its command and control (C2) server and establish a connection to the Wi-Fi network. Next, it will attempt to brute-force the passwords for all users on the newly-infected network. If the brute force is successful and the malware gains access to the device, worm.exe will install service.exe onto the device.

Finally, once service.exe is installed onto the infected device, it will communicate back to the C2 server and then begin dropping the embedded Emotet executable. The whole spreading and infection process will repeat again in an attempt to infect as many devices as possible.

How do you protect your devices from Emotet?

In order to prevent Emotet from using the Wi-Fi spreading capability to infect connected devices, it is recommended that wireless networks be secured using longer and more complex passwords.

Preventing infection by Emotet is only one part of the solution. Active monitoring of endpoints for new installations of services, and subsequent investigation of suspicious services or processes running from temporary folders and application data folders within the user profile, is equally important. This way, Emotet and its associated malware can be identified early and eliminated before they cause any further damage to the rest of the systems.

Furthermore, computers and endpoints should be kept up-to-date with the latest software patches to eliminate as many vulnerabilities in the system as possible. This will prevent the other malware associated with Emotet infection, such as TrickBot, from exploiting these vulnerabilities.

Last but not least, it is important not to download or open any suspicious attachments or click on suspicious links. This way, Emotet will not be able to gain any initial foothold in the system or network.
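The endpoint monitoring recommended above can be sketched as a small triage routine. This is an added example, not code from the researchers or from any product: it takes service-installation records shaped like the EventData of Windows event ID 7045 (field names ServiceName and ImagePath) and flags services whose executable runs from a temporary folder or from AppData inside a user profile. The host names, service names and sample records are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample records, shaped like the EventData of Windows
# "a service was installed" events (System log, event ID 7045).
SAMPLE_EVENTS = [
    {"host": "WS-014", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"host": "WS-014", "ServiceName": "UpdaterSvc",
     "ImagePath": r'"C:\Program Files\Vendor\updater.exe" --service'},
    {"host": "WS-022", "ServiceName": "WinDefSvc",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\service.exe"},
    {"host": "WS-022", "ServiceName": "netsync",
     "ImagePath": r"%APPDATA%\netsync\ns.exe -k run"},
    {"host": "WS-031", "ServiceName": "helper",
     "ImagePath": r'"C:\WINDOWS\TEMP\a b\helper.exe"'},
]

# Unexpanded environment variables that point at temp or AppData folders.
SUSPICIOUS_ENV = ("%temp%", "%tmp%", "%appdata%", "%localappdata%")

# A service command line is either "quoted path" args, or an unquoted path
# (possibly containing spaces) up to the first ".exe", or a bare token.
EXE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)\b|(\S+))', re.IGNORECASE)


def executable_of(image_path):
    """Extract the executable path from a service command line."""
    m = EXE_RE.match(image_path)
    if not m:
        return ""
    return next(g for g in m.groups() if g)


def suspicious_reason(image_path):
    """Return why the service binary location is suspicious, or None."""
    exe = executable_of(image_path)
    lowered = exe.lower()
    for var in SUSPICIOUS_ENV:
        if lowered.startswith(var):
            return "runs from %s" % var.upper()
    parts = [p.lower() for p in PureWindowsPath(exe).parts]
    folders = parts[:-1]  # everything except the file name itself
    if "temp" in folders or "tmp" in folders:
        return "runs from a temporary folder"
    if len(parts) >= 4 and parts[1] == "users" and "appdata" in parts[3:-1]:
        return "runs from AppData in a user profile"
    return None


def triage(events):
    """Return (host, service name, reason) for each record worth a look."""
    findings = []
    for ev in events:
        reason = suspicious_reason(ev.get("ImagePath", ""))
        if reason:
            findings.append((ev["host"], ev["ServiceName"], reason))
    return findings


if __name__ == "__main__":
    for host, name, reason in triage(SAMPLE_EVENTS):
        print("%s: service %r %s" % (host, name, reason))
```

A hit is a lead for investigation rather than a verdict, since some legitimate installers also register short-lived services from temporary folders.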

IoT and surveillance devices that use Xiongmai Tech firmware discovered to have zero-day backdoor mechanism

Russian security researcher Vladislav Yarmak discovered a backdoor mechanism integrated into DVR/NVR devices built on top of HiSilicon SoC. He published a full-disclosure report on Habr, a Russian IT and Computer Science blog.

The backdoor mechanism is implemented using a mix of exploits that take advantage of bugs discovered years ago, with some dating as early as March 2013.

HiSilicon, a Chinese fabless semiconductor company fully owned by Huawei, was inferred to be responsible for the backdoor mechanism. An earlier version of the HiSilicon firmware came with telnet access enabled using a static root password that can be easily recovered from the firmware image.

In 2017, Istvan Toth did a comprehensive and detailed analysis of the firmware and discovered multiple vulnerabilities with the firmware and the built-in webserver.

He also published a list of brands with the affected firmware on this GitHub page: https://github.com/tothi/pwn-hisilicon-dvr#summary. From the list, there are hundreds of products across at least a dozen brands.

Subsequent versions of the firmware had their telnet access and the debug port (9527/tcp) disabled by default. Another port, 9530/tcp, was opened instead to receive a special command to start the telnet daemon and enable shell access with the same static password. This was intentionally baked into the firmware.

Huawei published an official media statement stating that they are not responsible for the discovered vulnerabilities. In addition, they said that they and their affiliates, including HiSilicon, have long committed that they have not installed and will not install backdoors, nor will they allow their vendors to do the same.

It was later determined by other security researchers that only devices using Xiongmai firmware are affected by the vulnerabilities.

Xiongmai (Hangzhou Xiongmai Technology Co, XMtech) is a Chinese technology company founded in 2009 that develops IoT and surveillance devices such as DVR, NVR and IP Cameras.

Given that the vulnerabilities remain unpatched and the company is not responding to the disclosure, it is advised that devices using Xiongmai software be replaced. If the replacement of these devices is not possible, then it is best to restrict network access to these devices to only trusted users. Ports involved in this vulnerability are 23/tcp, 9530/tcp and 9527/tcp, and they should be blocked from external access.

What is the difference between Authentication and Authorisation?

If you have been working as a member of the tech community (System Administrator, Software Engineer, etc.), you might have heard of the terms Authentication and Authorisation. Even though they are often used together when the security of a computer system or application is involved, they are two completely different security processes.

What is Authentication?

Authentication in the security context refers to the act or process that validates whether a user of a piece of software, a computer or a system is who they claim to be. The most common way to do this is via the use of a password. If the user enters the correct password, the system assumes the identity is valid and allows access.

The use of password-based authentication is also known as single-factor authentication.

However, it is no longer sufficient to rely on a password alone to validate a user’s identity. Improvements in computer performance have led to a reduction in the time needed to brute force a password (or in layman’s terms, trying out every combination of letters, numbers and symbols) and gain access to a system. Furthermore, it is human nature to use something short and/or familiar such as birthdays, social security numbers, national identity numbers and names as passwords.

In order to increase the level of security of a system, multi-factor authentication is becoming the norm and is highly recommended for systems that process sensitive information.

Two-factor authentication is one of the more common multi-factor authentication schemes employed by companies such as Apple, Google and Microsoft. Under this scheme, the following two factors are commonly used for authentication:

  1. Something that you know (e.g. password)
  2. Something you own (e.g. smart card, smart phone)

This is based on the premise that even if some malicious actors manage to get hold of a password to a system, they remain unable to log into the system because they do not have access to registered hardware such as a smart card, security token or smart phone to further prove they are a valid user.

What is Authorisation?

Authorisation takes place after the user has verified their identity. It refers to the act or process that verifies whether the authenticated user has the rights or permission to access or use a particular resource. In this context, a resource can refer to a file, a folder, a particular room within a building or an area.

The most common implementation of authorisation is role-based access control (RBAC). It is based on the premise that different users have different roles to play in a given organisation. Their roles ultimately determine the type of information they can access and the amount of responsibility they have.

However, RBAC may not be fine-grained enough to control access to specific resources: a role typically comes with a set of permissions. This is where attribute-based access control (ABAC) comes into the picture. In addition to using the roles and groups a user belongs to in order to determine access, additional attributes such as a user’s citizenship, the action performed or the time at which the access is requested can be used to control access.
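The difference between the two models can be seen in a short sketch, added here as an illustration and not taken from any particular product. The roles, permissions, citizenship value "SG", resource classification and business hours are all hypothetical; the attributes used (citizenship, action, request time) are the ones named above.

```python
from dataclasses import dataclass
from datetime import time

# Hypothetical roles and the (resource type, action) pairs they grant.
ROLE_PERMISSIONS = {
    "analyst": {("report", "read"), ("report", "export")},
    "intern": {("report", "read")},
}


@dataclass(frozen=True)
class User:
    # Assumed to be already authenticated before any of the checks below run.
    name: str
    roles: frozenset
    citizenship: str


@dataclass(frozen=True)
class Request:
    user: User
    resource_type: str
    action: str
    classification: str  # attribute of the resource: "public" or "restricted"
    at: time             # time at which the access is requested


def rbac_allows(req):
    """RBAC: the decision depends only on the roles the user holds."""
    wanted = (req.resource_type, req.action)
    return any(wanted in ROLE_PERMISSIONS.get(role, set())
               for role in req.user.roles)


def abac_allows(req):
    """ABAC layered on RBAC: attributes can only narrow what roles grant.

    Returns (decision, reason) so that denials can be logged and audited.
    """
    if not rbac_allows(req):
        return False, "no role grants this action"
    if req.classification == "restricted":
        if req.user.citizenship != "SG":
            return False, "restricted resources require SG citizenship"
        if req.action == "export" and not time(9, 0) <= req.at < time(18, 0):
            return False, "export of restricted resources only 09:00-18:00"
    return True, "allowed"


if __name__ == "__main__":
    alice = User("alice", frozenset({"analyst"}), "SG")
    bob = User("bob", frozenset({"analyst"}), "MY")
    cases = [
        Request(alice, "report", "export", "restricted", time(10, 0)),
        Request(alice, "report", "export", "restricted", time(23, 0)),
        Request(bob, "report", "export", "restricted", time(10, 0)),
        Request(bob, "report", "read", "public", time(23, 0)),
    ]
    for req in cases:
        print(req.user.name, req.action, req.classification, req.at,
              "RBAC:", rbac_allows(req), "ABAC:", abac_allows(req))
```

Both users hold the same role, so RBAC alone cannot tell their requests apart; only the attribute rules do.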

Conclusion

Both authentication and authorisation are fundamentals of system/information security. Without them or when they are implemented poorly, malicious actors could gain access to the system and extract sensitive information such as personal information and company secrets easily. Then, these actors could use what they acquired to mount further attacks that could include identity fraud or helping the competitors of a business to gain an edge. Even if the attacks do not come from outside the organisation, employees within could accidentally or intentionally access or change information that they are not permitted to.