What Are Brute Force Attacks, and How to Protect Your APIs?


Brute force attacks have been one of the most common attack types. In Q1 2022, brute force made up 51% of all attacks! These attacks often pave the way for other types of threats and have devastating consequences for the organization.

Brute force on APIs is a bigger problem since APIs programmatically expose data, functionalities, and business logic. You need to act urgently to stop these attacks and keep your digital assets secure from attackers.

Want to know how? Keep reading to find out more about brute force attacks and ways to protect your APIs, apps, and websites against them.

Table of Contents

What is a Brute Force Attack?
Brute Force in APIs
Brute Force vs. Other Cracking Techniques
Types of Brute Force Attacks
How Do Brute Force Attacks Work? 
Real-life Examples
What Factors Lead to Brute Force Attacks?
Who Are Common Targets for Brute Force Attacks?
What Makes Brute Force API Attacks Dangerous?
Protecting Against Brute Force API Attacks
Brute Force Attack Detection
Access violations
Strong Password Policies & Multifactor Authentication
Robust Access Control and Authorization Policies
Lockout Policies
Progressive Delays
Implement CAPTCHA Challenges Intelligently
Use Hashing to Secure Passwords
Bot Mitigation
Conclusion

What is a Brute Force Attack?

Brute force attacks are common, simple, and easy-to-orchestrate credential cracking/password guessing attacks. In these attacks, the threat actor uses trial and error to decode passwords, login credentials, API keys, SSH logins, and encryption keys, or to discover hidden web pages and content. From there, they gain unauthorized access to apps, APIs, accounts, systems, and networks.

Attackers keep guessing usernames and passwords till they find valid combinations. They systematically try all possible combinations of letters, numbers, and symbols until they crack the credentials. Attackers may use manual or automated methods to submit username and password combinations and find the right credentials.

Brute Force in APIs

Brute force in APIs is an attack where threat actors leverage tools to continuously send requests to APIs to guess correct combinations of credentials. The end goal may be anything from stealing an account by brute forcing API authentication forms to exfiltrating sensitive data by brute forcing logins.

Brute Force vs. Other Cracking Techniques

Brute force attacks don’t use an intellectual strategy to crack credentials; they use a simple trial-and-error method instead. They try exhaustively to break credentials by trying various combinations of characters till they find a combination that allows them to enter. This is the main difference between brute force and other stuffing & cracking methods.

In credential stuffing attacks, attackers submit bona fide login credentials to fool the API/app into believing they are legitimate users. To this end, they use stolen credentials and keys.

In brute force attacks, attackers repeatedly attempt different character combinations until they gain access to the API or app.

Types of Brute Force Attacks

  • Simple brute force attacks, where attackers use a simple, systematic approach to guess and crack credentials without relying on intellectual strategy or logic. Automated tools and scripts are typically used to automate guessing credentials.
  • Dictionary attacks, where attackers use a common database of words, strings, and phrases – a dictionary. They start with a word/phrase from the dictionary and try combinations of letters and characters to determine the login credentials.
  • Hybrid brute force attacks, where attackers combine aspects of simple and dictionary attacks. They use external logic to determine password variations that may have a higher probability of success and then amend those to try various combinations.
  • Rainbow table attacks, where attackers use a rainbow table – a precomputed table/dictionary of plaintext passwords and the hash values corresponding to them. Using the rainbow table, they try to reverse cryptographic hash functions.
  • Reverse brute force attacks, where attackers use common/known passwords or collections of passwords against possible usernames/account numbers by trying different combinations.
  • Password spraying attacks, where attackers take commonly used passwords like admin or 123456 and use them across different accounts instead of trying different password combinations. This is used in cases where account lockout policies are in place and attackers have only limited attempts to crack credentials.
  • Botnet brute force attacks, where attackers leverage powerful bots to brute force APIs, apps, and networks. One of the biggest drawbacks of brute force for attackers is that it takes days, even months, to crack credentials, especially more complex ones. Additional security measures like rate limiting and account lockout policies make the challenge even bigger. Botnets help attackers overcome these challenges: they provide high computing power and help evade traditional defenses while adding speed and efficiency to the process.

How Do Brute Force Attacks Work? 

Traditional brute force attacks typically use exhaustive manual effort to crack credentials. But given the security measures at play and the time it takes to crack a single complex password, attackers today leverage automated tools, scripts, and powerful botnets to brute force APIs, apps, and networks.

These tools and bots can send voluminous server requests and make hundreds of thousands of login attempts per hour. They can guess and find combinations that work in minutes rather than weeks or months.

There are 3 broad steps in brute force attacks that use automated tools and bots.

  1. Attackers identify the target URLs of the APIs, apps, or sites they want to attack and preconfigure parameter values in the brute force tool.
  2. They run the brute force processes using the tool/ bot, which attempts to identify all valid credentials.
  3. Upon identifying successful login credentials, attackers log in and do their bidding.

Here are some of the common tools attackers use for brute forcing:

  • THC-Hydra runs a large number of password combinations using simple or dictionary-based methods to crack network password protocols.
  • Aircrack-ng uses a dictionary of widely used passwords to breach wireless networks.
  • John the Ripper is a tool that exhaustively runs possible combinations using a dictionary.
  • Hashcat is the fastest CPU-based cracking tool that runs simple brute force, rule-based, and hybrid attacks.
  • Ncrack helps crack network authentication and supports various attack types.
  • RainbowCrack is one of the fastest cracking tools that leverage rainbow tables.

Real-life Examples

The Canada Revenue Agency faced a brute force attack in 2020, compromising 11,000 accounts of CRA and other government-related services. Attackers used previously stolen credentials to brute force the agency.

In 2018, Magento, an e-commerce platform, was a victim of a brute force attack that compromised its admin panels. No less than 1,000 account credentials were exposed on the dark web.

In 2018, the Northern Ireland Parliament was brute forced, exposing the accounts of some of its members. Hackers are known to have used several combinations to crack passwords and access the mailboxes of these members.

TaoBao, an Alibaba e-commerce site, was brute forced in 2016, compromising 21 million accounts (1/5th of all TaoBao accounts). Attackers used a database of 99 million usernames and passwords to orchestrate this brute-force attack.

What Factors Lead to Brute Force Attacks?

One of the top causes of brute force attacks is poor password practices.

Users, including admin accounts, use simple or generic passwords like 123456, abcde, 111111, or admin. These are easy to crack.

Even when users use stronger passwords, they reuse them across accounts and platforms. So, if their credentials were stolen from one account, all their other accounts using the same credentials are at risk of exposure.

Organizations use predictable taxonomies for the login credentials, creating patterns that are easy to detect. For instance, the employee’s initial and last names followed by the company name for login IDs are commonly used.

Many organizations continue to store credentials, API keys, encryption keys, and passwords in plaintext or poorly encrypted databases. So, attackers can exfiltrate these databases and use them for brute forcing APIs and apps.

Organizations continue to rely on passwords or keys as their only authentication mechanism. Even when organizations use MFA (multifactor authentication), they are still at risk if they don’t have proper authorization and role-based access control measures.

Furthermore, organizations often overlook the importance of implementing multi-layered security measures such as account lockout and rate limiting to prevent brute force attacks.

Who Are Common Targets for Brute Force Attacks?

If your website/ API/ app/ system requires user authentication, it will be targeted by threat actors. Brute force attacks are much easier to orchestrate than other attacks since attackers don’t have to scan for and develop ways to exploit vulnerabilities.

However, e-commerce APIs, apps, and sites are the most common targets of these attacks. This is because they process payments and have access to large volumes of sensitive customer data such as PII, banking information, credit card details, and so on. If an attacker gains access to an e-commerce API or site, they can easily perform data breaches, financial theft, and identity theft, sell user information on the dark web, and so on. This causes distrust among users and affects the reputation of the organization.

What Makes Brute Force API Attacks Dangerous?

Impact

The impact of brute force on APIs is severe and damaging. Because APIs expose data and functionalities by their very nature, attackers brute force them to discover login credentials and API keys to access user accounts and the app to find more vulnerabilities.

By brute forcing APIs, attackers can also cause downtimes and crashes for other users. They could lock out legitimate users by brute forcing APIs with a lockout mechanism for failed logins.

Successful login attempts enable attackers to exfiltrate user information, keys, and so on that they can sell on the dark web. They could also spread malware, engage in account takeover, and perform other attacks.

Other Reasons Why They Are Dangerous

  • They are easy and simple to orchestrate, especially with the easy availability of automation tools and bots for hire.
  • The weak password problem still exists.
  • Even if attackers don’t find or can’t use other vulnerabilities, brute force attacks work.

Protecting Against Brute Force API Attacks

Brute Force Attack Detection

Before knowing how to prevent them, you need to understand how to detect brute-force attacks.

Firstly, you need to continuously monitor incoming traffic and user behavior using an API-specific, fully managed, intuitive security solution. AppTrana API protection uses behavioral and pattern analysis to identify anomalous behaviors and patterns. Some examples:

  • A series of failed login attempts
  • Unusual patterns of failed logins
  • Unusual user behavior after successful login
  • One successful login following numerous failed attempts
  • Successful login coming in from an unusual IP address
  • Successful login into different accounts from the same IP address
  • Unusual network activity
  • Unusually high number of login requests to APIs
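Three of the signals above (a series of failed logins, a success after numerous failures, and one IP address working through different accounts) can be checked with a sliding window over authentication events. This is an added example, not AppTrana's logic or code from the original article; the event format, the thresholds, and the sample log lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events: (ISO timestamp, source IP, account, outcome).
SAMPLE_EVENTS = [
    # Six quick failures on one account, then a success from the same address.
    ("2024-01-01T10:00:00", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:05", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:10", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:15", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:20", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:25", "203.0.113.10", "alice", "fail"),
    ("2024-01-01T10:00:40", "203.0.113.10", "alice", "ok"),
    # One address trying a single guess against several accounts.
    ("2024-01-01T10:02:00", "198.51.100.7", "bob", "fail"),
    ("2024-01-01T10:02:01", "198.51.100.7", "carol", "fail"),
    ("2024-01-01T10:02:02", "198.51.100.7", "dave", "fail"),
    ("2024-01-01T10:02:03", "198.51.100.7", "erin", "fail"),
    # An ordinary user who mistypes once.
    ("2024-01-01T10:03:00", "192.0.2.44", "frank", "fail"),
    ("2024-01-01T10:03:20", "192.0.2.44", "frank", "ok"),
]

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_FAILS_PER_ACCOUNT = 5       # assumed threshold
MAX_ACCOUNTS_PER_IP = 4         # assumed threshold


def detect(events):
    """Return (rule, subject, timestamp) alerts, one per rule and subject."""
    fails_by_account = defaultdict(deque)  # account -> recent failure times
    accounts_by_ip = defaultdict(dict)     # ip -> {account: last attempt time}
    alerts, raised = [], set()

    def alert(rule, subject, ts_str):
        if (rule, subject) not in raised:
            raised.add((rule, subject))
            alerts.append((rule, subject, ts_str))

    for ts_str, ip, account, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_str)

        # Drop failures that have aged out of the window.
        fails = fails_by_account[account]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()

        # Track how many distinct accounts this address touched recently.
        targets = accounts_by_ip[ip]
        for stale in [a for a, seen in targets.items() if ts - seen > WINDOW]:
            del targets[stale]
        targets[account] = ts
        if len(targets) >= MAX_ACCOUNTS_PER_IP:
            alert("many_accounts_from_one_ip", ip, ts_str)

        if outcome == "fail":
            fails.append(ts)
            if len(fails) >= MAX_FAILS_PER_ACCOUNT:
                alert("repeated_failures", account, ts_str)
        else:
            # A success right after a burst of failures deserves a closer look.
            if len(fails) >= MAX_FAILS_PER_ACCOUNT:
                alert("success_after_failures", account, ts_str)
            fails.clear()
    return alerts


if __name__ == "__main__":
    for found in detect(SAMPLE_EVENTS):
        print(found)
```

Shared egress addresses (offices, carrier NAT) legitimately log in to many accounts, so the per-IP threshold needs tuning against real traffic before it drives blocking rather than alerting.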

Access violations

The security solution must provide real-time alerts and triggers when unusual activities happen. Only then can you take instant action to stop attacks.

Your API-specific security solution must include automated scanning tools equipped with AI-ML and threat intelligence to proactively find authentication flaws that allow brute-force attacks.

You must use manual pen-testing to find authentication flaws and other weaknesses that enable brute forcing of your APIs. To ensure a comprehensive assessment, following an API penetration testing checklist is essential, which will guide you through the systematic evaluation of your API’s security measures.

Strong Password Policies & Multifactor Authentication

This is the most important way to prevent brute force API and other attacks.

  • Create complex passwords containing a combination of alphanumeric and special characters.
  • Reject generic and weak passwords for enhanced security.
  • Avoid common patterns when crafting usernames and passwords.
  • Ensure password expiration at regular intervals and disallow the reuse of prior passwords.
  • Educate users on the significance of crafting distinct passwords for individual accounts or platforms.
  • Explore the adoption of a password manager or embrace passwordless authentication.
  • Prevent storing passwords, keys, and credentials in plaintext.
  • Implement 2FA or MFA as mandatory measures for APIs and websites, particularly for those granting access to sensitive data and features. These steps provide supplementary safeguards for your APIs and accounts.

Robust Access Control and Authorization Policies

Even when a successful login happens, the attacker shouldn’t be able to access too much sensitive information. This is why role-based access control and strong authorization policies are necessary. Also, ensure that unused accounts, especially high-permission accounts, are closed.

Lockout Policies

The account should automatically be locked if the number of failed attempts exceeds the preset limit. Only the administrator should be able to unlock the account after verification from the user.

Remember, there is a possibility that competitors brute force you to lock out your legitimate users. By doing so, they can create mistrust and a loss of reputation for your organization. This is why you need to prohibit multiple login attempts from the same IP address for different accounts.

Progressive Delays

You can also lock out accounts temporarily after failed login attempts and implement progressive delays between each failed login. This slows down brute force attacks.
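The lockout and progressive-delay measures above, together with the per-IP limit that keeps an attacker from locking out many legitimate users, fit in one small in-memory throttle. This is an added sketch, not code from the original article or from any product; the class name, parameters, and default limits are assumptions, and a production service would keep this state in a shared store.

```python
class LoginThrottle:
    """Per-account progressive delay and temporary lock, plus a per-IP cap
    on how many distinct accounts one address may try inside a window."""

    def __init__(self, base_delay=1.0, max_delay=60.0, lock_after=5,
                 lock_seconds=900.0, max_accounts_per_ip=3, ip_window=300.0):
        # All defaults are assumed values chosen for illustration.
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lock_after = lock_after
        self.lock_seconds = lock_seconds
        self.max_accounts_per_ip = max_accounts_per_ip
        self.ip_window = ip_window
        self.failures = {}      # account -> consecutive failed attempts
        self.next_allowed = {}  # account -> earliest time of the next attempt
        self.ip_targets = {}    # ip -> {account: time of last attempt}

    def attempt(self, account, ip, password_ok, now):
        """Process one login attempt at time `now` (seconds).

        Returns (status, retry_after_seconds). `password_ok` stands in for
        the real credential check, which only runs when the attempt is let in.
        """
        # 1. Per-IP check first, so an address walking through accounts is
        #    stopped before it can add failures to (and lock) more victims.
        targets = self.ip_targets.setdefault(ip, {})
        for stale in [a for a, t in targets.items() if now - t > self.ip_window]:
            del targets[stale]
        if account not in targets and len(targets) >= self.max_accounts_per_ip:
            oldest = min(targets.values())
            return ("ip_account_limit", oldest + self.ip_window - now)
        targets[account] = now

        # 2. Enforce the delay or lock earned by earlier failures. Even a
        #    correct password is refused until the wait is over.
        wait = self.next_allowed.get(account, 0.0) - now
        if wait > 0:
            locked = self.failures.get(account, 0) >= self.lock_after
            return ("locked" if locked else "delay", wait)

        # 3. Evaluate the credentials.
        if password_ok:
            self.unlock(account)
            return ("authenticated", 0.0)
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= self.lock_after:
            pause = self.lock_seconds           # temporary lockout
        else:
            pause = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.next_allowed[account] = now + pause
        return ("bad_credentials", pause)

    def unlock(self, account):
        """Clear failure state: on success, or by an administrator."""
        self.failures.pop(account, None)
        self.next_allowed.pop(account, None)


if __name__ == "__main__":
    throttle = LoginThrottle()
    for t in (0, 0.5, 1, 3, 7, 15, 16):
        print(t, throttle.attempt("alice", "203.0.113.10", False, now=t))
```

Setting `lock_seconds` to `float("inf")` turns the temporary lock into the administrator-only unlock described under Lockout Policies.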

Implement CAPTCHA Challenges Intelligently

Brute force tools and bots cannot perform CAPTCHA challenges. So, you can create hurdles for attackers by implementing these challenges. Your security solution must implement these challenges intelligently based on real-time insights.

Use Hashing to Secure Passwords

Randomized password hashing is a vital REST API brute force protection measure. Password hashing protects the system even when it has been compromised by a successful attack.

Bot Mitigation

Since modern-day brute force attacks widely leverage bots and automated tools, you must use a security solution that offers intelligent, fully managed bot mitigation capabilities.

Conclusion

With an API-specific, fully managed, comprehensive security solution like AppTrana, you can proactively hunt down brute force threats and prevent attackers from brute forcing your APIs.



Samsung readying a special version Galaxy Z Fold 5, seven new products


Samsung launched seven new Galaxy products during its Galaxy Unpacked event in late July. The company debuted two foldables, three flagship tablets, and two smartwatches at the event. However, it may not be done for the year yet. The Korean firm has eight more Galaxy devices lined up for launch in the coming months, including a special version of the Galaxy Z Fold 5.

Galaxy Z Fold 5 Thom Browne Edition is coming soon

Over the years, Samsung has launched Thom Browne Editions of several Galaxy foldables. It teamed up with the New York City-based fashion designer for customized versions of the Galaxy Z Flip, Galaxy Z Fold 2, Galaxy Z Flip 3, and Galaxy Z Fold 3. However, the company didn’t launch Thom Browne Editions of last year’s Galaxy Z Flip 4 and Galaxy Z Fold 4.

With that in mind, there has been little hope of Samsung teaming up with the designer again for its latest foldables. However, it turns out the partnership hasn’t ended. The company recently took to X to tease a new book-like foldable with the iconic Thom Browne stripes. It doesn’t require rocket science to determine that we are looking at a customized Galaxy Z Fold 5 here.

Samsung didn’t reveal when the Galaxy Z Fold 5 Thom Browne Edition will arrive. However, we may not have to wait for much longer. Note that it’s the same foldable phone that arrived in stores a couple of weeks back. However, its external appearance has been customized with unique colors. If history is any indication, Samsung will offer the device in a special package consisting of other goodies. Naturally, it will cost more than the standard version, which starts at $1,800.

Samsung has seven more new Galaxy products in the pipeline

The Galaxy Z Fold 5 Thom Browne Edition may not be a completely new product, but Samsung does have more in the pipeline. As pointed out by X tipster @TheGalox, the company is readying at least seven new Galaxy devices. These include the Galaxy S23 FE, Galaxy Tab S9 FE, Galaxy Tab S9 FE+, Galaxy Tab A9, Galaxy Tab A9+, Galaxy Buds 3, and Galaxy SmartTag 2.

Rumors about these devices have been around for a long time now. Some of them have even received regulatory approvals and picked up support pages on Samsung’s official website. It remains to be seen whether the Korean behemoth will unveil them all together. In that case, we could have a major Samsung launch event next month. The Galaxy S23 FE is rumored to arrive in September.



Samsung partnered up with ‘MINI’ to unveil ‘MINI Incubator’


MINI and Samsung Display jointly unveiled the ‘MINI Incubator’ sculpture at Gamescom 2023 in Cologne, Germany. Samsung Display’s 9.4-inch round OLED display takes the spotlight, getting attention from gamers and tech enthusiasts.

It is prominently positioned within the MINI exhibition space. This cylindrical display tower proudly showcases ten 9.4-inch round OLEDs, drawing inspiration from iconic science fiction laboratories. The design highlights the pivotal role of cutting-edge display technology in shaping MINI’s visionary mobility solutions.

In perfect harmony with the MINI Incubator, Samsung Display seizes the opportunity to showcase its OLED mastery, emphasizing automotive displays. A standout feature is its commitment to environmental sustainability by means of reduced plastic components. The displays offer true black rendering, infinite contrast, and adaptable flexible designs. Moreover, advanced technology effectively reduces blue light emission. Samsung Display further enhances the experience with an engaging OLED Finder Experience Zone, captivating avid gamers and tech enthusiasts attending Gamescom.

Head of Samsung Display’s views on the collaboration

Brad Jung, VP and Head of Samsung Display’s Mobile Display Marketing Team, expresses excitement about the collaboration. Leveraging Samsung Display’s unrivaled expertise in OLED technology within realms of mobility, Brad Jung eagerly anticipates empowering customers with captivating visual experiences. With most of the main experience of most customers being based on the visual appeal, the Head of Samsung Display aims to improve on the visual aspects with this solution.

Building on tradition, MINI proudly returns to Gamescom as an official sponsor and dedicated mobility partner for the second consecutive year. The ‘MINI Lab’ theme of their exhibition booth curates a mobility experience tailored to young gamers. By seamlessly blending innovation and mobility, MINI effectively underscores its commitment to shaping the future of gaming-related encounters and beyond.



Say goodbye to Messenger Lite: Meta is killing the app in September


About 7 years ago, Meta introduced a lite version of its Messenger app to give users the choice to save storage space on their phones. In 2020, the Messenger Lite app was removed from the App Store, becoming unavailable for iOS users. Now, Meta is discontinuing it for Android users as well.

As spotted by 9to5Google, the app is no longer available in the Play Store for new users to download. And some of you who use the Messenger Lite app might have already received the message when opening the app that “Messenger Lite is going away, and will not be available after September 18.” What’s important to know is that chat history will not be lost; it will remain accessible within the Messenger app.

Messenger Lite, as the name suggests, is a lighter version of Messenger that is stripped down of many features such as stories, animated stickers, dark mode, or changing a chat’s theme. Not having all these features means you can save up on storage space since the size of the app is smaller.

However, it appears that Meta has decided to discontinue this lightweight app and focus solely on the full version. This move might disappoint many users who believe that Messenger drains their battery too quickly or who simply prefer an app version that only enables sending and receiving messages and does not have any additional features or ads, for that matter.

In September, not only will Messenger Lite disappear, but Messenger will stop supporting SMS, which was also not met with a lot of excitement. On the other hand, Meta lets more people enjoy end-to-end encryption on Messenger.

The company began working on end-to-end encryption in 2019 but still tests it and has not introduced it to all its users. Meta’s engineers realized that they would need to essentially rewrite the entire messaging and calling code base from scratch, which sure takes time.



Lapsus$ Teen Hackers Convicted


In recent times, the world of cybersecurity has been rocked by a series of audacious cyberattacks. At the heart of these attacks is the notorious Lapsus$ teen hackers group, primarily composed of teenagers. Their high-profile hacks, especially the leak of the unreleased Grand Theft Auto 6 details, have sent shockwaves through the industry.

The Rise of Lapsus$ and Their Noteworthy Exploits

The Lapsus$ group, believed to be primarily based in the UK and possibly Brazil, has been responsible for a series of high-profile cyberattacks on major tech firms such as Nvidia. Their audacious methods and the sheer scale of their operations have made them a significant concern for cybersecurity experts worldwide.

One of the group’s key members, 18-year-old Arion Kurtaj, was recently found guilty of hacking into the systems of Grand Theft Auto developer Rockstar Games, among other companies. His involvement in leaking clips of the unreleased Grand Theft Auto 6 game while on bail further highlighted the group’s brazen approach to cybercrime.

Grand Theft Auto 6 Leak: A Shock to the Gaming Community

The gaming community was left in disbelief when details of the highly anticipated Grand Theft Auto 6 were leaked online. Arion Kurtaj, a key member of the Lapsus$ group, was found to have downloaded the company’s internal files about the game. These files, which hadn’t been announced and weren’t expected to be released for another year or more, were later leaked, causing significant disruption to Rockstar Games.

Other High-Profile Attacks: Uber, Revolut, and More

But the Grand Theft Auto 6 leak was just the tip of the iceberg. The Lapsus$ group’s hacking spree extended to other major companies, including Uber and fintech firm Revolut. Their method of operation often involved tricking employees of these companies into sharing their login credentials, granting the hackers unprecedented access to sensitive data.

In one instance, the group demanded a whopping $4 million ransom from telecoms company BT and mobile operator EE. While no ransom was paid, the audacity of the demand showcased the group’s confidence in their operations.

The Conviction and the Aftermath

The recent conviction of Arion Kurtaj and another unnamed 17-year-old member of the Lapsus$ group marks a significant milestone in the fight against cybercrime. While Kurtaj, diagnosed with autism, was deemed unfit to stand trial, the jury was tasked with determining whether he conducted the alleged acts.

The trial, which lasted for seven weeks at Southwark Crown Court in London, shed light on the group’s operations, their motivations, and the extent of their cyberattacks.

FAQs

Q: Who are the Lapsus$ hackers?
A: Lapsus$ is a notorious hacking group believed to be primarily composed of teenagers based in the UK and possibly Brazil. They have been responsible for a series of high-profile cyberattacks on major tech firms.

Q: What is the Grand Theft Auto 6 leak?
A: Arion Kurtaj, a member of the Lapsus$ group, hacked into Rockstar Games’ systems and leaked details of the unreleased Grand Theft Auto 6 game.

Q: Were the Lapsus$ hackers arrested?
A: Yes, Arion Kurtaj and another unnamed 17-year-old member of the Lapsus$ group were arrested and recently convicted for their involvement in the cyberattacks.

Q: How did the Lapsus$ group hack into companies?
A: The group often used a combination of computer hacking and con-man like tricks to gain access to companies. They would sometimes trick employees into sharing their login credentials.

Conclusion

The conviction of the Lapsus$ teen hackers serves as a stark reminder of the evolving threats in the world of cybersecurity. As the digital landscape continues to grow, so do the challenges posed by hackers and cybercriminals. It’s imperative for companies and individuals alike to stay informed, vigilant, and proactive in safeguarding their digital assets.



Facebook Messenger encrypted chats getting full rollout; Lite app going away


Meta announced two Messenger-related changes. All Facebook Messenger users will get encrypted chats later this year, while the Messenger Lite app is going away entirely.

Encrypted chats are getting a full rollout on Facebook Messenger

The company has already started expanding end-to-end encryption in Messenger, and it will complete that rollout by the end of this year. The standard was first rolled out about a year ago, to some users.

Meta said that the transition was not easy, saying that it was “an incredibly complex and challenging engineering puzzle”. The change is very welcome, however, as every messaging service should be end-to-end encrypted.

What does that mean, exactly? Well, when conversations are end-to-end encrypted, they’re basically fully safe. Nobody can eavesdrop on them, or intercept them. Well, not even law enforcement can get ahold of them.

It is worth noting that your Messenger message history will also be encrypted. Once the rollout finishes, Messenger will finally come to the same playing field as WhatsApp, another Meta service.

The Messenger Lite app will become a thing of the past next month

That’s not all, however. Meta also announced that the Messenger Lite app is going away. This app has been available on Android since 2016, but Meta has now decided to pull the plug.

It will kill off the app in September, so next month. The exact date is September 18, in case you were wondering. Your conversation history is safe, however, as everything will still be available in (regular) Messenger.

In fact, if you go and look for that app in the Play Store now, you will not find it. It’s no longer available, unless you’ve installed it before. In other words, new users cannot see it.

Meta did not explain why this is happening. We are, however, presuming that the company wants to cut down on the number of products, on top of the fact that smartphones are plenty powerful to run the regular Messenger app these days.

It is also worth noting that Meta is looking to remove SMS support from Messenger; that change will also come next month. That was announced not long ago.



Future Apple Watch could be able to adapt its watch face to your clothes


Yes, you read it right, a future Apple Watch could be able to automatically adapt its watch face to match your clothes and its watch band. How? Well, it’s not as complicated as it may seem, but it would be cool to see.

Future Apple Watch could be able to match its watch face colors to your clothes

Apple seems to be considering adding color sampling sensors to its future Apple Watch devices, Apple Insider reports. The publication got this info from a patent Apple submitted.

The patent submitted to the U.S. Patent and Trademark Office (USPTO) is titled “Electronic Devices with Color Sampling Sensors”. Those light sensors would be placed under the display, and be able to figure out the colors of surrounding objects.

Apple goes even further to explain things. An optical sensor, such as a camera, proximity sensor, ambient light sensor, fingerprint sensor, and other light-based under-screen sensors can sample colors by emitting a sequence of red, green, and blue lights towards external objects.

Apple’s algorithm would take information from the sensors and do the job

Following that, the watch would run a band-specific algorithm and match colors with a predetermined list of watch band colors. A clothing-specific algorithm would do the same with your clothing.

That sure is interesting, as it would be an automatic process. Many people would find this cool, probably, even though it’s a bit gimmicky at the same time. It would be a seamless process, as you wouldn’t really need to lift a finger. Your watch face would always match your band and/or clothes.

Do note that this is just a patent, for now. Chances are this won’t become a reality anytime soon, but it could, at some point. We’ll have to wait and see. Companies do submit tons of patents every year, but only a small percentage of them turn into actual products, so… we’ll see.



Google rolls out stronger security protection for certain actions in Gmail


Google has just announced that the protection for additional sensitive actions taken in Gmail that was introduced last year has been extended to specific actions. All these actions will get a “Verify it’s you” prompt if Google deems them risky enough.

This will provide an additional layer of security for Gmail users that are taking sensitive actions in the app, specifically actions related to:

  • Filters: creating a new filter, editing an existing filter, or importing filters.
  • Forwarding: Adding a new forwarding address from the Forwarding and POP/IMAP settings.
  • IMAP access: Enabling the IMAP access status from the settings. (Workspace admins control whether this setting is visible to end users or not)

After getting the prompt, Gmail users will be able to confirm the validity of the action via a 2-step verification code or another similar trusted factor. More importantly, Google says that if a verification challenge is failed or not completed, Gmail users will receive a “Critical security alert” notification on their devices. It’s important to mention that this additional security feature only supports users that use Google as their identity provider and actions taken within Google products (SAML users are not supported).

End users won’t have to look for this feature in the app’s settings, although it’s recommended to enable 2-step verification. The stronger protection for sensitive actions in Gmail will be available to all Google Workspace customers and users with personal Google Accounts.

According to Google, the rapid release domain will be getting the new security feature in the next two weeks, while scheduled release domains will get it in up to 3 days starting September 6.



Enterprise Device Management With QR Codes

Corporate mobile devices have become essential to everyday tasks for employees, but this convenience also comes with security risks.

The challenge lies in managing and securing multiple devices, especially without a proper solution. This is where mobile device management (MDM) comes into play, providing a centralized solution to remotely manage, monitor, and secure mobile devices.

Table of Contents

Device onboarding
What is QR code enrollment?
How can enrollment templates be tailored to the varying uses of different devices?
What are the benefits of QR code enrollment?

Device onboarding

The process of enrolling a large number of devices can be time-consuming and cumbersome. However, there are several enrollment methods available to simplify this process.

Android’s zero-touch enrollment and Apple Business Manager enrollment are great options for devices purchased from verified resellers, while Knox Mobile Enrollment streamlines enrollment for Samsung Knox devices.

But what about devices that are not purchased from verified resellers or are employee-owned? This is where QR code enrollment comes in, providing an efficient way to bulk enroll Android devices.

What is QR Code enrollment?

This article will focus specifically on QR code enrollment, a bulk enrollment method for devices running Android 6.0 or above.

With this method, the administrators can just scan the QR code that’s provided by the MDM server for the Android device and onboard it to the server.

This approach for bulk enrollment is more seamless than other methods because the administrator can set up enrollment templates in advance, which include the required users, policies, and configurations based on their intended use or purpose.

This means that the administrators can easily enroll many devices at once, and each will automatically have the correct user assigned and the right policies in place.

How can Enrollment Templates be Tailored To the Varying Uses of Different Devices?

Enrollment templates are the first step in the device enrollment process. They can be tailored to meet an organization’s specific needs and hold essential information, such as user, group, and naming patterns.

A naming pattern systematically assigns unique names to devices, such as a serial number, UDID, or IMEI. It helps avoid confusion by preventing identical names from being transferred to different devices.

When users want to set up a new device, they can easily enroll it in the MDM server by scanning the QR code from the prepared templates.

The device then follows the policies and configurations set in the enrollment template so that minimal manual intervention is required. Once enrolled, the device is ready for use.

By customizing enrollment templates, you can save time and eliminate repetitive tasks. Plus, you can ensure your devices are enrolled and secured according to your organization’s policies.

Let’s say the organization uses dedicated frontline devices and wants to assign them to the floor manager responsible for them.

You can create a custom template that assigns every device onboarded with the template’s QR code to the floor manager.

This eliminates the need to assign each device individually, and your organization saves time and money.

Imagine the organization has integrated directory services, and the admin wants to allow users to enroll their devices themselves.

You can create a template that enables users to enroll using their directory credentials, eliminating the need for manual intervention by an admin. Here, too, your organization saves time and money by reducing the involvement of help desk personnel.

What are the Benefits of QR Code Enrollment?

Using QR code enrollment with enrollment templates, you can:

  1. Simplify the bulk enrollment process and eliminate the need for manual intervention.
  2. Automate user assignments, allowing IT admins to assign devices to tagged users and groups automatically.
  3. Associate a naming pattern with devices for easy identification.
  4. Assign multiple devices to a single user to avoid individual device tagging and further streamline enrollment.
  5. Ensure that the necessary policies and configurations assigned to the template are applied to the devices automatically.

MDM helps simplify the management of mobile devices within your organization. ManageEngine Mobile Device Manager Plus is a comprehensive MDM solution tailored to organizations of all sizes.

Mobile Device Manager Plus ensures devices are secure and productive with a wide range of features, including device configuration management, policy enforcement, and application management.

With Mobile Device Manager Plus, you can streamline your device management processes and unlock the full potential of your organization’s mobile devices.

Learn more about this comprehensive mobile device management solution, and discover how to streamline the administration of your mobile workforce devices today.


Pixel 8a has already surfaced on Geekbench, along with specs

The Google Pixel 8a won’t launch anytime soon, and yet it just surfaced on Geekbench. That listing actually reveals some of the phone’s specs, along with its early performance benchmarks.

The Pixel 7a was launched back in May this year, during Google I/O. Chances are the Pixel 8a will do the same next year, so probably in May 2024. That’s a long time away from now, so it’s a bit odd this phone already appeared on Geekbench.

The Pixel 8a has already appeared on Geekbench, with some of its specs

Having said that, the phone surfaced with the ‘Akita’ codename. It managed to score 1,218 points in the single-core, and 3,175 points in the multi-core benchmark test. Do take those numbers with a grain of salt, though.

The phone seems to be running an underclocked version of the Google Tensor G3. The Tensor G3 is the chip that is expected to fuel the Pixel 8 and Pixel 8 Pro handsets. Those two phones are expected to launch later this year.

Android 14 is also listed on Geekbench, as is 8GB of RAM. That is basically all the information that the listing shared. As far as the rest of its specs are concerned, well, your guess is as good as ours.

It’s still way too early to know such things. The Pixel 8a info has not surfaced just yet. Considering that the Pixel 8 and Pixel 8 Pro designs did appear, however, the Pixel 8a could resemble its predecessor.

The phone is expected to include a Full HD+ OLED display, wireless charging & more

Aside from the specs mentioned here, we are expecting a Full HD+ display, which will likely offer a 90Hz refresh rate, if not a 120Hz refresh rate. That will be an OLED display, by the way.

The Pixel 7a also brought wireless charging to the Pixel A series, so this phone will hopefully retain that functionality. An under-display fingerprint scanner will be included too, of the optical variety. We’re also expecting some sort of IP rating, probably an IP67 rating for water and dust resistance.

