SHA-1 (Secure Hash Algorithm 1) Hash Function Broken Again by Researchers

Researchers from Google and the CWI Institute in Amsterdam announced that they had produced the first practical collision for the cryptographic hash function SHA-1 (Secure Hash Algorithm 1), and they published the colliding files as a demonstration.

The Secure Hash Algorithm is a family of cryptographic hash functions published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS) which includes:

  • SHA-1: A 160-bit hash function which resembles the earlier MD5 algorithm. This was designed by the National Security Agency (NSA) to be part of the Digital Signature Algorithm. Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved for most cryptographic uses after 2010.
  • SHA-2: A family of two similar hash functions, with different block sizes, known as SHA-256 and SHA-512. They differ in the word size: SHA-256 operates on 32-bit words, SHA-512 on 64-bit words. There are also truncated versions of each, known as SHA-224, SHA-384, SHA-512/224 and SHA-512/256. These were also designed by the NSA.
  • SHA-3: A hash function formerly called Keccak, chosen in 2012 after a public competition among non-NSA designers. It supports the same hash lengths as SHA-2, and its internal structure differs significantly from the rest of the SHA family.

SHA-1 has been considered obsolete for some time, and the major browser vendors had already planned to stop trusting SHA-1-based certificates this year because its construction is weaker than the newer SHA-2 and SHA-3 standards. This result reinforces the point: SHA-1 should no longer be used anywhere a security decision depends on the hash.

Google and CWI engineered a collision attack against SHA-1 and, as proof of concept, released two PDF files with different content but the same SHA-1 hash. Note what this does and does not mean: the attack lets an adversary craft two documents of their own choosing that hash to the same value; it does not let them produce a second document matching the hash of an existing, honest file (a second-preimage attack), which remains out of reach. The damage is to any use where the attacker can supply the "good" copy, such as getting one document signed, deduplicated or allow-listed and then substituting the other.
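As an added example (not code from Google, CWI or the original post): a cross-hash check for a store or manifest that identifies content by SHA-1. Two colliding files share a SHA-1 digest but, barring a second independent break, not a SHA-256 digest, so computing both separates a genuine duplicate from a collision. The store layout, object names and sample bytes are constructed for illustration; the code uses only Python's standard hashlib.

```python
"""Cross-hash audit for a SHA-1 addressed store (added example).

A SHA-1 collision means two different byte strings share one SHA-1 digest.
Any system that treats SHA-1 as a unique identifier (dedup stores, manifests,
signature pre-hashes) can be fooled. A second, independent hash (SHA-256)
distinguishes a real duplicate from a collision.
"""
import hashlib
from collections import defaultdict


def digests(data: bytes) -> tuple[str, str]:
    """Return (sha1, sha256) hex digests of one object."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()


def audit_store(objects: dict[str, bytes]) -> dict:
    """Group objects by SHA-1, then by SHA-256 within each SHA-1 group.

    objects maps a name (path, key) to its raw bytes.
    Returns:
      duplicates - name groups whose bytes are identical (same SHA-1 and SHA-256)
      collisions - SHA-1 digests shared by objects whose SHA-256 differs
    """
    by_sha1: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for name, data in objects.items():
        sha1, sha256 = digests(data)
        by_sha1[sha1][sha256].append(name)

    duplicates, collisions = [], []
    for sha1, by_sha256 in by_sha1.items():
        if len(by_sha256) > 1:
            # One SHA-1 value but several SHA-256 values: the contents differ,
            # so these objects are a SHA-1 collision, not copies of one file.
            collisions.append({"sha1": sha1,
                               "groups": [sorted(n) for n in by_sha256.values()]})
        else:
            names = next(iter(by_sha256.values()))
            if len(names) > 1:
                duplicates.append(sorted(names))
    return {"duplicates": duplicates, "collisions": collisions}


def verify_manifest_entry(data: bytes, entry: dict) -> list[str]:
    """Check one object against a manifest entry {"sha1": ..., "sha256": ...}.

    A manifest that records only SHA-1 is reported as weak, because a file
    colliding with the recorded one would pass; a SHA-256 mismatch is a failure.
    """
    sha1, sha256 = digests(data)
    findings = []
    if entry.get("sha1") is not None and entry["sha1"] != sha1:
        findings.append("sha1 mismatch")
    if "sha256" not in entry:
        findings.append("manifest carries only SHA-1; a colliding file would pass")
    elif entry["sha256"] != sha256:
        findings.append("sha256 mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample objects (not the published colliding PDFs).
    store = {
        "a.pdf": b"%PDF-1.3 constructed sample A",
        "a-copy.pdf": b"%PDF-1.3 constructed sample A",
        "b.pdf": b"%PDF-1.3 constructed sample B",
    }
    print(audit_store(store))
```

Run against the two released PDFs, `audit_store` would place both under one SHA-1 key with two SHA-256 sub-groups and report a collision; against ordinary files it reports only true duplicates. The manifest check is the policy side of the same idea: any record that carries SHA-1 alone is flagged so it can be re-hashed.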

Cyber Security Predictions for 2017

Whether it was a billion compromised Yahoo accounts or state-sponsored Russian hackers muscling in on the US election, this past year saw hacks of unprecedented scale and temerity. And if history is any guide, next year should yield more of the same.

It’s hard to know for certain what lies ahead, but some themes began to present themselves toward the end of 2016 that will almost certainly continue well into next year. And the more we can anticipate them, the better we can prepare. Here’s what we think 2017 will hold.

Consumer Drones Get Weaponized

Given how frequently the US has used massive flying robots to kill people, perhaps it’s no surprise that smaller drones are now turning deadly, too—this time in the hands of America’s enemies. In October the New York Times reported that in the first known case, US-allied Kurdish soldiers were killed by a small drone the size of a model airplane, rigged with explosives. As drones become smaller, cheaper, and more powerful, the next year will see that experiment widened into a full-blown tactic for guerrilla warfare and terrorism. What better way to deliver deadly ordnance across enemy lines or into secure zones of cities than with remote-controlled accuracy and off-the-shelf hardware that offers no easy way to trace the perpetrator? The US government is already buying drone-jamming hardware. But as with all IEDs, the arms race between flying consumer grade bombs and the defenses against them will likely be a violent game of cat-and-mouse.

Another iPhone Encryption Clash

When the FBI earlier this year demanded that Apple write new software to help crack its own device—the iPhone 5c of dead San Bernardino terrorist Rizwan Farook—it fired the first shots in a new chapter of the decades-long war between law enforcement and encryption. And when it backed off that request, saying it had found its own technique to crack the phone, it only delayed any resolution. It's only a matter of time until the FBI or other cops make another legal demand that an encryption-maker assist in cracking its protections for users, setting the conflict in motion again. In fact, in October the FBI revealed that another ISIS-linked terrorist, the man who stabbed ten people in a Minnesota mall, used an iPhone. Depending on what model iPhone it is, that locked device could spark Apple vs. FBI, round two, if the bureau is determined enough to access the terrorist's data. (It took three months after the San Bernardino attack for the FBI's conflict with Apple to become public, and that window hasn't passed in the Minnesota case.) Sooner or later, expect another crypto clash.

Russian Hackers Run Amok

Two months have passed since the Office of the Director of National Intelligence and the Department of Homeland Security stated what most of the private sector cybersecurity world already believed: That the Kremlin hacked the American election, breaching the Democratic National Committee and Democratic Congressional Campaign Committee and spilling their guts to WikiLeaks. Since then, the White House has promised a response to put Russia back in check, but none has surfaced. And with less than a month until the inauguration of Putin’s preferred candidate—one who has buddied up to the Russian government at every opportunity and promised to weaken America’s NATO commitments—any deterrent effect of a retaliation would be temporary at best. In fact, the apparent success of Russia’s efforts—if, as CIA and FBI officials have now both told the Washington Post, Trump’s election was the hackers’ goal—will only embolden Russia’s digital intruders to try new targets and techniques. Expect them to replicate their influence operations ahead of elections next year in Germany, the Netherlands, and France, and potentially to even try new tricks like data sabotage or attacks on physical infrastructure.

A Growing Rift Between the President and the Intelligence Community

Though the US intelligence community—including the FBI, NSA, and CIA—has unanimously attributed multiple incidents of political hacking to Russian government-sponsored attackers, President-elect Donald Trump has remained skeptical. Furthermore, he has repeatedly cast doubt on digital forensics as an intelligence discipline, saying things like, “Once they hack, if you don’t catch them in the act you’re not going to catch them. They have no idea if it’s Russia or China or somebody.” Trump has also caused a stir by declining daily intelligence briefings. Beyond just the current situation with Russia, Trump’s casual dismissal of intelligence agency findings is creating an unprecedented dissonance between the Office of the President and the groups that bring it vital information about the world. Current and former members of the intelligence community told WIRED in mid-December that they find Trump’s attitude disturbing and deeply concerning. If the President-elect permanently adopts this posture, it could irrevocably hinder the role of intelligence agencies in government. President Obama, for one, says he is hopeful that the situation is temporary, since Trump has not yet felt the full responsibility of the presidency. “I think there is a sobering process when you walk into the Oval Office,” Obama said recently in a press conference. “There is just a whole different attitude and vibe when you’re not in power as when you are in power.” If Trump does eventually embrace the intelligence community more fully, the next question will be whether it can move on from what has already transpired.

Read More Here…

The Top 5 Free Network Security Vulnerability Security Scanners

A vulnerability scanner is a software application that probes networks or host systems for known security weaknesses and produces a set of scan results. Because administrators and attackers use the same tools, the administrator's job is to scan and fix the findings before an attacker runs the same scan and exploits them. This article provides a general overview of vulnerability scanners.

A number of free products are available for the task. SecurityOrb.com has put together its top 5 free network vulnerability scanners for your review.
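Added example, not code from SecurityOrb.com or from any of the scanners in the list: the core loop every network vulnerability scanner shares, reduced to its smallest form. It connects to a service, reads the banner, parses the product and version, and compares that version with a policy table. The `MINIMUM_VERSIONS` table, the banners and the target addresses below are constructed for illustration; real scanners ship large databases mapping product versions to advisories.

```python
"""Banner-based version check: the minimal core of a network vulnerability scanner
(added example)."""
import re
import socket

# Constructed policy: lowest acceptable version per product. Illustrative only;
# a real scanner maps versions to specific advisories from a maintained database.
MINIMUM_VERSIONS = {
    "OpenSSH": (7, 4),
    "ProFTPD": (1, 3, 5),
}

# Matches e.g. "SSH-2.0-OpenSSH_7.2p2 Ubuntu..." or "220 ProFTPD 1.3.5 Server".
BANNER_RE = re.compile(r"(OpenSSH|ProFTPD)[_ ]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'7.2' -> (7, 2); tuples compare numerically, so (7, 10) > (7, 4)."""
    return tuple(int(part) for part in text.split("."))


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and return the first line the service volunteers (network I/O only)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(256).decode("ascii", "replace").strip()


def assess_banner(banner: str):
    """Parse a banner and compare its version with the policy.

    Returns None when the banner names no product we have a rule for.
    """
    m = BANNER_RE.search(banner)
    if not m or m.group(1) not in MINIMUM_VERSIONS:
        return None
    product, shown = m.group(1), m.group(2)
    minimum = MINIMUM_VERSIONS[product]
    return {
        "product": product,
        "version": shown,
        "minimum": ".".join(map(str, minimum)),
        "outdated": parse_version(shown) < minimum,
    }


def scan(targets, grab=grab_banner):
    """Scan (host, port) pairs. `grab` is injectable so the logic can run offline."""
    results = []
    for host, port in targets:
        try:
            banner = grab(host, port)
        except OSError as exc:
            results.append({"host": host, "port": port, "error": str(exc)})
            continue
        results.append({"host": host, "port": port, "banner": banner,
                        "assessment": assess_banner(banner)})
    return results


if __name__ == "__main__":
    # Constructed banners stand in for live hosts (addresses from 192.0.2.0/24).
    fake_services = {
        ("192.0.2.10", 22): "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8",
        ("192.0.2.11", 21): "220 ProFTPD 1.3.5 Server (Debian)",
    }
    for r in scan(fake_services.keys(), grab=lambda h, p: fake_services[(h, p)]):
        print(r)
```

Two caveats that apply to the real tools as well: a version string is only evidence, not proof, since distributions backport fixes without changing the banner and administrators can edit banners, and an unauthenticated banner check sees only what the service volunteers. Authenticated or credentialed scans give far more reliable results.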



American vigilante hacker sends Russia a warning

An American vigilante hacker — who calls himself “The Jester” — has defaced the website of the Russian Ministry of Foreign Affairs in retaliation for attacks on American targets.

On Friday night, the Jester gained access to the Russian government ministry’s website. And he left a message: Stop attacking Americans.

“Comrades! We interrupt regular scheduled Russian Foreign Affairs Website programming to bring you the following important message,” he wrote. “Knock it off. You may be able to push around nations around you, but this is America. Nobody is impressed.”

MID.ru is the official website of the Russian agency that is in charge of maintaining that country’s international diplomacy — equivalent to the U.S. Department of State.

His hacking of the website included this gag: Visitors are subjected to the ear-piercing sound of an American civil alert message — that shrieking dial tone that accompanies emergency weather broadcasts.

Read more here.


Internet of Things comes back to bite us as hackers spread botnet code

An article from USA TODAY, 8:02 p.m. EDT, October 3, 2016

SAN FRANCISCO – Consumers around the world could see their home Internet speeds slow in the coming weeks due to a recent release of software that allows hackers to use Internet-connected devices to attack websites.

The source code for Mirai, a tool that creates what are known as botnets, has been released on the so-called dark web, sites that require specific software or authorization to access and that operate as a sort of online underground for hackers. The release was announced Friday on Hackforums, a hacker discussion board. Two security experts contacted by USA TODAY looked at the source code and confirmed it was this botnet tool.

Mirai is an easy-to-use program that allows even unskilled hackers to take over online devices and use them to launch distributed denial of service, or DDoS attacks. The software spreads via the Internet, taking over DVRs, cable set-top boxes, routers and even Internet-connected cameras used by stores and businesses for surveillance.

Once a device is hijacked, so much of its bandwidth goes towards doing the botnet’s work that it can run slowly or suffer intermittent failures, and it’s very difficult for the consumer to know the cause.

The code is “a gift to cyber criminals,” said Thomas Pore, director of IT and services for Plixer International, a Kennebunk, Maine-based malware incident response company.

Mirai was used to knock computer security writer Brian Krebs offline on September 13.

Expect more and more such attacks in the future, says Roland Dobbins, a DDoS expert with Arbor Networks. “We’re seeing more attackers becoming aware that embedded devices are an easy way to launch these attacks,” he said.

DDoS attacks from the Internet of Things

DDoS attacks have existed since at least 1999. They use a network of compromised computers to bombard a website with millions of requests, so many that the target cannot cope and stops responding to legitimate users.
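The "millions of messages" above usually show up first in the victim's own logs. The following is an added example, not from the article or from any product named in it, of the simplest detection a defender can run over web-server access logs: bucket requests into fixed time windows and count distinct source addresses, so that a flood from one host and a distributed flood from many hijacked devices are reported differently. The log lines, thresholds and addresses are constructed; the addresses come from the IETF documentation ranges.

```python
"""Window-based flood detection over access-log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return {'src', 'ts', 'request', 'status'} or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"src": m.group("src"), "ts": ts,
            "request": m.group("req"), "status": int(m.group("status"))}


def bucket(ts: datetime, window: int) -> int:
    """Start (epoch seconds) of the fixed window containing ts."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window


def detect_floods(lines, window=10, min_requests=10, min_sources=5):
    """Flag windows with at least min_requests hits.

    A window fed by >= min_sources distinct addresses is a distributed flood;
    otherwise it is a single-source flood, which is rate-limited differently.
    """
    windows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            windows[bucket(rec["ts"], window)].append(rec["src"])

    alerts = []
    for start in sorted(windows):
        srcs = windows[start]
        if len(srcs) < min_requests:
            continue
        distinct = len(set(srcs))
        alerts.append({
            "window_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
            "requests": len(srcs),
            "sources": distinct,
            "kind": "distributed flood" if distinct >= min_sources else "single-source flood",
            "top_source": max(set(srcs), key=srcs.count),
        })
    return alerts


def _line(src: str, hhmmss: str, path: str = "/") -> str:
    """Build one constructed log line (test data, not a real capture)."""
    return f'{src} - - [03/Oct/2016:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet minute, then 12 distinct bots hitting one 10 s window,
# then 12 hits from a single address in the next minute.
SAMPLE_LOG = (
    [_line("203.0.113.5", "20:15:01"), _line("203.0.113.9", "20:15:04"),
     _line("203.0.113.5", "20:15:07")]
    + [_line(f"198.51.100.{i}", f"20:16:0{i % 10}") for i in range(1, 13)]
    + [_line("203.0.113.77", f"20:17:0{i % 10}") for i in range(12)]
)

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

On real traffic the thresholds have to be set from a baseline of normal request rates, and a volumetric attack of the size Mirai produced would saturate the upstream link before the web server ever logged it; the distinction between many sources and one source still matters, because blocking a single address is cheap while a distributed flood needs upstream filtering.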

Read more here.

Clinton, Trump Debate ‘Twenty-First Century War’ Of Cyberattacks

An interesting article by Kelly Jackson Higgins of DarkReading.com:

A long-standing inside joke in the security community is to tweet “drink” when the word “cybersecurity” is uttered by the President at the State of the Union Address or by candidates during a Presidential debate. During Monday’s televised debate between Presidential candidates Hillary Clinton and Donald Trump, there were plenty of opportunities to imbibe (um, tweet).

The very first question about the nation’s security was about hacking. Debate moderator and NBC news anchorman Lester Holt posed the question to the candidates at the top of the third and final section of the debate, Securing America:

“We want to start with a twenty-first century war happening every day in this country. Our institutions are under cyberattack, and our secrets are being stolen. So my question is, who’s behind it? And how do we fight it?” Holt asked.

Both Clinton and Trump stressed the importance of cybersecurity for the next administration. “Well I think cybersecurity … cyberwarfare, will be one of the biggest challenges to the next President because clearly we’re facing at this point two different kinds of adversaries,” nation-state actors and cybercriminals, Clinton said.

Clinton also called out Russia’s recent hacking activity. “There’s no doubt now that Russia has used cyberattacks against all kinds of organizations in our country and I am deeply concerned about this.”

The US needs to “make it very clear” to nations who engage in cyberattacks against the US that “the US has much greater capacity and we are not going to sit idly by and permit state actors to go after our information: our private-sector information or our public sector information,” she said. “And we’re going to have to make it clear that we don’t want to use the kinds of tools that we have. We don’t want to engage in a different kind of warfare. But we will defend the citizens of this country, and the Russians need to understand that.”

Read More Here.