Security-Portal.cz je internetový portál zaměřený na počítačovou bezpečnost, hacking, anonymitu, počítačové sítě, programování, šifrování, exploity, Linux a BSD systémy. Provozuje spoustu zajímavých služeb a podporuje příznivce v zajímavých projektech.

Kategorie

Google Achieves First-Ever Successful SHA-1 Collision Attack

The Hacker News - 1 hodina 35 min zpět
SHA-1, Secure Hash Algorithm 1, a very popular cryptographic hashing function designed in 1995 by the NSA, is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam announced today submitted the first ever successful SHA-1 collision attack. SHA-1 was designed in 1995 by the National Security Agency (NSA) as a part of the Digital Signature Algorithm. Like other
Kategorie: Hacking & Security

Serious Cloudflare bug exposed a potpourri of secret customer data

Ars Technica - 2 hodiny 19 min zpět

(credit: Acid the meme machine)

Cloudflare, a service that helps optimize the security and performance of more than 5.5 million websites, warned customers today that a recently fixed software bug exposed a range of sensitive information that could have included passwords, and cookies and tokens used to authenticate users.

A combination of factors made the bug particularly severe. First, the leakage may have been active since September 22, nearly five months before it was discovered, although the greatest period of impact was from February 13 and February 18. Second, some of the highly sensitive data that was leaked was cached by Google and other search engines. The result was that for the entire time the bug was active, hackers had the ability to access the data in real-time, by making Web requests to affected websites, and to access some of the leaked data later by crafting queries on search engines.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," Cloudflare CTO John Graham-Cumming wrote in a blog post published Thursday. "We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

Read 8 remaining paragraphs | Comments

Kategorie: Hacking & Security

Announcing the first SHA1 collision

Google Security Blog - 4 hodiny 40 min zpět
Posted by Marc Stevens (CWI Amsterdam), Elie Bursztein (Google), Pierre Karpman (CWI Amsterdam), Ange Albertini (Google), Yarik Markov (Google), Alex Petit Bianco (Google), Clement Baisse (Google)
Cryptographic hash functions like SHA-1 are a cryptographer’s swiss army knife. You’ll find that hashes play a role in browser security, managing code repositories, or even just detecting duplicate files in storage. Hash functions compress large amounts of data into a small message digest. As a cryptographic requirement for wide-spread use, finding two messages that lead to the same digest should be computationally infeasible. Over time however, this requirement can fail due to attacks on the mathematical underpinnings of hash functions or to increases in computational power.

Today, more than 20 years after of SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We’ve summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.

For the tech community, our findings emphasize the necessity of sunsetting SHA-1 usage. Google has advocated the deprecation of SHA-1 for many years, particularly when it comes to signing TLS certificates. As early as 2014, the Chrome team announced that they would gradually phase out using SHA-1. We hope our practical attack on SHA-1 will cement that the protocol should no longer be considered secure.

We hope that our practical attack against SHA-1 will finally convince the industry that it is urgent to move to safer alternatives such as SHA-256.

What is a cryptographic hash collision?
A collision occurs when two distinct pieces of data—a document, a binary, or a website’s certificate—hash to the same digest as shown above. In practice, collisions should never occur for secure hash functions. However if the hash algorithm has some flaws, as SHA-1 does, a well-funded attacker can craft a collision. The attacker could then use this collision to deceive systems that rely on hashes into accepting a malicious file in place of its benign counterpart. For example, two insurance contracts with drastically different terms.

Finding the SHA-1 collision

In 2013, Marc Stevens published a paper that outlined a theoretical approach to create a SHA-1 collision. We started by creating a PDF prefix specifically crafted to allow us to generate two documents with arbitrary distinct visual contents, but that would hash to the same SHA-1 digest. In building this theoretical attack in practice we had to overcome some new challenges. We then leveraged Google’s technical expertise and cloud infrastructure to compute the collision which is one of the largest computations ever completed.

Here are some numbers that give a sense of how large scale this computation was:

  • Nine quintillion (9,223,372,036,854,775,808) SHA1 computations in total
  • 6,500 years of CPU computation to complete the attack first phase
  • 110 years of GPU computation to complete the second phase

While those numbers seem very large, the SHA-1 shattered attack is still more than 100,000 times faster than a brute force attack which remains impractical.
Mitigating the risk of SHA-1 collision attacks
Moving forward, it’s more urgent than ever for security practitioners to migrate to safer cryptographic hashes such as SHA-256 and SHA-3. Following Google’s vulnerability disclosure policy, we will wait 90 days before releasing code that allows anyone to create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions. In order to prevent this attack from active use, we’ve added protections for Gmail and GSuite users that detects our PDF collision technique. Furthermore, we are providing a free detection system to the public.
You can find more details about the SHA-1 attack and detailed research outlining our techniques here.
About the team
This result is the product of a long-term collaboration between the CWI institute and Google’s Research security, privacy and anti-abuse group.
Marc Stevens and Elie Bursztein started collaborating on making Marc’s cryptanalytic attacks against SHA-1 practical using Google infrastructure. Ange Albertini developed the PDF attack, Pierre Karpman worked on the cryptanalysis and the GPU implementation, Yarik Markov took care of the distributed GPU code, Alex Petit Bianco implemented the collision detector to protect Google users and Clement Baisse oversaw the reliability of the computations.

Kategorie: Hacking & Security

Policy Experts Push To Make Vulnerability Equities Process Law

Threatpost - 23 Únor, 2017 - 22:37
By making the Vulnerability Equities Process law, advocates of the idea argue there would be more reliability, transparency and accountability in the process of government vulnerability disclosure.
Kategorie: Hacking & Security

Frank Abagnale, world-famous con man, explains why technology won’t stop breaches

Ars Technica - 23 Únor, 2017 - 20:42

Enlarge / Frank Abagnale, as played by Leonardo DiCaprio in Catch Me If You Can, once pretended to be a doctor. Now he's teaching the health industry about the threat of identity theft. (credit: Dreamworks)

Frank Abagnale is world-famous for pretending to be other people. The former teenage con man, whose exploits 50 years ago became a Leonardo DiCaprio film called Catch Me If You Can, has built a lifelong career as a security consultant and advisor to the FBI and other law enforcement agencies. So it's perhaps ironic that four and a half years ago, his identity was stolen—along with those of 3.6 million other South Carolina taxpayers.

"When that occurred," Abagnale recounted to Ars, "I was at the FBI office in Phoenix. I got a call from [a reporter at] the local TV news station, who knew that my identity was stolen, and they wanted a comment. And I said, 'Before I make a comment, what did the State Tax Revenue Office say?' Well, they said they did nothing wrong. I said that would be absolutely literally impossible. All breaches happen because people make them happen, not because hackers do it. Every breach occurs because someone in that company did something they weren't supposed to do, or somebody in that company failed to do something they were supposed to do." As it turned out (as a Secret Service investigation determined), a government employee had taken home a laptop that shouldn't have left the office and connected it—unprotected—to the Internet.

Government breaches of personal information have become all too common, as demonstrated by the impact of the hacking of the Office of Management and Budget's personnel records two years ago. But another sort of organization is now in the crosshairs of criminals seeking identity data to sell to fraudsters: doctors' offices. Abagnale was in Orlando this week to speak to health IT professionals at the 2017 HIMSS Conference about the rising threat of identity theft through hacking medical records—a threat made possible largely because of the sometimes haphazard adoption of electronic medical records systems by health care providers.

Read 16 remaining paragraphs | Comments

Kategorie: Hacking & Security

Bang! SHA-1 collides at 38762cf7­f55934b3­4d179ae6­a4c80cad­ccbb7f0a

Sophos Naked Security - 23 Únor, 2017 - 19:57
Remember how experts have been saying, "Drop SHA-1" for years and years? Now they're saying, "Told you so."

Drones can steal data from infected PCs by spying on blinking LEDs

Sophos Naked Security - 23 Únor, 2017 - 19:51
Is that a drone hovering outside your office window snooping on your disk's flashing lights? Time to move it away from the window

News in brief: San Diego plans data-gathering smart city upgrade; Amazon says no; judge says no

Sophos Naked Security - 23 Únor, 2017 - 19:39
Your daily round-up of some of the other stories in the news

First Practical SHA-1 Collision Attack Arrives

Threatpost - 23 Únor, 2017 - 19:17
Researchers unveiled the first-ever practical collision attack the cryptographic hash function SHA-1.
Kategorie: Hacking & Security

Hacker Who Knocked Million Routers Offline Using MIRAI Arrested at London Airport

The Hacker News - 23 Únor, 2017 - 19:01
British police have arrested a suspect in connection with the massive attack on Deutsche Telekom that hit nearly 1 Million routers last November. Late last year, someone knocked down more than 900,000 broadband routers belonging to Deutsche Telekom users in Germany, which affected the telephony, television, and internet service in the country. Now, Germany's federal criminal police force (
Kategorie: Hacking & Security

Impact of New Linux Kernel DCCP Vulnerability Limited

Threatpost - 23 Únor, 2017 - 17:11
Existing mitigations and limitations around a newly disclosed Linux kernel vulnerability in the DCCP module mute the potential impact of local attacks.
Kategorie: Hacking & Security

Healthcare data breaches ‘mostly caused by insiders’

Sophos Naked Security - 23 Únor, 2017 - 16:55
With an average of one data breach a day and patchy security practises, healthcare organizations are sitting targets for hackers

How much does Facebook really know about you – and is it right?

Sophos Naked Security - 23 Únor, 2017 - 16:03
Third-party tools that show you what Facebook can piece together about you are a useful reminder of just how much data you're sharing - but they aren't always accurate

Anonymní bitcoin? Už ne. Dánsko je lídrem v odhalování praní peněz skrze kyberměny

Zive.cz - bezpečnost - 23 Únor, 2017 - 15:49
[********************] [********************] O bitcoin mají zájem nejen geekové a investoři, ale samozřejmě i šedá zóna, která se snaží využívat jeho nekontrolovaného života a vyprat skrze něj třeba peníze z ilegální činnosti. Bitcoin sám o sobě nicméně nemusí být vůbec anonymní, spíše naopak. ...
Kategorie: Hacking & Security

Lawmakers set to overturn broadband privacy rules, as ISPs requested

Sophos Naked Security - 23 Únor, 2017 - 15:37
Congress is preparing to overturn rules that require ISPs to get customers to opt in before selling data

Java, Python FTP Injection Attacks Bypass Firewalls

Threatpost - 23 Únor, 2017 - 15:19
Newly disclosed FTP injection vulnerabilities in Java and Python that are fueled by rather common XML External Entity (XXE) flaws allow for firewall bypasses.
Kategorie: Hacking & Security

Ransomware je instalován místo fontu pro Google Chrome. Útočníci jej šíří i na legitimních webech

Zive.cz - bezpečnost - 23 Únor, 2017 - 14:10
Jednu z nových cest, které mají malware dostat ke svým obětem popsal web Forbes . Je zaměřena především na uživatele nejrozšířenějšího prohlížeče Chrome a nejčastěji je uživatel napaden ransomwarem – škodlivým programem, který se postará o zašifrování souborů. Jejich znovuzpřístupnění je potom ...
Kategorie: Hacking & Security

At death’s door for years, widely used SHA1 function is now dead

Ars Technica - 23 Únor, 2017 - 14:01

(credit: Bob Embleton)

For more than six years, the SHA1 cryptographic hash function underpinning Internet security has been at death's door. Now it's officially dead, thanks to the submission of the first known instance of a fatal exploit known as a "collision."

Despite more than a decade of warnings about the lack of security of SHA1, the watershed moment comes as the hash function remains widely used. Git, the world's most widely used system for managing software development among multiple people, relies on it for data integrity. The GnuPG e-mail encryption program still deems SHA1 safe. And hundreds if not thousands of big-name software packages rely on SHA1 signatures to ensure installation and update files distributed over the Internet haven't been maliciously altered.

A collision occurs when the two different files or messages produce the same cryptographic hash. The most well-known collision occurred sometime around 2010 against the MD5 hash algorithm, which is even weaker than SHA1. A piece of nation-sponsored espionage malware known as Flame used the attack to hijack the Windows update mechanism Microsoft uses to distribute patches to hundreds of millions of customers. By forging the digital signature used to cryptographically prove the authenticity of Microsoft servers, Flame was able to spread from one infected computer to another inside targeted networks.

Read 8 remaining paragraphs | Comments

Kategorie: Hacking & Security

Publicly Disclosed Windows Vulnerabilities Await Patches

Threatpost - 23 Únor, 2017 - 14:00
Microsoft's delayed release of its February security bulletins leaves users exposed to a pair of already publicly disclosed vulnerabilities.
Kategorie: Hacking & Security

Top 8 Reverse Engineering Tools for Cyber Security Professionals

InfoSec Institute Resources - 23 Únor, 2017 - 14:00

Whether it is rebuilding a car engine or diagramming a sentence, people can learn about many things simply by taking them apart and putting them back together again. This process of breaking something down to understand it, build a copy to improve it, is known as reverse engineering. The process of reverse engineering was originally […]

The post Top 8 Reverse Engineering Tools for Cyber Security Professionals appeared first on InfoSec Resources.

Kategorie: Hacking & Security
Syndikovat obsah