This Week in Security: SHA-1 Finally Shatters

Empowering Users To Be Secure

Netflix has announced Stethoscope, a device security awareness tool designed to empower users to make informed decisions to improve their security.

The tool takes an educational, user-focused approach to device security. Instead of simply being an admin tool to enact changes on devices, Stethoscope tracks security-critical device configurations like disk encryption and software versions, then provides the user with actionable information to fix problems.

Focusing on education gives the user the information they need to keep non-work devices secure, and even give their friends useful security tips. The effect is to improve corporate security on the front-line while allowing users more autonomy. 

If you’re interested in trying it out or contributing, you can check it out here on GitHub.

SHA-1 Finally Shatters

Cryptographic hash functions are one of the basic building blocks in information security. Whether used within larger cryptographic schemes, or simply to verify downloaded files, they’re everywhere. But as MD5 has taught us, no single hash function is good forever. Now that Google has found a collision, it’s SHA-1’s turn to be put out to pasture. More good reading on that here.

In practice, a secure cryptographic hash function should never produce collisions. So the ability to craft two different files that produce the same digest demonstrates that the hash function is broken.

That may sound academic, but SHA-1 hashes are used in Git source control, OpenPGP, and to sign many SSL certificates. The OpenPGP issue is particularly concerning. While the industry has already been moving away from SHA-1 in critical applications like SSL certificates, this attack demonstrates that using stronger hash functions should be a priority. The attack will only become easier and will have far-reaching consequences.

Here are some things you can do to help:

  • Use stronger hash functions in new projects and infrastructure, like SHA-256 or SHA-3.
  • Scan your systems for certificates using SHA-1 for their signatures and replace them.
  • Check existing projects and software for SHA-1 usage, and plan on upgrading to SHA-256 or SHA-3 as soon as you can.

Persistent Popups

Everyone’s favorite web nuisance has made a bit of a comeback. While browsers have been blocking annoying popups for years, an interesting new attack may bring them back. The trick allows an attacker to open an infinite number of popup dialogs without allowing the user to block further dialogs. Think of the pranking you can do *cough* we mean, this can actually become a serious problem!

Persisting the miscreant JavaScript in the browser’s tab allows the attacker’s code to lie in wait, even after the user surfs to another page or site, so long as they don’t close the tab. For example, a user may visit a site with the malicious JavaScript, then decide to search Google for something but have the popup from the first site appear after they’ve reached Google’s page. This could result in pop-ups that seem legitimate, which then try to phish the user.

Thankfully, this issue only affects IE11. If you’re using IE11, you can always close the tab hosting the malicious code, but it may not be possible to even tell if a tab has become a zombie like this. Now is a good time to upgrade to Edge, or consider using other browsers, such as Google Chrome.

When Slacking Becomes Snitching

Real-time chat software is no stranger to the workplace. Since the dawn of the instant messenger, tools like AIM and IRC have been standard issue for workers everywhere. The latest iteration are products like HipChat and Slack, cloud-hosted chat software with very impressive UI and features, originally meant to replace email.

But the cloud convenience often comes at a privacy cost. Many services store users’ chat logs by design to provide conversation history, and to make using multiple devices easier. However, this can also leave them vulnerable to attackers that compromise the service. Depending on the organization and the conversation, this could mean a PR nightmare or legal disaster.

There are a few things that can be done to limit this risk:

  • Be very careful to not have sensitive conversations on services that store and can access your conversations. Train employees how to use these communication methods and when to use another method, such as phone calls or in-person conversation.
  • Have strict data retention policies to limit exposure of stored information; the longer the data is kept, the longer it can become a liability. Many organizations archive only for the legally required minimum.
  • Use end-to-end encrypted chat services, such as Semaphor, Signal, or Wickr Professional.