Security Week 03: the sunset of SHA-1 continues, a bug or feature in Whatsapp, vulnerabilities in routers are not repaired

SHA-1 is everything. Or not? It is easy and pleasant to follow the developments around this hashing algorithm: despite the obvious seriousness of the problem, it remains inapplicable for practical attacks, at least - for mass attacks. For the first time I mentioned SHA-1 in digest as of October 2015. Problems with it appeared due to the fact that computing resources fell in price somewhat faster than expected. An expert on cryptography Bruce Schneier in 2012 predicted that after three years to create a collision when generating hashes, it would take 11 years of computing on a conditional server. Three years have passed, and it turned out that in fact (due to the development of parallel computing technologies, and thanks to new research in the field of cryptography) this period is much less - only 49 days.

Since hashing using SHA-1 is used in highly demanding operations, for example, when establishing a secure connection with websites, software developers rather quickly began to share plans for decommissioning an unreliable algorithm. Starting January 24 (for Firefox, for other browsers a bit later), visiting a site that does not support the more robust SHA-2 algorithm (usually SHA-256 modifications) will result in various threatening warnings from users.

According to Facebook, at the end of 2015, 7% of their audience, mostly residents of developing countries, continued to use browsers or applications that do not support SHA-2. A more recent study shows that unreliable SHA-1s use 35% of sites in the IPv4 address space, but there are almost no truly popular ones among them. The most serious problems arose not from sites and users, but from payment systems and mobile application developers. The main conclusion of a rather detailed review on Threatpost: despite the early detection of the problem, public discussion of solutions, joint efforts, and so on, in 2017 SHA-1 will become a niche problem that is hardly ever definitively resolved. It means there will always be a risk of malicious manipulations with a forgotten server, which we either forgot to update or could not. You can not just take and eradicate the unreliable algorithm.


')
Whatsapp found a message encryption vulnerability. Or not found.
News Blogpost with details.

On Friday, the 13th, an article was published in the Guardian newspaper that the vulnerability in Whatsapp allows messenger developers to eavesdrop on users in the presence of encrypted correspondence. The vulnerability details are as follows: The Signal protocol, on which Whatsapp encryption is based, generates unique keys for communication between two users. If the user is offline, Whatsapp can change the keys, and quietly, without notifying users - if you do not enable the corresponding function in the settings.

That is, if you change the keys, then this is for some reason necessary, but why else is it necessary, except for eavesdropping? The developer of Open Whisper Systems, responsible for the Signal protocol, Morley Marlinspike tried to break this iron logic of the media. The situation of replacing the encryption key in question occurs if the server has nowhere to deliver the message. For example, there was a replacement smartphone or application was reinstalled. In this case, a new key is generated on the server to ensure the delivery of the message when the user returns to the network.

In short, the bug turned out to be a feature. The question is why users are not notified about the change of encryption keys? Whatsapp developers decided that users, most of whom do not understand anything in encryption, should not be scared once again. In Signal messenger, for example, they think it's worth the scare, and in Whatsapp this setting can be turned on manually. Then you will be able to turn on the paranoid mode: if (not important for some reason) you see that the keys have changed, you can change them again, presumably by securing the maximum privacy mode.



Although paranoid it does not help. Interesting news about the need for accurate interpretation of aspects of cybersecurity.

Thai ISP's routers remain vulnerable six months after the discovery of vulnerabilities
News Research

Traditional news from the world of "unreal IoT". The Thai Internet provider TrueOnline found vulnerable routers manufactured by the little-known Billion company and the well-known Zyxel, in which the researchers found a lot of ways to unauthorizedly intercept control via the web interface (including outside). Apparently, we are talking about vulnerabilities in custom firmware - vendors have nothing to do with it, although options are possible (Zyxel reported that we are talking about routers that have long been discontinued)

Vulnerabilities were found back in July of this year, but they were published only now for a simple reason: the Internet provider completely ignored the reports of the researchers. In general, the routine news looks good in context. At the end of last year, Laboratories experts discovered ( news and research ) the Android Trojan Switcher, which has the function of spoofing DNS records in routers, that is, it is used as a stepping stone to capture the victim’s entire home network.

Antiquities

"Nina-1600"

A resident very dangerous virus, infects .COM-, .EXE- and .SYS-files that it searches in the current directory for each call to int 21h. .COM- and .EXE-files infect standard. When infecting .SYS files, appends its body to the end of the file and modifies the Interrupt and Strategy programs of the driver being infected.

It is activated only in the absence of anti-virus blockers. When you try to pass the virus codes with a debugger, it deletes some of the data on the disk. It contains the texts: “Dear Nina, you make me write this virus; Happy new year! ”,": \ COMMAND.COM ".

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 41.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.