Nov 30 2016

Farewell to the SHA-1 Hash Algorithm


Rest in peace SHA-1. Like all security controls, it was valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next year. The risks of using a weak hashing algorithm in browsers include the possibility of man-in-the-middle attacks, spoofed content, and even phishing against victims.

This security hashing algorithm has been around since circa 1995 and has been heavily used in protecting web content. Hashing algorithms play a vital role in verifying the integrity of files and are used when making a secure web connection (i.e., https:// sites) to ensure you are visiting the correct location and not a spoofed site looking to harvest your data. The problem arose in 2005 when researchers from Princeton University published a paper showing it was possible to find collisions much more easily than previously thought. For hashing, a collision means that a different source produces the same hash value, so the verification can be duplicated, thus invalidating the security of the system.

The National Institute of Standards and Technology has recommended switching to the upgraded SHA-2 variant since 2012. But removing embedded algorithms is not an easy or convenient process for website administrators, so outdated versions tend to linger on well after their useful life. Ultimately, such legacy support becomes more caustic over time and lends itself to progressively weaker security.

So, the end of SHA-1 is good news for everyone, except attackers. Farewell SHA-1. The industry has finally stood up and collectively voted you out.

 

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

 

The post Farewell to the SHA-1 Hash Algorithm appeared first on McAfee Blogs.

Nov 30 2016

Mozilla Releases Security Updates

Original release date: November 30, 2016

Mozilla has released security updates to address a vulnerability in Firefox, Firefox ESR, and Thunderbird. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 50.0.2
  • Firefox ESR 45.5.1
  • Thunderbird 45.5.1

US-CERT encourages users and administrators to review the Mozilla Security Advisory and apply the necessary updates.




Nov 30 2016

Tor releases urgent update for Firefox 0-day that’s under active attack

Developers with Tor have published a browser update that patches a critical Firefox vulnerability being actively exploited to deanonymize people using the privacy service.

"The security flaw responsible for this urgent release is already actively exploited on Windows systems," a Tor official wrote in an advisory published Wednesday afternoon. "Even though there is currently, to the best of our knowledge, no similar exploit for OS X or Linux users available, the underlying bug affects those platforms as well. Thus we strongly recommend that all users apply the update to their Tor Browser immediately."

The Tor browser is based on the open source Firefox browser developed by the Mozilla Foundation. Mozilla officials said on Tuesday they were in the process of developing a fix that presumably included mainstream versions of Firefox, but at the time this post was being prepared, a patch was not yet available. Mozilla representatives didn't respond to an e-mail seeking comment for this post.

