Exploit Fully Breaks SHA-1, Lowers the Attack Bar
A proof-of-concept attack has been pioneered that "fully and practically" breaks the Secure Hash Algorithm 1 (SHA-1) code-signing encryption, used by legacy computers to sign the certificates that authenticate software downloads and prevent man-in-the-middle tampering.
All of the major browsers and most applications no longer recognize certificates signed with SHA-1, few certificate authorities still support it, and NIST has deprecated it since 2011. The latest PoC attack is nonetheless deeply concerning because, for all of that, SHA-1 remains far from being fully deprecated.
The exploit, which focused on PGP, is yet another collision attack, but it's one that significantly lowers the bar for attackers looking to break SHA-1 compared to previous PoCs.
In practice, achieving the attack takes computational horsepower and processor resources; the researchers said that they paid $756,000 for their trial-and-error process and computations, but the cost could be as low as $50,000 using more advanced GPUs and a known attack methodology.
"GPU technology improvements and general computation cost decrease will quickly render our attack even cheaper, making it basically possible for any ill-intentioned attacker in the very near future."
News URL
https://threatpost.com/exploit-fully-breaks-sha-1/151697/