Monday, 27 February 2017 08:38

More SHA-1 attacks likely after script, website come online

By Sam Varghese

More attacks on SHA-1 can be expected after a security researcher took apart the PDFs which were released last week to illustrate the means of breaking the algorithm detailed by a Dutch team and Google.

When the Dutch team and Google released partial details of the attack method they had devised, they also released as proof two PDFs that had the same hash but different content.

Soon after this, the version control system used by the WebKit browser engine became corrupted after these two proof-of-concept PDF files were uploaded to its repository.

WebKit uses Apache SVN to keep track of code submissions, and SVN uses SHA-1 to track files and avoid duplication, as do many other projects.

A means of exploiting the weakness is now available on a website. The researcher in question has released a script written in the Python programming language that can create two PDFs with different content and the same hash.

The security researcher said he took apart the two PDFs to understand the means of attack better, because he found that the explanation offered by the Dutch team and Google was "not very helpful in understanding how they produced the PDFs".

He managed to recreate the attack in practice and wrote the Python script, which can create two files that could be used in an attack.

Meanwhile, Subversion developers have now released a script that sysadmins can use to prevent this glitch; it will reject both the proof-of-concept PDFs and any others that attempt the same hack.

Asked whether git, the distributed version control system created by Linux creator Linus Torvalds, was susceptible to an attack similar to that on Apache SVN, he said he had released two patches to mitigate any likely attacks.

He also said that git was more secure against such attacks even in its unpatched state.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
