#SHA-1

Maybe you've heard of it, and maybe you haven't. But Google just impressed the world again by producing the first successful SHA-1 collision attack ever. And that means it's officially time for services to migrate to safer cryptographic hashes. 

Let's back up. SHA-1, Secure Hash Algorithm 1, is a very popular cryptographic hashing function designed in 1995 by the NSA as a part of the Digital Signature Algorithm. Similar to other hashes, SHA-1 converts any input message to a long string of numbers and letters, operating as a cryptographic fingerprint for that particular message. For about a decade, researchers have been warning about the lack of security of SHA-1, but it still remains widely used. Now, SHA-1 is officially dead after a team of researchers from Google and the CWI Institute in Amsterdam completed the first ever successful SHA-1 collision attack. A collision attack appears when the same hash value is produced for two different messages, and those can be exploited to forge digital signatures, allowing attackers to break communications.

The Google and CWI published research detailing their successful SHA-1 collision attack, named 'SHAttered.' The findings present two PDF files that have the same SHA-1 hash, but show different messages. The attack cost around $110,000 to carry out on Amazon's cloud computing platform. Spare change for the big G. According to The Hacker News, "Google is planning to release the proof-of-concept (PoC) code in 90 days, which the company used for the collision attack, meaning anyone can create a pair of PDFs that hash to the same SHA-1 sum given two distinct images with some pre-conditions." That means any organization who still relies on  SHA-1 algorithm has 90 days to replace it with the more secure one. Luckily, Google and researchers have released a free detection tool that can tell if files are part of a collision attack.

This attack required over 9,223,372,036,854,775,808 SHA-1 computations. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations -researcher on the project

Interested in digging digitally deeper on hashes? Check out 'Using Kali Linux to Identify Hashes.'

#stethoscope

Netflix is recommending more than just TV series these days. Our binge-watching buddies released 'Stethoscope,' an open source web application that gives users specific recommendations for securing their computers, smartphones, and tablets. Because Netflix and chill is much harder when your device has a virus. As an extreme BYOD company, Netflix wants to help employees self-diagnose their devices. Stethoscope scans the devices and provides recommendations on security measures that should be taken, but allows employees to perform the tasks on their own time. But make no mistake, this isn't a consumer product. It's a web-based tool that any organization can compile itself from the code that Netflix has provided on GitHub. It works by analyzing a device’s disk encryption, firewall, automatic updates, operating system and software updates, screen lock, jailbreaking or rooting, and installed security software. Then, each recommendation is assigned a rating to show how important it is.

Part of  Netflix's “user focused security” approach, the company operates on the theory that it is better to provide employees actionable information and tools, rather than relying on heavy policy enforcement. In a recent post by Security Week, they say "Stethoscope is not the only open source security tool released by Netflix. The company has made available the source code for several of the applications it uses, including the XSS discovery framework Sleepy Puppy, and the threat monitoring tools Scumblr and Sketchy."

It’s important to us that people understand what simple steps they can take to improve the security state of their devices, because personal devices–which we don’t control–may very well be the first target of attack for phishing, malware, and other exploits -Jessy Kriss and Andrew White of Netflix’s information security team

The interview 'Professor Angela Sasse on Human-Centered Security' discusses why improving the usability of security can positively impact an organization’s profits.

#robottax

We're not in the middle of a Sci-Fi film. No, the idea of imposing a robot tax is real, and it comes from Microsoft founder Bill Gates while discussing how artificial intelligence could affect the job market. 

There is a growing concern over automation making many jobs obsolete, and as a hotly debated topic, is one that comes with many opinions. Elon Musk has suggested governments are going to have to start providing a universal basic income to every citizen. On the other end of the spectrum is Gates, who said in a recent interview with Quartz editor-in-chief Kevin Delaney that it may not be a bad idea to tax companies who replace human labor. Critics of this idea say it could slow innovation. A point which Gates has combated saying that may be necessary as people transition to an artifical intelligence filled future.

Is there a right answer to this growing concern? Not at the moment it seems, but Gates' thinking is this: “Right now, the human worker who does, say, $50,000 worth of work in a factory, that income is taxed and you get income tax, security tax, all those things,” said Gates. “If a robot comes in to do the same thing, you’d think that we’d tax the robot at a similar level.” This isn't a new idea, however. A similar proposal on robot tax was recently rejected in the European parliament.

45% of America’s occupations will be automated within the next 20 years -Oxford researchers

Want to form a stronger opinion on the artificial intelligence debate? Read 'Artificial Intelligence in the Cyber Domain.'

#factbyte

A new study from the Information Systems Audit and Control Association (ISACA), has found that less than 25% of cyber security job applicants are qualified for the job. 

#certspotlight

One of the biggest struggles in the field of application security is trying to convince customers and clients to pay attention to the security of public facing sites that do not transmit sensitive data.Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.