Weekly security and privacy news review: SHA1, connected cars, SSL update, G Suite, unprotected server, drones and LEDs, Amazon Echo.
I’m experimenting with compiling a list of interesting articles each week. I’m trying to keep this quick and maintain a high signal-to-noise ratio.
This is huge news for the crypto community. Long deprecated, the SHA1 hash function now has a demonstrated hash collision. The collision took 110 GPU years to compute – we don’t yet have a way to produce arbitrary SHA1 hash collisions, and it still may be years until we do.
The SHA1 collision also broke the WebKit repository, due to problems in SVN. Perhaps the biggest question about SHA1 is how git will evolve – git uses SHA1 to compute unique hashes that identify versions. Git is not at risk today and will likely not be at risk for many tomorrows, but when the hammer falls it’ll fall hard.
Crackers in an organized operation used Microsoft Word documents to infect PCs with malware, record audio and export it via Dropbox.
Have a connected car? If it had a previous owner, that owner may still be able to control it via an app.
Good news, everyone (whew)! Half the web is now running over SSL.
G Suite administrators can now mandate the use of physical USB keys as a second factor for account access.
This is a hefty subject, but put simply, your security doesn’t help if you don’t use it. Make sure you’re actually using it! Unfortunately, Stewart International Airport in New York didn’t, and a server backup was left open to the Internet for a year. First of all, test your security! And second, encrypt your backups.
This is actually a pretty awesome hack. It’s really not likely to affect you, though if your computer starts blinking weirdly and you hear a drone over your shoulder, watch out! But it is very clever.
Amazon is fighting a legal attempt to subpoena audio collected by an Echo.