Some French and Singaporean researchers recently demonstrated a practical attack against SHA-1 hashing by performing a PGP/GnuPG impersonation attack. The team used an Nvidia GTX 970 at an estimated rental cost of $11,000 USD for a collision and $45,000 USD for a chosen-prefix collision. In total the attack took about two months to complete.
Such news is similar to the practical attacks shown in 2009 against MD5. Signature schemes and handshake security in “secure” protocols such as TLS and SSH are now known to be vulnerable.
It is recommended to remove SHA-1 from the selected hash algorithms in any tool or protocol you are using. Legacy GnuPG still uses SHA-1 by default for identity certifications.
CVE-2019-14855 was assigned to this demonstration.
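To find identity certifications on a keyring that still rely on SHA-1 (or MD5), the packet listing can be audited. The following is an added example, not code from the researchers or from GnuPG: it assumes the text layout printed by `gpg --list-packets`, uses the RFC 4880 hash algorithm IDs (1 = MD5, 2 = SHA-1), and runs on a constructed sample listing.

```python
import re

# RFC 4880 hash algorithm IDs that should no longer back a signature.
WEAK_DIGESTS = {1: "MD5", 2: "SHA-1"}
# Signature classes 0x10-0x13 certify a user ID (identity certifications).
CERT_CLASSES = range(0x10, 0x14)

SIG_RE = re.compile(r"^:signature packet: algo \d+, keyid ([0-9A-Fa-f]+)")
CLASS_RE = re.compile(r"sigclass 0x([0-9A-Fa-f]{2})")
DIGEST_RE = re.compile(r"digest algo (\d+)")

def weak_certifications(listing):
    """Return (issuer keyid, sigclass, digest) for each weak identity certification."""
    findings = []
    keyid = sigclass = None
    for line in listing.splitlines():
        m = SIG_RE.match(line)
        if m:                                  # a new signature packet starts
            keyid, sigclass = m.group(1), None
        elif line.startswith(":"):             # any other packet type
            keyid = None
        elif keyid is not None:                # detail line of a signature
            c, d = CLASS_RE.search(line), DIGEST_RE.search(line)
            if c:
                sigclass = int(c.group(1), 16)
            if d and sigclass in CERT_CLASSES and int(d.group(1)) in WEAK_DIGESTS:
                findings.append((keyid, hex(sigclass), WEAK_DIGESTS[int(d.group(1))]))
    return findings

# Constructed sample in the shape of `gpg --list-packets` output (not a real key).
SAMPLE = """\
:public key packet:
\tversion 4, algo 1, created 1500000000, expires 0
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1500000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 12 34
:signature packet: algo 1, keyid BBBBBBBBBBBBBBBB
\tversion 4, created 1600000000, md5len 0, sigclass 0x10
\tdigest algo 8, begin of digest ab cd
:signature packet: algo 1, keyid CCCCCCCCCCCCCCCC
\tversion 4, created 1400000000, md5len 0, sigclass 0x12
\tdigest algo 2, begin of digest 9a bc
:public sub key packet:
\tversion 4, algo 1, created 1500000000, expires 0
:signature packet: algo 1, keyid AAAAAAAAAAAAAAAA
\tversion 4, created 1500000000, md5len 0, sigclass 0x18
\tdigest algo 2, begin of digest 56 78
"""

if __name__ == "__main__":
    for keyid, sigclass, digest in weak_certifications(SAMPLE):
        print(f"{digest} certification (sigclass {sigclass}) issued by {keyid}")
```

The subkey binding signature (sigclass 0x18) in the sample is deliberately not reported, since the check is scoped to identity certifications only.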
The FBI has asked Apple to help it unlock two iPhones that belonged to the murderer Mohammed Saeed Alshamrani, who shot and killed three young US Navy students in a shooting spree at a Florida naval base last month.
Late on Monday, FBI General Counsel Dana Boente sent the letter to Apple’s general counsel.
The FBI argued the same case after the San Bernardino shooting.
Namely, the bureau says that it’s asked for help from other federal agencies – it sent the iPhones to the FBI’s crime lab in Quantico, Virginia – and from experts in other countries, as well as “Familiar contacts in the third-party vendor community.”
The dog and pony show continues for the FBI, which always pretends it does not have access to 0day or publicly updated jailbreaking methods such as checkm8 or checkra1n.