Skip to main content

Another nail in the coffin for MD5

While collisions in MD5 hashes are nothing new, this most recent study by Wegner, Stevens, Lenstra (Article Link ) adds even more concern to the trustworthiness of an MD5 hash. If you can't trust a signed executable, what can you trust? I think nothing. Their technique however requires much premeditation. Its not as if you can create a collision on an existing executable. To be effective in a malicious way, it would require that you create two executables up front with the same hash. This is done by appending 832 bytes of useless data to the existing executables. As you can imagine, this would make it very easy for a criminal to create two versions of software, one with a backdoor, that have the exact same MD5 hash. Of course, it would be easy for them to get the good one signed and then create a download site with the malicious one. While this is somewhat sophisticated, i could definitely see this being utilized by the hack for money crews. It doesn't take much to get your software posted on some shareware download site. Also, I could see elite crews even trying to get drivers signed in this method. So what are we supposed to do about it? The authors of the paper suggest that SHA-1 is much more resistant to collisions and is a better alternative. Despite that, I think a search for a better hashing and signing algorithm get underway if it already hasn't. I don't think the threat is imminent by any means, but we will need something stronger in place within the next 2-3 years.
Labels:

Comments

Post a Comment

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...
2 comments
Read more

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...
Post a Comment
Read more

The Growing Divide: InfoSec Practitioners vs. Climbers

The Problem In our current age, where sound bytes, marketing reports, and short term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows, will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business in a narcissistic attempt to make heroes (aka promotions, bonuses, etc) out of paper IT Security leaders (aka PISOs) The Reality First things first, I’m a realist ™ . There are both positive and negative c...
Post a Comment
Read more