Hello, welcome to the Wednesday, May 27th, 2020 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Well, by now, everybody who is using hashes in order to verify the integrity of files is typically using SHA-2 or

SHA-256 and SHA-2512 as their hashing algorithms. Sha-1, MD-5-5, all their hashing algorithms

haven't really been used for quite a while. And back in 2015, NIST actually came up

with Shah 3 and Jim, who is doing a lot of malvary analysis, is wondering why Shah 3 really

hasn't sort of caught on yet. Virus Total, for example, which does offer various hashes to verify that

you have to correct sample, does not do Shah 3 now. Well, probably the main reason for this lack

of Shah 3 support is that there is sort of no real burning weakness in Shah 2 that would force people

to switch. Back when NIST actually put out the competition for Shah 3, there was some criticism

that this new hashing algorithm just isn't needed. But then again, the idea here was to

have this hashing algorithm ready and in use before any weaknesses in Shah to show up.

Now, for password hashing, where we have a very different threat model than for these file integrity

checks usually we have better algorithms now in play other than the Shaw family and as expected

we got an update for macOS catalina today so now we're up to macOS 10.15.5 and security update 2023.

The security content was also released for Mojave as well as for High Sierra.

And while we got last week updates for other operating systems like most notably iOS,

we didn't get any of the security details until today, because again, as expected,

there's a lot of overlap between these different Apple operating systems, so they always wait

until they have patches released for all of their operating systems.

Nothing sort of outrageously big here, I would say lots of privilege escalation, denial of service,

vulnerabilities, some sort of data leakage issues.

...