Wednesday
May142008

Let the Brute Forcing Begin - Vulnerable SSH Keys Publicly Released

Yesterday I posted about a vulnerability in OpenSSL that limited the entropy used to generate encryption keys. HD Moore did some research on this topic and discovered the only variable used to generate a key on a vulnerable system was the PID of the process generating the key. The default maximum number of PIDs on a Linux system is 32,767. Which means there are 32,767 possible keys that can be generated for each algorithm and key size. Yikes!

Next HD generated all possible 1024-bit DSA and 2048-bit RSA keys for SSH and posted them online for folks to download. His cluster is presently working on generating the 4096-bit keys.

So what can be done with these keys? Someone could use them to brute force SSH accounts that allow public key authentication using a key generated on a vulnerable system. Today someone would have to write their own tool to perform this attack but HD will soon release a tool to perform this task.

Earlier this week the ISC reported an increase in SSH brute force attacks? I wonder if someone beat HD to the punch and generated the keys and started brute forcing systems last week.

Again if you run Debian or Ubuntu patch your systems and be sure to regenerate your keys!

Cheers,
Matt

Update: The ISC did a write-up on this as well. http://isc.sans.org/diary.html?storyid=4420

Wednesday
May142008

New Penetration Testing Webcast by Ed Skoudis

Those crazy enough to be up for a red-eye SANS webcast this morning got a real treat. Today at 7:00 AM EDT Ed Skoudis gave a presentation on “Evolving Computer Attack Tools and Techniques.” This was the second part in a multi-part serious Ed is giving on penetration testing techniques. Tom did a great write-up on the first webcast.

Today's webcast covered the Nmap Scripting Engine (NSE), Cain and pass the hash attacks. The webcast concluded with an overview of Intelguardians' research on the cold boot attack.

Folks who listened to the webcast also got a discount code for SANs 560, SANs new penetration testing class written by Ed.

The audio and slides for the webcast available here.

Cheers,
Matt

Tuesday
May132008

Critical Ubuntu and Debian Vulnerability

Ubuntu and Debian users take note. Today Ubuntu and Debian released patches to the OpenSSL package to fix a critical vulnerability in how the package generates encryption keys. Roughly two years ago the maintainers removed the call to the system's random number generator. This makes all keys generated on affected systems predictable. This vulnerability affects SSH keys, OpenVPN keys, DNSSEC keys, SSL/TLS session keys and key material in X.509 certificates.

Any Ubuntu or Debian users should download and install the updated packs and regenerate any keys made in the past two years.

Here is a link to the advisory:
http://www.debian.org/security/2008/dsa-1571
http://www.ubuntu.com/usn/usn-612-1

Cheers,
Matt

P.S. Special thanks to Chris for bringing this to my attention.

Monday
Apr282008

Twitter

Its official, I am now a Twit!

A week or so ago I gave in and joined Twitter. After being on it for a week I must admit I am hooked. As cheesy as it sounds I do have a better connection with my friends but I also have a better connection with the security subculture that is starting to us Twitter. That is the real value I see in Twitter.

At Notacon I talked with a bunch of folks regarding how they keep up to date on security. A number of them mentioned they use Twitter for this, two folks even said they stopped RSSing blogs all together and just used Twitter to keep up to date. That is actually the main reason I joined, also Tom and I made a pact to join if the other one did.

For those of you on Twitter here is my profile. Here are some of the security Twits I follow: Agent0x0, Pauldotcom, Martin McKeay, McGreySecurity, Window and Spacerog.

If you are already on Twitter follow me. If you aren't on Twitter give it a try! You might be surprised how useful it can be.

Cheers,
Matt

P.S. The Twitter Fan Wiki is an excellent source if you need a hand getting up and running.

Saturday
Apr262008

Shout Out

Shout out to Morningstar at the Shadows and Dust blog.

Cheers,
Matt