DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
May 15, 2008
Debian and Ubuntu OpenSSL generates useless crypto keys
On Tuesday, the Debian project admitted that security expert Luciano Bello had discovered that an update to Debian's OpenSSL package in 2006 weakened the system's Random Number Generator, making SSH and SSL encryption and authentication — used to secure communications for applications such as Internet banking — useless.
"Because this vulnerability affects the OpenSSL package, which is used for generating various keys including SSH keys, session keys for SSL/TLS connections, OpenVPN and DNSSec keys and others, the implications are quite significant," Nishad Herath, chief executive officer of security consultancy Novologica, told ZDNet.com.au.
The vulnerability primarily affects Debian and Debian-derived systems, such as Ubuntu, according to Metasploit founder, H. D. Moore. However non-Debian systems are also exposed, said Herath.
"Non-Debian systems are also made vulnerable if they were using key material generated on an affected Debian system. To make matters worse, all DSA keys used for signing and authentication purposes on an affected Debian system is also made vulnerable — the Debian official security advisory recommends that such keys be considered compromised," said Herath.
Metasploit's Moore, yesterday told IT Radio's Risky Business that patching won't fix the problem either.
"Patching the vulnerability does not remove the vulnerability — it just prevents it from happening from that point on," he said.
Gabriel Haythornthwaite, information security consultant for Castelain, told ZDNet.com.au this means: "An attacker, who is predicting what a key would have been at the time, can break into a session or can retrospectively gather information from the session."
Novologica's Herath said this is a "spectacular screw up" on the part of the maintainers of the Debian system.
"It is quite commonplace that package maintainers of certain Linux distributions modify the source code of a given package to suit the specificities of a particular distribution. However, these changes are often not submitted to the original developers of the package for scrutiny," he said.
The changes made to the Debian OpenSSL package ... is in my view a spectacular screw up that clearly demonstrates the dangers of this modification process, where changes are not reviewed by the original authors of the package let alone any third-party experts prior to being made available to the public."
The Debian project has published a detector for known weak key material, which also provides instructions for rolling over encryption keys.
Source: ZDNet Australia
All news for July, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
