Security
Tools circulate that crack Debian, Ubuntu keys
A recently disclosed vulnerability in widely used Linux distributions can be exploited by attackers to guess cryptographic keys, possibly leading to the forgery of digital signatures and theft of confidential information, a noted security researcher said Thursday.
Related links
No results were found for your search.
Your query is too restrictive.
You might want to try: security
Story tools
Sponsored by:
E-Mail article
|
|
Print article
|
|
Contact author
|
|
AIM article
|
del.icio.us |
Reddit
|
Digg
|
Stumble
|
Slashdot It!
|
HD Moore, best known as the exploit researcher who created the Metasploit penetration testing framework, called the vulnerability in Debian and Ubuntu systems "ugly" and said it will be a big job for administrators to find every flawed key, then reissue them.
The bug, noted Tuesday by the Debian Project, is in the random number generator used to produce a variety of digital keys, including SSH (Secure Shell) keys and SSL certificates. The latter are widely used to secure traffic between users and secure sites on the Internet.
According to Moore, the bug makes it relatively easy to "guess" keys. In a posting to his blog Wednesday, Moore claimed he was able to generate 1024- and 2048-bit keys in about two hours.
Stronger keys, however, take considerably longer to create. He estimated that an 8192-bit RSA keyset would take some 3,100 hours (about 129 days) to generate.
Moore also published several key-generating tools -- collectively dubbed "Toys" -- that included a shared library and a key generation script.
With that information out in the wild, other researchers banged the warning drum. "This is very, very, very serious and scary," said Bojan Zdrnja, an analyst at the Internet Storm Center (ISC) in a warning posted on the organization's site Thursday.
Symantec also warned customers of its DeepSight threat network of the vulnerability and Moore's follow-on information and tools disclosures. The California-based company also noted that another hacker, "Markus M," published a tool that automates brute force attacks of the key weakness to the Full Disclosure security mailing list.
That revelation pushed the ISC to up its INFOCon threat status to "yellow," a relatively rare occurrence. "The development of automated scripts exploiting keys looks like a real threat to SSH servers around the world," said Zdrnja in a later posting to the group's site.
| Use this form to start a public discussion with other Linux World users on this article. Log In | Register for an account (Why you should) |
Note: Register to have your user name appear; otherwise your comment will show up as "Anonymous."
*Anonymous comments will only appear once they are approved by the moderator.
• Dell puts Linux and Atom in Vostro PCs
• Mozilla names best Firefox 3 add-ons
• Torvalds: Fed up with the 'security circus'
• Dell Latitude ON - big win for Linux
• Open source advocates hail appeals court ruling
LinuxWorld Conference and Expo San Francisco, August 4-7, 2008.
Linux Plumbers Conference Portland, OR, Sept. 16-19, 2008.
FreedomHEC Santa Monica, November 8-9, 2008.