  #1  
Old 18th May 2008, 11:19 AM
cabra de monte
Weakness in Debian undermines crypto

http://www.securityfocus.com/brief/739


A flaw in the way that OpenSSL is implemented in the Ubuntu and Debian distributions of Linux has earned the software an unenviable adjective in the world of encryption: Predictable.
On Tuesday, the team behind the popular Ubuntu distribution of Linux announced that it had issued a patch to fix a flaw inadvertently added to the OpenSSL code which dramatically reduced the number of possible keys generated by the software. While the flaw is in OpenSSL, the same code is used to generate keys for a number of other popular programs, including OpenSSH, OpenVPN and SSL certificates.
"All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied," the advisory stated.
Underscoring the danger of the attack, security researcher HD Moore posted tools on Wednesday to help researchers -- and attackers -- brute force the key combinations in a matter of hours.
"Any SSH server that uses a host key generated by a flawed system is (subject) to traffic decryption and a man-in-the-middle attack would be invisible to the users," Moore stated on a page set up to explain the attack. "This flaw is ugly because even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
The Ubuntu Linux distribution -- perhaps the most popular flavor of the open-source operating system -- has had a number of security issues in the past three years. In 2006, a programmer found that the Ubuntu installer left behind passwords used during installation, stored in plain text on the disk. Last year, the Ubuntu project had to shut down five of eight community-run servers, when attackers exploited the outdated operating systems on the servers to compromise the machines.
The latest flaw was introduced in the system because developers removed a line of code that had caused warnings about the use of uninitialized data when any program was linked to the OpenSSL library, Moore said.
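The article explains why the keys became "predictable": once the code that mixed uninitialized data into the pool was removed, the only entropy left in the affected builds was the process ID, so the generator could produce only as many distinct keys as there are PIDs. The following toy model is an added example, not code from the article, from Debian or from OpenSSL, and it does not reproduce the real defective generator; it assumes a stand-in PRNG (`weak_key`) seeded with nothing but a 15-bit PID, and shows both sides of the advisory's point: the key space collapses to roughly 32k candidates, and the correct audit is a blacklist check on the key material itself, which works "regardless of the system on which they are used" because it never looks at the host.

```python
import hashlib
import secrets

MAX_PID = 32768  # default Linux pid_max in 2008: PIDs 1..32767


def weak_key(pid: int) -> bytes:
    """Toy stand-in for the flawed generator: the key depends only on the PID.

    Constructed for this example; it is NOT OpenSSL's algorithm. The point is
    that with PID as the sole entropy input the output is a pure function of pid.
    """
    seed = pid.to_bytes(4, "big")
    return hashlib.sha256(b"toy-weak-prng:" + seed).digest()[:16]


def strong_key() -> bytes:
    """Properly seeded generation: 128 bits from the OS CSPRNG."""
    return secrets.token_bytes(16)


def weak_keyspace_size(max_pid: int = MAX_PID) -> int:
    """Count how many distinct keys the weak generator can ever emit."""
    return len({weak_key(pid) for pid in range(1, max_pid)})


def fingerprint(key: bytes) -> str:
    """Fingerprint used for the blacklist; any stable digest of the key works."""
    return hashlib.sha256(key).hexdigest()


def build_blacklist(max_pid: int = MAX_PID) -> set[str]:
    """Precompute fingerprints of every key the weak generator can produce.

    This mirrors what the distribution blacklists did: enumerate all PIDs,
    generate the key each one yields, and publish the fingerprints so that any
    host can audit keys without knowing where they were generated.
    """
    return {fingerprint(weak_key(pid)) for pid in range(1, max_pid)}


def audit_key(key: bytes, blacklist: set[str]) -> bool:
    """Return True if the key is a known weak key and must be regenerated."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct weak keys:", weak_keyspace_size())      # 32767, vs 2**128 for strong_key
    print("key from PID 4242 flagged:", audit_key(weak_key(4242), bl))
    print("fresh strong key flagged:", audit_key(strong_key(), bl))
```

Enumerating the toy key space takes a fraction of a second; the real tools took hours per key type and architecture because each candidate PID meant running full RSA or DSA key generation with the broken seed. The defensive takeaway is the same either way: a key whose fingerprint is on the blacklist is compromised wherever it now lives, and the only fix is to regenerate it on a patched system and rotate it everywhere it was deployed.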
  #2  
Old 18th May 2008, 11:46 AM
El Emo Jisjoper.
I stopped at the first 7 words.
  #3  
Old 18th May 2008, 12:01 PM
Gaignun
Another hole in Ubuntu. Crap! Brute force seems the way to break things. Breaking Ubuntu is easy, it seems. I was looking at a new type of malware that is stored in the privileged part of the CPU and starts attacking the PC.

Last edited by Gaignun; 18th May 2008 at 12:29 PM.
  #4  
Old 18th May 2008, 12:23 PM
Super Kanky Tony
Quote:
Originally Posted by El Emo Jisjoper.
I stopped at the first 3 words.
  #5  
Old 18th May 2008, 01:17 PM
brb
Make yourself a summary of that summary.