Tools circulate that crack Debian, Ubuntu keys
Newly found flaw yields tools that brute-force digital keys, certificates
Computerworld - A recently disclosed vulnerability in widely used Linux distributions can be exploited by attackers to guess cryptographic keys, possibly leading to the forgery of digital signatures and theft of confidential information, a noted security researcher said today.
HD Moore, best known as the exploit researcher who created the Metasploit penetration testing framework, called the vulnerability in Debian and Ubuntu systems "ugly" and said it will be a big job for administrators to find every flawed key, then reissue them.
The bug, noted Tuesday by the Debian Project, is in the random number generator used to produce a variety of digital keys, including SSH (Secure Shell) keys and SSL (Secure Socket Layer) certificates. The latter are widely used to secure traffic between users and secure sites on the Internet.
According to Moore, the bug makes it relatively easy to "guess" keys. In a blog post yesterday, Moore claimed he was able to generate 1024- and 2048-bit keys in about two hours.
Stronger keys, however, take considerably longer to create. He estimated that an 8192-bit RSA key set would take some 3,100 hours (about 129 days) to generate.
Moore also published several key-generating tools -- collectively dubbed "Toys" -- that included a shared library and a key generation script.
With that information out in the wild, other researchers banged the warning drum. "This is very, very, very serious and scary," said Bojan Zdrnja, an analyst at the Internet Storm Center (ISC) in a warning posted on the organization's site today.
Symantec Corp. also warned customers of its DeepSight threat network of the vulnerability and Moore's follow-on information and tools disclosures. The California-based company also noted that another hacker, "Markus M," published a tool that automates brute-force attacks of the key weakness to the Full Disclosure security mailing list.
That revelation pushed the ISC to up its INFOCon threat status to "yellow," a relatively rare occurrence. "The development of automated scripts exploiting keys looks like a real threat to SSH servers around the world," said Zdrnja in a later posting to the group's site.
It's not just users running Debian-based systems -- which includes the popular Ubuntu Linux distribution -- who are at risk, Moore cautioned, but virtually anyone. If data copied to other platforms has been secured by keys generated on a Debian distribution, that data could be snatched.
"There's a lot of different areas that you're going to have to look, not just within Debian," Moore said. "Administrators will have to audit every single key. Even systems that do not use the Debian software need to be audited in case any key is being used that was created on a Debian system."
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!