Weblog entry #2 for gouki

(OpenSSL) The problem, with facts
Posted by gouki on Thu 15 May 2008 at 20:45
Well, things have finally calmed down regarding the OpenSSL problems. Not that it's necessarily bad to see that many posts and news. One can actually think it's a good thing that problems are addressed and discussed, but I was starting to get tired of reading nothing more than a bunch of complaints.

News flash: Shit happens!

I actually had a big text about the package maintainer, the severity of the problem, etc, etc, etc written, but it's better to just be quiet, since I can't do it any better.

Exploitation

After reading so much about it, I was intrigued by how the super-easy-because-of-the-32,767-possible-outcomes to crack attack would work, and hdm (from Metasploit) answered that in a great paper:

http://metasploit.com/users/hdm/tools/debian-openssl/

The keys were generated and made available:

http://sugar.metasploit.com/debian_ssh_dsa_1024_x86.tar.bz2
http://sugar.metasploit.com/debian_ssh_rsa_2048_x86.tar.bz2

And a script to use them has been published to Metasploit:

http://milw0rm.com/exploits/5622

After giving it a try on an unpatched virtual machine, I understood the real severity of the problem.

 

Comments on this Entry

Posted by ajt (204.193.xx.xx) on Fri 16 May 2008 at 11:44
You're right, it's really important to understand that all software is buggy and even if you use the best software, on the best distro, of the best Unix of the best type of operating system, then problems still happen.

The attitude of I use "XZY" and it's not Windows so I'm okay is dangerous.

Security is a process, not a state, and is best approached with a breadth and depth strategy. Just because you use SSH does not make you instantly and permanently secure. SSH is more secure than Telnet, but if it's incorrectly configured or buggy then it can potentially offer no security at all.

For example, I've long held a view that while a firewall is a useful tool, it has also become a dangerous "safety blanket" that people cling to without thinking through exactly what it is and what it really does.

Broken SSL is bad, but it's a good opportunity to fix things and do them better.

--
"It's Not Magic, It's Work"
Adam
