Security Watch

I'm Thinking of a Number

OpenSSH flaw in Debian and derivatives not as serious -- yet. Also, IE printing flaw; Belgium and India attack China; more.

Passing Random Numbers vis OpenSSH
Debian and Debian derivatives such as Ubuntu introduced a relatively predictable random number generator into their distribution of OpenSSH. The flaw, introduced almost two years ago, has resulted in numerous encryption keys being generated that should have been unique and which were, in fact, identical. The most likely attack would be that a criminal manages to use a user certificate that wasn't issued to him or her. Patches are available but may be onerous.

SSH has been under heavy attack for quite some time, long before knowledge of this vulnerability was made public. Those attacks have not been attempts at exploiting this vulnerability. Instead, attempts have been made to find relatively insecure implementations using guessable or known passwords. As such, anyone with an OpenSSH implementation has likely already taken steps to minimize exposure to untrusted sources, and tools included with OpenSSH such as fail2ban are available to mitigate such attacks.

We believe the likelihood of exploitation is largely overstated. Certainly this is an important issue and a serious vulnerability and you should take the appropriate steps to mitigate it by applying patches and regenerating keys. However, this should be done from the standpoint of reinstating the trust you thought you had in this area of critical security infrastructure, more so than because there's a fear the vulnerability may be attacked. Should attacks change to target this vulnerability, sufficient monitoring is being done around the Web to alert you.

IE Printing Flaw Can Let Crooks In
Yes, IE has a vulnerability in the way it handles HTML when it produces its own copy of a Web page for printing with the "Table of Links" option chosen. IE creates an HTML copy that is formatted in such a way that the links contained on the page printed at the bottom after the regular HTML. In that process, IE does not parse the links but merely takes their inner value "as is." A criminal can craft a page with links in them that, when rendered by this printing process, will actually execute in the Local Machine Zone while printing. No updates are available.

Well, this one is interesting from the perspective that an attempt to create a hard copy of HTML may, in fact, cause malicious code to execute. Beyond that, it's highly unlikely to be used. Not only do I have to get you to the criminally crafted site, I have to convince you to print it and then get you to print it with the list of links included. Nobody is suggesting people don't print pages with lists of links on them, but the criminal's HTML is likely going to get picked up by either a phishing filter or your AV if it's truly malicious. That said, Microsoft really needs to do a good double-check on everything they consider to be in the Local Computer Zone.

Belgium, India Point Fingers at China
Several reports claim that the Belgium Justice Minister and "unnamed government sources" in India have lately claimed attacks on government servers from IP addresses originating in China, once again leading to the speculation that the Chinese Liberation Army or Chinese government itself are behind the attacks.

This really is getting awfully boring. Did I ever tell you that at one time, during the peak of NTBugtraq, I actually blocked huge ranges of Asian IP addresses? I was totally fed up with the amount of spam, and at the same time wondered "who would I be preventing access to if I did so?" Well, clearly it was a dumb idea for NTBugtraq and it wasn't long before a good friend in New Zealand asked why I was preventing him access to the site. Oops!

The point is, you can look into your logs and do a Whois and decide; "Well, that IP comes from China, so it must be a Chinese criminal!" However, it may just be a criminally controlled server, and how do you know where the criminal is who is controlling it? There are ways to be more deterministic about who is actually sending the packets to you, but there's no small amount of effort involved. If that server in China is getting connections from many sources, any one of them could be the criminal who is controlling it -- but of course, it may very well be someone at the keyboard.

The bottom line is that it is impossible, strictly from your own logs, to determine who is actually behind the attacks you receive. It takes more than that. This speculation is far from helpful.

Hacker with a Hacksaw?
Hopefully another copper criminal has bitten the dust. A 12,000 volt line on a hydro poll was cut, apparently with a hacksaw, ensuing in a fire and power outage. The criminal has not been found. PG&E, the power company who owned the line, said that their copper is of such high quality that anyone offering it for purchase should easily be able to identify it as belonging to PG&E.

A hacksaw was found nearby, charred! So too were a pair of burnt up gloves!! Ergo, stands the reason the criminal's hands, at least, have severe burns too. Great, another one bites the dust! I don't know about you, but I get a kick out of thinking about a criminal so dumb as to think they can somehow cut such a wire while it's live and live to tell about it.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular