Hackin9

InfoSec News

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Proof-of-concept code targets Microsoft Dynamics Great Plains platform and can enable an attacker to transfer funds to accounts of their choosing.

 
More Americans read e-books in the last year, with 23% of those ages 16 and over going digital, compared to 16% last year, according to a Pew Internet and American Life Project survey.
 
It's easy enough to cut and paste text between apps, but these days, much of my iOS-composed text starts out in the aptly named Drafts, a stellar app from Agile Tortoise. Available for both the iPad ($3) and the iPhone ($2), Drafts is a catch-all bucket for typing messages, jotting down ideas, storing templates, and--just as useful--doing things with that text when it and you are ready.
 
G-Technology's G-Drive mobile is a portable, bus-powered external hard drive designed to complement your Apple laptop. It has an attractive aluminum case, a three-year warranty, and boasts USB 3 and FireWire 800 connectivity. The drive comes formatted as HFS+, so it's ready to use right out of the box with Macs new and old.
 
Lyman E Bertsch needs to run an application on a relative's computer. Installing the program isn't an option. Can Lyman run the program off a flash drive?
 

An article that may have gone overlooked, since it was published on Christmas by the Washington Times, highlights the risks of SSH (or really any public key encryption) when you don't manage the keys and the permissions those keys grant you. The article interviews Tatu Ylonen, who invented SSH in 1995. In essence, the problem isn't the technology but the management of it: those who deploy keys simply don't manage them. The private keys sit in predictable locations and are easily recognizable (i.e. they begin with -----BEGIN RSA PRIVATE KEY-----) if you have the right permissions on the machine.

The risk comes in that after keys are no longer used, they generally sit on the machine and still have access to whatever servers they were originally granted access for. In the Linux world, combine this with .history files (for instance) and you can very quickly traverse an entire infrastructure. Unlike digital certificates, there is no expiration date on an SSH key.

The example given in the article is essentially data-destroying malware that deletes data on each machine as it traverses an environment in an intelligent way using the SSH keys it finds. The problem is particularly acute when using keys that do not have passphrases (which is the norm). As the server side has no way to know whether a passphrase is required on the client's private key, there isn't a good policy-based way to require a passphrase-protected key for access either.

Some mitigations are requiring users to use passphrases on their private keys (and if you have the means to scan them, so much the better), regularly scanning your environment for the presence of SSH keys (grep is your friend) and limiting the locations where the private key is stored. Of course, this only takes you so far.
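As an added example (not part of the diary or any ISC tool; the function names are my own), here is the kind of scan the mitigations above call for: it walks a directory tree, picks out files carrying the PEM private-key header the diary mentions, and reports whether each key is passphrase-protected, which the file itself reveals (a Proc-Type: 4,ENCRYPTED header in legacy PEM, an ENCRYPTED PKCS#8 label, or the cipher name in the newer OpenSSH container). The paths and contents in SAMPLE_FILES are constructed stand-ins; feed walk_files("/home") to find_private_keys to run it against a real host.

```python
import base64
import os
import re
import struct
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+) PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def is_passphrase_protected(data: bytes) -> bool:
    """True if the private key in data cannot be used without a passphrase."""
    m = PEM_HEADER.search(data)
    label = m.group(1) if m else b""
    if label == b"OPENSSH":
        # New OpenSSH container: the first string after the magic is the cipher name; "none" = cleartext.
        b64 = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            return False
        off = len(OPENSSH_MAGIC)
        (clen,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + clen] != b"none"
    # PKCS#8 encrypted container, or legacy PEM (RSA/DSA/EC) flagged by a Proc-Type header.
    return label == b"ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in data

def walk_files(root: str, max_bytes: int = 8192):
    """Yield (path, first max_bytes) for every readable file under root; key headers sit at the top."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read(max_bytes)
            except OSError:
                continue

def find_private_keys(files) -> list:
    """From (path, bytes) pairs, return sorted (path, key label, passphrase-protected) per key found."""
    hits = ((path, PEM_HEADER.search(head), head) for path, head in files)
    return sorted((p, m.group(1).decode(), is_passphrase_protected(h)) for p, m, h in hits if m)

def openssh_pem(cipher: bytes) -> bytes:
    """Constructed minimal OpenSSH-format container (header fields only, no real key material)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLE_FILES = [  # constructed stand-ins for walk_files() output; none holds real key material
    ("/home/alice/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
    ("/home/alice/.ssh/id_rsa_old", b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nMIIE...\n-----END RSA PRIVATE KEY-----\n"),
    ("/home/bob/.ssh/id_ed25519", openssh_pem(b"none")),
    ("/home/bob/notes.txt", b"todo: rotate keys\n"),
]
```

Run the report against the output regularly and treat every unprotected key, and every key no longer tied to a current user, as a finding to rotate or remove.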

If it were an easy problem to solve (or, more accurately, one with a solution that is not labor-intensive), it would have been fixed by now.

What do you do to manage your SSH keys (or do you not manage them)?

--

John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
 
Polycom® HDX® Video End Points Web Management Cross Site Scripting (XSS) vulnerability
 
[ MDVSA-2012:184 ] libtiff
 
[SECURITY] [DSA 2590-1] wireshark security update
 
Open-Realty CMS 3.x | Persistent Cross Site Scripting (XSS) Vulnerability
 
Open-Realty CMS 3.x | Cross Site Request Forgery (CSRF) Vulnerability
 
Toshiba is preparing a 20-megapixel image sensor for digital cameras that it says will be the highest resolution of its kind.
 
With just a week left in the month, Windows 8's usage uptake has slipped behind Vista's at the same point in its release, according to data from Net Applications.
 
In the first of three parts, The H looks at what people were reading in 2012, month by month. From Anonymous weapons to fresh Linux kernels and from updated Ubuntu to open source hardware, it's all in The H Roundup of 2012.


 
An Iranian news agency has reported that a cyber-attack on industrial targets has been repulsed with the help of hackers. Now, however, the agency spokesperson cited in the reports is saying that that's not quite what they said.
 
NetBSD 6.0.1 fixes three denial of service problems with XML parsing, a crashing issue with the BIND DNS server and several minor kernel problems.


 
The year 2012 saw innovation, litigation, disruption and accomplishment. Of them all, what was the biggest tech story of 2012?
 
A jury in Pennsylvania has ordered chip maker Marvell Technology to pay $1.17 billion for patent infringement in one of the largest awards of its kind.
 
In Lost and Found this week: the return of macro viruses, malicious apps in stores, malicious modules in Apache servers, tapjacking, cracking encrypted drives through FireWire, btrfs and hashing with cats.


Infosec ignorance is not an option for enterprises (IT PRO)
Reports suggest more than half of enterprises lack infosec knowledge and a third admit to not being aware of recent business cyber security epidemics. What's gone wrong? Davey Winder tries to answer that very question. By Davey Winder, 27 Dec 2012 at ...

 