Risky Business NEWSFLASH -- Debian disaster more serious than first thought... interview with H D Moore

Previously on Risky Business...
14 May 2008 » Risky Business

(UPDATE: H D Moore's PRNG Debian toys can be found here.)

This is a special newsflash edition of Risky Business, posting at 4pm on Wednesday May 14. Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.

That means you SSH and SSL content encryption AND authentication has been rendered ineffective. Not only are your server generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.

H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.

Risky Business spoke to H D Moore via a VoIP line to his mobile phone in Texas, where he's pulling a late night working on this...

UPDATE: Here's a quick script to re-generate your ssh keys, and display the fingerprint (dont forget to update your openssl first!!)