Lockpicking script prompts alarm

By John Leyden
Published Friday 16th May 2008 18:33 GMT

The SANS Institute today took the highly unusual step of issuing a yellow alert over a vulnerability in the cryptographic functions of Debian, the Linux distro that underpins Ubuntu.

Earlier this week Debian warned that the use of a cryptographically flawed pseudo random number generator in its implementation of OpenSSL meant that potentially predictable keys were generated. Versions of Debian's OpenSSL packages starting with 0.9.8c-1 (released in September 2006) are vulnerable.

Fears that the cryptographic keys (including SSH, SSL session keys, OpenVPN and others) generated on affected systems may be weak were borne out by the discovery of scripts that allow brute forcing of vulnerable SSH keys. The SANS Institute Internet Storm Centre warns that SSL certificates should also be regenerated because of the same cryptographic flaw.

More here:
http://www.theregister.co.uk/2008/05/16/debian_openssl_flaw/

--
John Durham
Site http://modecideas.com
Server hosted on Ubuntu 4.10
Good advice is like good paint. It only works when applied.