All the latest UK technology news, reviews and analysis

Researchers develop SSH cracker

by James Middleton

20 Aug 2001

Be the first to comment

  • Tweet this

Researchers at the University of California at Berkeley have discovered more vulnerabilities in Secure Shell (SSH) which allow an attacker to learn significant information about what data is being transferred in SSH sessions, including passwords.

SSH was designed as a secure channel between two machines, based on strong encryption and authentication. But by observing the rhythm of keystrokes, and using advanced statistical techniques on timing information collected, attackers can pick up significant details.

Further reading

Each keystroke from a user is immediately sent to the target machine as a separate IP packet. By performing a statistical study on a user's typing patterns, and applying a key sequence prediction algorithm, the researchers managed to successfully predict key sequences from inter-keystroke timings.

A password cracker program, dubbed Herbivore, was developed on the back of the research. Herbivore is capable of learning a user's password by monitoring SSH sessions.

"Unfortunately, SSH is not as bullet proof as one would hope. Our attack shows that an eavesdropper can learn sensitive information about a user's data, such as passwords, over SSH," said Dawn Xiaodong Song, one of the researchers.

Another vulnerability allowing remote access to SSH accounts with two character passwords was also discovered last week.

A white paper, entitled Timing Analysis of Keystrokes and Timing Attacks on SSH, is available here.

Do you agree?

Add your comment
 

Add your comment

We won't publish your address
By submitting a comment you agree to abide by our Terms & Conditions. Your comment will be moderated before publication.
Submit your comment

Latest stories from Security

Concept image of broken USB representing a data leak

Nuclear watchdog loses USB containing data on power plant in Hartlepool

Related white papers

Related articles

Related jobs

Today's top stories

Microsoft Windows 8 start screen

Top 10 Microsoft Windows 8 features to be excited about

Barclays Pingit Application in use on an iPhone

Barclays launches Pingit mobile payment service for iPhone, Android and BlackBerry

V3 reporter Dan Worth

World-changing CERN experiments highlight humanity’s intrinsic curiosity

Poll

IT priorities for 2012

What is the most important IT priority for your company this year?

99%

0%

1%

0%

0%

Features

V3 reporter Dan Worth

World-changing CERN experiments highlight humanity’s intrinsic curiosity

V3 and The INQUIRER editor Madeline Bennett

BBC and Sky News show tough love with Twitter policies

V3's Rosalie Marshall

World indulges in a Facebook facts fest as firm prepares to float

facebook-new

Top five most interesting figures from Facebook’s IPO

More features

Connect with V3.co.uk

Sign up to our daily or weekly newsletters

Case studies and reports

Accurev

Top 5 software development challenges

This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes

Talend

Rubbish in, rubbish enterprise

Why good data management at all levels is essential in the modern business (video, 6mins)

Technology jobs

Business Analyst - Telecoms

Business Analyst urgently required with a background...

Business Architect - Financial Services

We have an opportunity for an experienced Business Architect...

DBA - Unix Systems Support - Investment Management

Leading Institutional Investment Manager require an individual...

Senior Manager - IT Project Management - Fund Mgt

Leading Institutional Fund Manager require a Senior IT...

To send to more than one email address, simply separate each address with a comma.