All the latest UK technology news, reviews and analysis
|
|
|
21 May 2008
Security experts have warned of a suspected vulnerability in the Debian and Ubuntu Linux operating systems.
Fortify Software confirmed the findings of a posting to the Debian security list last week, which detailed a critical vulnerability in the Open Secure Sockets Layer (SSL) packages within Debian and Ubuntu.
Fredrick Lee, a researcher at Fortify, claimed that the posting actually understates the potential seriousness of the flaw.
"We are calling this vulnerability 'insecure randomness' since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions," he said.
Lee explained that a malicious user could intercept an ostensibly secure online banking session between a customer and their bank.
"What's worse is that our researchers calculate this flaw has been available to hackers for more than two years," he said.
The problem stems from a bug fix issued by Debian programmers that effectively "emasculates" the randomness engine required to ensure true security within the SSL module.
"Had we been contacted as part of the release strategy, as a number of other developers do, the flaw would have been immediately identified by our research team before the insecure update was released to the public," said Lee.
Latest stories from Open Source
Related articles
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
We have been given the privilege of recruiting for a...
My client is a proprietary, electronic trading firm and...
Our client is looking for a Senior Project Manager (Telecoms...
Business Analysts are being sought by my leading financial...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
hmm...
"Security experts have warned of a suspected vulnerability in the Debian and Ubuntu Linux operating systems." If by "Security experts" you mean the Debian developers themselves, well yes. Its not a "suspected vulnerability" it was a vulnerability, period. And its already been fixed. Your report is out of date. Go back to sleep. "Fortify Software confirmed the findings" Did we need Fortify to confirm it ? "Fredrick Lee, a researcher at Fortify, claimed that the posting actually understates the potential seriousness of the flaw." No it doesn't. Thats just FUD. Or maybe you are confusing free software developers with a corporate interest trying to cover its own ass. "What's worse is that our researchers calculate this flaw has been available to hackers for more than two years," No, your "researchers" didn't do anything. Debian developers already freely, openly, and transparently said recently that this was in fact the case. Nobody had noticed it before. "The problem stems from a bug fix issued by Debian programmers that effectively "emasculates" the randomness engine required to ensure true security within the SSL module." This information came directly from the Debian developers themselves. "Had we been contacted as part of the release strategy, as a number of other developers do, the flaw would have been immediately identified by our research team before the insecure update was released to the public," Rubbish. Debian is a free software project which you are free to contribute to. And it is for you to contribute, not for others to beg you for help: Help which obviously has no value since all you can do is regurgitate second hand information anyway. So have you joined the Debian team ? Do you have people actively involved with Debian development ? Do you agree with Debian's Social Contract ? Are you contributing to anything at all ? From what I can see here, you're not.
Posted by: Eruaran 22 May 2008