Articles about ssh

Liberating SSH from Logjam leftovers

A recent Request for Comment at the Internet Engineering Task Force calls for SSH developers to deprecate 1,024-bit moduli. RFC 8270 was authored by Mark Baushke (at Juniper Networks but working as an individual*) and Loganaden Velvindron (of Mauritian group Hackers.mu) in response to demand for a response to the 2015 Logjam …
Bug detected dialog

Top repo managers clone, then close, a nasty SSH vector

Users of the world's most popular software version control systems can be attacked when cloning a repository over SSH. When first announced by Recurity Labs' Joern Schneeweisz, the vulnerability was attributed to Git, Mercurial and Subversion; and over the weekend, Hank Leininger of Korelogic told the OSS-Sec list the issue …
T-shirt Cannon

This week on GitHub: Facebook's forecaster and a sysadmin CURSE

Repo Roundup To kick off this week's Repo Roundup, in which we trawl online code repositories so you don't have to, Facebook's emitted a prophecy, and we don't mean Mark Zuckerberg's manifesto: it's a forecasting procedure for R and Python, designed to work with the kind of datasets Facebook slurps. It's aimed at time series data, “based …

Internet of Sins: Million more devices sharing known private keys for HTTPS, SSH admin

Millions of internet-facing devices – from home broadband routers to industrial equipment – are still sharing well-known private keys for encrypting their communications. This is according to research from SEC Consult, which said in a follow-up to its 2015 study on security in embedded systems that the practice of reusing …
Shaun Nichols, 7 Sep 2016

Entropy drought hits Raspberry Pi harvests, weakens SSH security

Raspberry Pis running Raspbian – a flavor of Debian GNU/Linux tuned for the tiny computers – potentially generate weak SSH host keys. This gives man-in-the-middle attackers a sporting chance of decrypting people's secure connections to the devices. The November 2015 release of Raspbian does not use a hardware random number …
John Leyden, 2 Dec 2015

Lazy IoT, router makers reuse skeleton keys over and over in thousands of devices – new study

It's what we all assumed, but quietly hoped wasn't quite this bad. Lazy makers of home routers and the Internet of Things are reusing the same small set of hardcoded security keys, leaving them open to hijacking en masse, researchers have warned. In other words, if you can log into one gizmo remotely, you can probably log …
Shaun Nichols, 26 Nov 2015
Cisco security puff from its website

Cisco in single SSH key security stuff-up

A red-faced Cisco has pushed out a patch for a bunch of virtual security appliances that had hard-coded SSH keys. Since the keys are associated with the virty appliances' remote management interface, a successful login would let an attacker waltz through the devices. The Borg has announced that its Web Security Virtual …
Skull image

Industrial Wi-Fi kit has hard-coded credentials

The travelling side-show of industrial control kit insecurity continues, with an outfit called Red Lion being called out for hard-coded credentials on a wireless access point. ICS-CERT has issued an advisory noting that the company's N-Tron 702.-W industrial wireless access point has hard-coded private keys for SSH and HTTPS …
Developer in a rage

Compromised SSH keys used to access Spotify, UK Govt GitHub repos

CloudFlare engineer Ben Cox says the official Github repositories of the UK Government, Spotify, and Python were accessed using likely compromised SSH keys. Cox says the keys revoked this month are subject to a compromised Debian OpenSSL random number generator seed discovered and fixed in early 2008. The security bod …
Darren Pauli, 3 Jun 2015

Holy SSH-it! Microsoft promises secure logins for Windows PowerShell

Microsoft has finally decided to add support for SSH to PowerShell, allowing people to log into Windows systems and use software remotely over an encrypted connection. Users of Linux, the BSDs, and other operating systems, will know all about OpenSSH and its usefulness in connecting machines in a secure way to execute commands …
Shaun Nichols, 2 Jun 2015

Tor de farce: NSA fails to decrypt anonymised network

A new round of NSA documents snatched by master blabbermouth Edward Snowden appeared online late on Sunday, revealing spooks' internet security pet hates. The latest dump of PDFs published by Der Spiegel appeared to show what the Five Eyes surveillance buddies – the USA, the UK, Australia, Canada and New Zealand – see as …
Kelly Fiveash, 29 Dec 2014
padlock

NIST to sysadmins: clean up your SSH mess

NIST has taken a look at how companies use Secure Shell (SSH), and doesn't much like what it sees. In spite of the depth of access generally handed SSH implementations for a host of different activities – “file transfers, back-ups, software/patch management, disaster recovery, provisioning and data base updates”, as SSH (the …
Zombify Me iOS app

Emergency alert system easily pwnable after epic ZOMBIE attack prank

Hardware powering the US Emergency Alert System can be easily tricked into broadcasting bogus apocalyptic warnings from afar, say experts. Researchers at computer security biz IOActive reckon they found private encryption keys within firmware updates for the devices; miscreants armed with this information could successfully …
John Leyden, 9 Jul 2013
The Register breaking news

SSH an ill-managed mess says SSH author Tatu Ylonen

Tatu Ylonen, author of the SSH protocol, isn't afraid of criticising his own work: he's calling for a new version of the Secure Shell to make it more manageable and get rid of the problem of undocumented rogue keys. In this IETF Draft, Ylonen proposes a regime for key management, including key discovery, to overcome the …
The Register breaking news

Whoops! Tiny bug in NetBSD 6.0 code ruins SSH crypto keys

The brains behind NetBSD have warned a bug in the open-source OS creates weak cryptographic keys that can be cracked by attackers. Users attempting to secure sensitive communications, such as SSH terminal connections, using the dodgy keys could be easily snooped on and their data decrypted. The use of a cryptographically …
John Leyden, 26 Mar 2013
The Register breaking news

Silly gits upload private crypto keys to public GitHub projects

Scores of programmers uploaded their private cryptographic keys to public source-code repositories on GitHub, exposing their login credentials to world+dog. The discovery was made just before the website hit the kill switch on its search engine or, more likely, the service collapsed under the weight of curious users trawling for …
John Leyden, 25 Jan 2013
The Register breaking news

Hackers break into FreeBSD with stolen SSH key

Hackers broke into two FreeBSD project servers using an SSH authentication key* and login credentials that appear to have been stolen from a developer, it has emerged. Developers behind the venerable open-source operating system have launched an investigation and have taken a few of the servers offline during their probe, but …
John Leyden, 20 Nov 2012
The Register breaking news

SSH firm aims to untangle crypto key hairball

Infosec 2012 Secure Shell (SSH) certificate management – a key internet protocol used for remote access and file transfer for nearly 20 years now – can become quite a tangled issue if there isn't a clear management policy in place, and SSH Communications Security, one of the security exhibitors at Infosec, claims it has a solution. SSH is …
John Leyden, 25 Apr 2012

Create a news alert about ssh, or find more stories about ssh.

Biting the hand that feeds IT © 1998–2018