www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
02 June 2008  

Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

Weakness in Debian undermines crypto

A flaw in the way that OpenSSL is implemented in the Ubuntu and Debian distributions of Linux has earned the software an unenviable adjective in the world of encryption: Predictable.

Recently, the team behind the popular Ubuntu distribution of Linux announced that it had issued a patch to fix a flaw inadvertently added to the OpenSSL code which dramatically reduced the number of possible keys generated by the software. While the flaw is in OpenSSL, the same code is used to generate keys for a number of other popular programs, including OpenSSH, OpenVPN and SSL certificates.

"All OpenSSH and X.509 keys generated on such systems must be considered untrustworthy, regardless of the system on which they are used, even after the update has been applied," the advisory stated.

Underscoring the danger of the attack, security researcher HD Moore posted tools on Wednesday to help researchers, and attackers, brute-force the key combinations in a matter of hours.

The latest flaw was introduced in the system because developers removed a line of code that had caused warnings about the use of uninitialized data when any program was linked to the OpenSSL library.
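
The advisory's point that affected keys stay untrustworthy wherever they are used can be checked mechanically: when a generator can only emit a small set of keys, a defender can enumerate that set and audit deployed keys against it. The Python sketch below is an added example, not code from the article, Debian or OpenSSL; it assumes a simplified model in which the only varying seed input is a process ID below 32768, and `weak_keygen`, `fingerprint`, `audit` and the sample inventory are constructed for illustration.

```python
import hashlib
import os

# Assumption (simplified model): the generator's only varying input is a
# process ID, so at most PID_MAX distinct keys can ever be produced.
PID_MAX = 32768


def weak_keygen(pid: int) -> bytes:
    """Toy stand-in for a key generator seeded by nothing but the PID."""
    return hashlib.sha256(b"toy-weak-prng" + pid.to_bytes(2, "big")).digest()


def fingerprint(key: bytes) -> str:
    """Short, stable identifier for a key, as a blocklist would store it."""
    return hashlib.sha256(key).hexdigest()[:32]


def build_blocklist() -> dict:
    """Enumerate every key the weak generator can emit: fingerprint -> pid."""
    return {fingerprint(weak_keygen(pid)): pid for pid in range(PID_MAX)}


def audit(keys: dict, blocklist: dict) -> dict:
    """Return name -> True for each key that must be revoked and regenerated.

    The check looks only at the key material, not at the patch level of the
    host now holding it: a key created on an affected system stays weak
    after the update and after being copied elsewhere.
    """
    return {name: fingerprint(key) in blocklist for name, key in keys.items()}


# Constructed sample inventory: two keys from the weak generator and one
# drawn from the operating system's entropy source.
SAMPLE_KEYS = {
    "web01": weak_keygen(4242),
    "db01": weak_keygen(31999),
    "bastion": os.urandom(32),
}

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(f"{len(blocklist)} possible keys in the weak key space")
    for name, is_weak in audit(SAMPLE_KEYS, blocklist).items():
        print(f"{name}: {'REGENERATE' if is_weak else 'ok'}")
```
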

Malware Most Recent

W32.Tufik.E
Trojan.Cymdos
Trojan.Installscash
Bloodhound.Exploit.189
Bloodhound.Exploit.190
Infostealer.Fertippy
Trojan.Virantix.C
Packed.Generic.119
W32.Mariofev.A

Source: Symantec

US military to build botnet?

A colonel in the US Air Force argued in a recent opinion piece that the United States needs to build its own collection of computers able to digitally "carpet bomb" enemies with a denial-of-service attack.

The capability to overwhelm attackers would help the nation deter attacks against its systems, Col. Charles Williamson III, a staff judge advocate for the US Air Force Intelligence, Surveillance and Reconnaissance Agency, stated in an opinion piece in the Armed Forces Journal. Military bases could use outdated PCs as nodes on the "botnet," replacing their hard drives with simple flash drives.

The US military has grown more worried about cyber attacks. A year ago, online protesters attacked the northern European country of Estonia, essentially cutting off online contact to many of the nation's businesses and government agencies. Other denial of service attacks have shut down news sites and even forced an Israeli company to go out of business. While the degree to which nation-states take part in such attacks is unknown, the US military has flagged China as a major future threat in cyberspace.

In his column, Col. Williamson acknowledges that using a botnet against attackers could pose serious legal issues in international circles. Botnets frequently use compromised systems owned by private groups and US allies.

In the past, governments have been able to take selective military actions against threats operating in neutral, or on the edge, of another nation's territory, Col. Williamson stated.

 


© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.