Linux security flaw verified by Fortify

Fortify: 20 May, 2008 (Technical Article)
Cryptographic key vulnerability in Debian and Ubuntu Linux operating systems represents serious security flaw
Fortify Software has confirmed the findings of a research posting to the Debian security list last week, which details a critical security vulnerability in the OpenSSL packages within the Debian and Ubuntu Linux operating systems.

Fredrick Lee, a researcher with Fortify's Security Research Group, said that the posting understates the potential seriousness of the flaw, which affects the Open Secure Sockets Layer elements of the two Linux operating systems.

'We're calling this vulnerability "insecure randomness" since it allows an attacker to predict the SSL cryptographic keys used for supposedly secure online transactions,' he said.

According to Lee, the serious flaw could, for example, allow a malicious user to intercept an ostensibly secure online banking session between a customer and their bank.

'What's worse is the fact our researchers calculate this flaw has been available to hackers for more than two years,' he said.

The problem, Lee went on to say, stems from a bug fix issued by Debian programmers that effectively emasculates the randomness engine required to ensure true security within the SSL module.

'Had we been contacted as part of the release strategy, as a number of other developers do, then the flaw would have been immediately identified by our research team, before the insecure update was released to the public,' he said.
