Morons oppose security

[t3knomanser]

Today, ImageShack was hacked by some anonymous children seeking to get their manifesto out there. If nothing else, it does a good job of showing off that the differently-abled can still master basic computer security tools

Comments

[dreamingkat]

speaking of vulnerabilities, did you hear about the possible ssh vulnerability?

[t3knomanser]

I didn't, but after a quick Googling, it doesn't look likely. Scary thought, though.

[dreamingkat]

to contribute to the rumor mill, the one that got the buzz started appears to have been the result of a very stupid admin leaving a list of his passwords in his google account.

However, a friend of mine says that his buddy (who I know well enough to know that he's actually a fairly decent hacker and knows enough about kernels to do this) says that they know of an exploit. From what he said (and honestly it was a bit over my head) and the research I did, it seems to be based on these buffer overflow bugs from 2002 and 2003, and it's probable that the only vulnerable versions are based on the Red Hat ssh, since they've been backporting security features instead of updating the version in their releases. This means CentOS is also vulnerable, which is what a lot of web hosts use. He did say that in order to actually use the pointer returned by the exploit to do anything useful, you would practically have to have a clone of the system your attacking set up. Otherwise, the connection just drops. On the other hand, for a farm with a

[t3knomanser]

Fortunately that's a nasty one to pull off. Sadly, any vulnerability in SSH is going to pose a serious problem for Internet security.

I do remember reading about those buffer overrun bugs, but I thought they were properly patched- but I'm not surprised that RedHat is slow on the uptake.