Newsflash at 4pm on Wednesday May 14. This is a Risky Business special broadcast -- we have broken our regular programming schedule to bring you this special report. Download it from:
Most listeners would be aware that a serious bug in Debian's random number generator has been patched overnight. Unfortunately, all keys generated by Debian systems (and by the looks of things Ubuntu systems as well) are completely useless and need to be regenerated.
That means you SSH and SSL content encryption AND authentication has been rendered ineffective. Not only are your server generated keypairs ineffective, any user-generated keypair made with a Debian or Ubuntu box and accepted by an SSH server is vulnerable.
H D Moore is currently working on what sounds like a rainbow table-style attack which will allow him to brute force authentication over SSH in 2.5 to 6 hours. Because of the rainbow table nature of the attack, it also means he can decode intercepted packets in a matter of seconds.