Every version of the popular OpenSSH program -- a critical, widely used tool for secure communications -- shares a critical vulnerability that was present in the program's initial 1999 release.
The defect was published last week by researchers from Qualys, who were releasing a patch that corrected it (the patch was intended to fix a different problem, and Qualys's researchers inadvertently and simultaneously discovered and fixed this very old bug).
Operating system vendors are likely to update their OpenSSH code quickly, but the real problem is that many embedded devices that have been orphaned, that are indifferently maintained by their vendors, or whose owners never patch them are likely to remain vulnerable to exploitation via the new bug forever.
This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. Since OpenSSH is used with a bunch of technologies ranging from cloud hosting servers to mandate IoT equipment, billions of devices are affected.
As researchers explain, the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request (for example, via a truncated packet).
A vulnerable OpenSSH server would react in two very different ways when this happens. If the username included in the malformed authentication request does not exist, the server responds with an authentication failure reply. If the user does exist, the server closes the connection without a reply.
This small behavioral detail allows an attacker to guess valid usernames registered on an SSH server. Knowing the exact username may not pose an immediate danger, but it exposes that username to brute-force or dictionary attacks that can also guess its password.
Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades [Catalin Cimpanu/Bleeping Computer]
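The two server reactions quoted above can be written as a differential regression check for any authentication handler. This is an added example, not code from the article or from OpenSSH. The toy packet format, the handler names, the account list and the cause modelled here (rejecting an unknown user before the request body is parsed) are all assumptions made for illustration.

```python
from enum import Enum

class Outcome(Enum):
    FAILURE_REPLY = "authentication failure reply"
    CONNECTION_CLOSED = "connection closed without a reply"

USERS = {"alice", "backup"}  # constructed account list

class MalformedPacket(Exception):
    pass

def parse_request(body: bytes) -> None:
    """Toy format (assumption): one length byte, then exactly that many bytes."""
    if not body or len(body) - 1 != body[0]:
        raise MalformedPacket

def vulnerable_handler(user: str, body: bytes) -> Outcome:
    # Unknown users are answered before the body is parsed, so only
    # requests naming a real account ever reach the parser.
    if user not in USERS:
        return Outcome.FAILURE_REPLY
    try:
        parse_request(body)
    except MalformedPacket:
        return Outcome.CONNECTION_CLOSED
    return Outcome.FAILURE_REPLY  # toy model: credentials are never accepted

def hardened_handler(user: str, body: bytes) -> Outcome:
    # Parse first: a malformed body is handled the same way for every
    # username, so the outcome no longer depends on account existence.
    try:
        parse_request(body)
    except MalformedPacket:
        return Outcome.CONNECTION_CLOSED
    return Outcome.FAILURE_REPLY  # same reply for known and unknown users

def leaking_bodies(handler, known_user, unknown_user, bodies):
    """Return the request bodies whose outcome differs between the two users."""
    return [b for b in bodies
            if handler(known_user, b) != handler(unknown_user, b)]

# Constructed inputs: well-formed, truncated, empty.
SAMPLE_BODIES = [b"\x03abc", b"\x03ab", b""]

if __name__ == "__main__":
    for h in (vulnerable_handler, hardened_handler):
        leaks = leaking_bodies(h, "alice", "no-such-user", SAMPLE_BODIES)
        print(h.__name__, "distinguishable on:", leaks)
```

An empty result from `leaking_bodies` is the property to keep in a regression suite: no malformed request should produce an outcome that depends on whether the account exists.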