Security Bytes - A SearchSecurity.com blog

The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

SSH keys and SSL certificates at risk from new Debian OpenSSL flaw

If you’re an SSH and Linux user, this is not a good week for you. Not only did Debian announce that a flaw in its OpenSSL implementation allows attackers to easily guess cryptographic keys, but now HD Moore has posted a list of SSH keys that he was able to brute-force by reverse engineering the list of blacklisted keyspace that Debian published. Oh, and there also is a large spike in the volume of active SSH probes at networks around the world, which may or may not be related to the Debian situation.

The OpenSSL flaw is the more serious of the two problems at this point, with experts recommending that affected users regenerate both their SSH keys and their SSL certificates immediately. The bottom line with this vulnerability is that any SSH key or SSL certificate generated between September 2006 and May 13, 2008, should be considered compromised.

“The situation with web certificates is even worse – the public key is really that: public. So, for a weak key generated on Debian, an attacker could derive the private key and construct a Man-In-The-Middle attack without any problems in the browser,” the folks at the Internet Storm Center wrote in a post about the problem. “Very very scary. Makes one wonder how many people used Debian to generate their SSL keys.”
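Debian shipped the vulnerable key fingerprints as blacklist files (the openssh-blacklist package, checked by the ssh-vulnkey tool), so the practical defender's task is to walk every authorized_keys and host key file and compare each key against that list. The following is an added example written for this post, not code from SearchSecurity, Debian or the ISC; it builds two synthetic ssh-rsa keys and a constructed blacklist from one of them, and it assumes that a blacklist entry is the last 20 hex characters of the key blob's SHA-1 fingerprint (adjust the slice in `blacklist_tail` if your blacklist uses a different convention):

```python
import base64
import hashlib
import struct

# Everything below is constructed for illustration: the two keys are synthetic
# (their moduli are not real RSA moduli) and the blacklist entry is derived
# from one of them, so no real Debian blacklist data is reproduced here.


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # a set high bit would read as negative: pad
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _string(b):
    return struct.pack(">I", len(b)) + b


def authorized_key_line(e, n, comment):
    """Build an authorized_keys-style 'ssh-rsa <base64 blob> <comment>' line."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def fingerprint_sha1_hex(line):
    """Hex SHA-1 fingerprint (40 chars) of the key blob on one key line."""
    blob = base64.b64decode(line.split()[1])
    return hashlib.sha1(blob).hexdigest()


def blacklist_tail(line):
    # Assumption (see lead-in): blacklist entries are the last 20 hex characters
    # of the SHA-1 fingerprint. Adjust this slice if your blacklist differs.
    return fingerprint_sha1_hex(line)[20:]


def load_blacklist(text):
    """Parse blacklist text: drop comments and blanks, normalise to lowercase."""
    return {
        ln.strip().lower()
        for ln in text.splitlines()
        if ln.strip() and not ln.lstrip().startswith("#")
    }


def is_blacklisted(line, blacklist):
    return blacklist_tail(line) in blacklist


def scan_authorized_keys(text, blacklist):
    """Return (line_number, comment) for each ssh-rsa key that is blacklisted."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            continue                      # skip blanks, comments, other key types
        if is_blacklisted(line, blacklist):
            hits.append((number, parts[2] if len(parts) > 2 else ""))
    return hits


# Constructed keys: e = 65537 with made-up 1024-bit moduli.
WEAK_KEY = authorized_key_line(65537, (1 << 1023) | 12345, "weak@debian-host")
OK_KEY = authorized_key_line(65537, (1 << 1023) | 54321, "fine@other-host")

# Constructed blacklist: a comment line plus the tail of WEAK_KEY's fingerprint.
SAMPLE_BLACKLIST = "# constructed blacklist, not Debian's\n" + blacklist_tail(WEAK_KEY) + "\n"

SAMPLE_AUTHORIZED_KEYS = "# constructed authorized_keys\n" + WEAK_KEY + "\n" + OK_KEY + "\n"

if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for number, comment in scan_authorized_keys(SAMPLE_AUTHORIZED_KEYS, bl):
        print(f"line {number}: key '{comment}' is blacklisted; replace it")
```

In a real sweep the same loop runs over every user's authorized_keys, the host keys in /etc/ssh, and the keys attached to SSL certificates, and a hit means the key is replaced, not just removed from one file.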

The increase in SSH probes seems to be a separate issue at this point, as those brute-force attempts mostly involve password guessing. A number of posts on the Unisog security mailing list described spikes of 10 or 20 times the normal number of login attempts per day, beginning sometime in April. These attacks are mainly classic dictionary attacks, in which the attacker runs a script that attempts a remote login to an SSH server using a large list of possible passwords.
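The spikes reported on the Unisog list are easy to spot once failed logins are counted per day and compared with a baseline. This added example (mine, not from the mailing list or SearchSecurity) parses OpenSSH "Failed password" lines from a constructed auth.log using TEST-NET addresses, flags any day whose failures reach ten times the median of earlier normal days, and lists the noisiest sources; the log line layout is the syslog format OpenSSH used at the time, and the 10x threshold is taken from the figure quoted above.

```python
import re
from collections import Counter
from statistics import median

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Matches the OpenSSH "Failed password" syslog line, e.g.
# "Apr  6 03:14:07 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failures(log_text):
    """Yield (date, user, source_ip) for every failed-password line; ignore the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield (f"{m['mon']} {int(m['day']):02d}", m["user"], m["ip"])


def failures_per_day(log_text):
    return Counter(date for date, _, _ in parse_failures(log_text))


def _date_key(date):
    mon, day = date.split()
    return (MONTHS[mon], int(day))


def spike_days(per_day, factor=10, min_history=2):
    """Flag days whose failure count is at least `factor` times the median of
    earlier normal days; flagged days stay out of the baseline so a long-running
    attack does not quietly become the new normal."""
    flagged, baseline = [], []
    for date in sorted(per_day, key=_date_key):
        count = per_day[date]
        if len(baseline) >= min_history and count >= factor * median(baseline):
            flagged.append(date)
        else:
            baseline.append(count)
    return flagged


def top_sources(log_text, n=3):
    return Counter(ip for _, _, ip in parse_failures(log_text)).most_common(n)


def _line(mon, day, sec, user, ip, invalid=True):
    who = f"invalid user {user}" if invalid else user
    return (f"{mon} {day:>2} 03:14:{sec:02d} bastion sshd[2201]: "
            f"Failed password for {who} from {ip} port 51234 ssh2")


# Constructed log: three quiet days with two failures each, then a single
# host cycling through common account names on Apr 6, plus one unrelated line
# that the parser must ignore.
_quiet = [
    _line("Apr", d, s, u, ip)
    for d in (3, 4, 5)
    for s, (u, ip) in enumerate([("root", "198.51.100.7"), ("bob", "198.51.100.8")])
]
_names = ["root", "admin", "test", "oracle", "guest"]
_attack = [_line("Apr", 6, i, _names[i % len(_names)], "203.0.113.5") for i in range(25)]
SAMPLE_LOG = "\n".join(
    _quiet + _attack
    + ["Apr  6 03:15:00 bastion sshd[2300]: Accepted publickey for alice from 198.51.100.9 port 40000 ssh2"]
)

if __name__ == "__main__":
    per_day = failures_per_day(SAMPLE_LOG)
    print("failures per day:", sorted(per_day.items(), key=lambda kv: _date_key(kv[0])))
    print("spike days:", spike_days(per_day))
    print("top sources:", top_sources(SAMPLE_LOG))
```

The per-source counter is what feeds a block rule or a tool such as fail2ban; the per-day comparison is the alerting signal, because a slow dictionary run spread across many addresses will not trip a per-IP threshold but still shows up as a day-over-day jump.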

In other words, run, don’t walk, to the console and update those keys and certificates. If the good guys have already developed scripts and tools for brute-forcing the keys, you have to assume the crackers have as well.

Security vet Anne Bonaparte takes CEO job at Solidcore

Anne Bonaparte, a veteran security industry executive, is taking over the top job at change-management vendor Solidcore Systems. Bonaparte has spent time at a number of security vendors, including VeriSign, MailFrontier, SonicWall and Tablus. She takes over as CEO at Solidcore, as founder and former CEO Rosen Sharma steps aside to take the CTO job. Bonaparte most recently held the CEO job at Tablus, one of the numerous companies scratching and clawing for a piece of the data-loss prevention market, before RSA Security acquired Tablus last summer.

Before her stint at Tablus, Bonaparte was CEO of MailFrontier, an email security company, which she led through its acquisition by SonicWall in 2006. Her experience in leading start-ups through their second phase as they look for either an acquisition partner or major investors will come in handy at Solidcore, a vendor that is smack in the middle of that stage in its growth right now. The company started out as a provider of software for companies looking to prevent admins from making unauthorized changes to servers. It has since evolved into a player in the security market, mainly as a result of its role in compliance efforts.

New SQL injection worm making the rounds

The trend toward large-scale attacks against Web sites through the use of SQL injection is continuing, as experts at both the SANS Internet Storm Center and Shadowserver Foundation are tracking a newly discovered SQL injection worm that appears to be exploiting a RealPlayer flaw and dropping malware on vulnerable sites. The attacks are focusing on ASP pages and are using the familiar iFrame exploitation method that has been involved in a number of the recent mass SQL injection attacks. After a successful exploitation of a vulnerable PC, the infected Web site installs a binary on the user’s PC. The analysis of the attack done by the folks at Shadowserver shows that the binary is named “test.exe” and is just one link in a long chain of downloaders and malware.

“This binary that is downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next. In our instance it [tells it] to download yet another file and to report in to a URL,” the Shadowserver analysis says.

Fun for the whole family. Shadowserver also has a good list of some of the malicious sites and IP addresses that are serving the malware, for your filtering pleasure.
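Because these worms rewrite text columns in the database, the injected iframe shows up on every page that renders those columns, and the cheapest check a site owner can run is to scan rendered pages (or the stored column values directly) for frames that point off-site or are sized to be invisible. The example below is added here and is not from Shadowserver, SANS or SearchSecurity; it uses Python's stdlib HTML parser, a constructed page and constructed table rows, a TEST-NET address standing in for the malware host, and an assumed trusted-host set of `www.example.com`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    """'0', '1px', ' 300 ' -> int; anything else (e.g. '100%') -> None."""
    try:
        return int(value.strip().lower().rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs):
    """Zero/one-pixel frames or display:none / visibility:hidden styles."""
    w, h = _dimension(attrs.get("width", "")), _dimension(attrs.get("height", ""))
    style = attrs.get("style", "").replace(" ", "").lower()
    return ((w is not None and w <= 1) or (h is not None and h <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, trusted_hosts):
    """Return one finding per iframe that points off-site or is hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()   # "" for relative URLs
        foreign = bool(host) and host not in trusted_hosts
        hidden = is_hidden(attrs)
        if foreign or hidden:
            findings.append({"src": src, "foreign": foreign, "hidden": hidden})
    return findings


def scan_records(records, trusted_hosts):
    """Run the same check over (id, text) pairs, e.g. rows pulled from the text
    columns a SQL injection worm rewrites; returns the ids that carry a frame."""
    return [rec_id for rec_id, text in records if suspicious_iframes(text, trusted_hosts)]


TRUSTED = {"www.example.com"}   # assumption: the site's own host(s)

# Constructed page: one legitimate widget frame and one injected, invisible
# frame pointing at a TEST-NET address standing in for a malware host.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<p>Story text</p>
<iframe src="http://203.0.113.9/x.htm" width="0" height="0"></iframe>
</body></html>"""

# Constructed database rows: the worm appends its frame to a stored text field.
SAMPLE_ROWS = [
    (1, "Quarterly results posted"),
    (2, 'Welcome back<iframe src="http://203.0.113.9/x.htm" width=0 height=0></iframe>'),
    (3, "Contact us"),
]

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_HTML, TRUSTED):
        print("page:", f)
    print("rows to clean:", scan_records(SAMPLE_ROWS, TRUSTED))
```

Finding the frame is the detection half; the fix is removing the injection point itself (parameterised queries and a least-privilege database account for the ASP pages), since cleaning the rows without that only buys time until the worm's next pass.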

Microsoft releases Windows XP SP3

If you’ve been dying to get your hands on Microsoft’s NAP (Network Access Protection) technology, but just somehow haven’t gotten around to deploying Vista yet, today is your lucky day. Microsoft released Service Pack 3 for Windows XP today and one of the major components of the massive update is NAP, the company’s network access control system. However, you do need to be running Windows Server 2008 in order to use the NAP capability. Along with NAP, SP3 also includes every update, security-related and otherwise, that Microsoft has released since it pushed out SP2 in 2004.

There are a handful of other security updates included in SP3, and Microsoft has a good description of all of the new features in Windows XP SP3. Here are some highlights:

  • IPSec Simple Policy Update for Windows Server 2003 and Windows XP. This is a tool to help simplify the creation of IPSec filters.
  • Digital Identity Management Service. This allows users on any PC that’s a member of a domain to access all of their digital certificates and encryption keys for applications and services on that domain.
  • Support for the WPA2 wireless security standard.
  • Black hole router detection turned on by default.

The other major news with Windows XP SP3 is the fact that it does not include Internet Explorer 7. Some users have complained about IE 7 being pushed to their PCs as a critical update and Microsoft even went so far as to release a special toolkit to block the delivery of the browser last year. For users who don’t update their machines regularly, SP3 is a good opportunity to get back on the right track all at once.

Pioneering online privacy firm Anonymizer acquired

Anonymizer, the pioneering online privacy company, was acquired Thursday by a highly specialized national-security technology provider. Anonymizer began in 1995 as a provider of technology to help consumers, and later enterprises, protect their identities online. The company has a variety of products now that enable users to avoid spam, surf Web sites anonymously and protect their email addresses. It is probably best known for its Anonymous Surfing product, which redirects users’ Web traffic through a proxy, hiding their actual IP addresses. But it also offers products that provide users with disposable email addresses and offerings for enterprises that enable executives to check out competitors’ sites anonymously.

The company acquiring Anonymizer, Abraxas, is a provider of technology and risk management services to the national security community and was founded by Richard H. Helms, a former CIA officer (no relation to Richard M. Helms, former director of CIA). The two companies, both based in San Diego, already share some similarities. Lance Cottrell, the founder and chief scientist at Anonymizer, is also chief scientist at Abraxas. Abraxas’ board of advisers includes former DHS secretary Tom Ridge, and Alan Wade, the former CIO of CIA.

Why lateral SQL injection and NULL pointer attacks matter

There has been a lot of interesting work going on in the research community of late on a handful of really specialized and esoteric application attacks, like Mark Dowd’s NULL pointer attack and David Litchfield’s lateral SQL injection technique. These two methods have a few things in common, specifically the fact that they both exploit things that were thought to be unexploitable. One other similarity is that some people seem to be dismissing these techniques as theoretical or purely academic thought exercises that will never see the light of day. Proponents of this line of thinking say that enterprises don’t need to worry about crazy, multi-step attacks that are hard to understand. It’s things like buffer overflows and worms that really need your attention, they say.

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in the Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.

Richard Stiennon joins new MSSP as CEO

Richard Stiennon, the well-traveled vendor executive and industry analyst, has taken up a new post as the CEO of new MSSP Seccom Global, an offshoot of Seccom Networks, an Australian company. Stiennon is a former Gartner analyst who probably is best known for a research study he was involved with in 2003 declaring that IDS was dead and encouraging enterprises to spend whatever money they had allocated for the technology on things like multi-function firewall appliances. “Intrusion detection systems are a market failure,” he said at the time. Most recently Stiennon was the chief marketing officer at Fortinet, which is a partner of Seccom. He also has spent time at independent analyst firm IT-Harvest, Webroot and PriceWaterhouseCoopers.

Seccom’s Australian operation provides a number of managed security services, including mail and network monitoring. Stiennon’s appointment as CEO coincides with the company’s entry into the U.S. market, which already has its fair share of MSSPs. Large players such as VeriSign and Symantec have staked out the high end of the market and many ISPs, such as AT&T, have gotten into the business of offering security services in the cloud, as well. It will be interesting to see how an unknown company such as Seccom goes about competing with the big established MSSPs here. One would guess that Stiennon’s name recognition and extensive experience in the industry will help open a few doors at the very least.

Where have all the good RSA talks gone?

Once upon a time, the RSA Conference was known for its deep technical content and the quality of its speakers. But, as the security industry has changed and matured over the last few years, the sessions at the show have become more focused on soft, fuzzy themes such as risk management and compliance. This is probably just a natural evolution and a reflection of the direction of the industry as a whole, but many of the security professionals I’ve talked to here this week have complained about the lack of serious educational content and the proliferation of marketecture-type sessions. And the few really deep sessions have been so crowded that many attendees have been turned away at the door. The hard core cryptographers’ sessions are still here and there are some good ones on new attacks as well, but it seems that the days of walking out of the conference at the end of the week with a notebook full of great ideas are past.

New Apple Air notebook vaporized in PWN2OWN contest

Apple is claiming that its new Air is the world’s thinnest notebook PC. Luckily, it didn’t make any claims about the new machine’s security, because it only took Charlie Miller of Independent Security Evaluators a few minutes on Thursday to gain control of a new Air in the annual Pwn2Own hacking contest at CanSecWest. Miller was able to exploit an unpatched vulnerability in Apple’s Safari browser to compromise the notebook, winning himself a $10,000 prize, as well as the Air itself. Not a bad haul for a few minutes of work.

This year’s contest is a bit different from last year’s edition, in that there are three separate machines up for grabs. In addition to the Air, TippingPoint, which sponsors the contest, put up two other machines, one each running Vista and Ubuntu. After Miller cracked the laptop, he turned over details of the attack to TippingPoint, which disclosed it to Apple.

DHS takes a chance with new cybersecurity chief Beckstrom

The cybersecurity group at the Department of Homeland Security has had a hard time hanging onto its leaders, for various reasons, since the department started five years ago. DHS officials have tried a number of approaches in trying to find the right man for the job, going first to government veterans such as Howard Schmidt and Amit Yoran, who had both government and industry experience, and then landing on Greg Garcia, the current assistant secretary for cyber security and telecommunications, who was a lobbyist before he joined the department.

Now, with its recent appointment of Rod Beckstrom as director of the nascent National Cyber Security Center at DHS, officials are trying a completely different approach: bringing in someone with no security or government experience. Beckstrom is a serial entrepreneur who has founded a number of successful companies and also has written a book on leaderless organizations. All kidding about how his knowledge of leaderless organizations will serve him well at DHS aside, I think the DHS folks deserve a bit of credit for going outside the playbook and giving a shot to an outsider such as Beckstrom. His role will not necessarily be a technical one, as he was brought in specifically to encourage better communication and information-sharing among the various components of the federal government that handle cybersecurity.

Former officials who have worked in the National Cyber Security Division at DHS and those in the private sector who work with the department have consistently criticized DHS for its poor communication on security issues and lack of willingness to share intelligence on attacks and vulnerabilities. What can it hurt to try a different approach? The ones they’ve tried in the past clearly haven’t worked, so maybe a little new blood and some unconventional thinking will jump-start things.