DNSSEC – Debunking Myths 

DNSSEC drastically improves the security of the internet and systems that rely on it. Sadly, there is a lot of FUD out there and we wanted to both debunk that FUD and explain why DNSSEC is vital to the security of the internet.

DNSSEC makes DNS verifiable: it allows domain owners to sign their DNS records and client to verify their authenticity.  Securing domains with DNSSEC and deploying validating resolvers on the client side would eliminate most DNS spoofing attacks and a wide range of MITM attacks.

Continue Reading

A Brief Analysis SSH on the Web

A very interesting and in some ways telling analysis on the current state of 16,532,281 SSH configurations on the internet.

Out of all the IPv4 addresses we found:

  • 9,423,225 are affected by the CVE-2015-5600 – “The kbdintnextdevice function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumption) via a long and duplicative list in the ssh -oKbdInteractiveDevices option, as demonstrated by a modified client that provides a different password for each pam element on this list.”

  • 1,530,566 are affected by the CVE-2013-4421 – “The buf_decompress function in packet.c in Dropbear SSH Server before 2013.59 allows remote attackers to cause a denial of service (memory consumption) via a compressed packet that has a large size when it is decompressed.”

  • 83,357 are affected by the CVE-2015-6565 – “sshd in OpenSSH 6.8 and 6.9 uses world-writable permissions for TTY devices, which allows local users to cause a denial of service (terminal disruption) or possibly have unspecified other impact by writing to a device, as demonstrated by writing an escape sequence.”

Source: SSH – A brief analysis of the internet

Continue Reading