Tux Machines

Security: RC4, Clown Computing, and OpenSSL Headsup

Posted by Roy Schestowitz on Oct 27, 2022

Videos: Arch Linux, Code Comments, Linux Action News, and LibreOffice

fun with pygame – Michael Ablassmeier

↺ Ticket Granting Ticket (TGT) and an EncryptedData structure which contains the session key necessary to use the TGT to request service tickets

RC4 Is Still Considered Harmful

↺ RC4 Is Still Considered Harmful

> I've been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements.

> This blog post goes into more detail on how this vulnerability works and how I was able to exploit it with only a bare minimum of brute forcing required. Note, I'm not going to spend time fully explaining how Kerberos authentication works, there's plenty of resources online. For example this blog post by Steve Syfuhs who works at Microsoft is a good first start.

4 Reasons Open Source Matters for Cloud Security

↺ 4 Reasons Open Source Matters for Cloud Security

> When we depend on an open commons as our computing foundation, we need it to be secure, and the most effective way to do that is through open solutions.

OpenSSL warns of critical security vulnerability with upcoming patch | ZDNET

↺ OpenSSL warns of critical security vulnerability with upcoming patch | ZDNET

> We don't have the details yet, but we can safely say that come Nov. 1, everyone -- and I mean everyone -- will need to patch OpenSSL 3.x.

gemini.tuxmachines.org