Kaspersky analysis of the backdoor in XZ
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
Public SSH keys can leak your private infrastructure
This article describes a minor security flaw in the SSH authentication protocol that can lead to unexpected private infrastructure disclosure. It also provides a PoC written in Python.
Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
Did you download Warbeast2000 or Kodiak2k from npm? If so, your SSH keys might be compromised! These packages steal keys & upload them to GitHub.
SSH protects the world’s most sensitive networks. It just got a lot weaker
Novel Terrapin attack uses prefix truncation to downgrade the security of SSH channels.
Terrapin attacks can downgrade security of OpenSSH connections
Academic researchers developed a new attack called Terrapin that manipulates sequence numbers during the handshake process to breaks the SSH channel integrity when certain widely-used encryption modes are used.
In a first, cryptographic keys protecting SSH connections stolen in new attack | Ars Technica
An error as small as a single flipped memory bit is all it takes to expose a private key. The vulnerability occurs when there are errors during the signature generation that takes place when a client and server are establishing a connection. It affects only keys using the RSA cryptographic algorithm, which the researchers found in roughly a third of the SSH signatures they examined. That translates to roughly 1 billion signatures out of the 3.2 billion signatures examined. Of the roughly 1 billion RSA signatures, about one in a million exposed the private key of the host.