Re: Glitch imperils swath of encrypted records

[Corey Quinn <corey () sequestered net>]

Holy alarmist reporting, Batman!

Drilling down into the technical aspects of the article, we come up with:

> Without careful monitoring and management, SSH goes on creating keys and storing them in easily identifiable 
> directories where hackers can find and use them to access secure computers.

Which, yes, it does if you run ssh-keygen willy-nilly, but… those keys aren't actually added to the user's 
authorized_keys file by default.  This strikes me as a non-story.

And then:
> Mr. Bodmer described how a hacker could use abandoned keys to move through a supposedly secure computer network by 
> hopping from server to server.

So this comes down to the already well-established best practice of "use configuration management to manage 
authorized_keys, and make sure you kick out old credentials when they're not needed anymore." 

If there's a deeper SSH flaw that they're alluding to, I'm not seeing it.

-- Corey

On Dec 26, 2012, at 7:51 AM, Erica Absetz <eabsetz () opensecurityfoundation org> wrote:

> http://www.washingtontimes.com/news/2012/dec/25/glitch-imperils-swath-of-encrypted-records/?page=all#pagebreak
>
> A widely used method of computer encryption has a little-noticed
> problem that could allow confidential data stored by almost all
> Fortune 500 companies and everything stored on U.S. government
> classified computers to be “fairly easily” stolen or destroyed.
>
> The warning comes from the inventor of the encryption method, known as
> Secure Shell or SSH.
>
> “In the worst-case scenario, most of the data on the servers of every
> company in the developed world gets wiped out,” Tatu Ylonen, chief
> executive officer of SSH Communications Security Corp., told The
> Washington Times.
>
> Mr. Ylonen said a computer programmer could create a virus that would
> exploit SSH’s weaknesses and spread throughout servers to steal,
> distort or destroy confidential data.
>
> “It would take days, perhaps only hours,” to write such a virus, he said.
>
> What’s more, the same security vulnerabilities plague the U.S.
> government’s classified networks, say the contractors who build them.
>
> “I would venture to say that there is a very similar situation [in
> classified networks] to the one in the commercial space,” said Don
> Fergus, a senior vice president at Patriot Technologies Inc., an
> information technology and security firm in Frederick, Md.
>
> Mr. Ylonen said encryption methods’ vulnerabilities prevent companies
> from honestly passing an audit for compliance with U.S. cybersecurity
> standards for government or the private sector.
>
> He said that all of the “major audit protocols” for federal financial
> regulations and cybersecurity require that network managers know who
> can access their systems.
>
> About “90 percent of U.S. companies are out of compliance with
> regulations governing financial institutions because of this issue,”
> Mr. Ylonen said.
>
> A key problem
>
> Since Mr. Ylonen invented SSH in 1995, it has become the gold standard
> for encryption and secure computing systems.
>
> SSH scrambles data so it can be unlocked and understood only with the
> use of a special code — a string of numbers and letters about five
> lines long called a key.
>
> When computers need to communicate with each other securely over the
> Internet or other networks, for instance from one bank office to
> another, SSH creates a key that scrambles and unscrambles the data.
>
> SSH is used “deep inside the back-end systems” Mr. Ylonen said,
> referring to programs that run in the background on large computer
> systems, unnoticed by the average user.
>
> Without careful monitoring and management, SSH goes on creating keys
> and storing them in easily identifiable directories where hackers can
> find and use them to access secure computers.
>
> For example, one major bank that Mr. Ylonen’s company audited had used
> SSH in more than 5,000 applications on as many as 100,000 servers.
>
> He said the auditors found in “a fraction of the bank’s environment”
> more than 1 million unaccounted-for keys — 10 percent of which granted
> root access, or control of the server at the most basic level.
>
> “The deeper we dig, the more we find,” Mr. Ylonen said of the audits
> that the company is undertaking of major users of SSH.
>
> It is not just in the private sector where hackers could use the keys
> for illicit purposes.
>
> SSH is “the de rigueur method” for encryption in classified computer
> systems used by the U.S. government, Mr. Fergus said.
>
> “One of the biggest challenges the federal agencies face [in
> encryption] is key management,” he said.
>
> Mr. Fergus noted that federal rules for classified computer networks
> cover the “issuance and assignment and storage of keys” but do not
> dictate what should be done with used keys.
>
> “There’s nothing in the standards or the protocols,” he said.
>
> ‘Domino effect’
>
> As a teenager in the 1990s, Sean M. Bodmer hacked government computers
> and was arrested by the FBI. Today, he is a top researcher at the
> computer security firm CounterTack, based in Waltham, Mass.
>
> “It’s quite horrific what access you can get with an SSH key,” Mr.
> Bodmer told The Times.
>
> Mr. Bodmer described how a hacker could use abandoned keys to move
> through a supposedly secure computer network by hopping from server to
> server.
>
> “It’s a domino effect” security breach, he said.
>
> Mr. Ylonen said that neither the government nor the private sector has
> come to realize the danger of having unaccounted-for keys fall into
> the wrong hands.
>
> The theft by hackers, or even disgruntled insiders, of SSH keys can
> create a crisis of trust for a company, Mr. Ylonen said.
>
> “No company that we know of systematically changes or deletes these
> keys,” he said. Unless companies employ “a rigorous policy to manage
> the production and storage of keys, how can they know who has access
> to their secure systems, as required by federal audit standards?”
>
> A company unable to be certain about who can access its secure systems
> would be in violation of federal regulations governing finances,
> information security and privacy, Mr. Ylonen said.
>
> He said the problem does not lie in the SSH encryption method itself.
>
> “It’s a problem with the implementation,” he said, adding that
> unaccounted-for keys are results of “sloppy” information technology
> management.
>
> Nonetheless, he acknowledged that he feels “a moral responsibility,”
> which is why he came out of retirement to offer a solution to the
> problem that poor management of his invention has created.
>
> Mr. Ylonen retired in 2005, and for seven years was not an employee of
> the company he founded, although he remained a director.
>
> “I decided I had to come back to do this,” he said.
> _______________________________________________
> Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
> Archived at http://seclists.org/dataloss/
> Unsubscribe at http://datalossdb.org/mailing_list
>
> Supporters:
>
> Risk Based Security (http://www.riskbasedsecurity.com/)
> Risk Based Security equips organizations with security intelligence, risk
> management services and on-demand security solutions to establish
> customized risk-based programs to address information security and
> compliance challenges. 
>
> Tenable Network Security (http://www.tenable.com/)
> Tenable Network Security provides a suite of solutions which unify real-time
> vulnerability, event and compliance monitoring into a single, role-based, interface
> for administrators, auditors and risk managers to evaluate, communicate and
> report needed information for effective decision making and systems management.

_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 

Tenable Network Security (http://www.tenable.com/)
Tenable Network Security provides a suite of solutions which unify real-time
vulnerability, event and compliance monitoring into a single, role-based, interface
for administrators, auditors and risk managers to evaluate, communicate and
report needed information for effective decision making and systems management.