Tatu Ylonen: Bad SSH security practices are exposing enterprises

While Ylonen had developed SSH as a way to authenticate and secure communications over the internet, poor SSH security practices have essentially created the opposite effect for enterprises today. According to Ylonen, companies have generated so many SSH keys that they’ve lost track of them — and these keys, if they fall into the wrong hands, could lead to devastating data breaches.

Ylonen, founder of SSH Communications Security, spoke with SearchSecurity recently about his creation and how the cryptographic network protocol’s use has evolved and expanded over the last 20 years. He also talked about the current state of SSH security within enterprises, Akamai Technologies’ recent discovery of a major OpenSSH flaw, and how his company is trying to help companies track down and better manage all of those keys before attacks take advantage of them.


Here are excerpts of the conversation with Ylonen. For the audio version of the interview, listen to this episode of the Risk & Repeat podcast.

What is your take on the current state of SSH? How has SSH use evolved over the last 10 years, and how do you see it being used today? And has that led to some of the problems?

Tatu Ylonen: Well, the one big change is that it comes automatically with many devices. All Linux, all Unix, all Macs, even Android has SSH that you can enable. It comes in pretty much all embedded devices. It comes in BIOS firmware, in most server hardware nowadays with IPMI [Intelligent Platform Management Interface] ports and so on. It’s so everywhere. Airplane entertainment systems — I’ve seen them boot from SSH. You can see the messages during the boot. It’s everywhere. So, that’s been a change.

Another change is that it’s being used in a number of places that aren’t regularly updated, like security cameras that don’t have firmware update features. I think that has to change about IoT [internet of things]. I just think that society will collapse if we have devices that just start pushing data at somebody for DDoS [distributed denial-of-service] attacks. And I see a few avenues for fixing that.

One: liability. You force [device manufacturers] to do things properly and securely, or go out of business. Two: Use really good updating systems, which is part of what liability can force them to do. Just have them provide software upgrades so that the devices get them and they fix them quickly when there’s a problem. Three: Brick them.

Ylonen: Yes. Use the same vulnerabilities to shut them down permanently. And that, of course, probably involves liability for vendors and so on and probably, right now, is not legal. But if you think of it from society’s perspective, if it’s going to shut down the networks, probably shut down telecommunications in some cases, or cause deaths because emergency services don’t get on site because you can’t even call 911 on your systems, we can’t take that. Something has to be done.

Ylonen: Many of the device breaches were using default passwords. That, I think, is the easiest fix for vendors to do. Don’t have default passwords. Use [a] unique password for each device right on the bottom of the device. Often, security starts from pretty simple things. A unique password and operating mechanism takes you pretty far, but folks haven’t done it. But SSH is being used in these devices increasingly.

The Akamai [SSHowDowN Proxy attack] report showed millions of security cameras and satellite dish control systems and so on were vulnerable because of a configuration error. It’s trivial to fix if you have an upgrade mechanism. If you don’t, you lose your reputation. You might have liability. I actually think that there might be reasonable theories of liability for IoT manufacturers if the device is designed using principles that are known to be very likely to cause harm to others or their owners.

But then we have SSH in data centers. It’s in every data center for router management, for switch management, for virtualization management and so on. And in data centers, the biggest problem is SSH keys, which are just an authentication mechanism. You have a cryptographic key in a file, and you configure on a server. And with the key, you are able to log in without having to type a password. And that’s used for all the automated processes: automated confirmation management, automated provisioning, automated audits, emergency response, copying data to disaster recovery data centers and so on.

And it’s turned out those keys haven’t been managed. And the access they give is basically like passwords on the operating system. They give you a shell access typically. We found in a bank 10% of SSH keys granted root access — the highest-level administrative access, which lets you read any files, modify any files, install new kernel drivers or reprogram the firmware on the device. You can brick all the disk drives and the BIOS and the machine won’t boot. And you can, theoretically, do that to tens of thousands of servers, which could affect multiple enterprises, and critical infrastructure could be disrupted simultaneously.

And we went to a Wall Street bank [that] went through about 15,000 servers, which were about a quarter of the infrastructure, and 500 applications, which were some of the most critical production applications. From those, we found 3 million SSH keys. Three million, and 10% or 300,000 of those keys granted root access. Some of them granted access to disaster recovery data centers, which are supposed to take over if one data center goes down. But if somebody hacks into a data center, and this password allows the hacker access to another data center that’s being used to copy data to backup systems and the hacker gets your backup system, then you’re sort of screwed a bit.

Ylonen: In many cases, these were installed for good purposes and good intentions, like an Oracle admin just wanting to be able to log in from his personal account to the different Oracle database accounts in the enterprise and be able to do admin operations or monitoring in an automated fashion.

The trouble was those are pretty critical accounts that normally would require going through privileged access management systems and so on. And these keys bypassed all the access management systems they had in place. So, they could access the databases without recourse. And I think it’s a problem, especially for a bank with such critical data: account balances, stock holdings, etc.

You mentioned how SSH has become ubiquitous. In terms of exposed SSH keys, is the lack of key management the bigger issue than the ubiquitous nature of SSH?

Ylonen: I think the biggest cause of the problem was that identity and access management professionals didn’t know about SSH keys. They typically came from a Windows background, or they were kind of retrained ex-military veterans or others who didn’t have the Unix admin background and didn’t know that these sort of credentials exist. And it wasn’t described in books. It still isn’t described in most books on identity and access management. They talk about passwords and two-factor authentications, they talk about single sign-on, but they don’t talk about SSH keys.

I think that’s the big educational thing. Therefore, because they didn’t know it, it wasn’t written in the policies. And OpenSSH in default configuration allows any user who logs into an account [to] configure additional credentials for that account — additional permanent credentials. It’s the only credential that, typically, users are able to provision themselves.

Now, you can configure it to lock down those keys so that only the root of an automated system can install keys. But, by default, anybody can install new credentials. Therefore, sys admins [system administrators] install them for convenience, or they install them whenever they needed to transfer data between two information systems.

And, in most cases, it was done with good purposes, but it turned out that in that bank, 90% of those 3 million keys were never used. We monitored the environment for years. And 90% of them were never used. Think of usernames and passwords that were provisioned to somebody, then that person left and went to do something else and nobody ever removed the keys.

Ylonen: Yes. One of our presales guys went to a healthcare organization recently that he consulted for 10 years ago and tried [an] old key. And it still worked. So, that’s where we are. So, now, almost all large enterprises find themselves in a situation where they have hundreds of thousands, even millions of credentials that grant access to their servers. They have little visibility into where that access goes to and the sort of the connections in that access, who has those keys and who’s been able to obtain those keys over the years. Yet, their systems are entirely dependent on the access and automation implemented due to these keys.

In that bank, there were about 5 million daily SSH logins, mostly automated using SSH keys. They would kick off back-end operations on other servers, like log data transfers, transaction batch transfers, configuration file transfers, data file transfers like pricing data and those sorts of things. They basically closed doors if a key was removed.
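As an added example (not SSH Communications Security's tooling and not code from the interview), the script below reproduces the two findings Ylonen describes on a constructed inventory: keys that land on the root account, and keys that never appear in sshd's "Accepted publickey" log over the monitored window. It assumes OpenSSH's default log line format with SHA256 fingerprints and plain authorized_keys lines without key options; the accounts, key blobs and log lines are constructed.

```python
import base64
import hashlib
import re

# Constructed sample inventory: authorized_keys lines per account, as collected
# from a fleet. Blobs are dummy bytes, not real keys; sshd would reject them.
AUTHORIZED_KEYS = {
    "root": ["ssh-rsa " + base64.b64encode(b"root-key-1").decode() + " oracle-monitoring"],
    "oracle": [
        "ssh-rsa " + base64.b64encode(b"oracle-key-1").decode() + " dba-laptop",
        "ssh-ed25519 " + base64.b64encode(b"oracle-key-2").decode() + " old-batch-job",
    ],
    "backup": ["ssh-rsa " + base64.b64encode(b"backup-key-1").decode() + " dr-copy"],
}

# OpenSSH success line: "Accepted publickey for <user> from <ip> port <n> ssh2: <type> SHA256:<fp>"
ACCEPTED_RE = re.compile(r"Accepted publickey for (\S+) from .* (SHA256:\S+)")


def fingerprint(key_line):
    """SHA256 fingerprint as sshd logs it: base64(sha256(key blob)) without '=' padding.
    Assumes a plain 'type blob comment' line with no leading key options."""
    blob = key_line.split(None, 2)[1]
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def seen_fingerprints(log_lines):
    """(account, fingerprint) pairs that actually logged in during the monitored window."""
    return {(m.group(1), m.group(2)) for m in map(ACCEPTED_RE.search, log_lines) if m}


def audit(keys_by_account, log_lines):
    """Flag keys that land on root and keys never used in the monitored window."""
    used = seen_fingerprints(log_lines)
    report = {"root_access": [], "unused": []}
    for account, lines in keys_by_account.items():
        for line in lines:
            parts = line.split(None, 2)
            comment = parts[2] if len(parts) > 2 else ""
            if account == "root":
                report["root_access"].append(comment)
            if (account, fingerprint(line)) not in used:
                report["unused"].append((account, comment))
    return report


# Constructed sshd log for the window: two keys logged in; the password failure is noise.
SAMPLE_LOG = [
    "Jan 10 03:00:01 db01 sshd[2231]: Accepted publickey for root from 10.1.2.3 port 50122 ssh2: RSA " + fingerprint(AUTHORIZED_KEYS["root"][0]),
    "Jan 10 03:05:11 db01 sshd[2240]: Accepted publickey for oracle from 10.1.2.9 port 50130 ssh2: RSA " + fingerprint(AUTHORIZED_KEYS["oracle"][0]),
    "Jan 10 03:06:00 db01 sshd[2251]: Failed password for invalid user admin from 203.0.113.7 port 4400 ssh2",
]
```

On a real fleet the inventory comes from every account's authorized_keys file and the log window should span the longest legitimate job cycle (quarterly batches, disaster recovery drills) before a key is treated as dead.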
