Dormant, unsecured SSH keys leave enterprises widely exposed to attack
Organizations must oversee, manage protocol used to link servers or risk major breach
By Byron Acohido, ThirdCertainty
A nightmarish new exposure affecting virtually all major networks is just beginning to get the attention of the security community.
It involves a fundamental networking protocol—Secure Shell, or SSH. Invented in 1995 by a Finnish programmer named Tatu Ylönen, SSH is an encrypting routine that enables one software application to securely connect and transfer data to the next. Currently, Ylönen is CEO of SSH Communications Security, which develops advanced security solutions that enable, monitor and manage encrypted networks.
Because SSH derives from the open-source coding community and is thus license-free, it got baked deep into the plumbing that enables digital systems to interconnect.
The problem is no one has ever stepped forward to establish procedures for monitoring and managing something called SSH keys, essentially the passwords enabling all those automated connections.
Astoundingly, most big organizations have lost track of millions of SSH keys created in the early iterations of business networks—keys that still exist in a functional state but lie dormant in their respective networks.
This means all a malicious actor—be it an untrustworthy insider or an off-premises hacker—needs to do is wrangle possession of just one SSH key to wreak havoc.
ThirdCertainty recently sat down with Ylönen to drill down on this new attack vector. The text has been edited for clarity and length.
Third Certainty: How widespread is this exposure?
Ylönen: It’s everywhere. It’s in every data center. It’s in every significant company. SSH is used for managing networks and servers. It’s inside systems management applications. There is an authentication mechanism that’s not widely known that is used extremely widely, called SSH keys. And that, I think, is the main topic today.
3C: And the problem is?
Ylönen: SSH keys automatically gain secure access. You don’t need to have a person type in a password. Because of that convenience, this is extremely widely used within enterprises. We are finding more than 10 times more SSH keys in enterprises than user names and passwords.
3C: So how can a person with malicious intent take advantage?
Ylönen: Old keys that haven’t been used for 10 years can still grant access. They can be used to install back doors that are virtually undetectable. They can also be used to spread an attack all through the enterprise, and even to back up data centers, and possibly scrape data from every server in the organization.
3C: Is there any evidence that bad guys have begun to do that?
Ylönen: There have been multiple instances, both public and confidential. There have been banks that have reported compromises to the police; typically these aren’t made public. We haven’t yet seen a Fortune 500 company taken down using these keys. My biggest worry is that that could happen.
3C: It’s like there is a layer of high-access accounts just lying in the weeds throughout corporate networks.
Ylönen: We worked with one Wall Street bank for three years, going through 500 of their critical business applications on 15,000 servers. We found 3 million SSH keys in that environment. So they had about 15 times as many keys as they had people. And 90 percent of these keys were never used. Ten percent, 300,000 keys, granted root access that allowed doing anything on those servers.
3C: Just lying there not being used?
Ylönen: They didn’t even know how many they had. And all it takes is one key to get into a server, to steal data or modify data. Imagine a bank where somebody goes in and modifies the account balances in a database.
3C: That’s pretty scary access.
Ylönen: That’s the kind of access that these keys often provide. We’ve seen many cases where Oracle system administrators have access from their personal accounts into the database accounts using these keys—totally bypassing all controls, getting direct access to the database, bypassing all security mechanisms.
3C: At this point in time, what is the awareness level?
Ylönen: Many finance organizations have already done something. In other verticals, awareness is still low. Auditors are becoming more aware of this and are starting to recognize that you cannot ignore 90 percent of access credentials. Identity and access management professionals are slowly starting to be aware of this. But awareness is still fairly limited.
3C: What about the awareness level among the criminal elite?
Ylönen: There have been well-publicized cases where hackers have, for instance, purchased SSH keys to gain access to organizations to steal digital currencies or to steal information or to be able to infiltrate and do whatever they want to do, whether it’s for cyber warfare or information stealing or for extortion or other purposes.
3C: Sounds like a nightmare scenario.
Ylönen: It is a major risk. I just hope that we don’t see a Fortune 500 company taken down for months using this. It could happen. So far, I’m glad it hasn’t. But it is a massive risk. It’s a systemic risk to the financial system, to retail, to logistics, and even to government operations. It pretty much affects every vertical, every organization that’s dependent on its information systems.
3C: Is this another example of open-source protocols coming back to haunt us, like Heartbleed and Shellshock?
Related video: Heartbleed bug proves difficult to squash
Ylönen: No, it differs from those. This is not a bug. It’s not a vulnerability. It’s lack of management, lack of oversight, and lack of processes. Properly configured, properly managed, SSH is perfectly safe and extremely helpful to organizations. But there has to be proper management of key-based access.
More stories related to emerging best practices:
Data security best practices should begin with federal government
Proxy servers tapped as gatekeepers to protect security and privacy
Be selective about what data you store and access from the cloud