Dormant, unsecured SSH keys leave enterprises widely exposed to attack

Organizations must oversee and manage the protocol used to link their servers, or risk a major breach


A serious exposure affecting virtually all major networks is only now beginning to get the attention of the security community.

It involves a fundamental networking protocol: Secure Shell, or SSH. Invented in 1995 by a Finnish programmer named Tatu Ylönen, SSH provides encrypted, authenticated remote login and data transfer between machines, and it is the standard way administrators and automated jobs reach servers over a network. Ylönen is currently CEO of SSH Communications Security, which develops products that enable, monitor and manage encrypted networks.

Because the dominant implementation, OpenSSH, is open source and freely licensed, SSH got baked deep into the plumbing that lets digital systems interconnect: it ships by default on virtually every Linux and Unix-like server.

The problem is that almost no one has established procedures for monitoring and managing SSH keys: the public/private key pairs that serve as credentials for all those automated, password-less connections. The private key sits on the client; the matching public key is appended to an authorized_keys file on every server it may log in to, and sshd keeps honoring that entry until someone removes it.

Astoundingly, most big organizations have lost track of millions of SSH keys created in the early iterations of their business networks. Ordinary SSH keys carry no expiry date and are not covered by password-rotation policies, so keys that still exist in a fully functional state lie dormant in their respective networks.

This means all a malicious actor, whether an untrustworthy insider or an off-premises hacker, needs to do is obtain a single private key whose public half is still listed in an authorized_keys file somewhere, and use it to wreak havoc.

ThirdCertainty recently sat down with Ylönen to drill down on this attack vector. The text has been edited for clarity and length.

Third Certainty: How widespread is this exposure?

Tatu Ylönen, SSH Communications Security CEO and SSH protocol creator

Ylönen: It’s everywhere. It’s in every data center. It’s in every significant company. SSH is used for managing networks and servers. It’s inside systems management applications. There is an authentication mechanism that’s not widely known that is used extremely widely, called SSH keys. And that, I think, is the main topic today.

3C: And the problem is?

Ylönen: SSH keys automatically gain secure access. You don’t need to have a person type in a password. Because of that convenience, this is extremely widely used within enterprises. We are finding more than 10 times more SSH keys in enterprises than user names and passwords.

3C: So how can a person with malicious intent take advantage?

Ylönen: Old keys that haven’t been used for 10 years can still grant access. They can be used to install back doors that are virtually undetectable. They can also be used to spread an attack all through the enterprise, and even to back up data centers, and possibly scrape data from every server in the organization.

3C: Is there any evidence that bad guys have begun to do that?

Ylönen: There have been multiple instances, both public and confidential. There have been banks that have reported compromises to the police; typically these aren’t made public. We haven’t yet seen a Fortune 500 company taken down using these keys. My biggest worry is that that could happen.

3C: It’s like there is a layer of high-access accounts just lying in the weeds throughout corporate networks.

Ylönen: We worked with one Wall Street bank for three years, going through 500 of their critical business applications on 15,000 servers. We found 3 million SSH keys in that environment. So they had about 15 times as many keys as they had people. And 90 percent of these keys were never used. Ten percent, 300,000 keys, granted root access that allowed doing anything on those servers.

3C: Just lying there not being used?

Ylönen: They didn’t even know how many they had. And all it takes is one key to get into a server, to steal data or modify data. Imagine a bank where somebody goes in and modifies the account balances in a database.

3C: That’s pretty scary access.

Ylönen: That’s the kind of access that these keys often provide. We’ve seen many cases where Oracle system administrators have access from their personal accounts into the database accounts using these keys—totally bypassing all controls, getting direct access to the database, bypassing all security mechanisms.

3C: At this point in time, what is the awareness level?

Ylönen: Many finance organizations have already done something. In other verticals, awareness is still low. Auditors are becoming more aware of this and are starting to recognize that you cannot ignore 90 percent of access credentials. Identity and access management professionals are slowly starting to be aware of this. But awareness is still fairly limited.

3C: What about the awareness level among the criminal elite?

Ylönen: There have been well-publicized cases where hackers have, for instance, purchased SSH keys to gain access to organizations to steal digital currencies or to steal information or to be able to infiltrate and do whatever they want to do, whether it’s for cyber warfare or information stealing or for extortion or other purposes.

3C: Sounds like a nightmare scenario.

Ylönen: It is a major risk. I just hope that we don’t see a Fortune 500 company taken down for months using this. It could happen. So far, I’m glad it hasn’t. But it is a massive risk. It’s a systemic risk to the financial system, to retail, to logistics, and even to government operations. It pretty much affects every vertical, every organization that’s dependent on its information systems.

3C: Is this another example of open-source protocols coming back to haunt us, like Heartbleed and Shellshock?


Ylönen: No, it differs from those. This is not a bug. It’s not a vulnerability. It’s lack of management, lack of oversight, and lack of processes. Properly configured, properly managed, SSH is perfectly safe and extremely helpful to organizations. But there has to be proper management of key-based access.
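The situation Ylönen describes above, millions of installed keys, most never used and a tenth of them granting root, together with the point made in the introduction that nobody inventories these credentials, comes down to one concrete check: collect every authorized_keys file, fingerprint each key, and compare the result against sshd's own login records. The following Python script is an added example of that check written for this page; it is not code from the article, from ThirdCertainty or from SSH Communications Security. The hosts, accounts, addresses, key blobs and log lines are constructed stand-ins (the blobs use the real ssh-ed25519 wire layout with dummy key material), and the `INVENTORY` mapping stands in for files you would gather from servers by whatever means you already use.

```python
import base64
import hashlib
import re
import struct
from collections import namedtuple

# The hosts, accounts, addresses, keys and log lines below are constructed
# for this example; none of them come from the article.
KeyEntry = namedtuple("KeyEntry", "host account key_type fp options comment")
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def dummy_ed25519_blob(label):
    """Real ssh-ed25519 wire layout (length-prefixed type, 32-byte point) with a dummy point; not a usable key."""
    point = hashlib.sha256(label.encode()).digest()
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return base64.b64encode(raw).decode()

def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -lf and sshd print it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _split_unquoted(s, is_sep, limit=None):
    """Split on separators outside double quotes (sshd quoting, e.g. command="rsync --server")."""
    parts, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if not quoted and is_sep(ch) and (limit is None or len(parts) < limit):
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    return [p for p in parts + ["".join(cur)] if p]

def parse_authorized_keys(host, account, text):
    """Parse '[options] keytype base64 [comment]' lines; sshd reads the first
    field as options only when it is not a key type."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, *rest = _split_unquoted(line, str.isspace, limit=1)
        if head in KEY_TYPES:
            options, body = (), line
        else:
            options = tuple(_split_unquoted(head, ",".__eq__))
            body = rest[0].strip() if rest else ""
        parts = body.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            raise ValueError(f"unparseable line on {host}: {raw!r}")
        comment = parts[2] if len(parts) == 3 else ""
        entries.append(KeyEntry(host, account, parts[0], fingerprint(parts[1]), options, comment))
    return entries

# OpenSSH 6.8 and later log the key fingerprint on every public-key login.
ACCEPT_RE = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: Accepted publickey for "
    r"(?P<user>\S+) from \S+ port \d+ ssh2: \S+ (?P<fp>SHA256:[A-Za-z0-9+/]+)")

def keys_seen_in_log(log_text):
    """{(host, account, fingerprint)} for every successful public-key login."""
    return {(m["host"], m["user"], m["fp"])
            for m in map(ACCEPT_RE.match, log_text.splitlines()) if m}

def audit(entries, seen):
    """Flag each installed key; an empty tuple means nothing to report."""
    findings = {}
    for e in entries:
        flags = []
        if e.account == "root":
            flags.append("root")
        if not any(o.startswith("from=") for o in e.options):
            flags.append("no-source-restriction")
        if not any(o.startswith("command=") or o == "restrict" for o in e.options):
            flags.append("unrestricted-shell")
        if (e.host, e.account, e.fp) not in seen:
            flags.append("unused-in-log-window")
        findings[(e.host, e.account, e.fp)] = tuple(flags)
    return findings

BACKUP_KEY = dummy_ed25519_blob("backup-runner")       # constructed
LEGACY_KEY = dummy_ed25519_blob("legacy-deploy-2009")  # constructed
INVENTORY = {  # (host, account) -> authorized_keys contents, constructed
    ("db01", "oracle"):
        'from="10.1.4.0/24",command="/opt/backup/run.sh --incremental",no-pty '
        f"ssh-ed25519 {BACKUP_KEY} backup@bkp01\nssh-ed25519 {LEGACY_KEY} deploy-2009\n",
    ("db01", "root"): f"# added by migration script, 2009\nssh-ed25519 {LEGACY_KEY} deploy-2009\n",
    ("app07", "root"): f"ssh-ed25519 {LEGACY_KEY} deploy-2009\n",
}
AUTH_LOG = (  # constructed syslog lines in sshd's own format
    "Mar  3 10:14:02 db01 sshd[2113]: Accepted publickey for oracle from 10.1.4.22 "
    f"port 51422 ssh2: ED25519 {fingerprint(BACKUP_KEY)}\n"
    "Mar  3 10:15:09 db01 sshd[2140]: Accepted password for jdoe from 10.1.4.23 port 51431 ssh2\n")

def run_audit():
    entries = [e for (h, a), txt in INVENTORY.items() for e in parse_authorized_keys(h, a, txt)]
    return audit(entries, keys_seen_in_log(AUTH_LOG))
```

Running `run_audit()` on the constructed data reports the backup key on db01 as clean (source-restricted, command-restricted, and seen in the log) and the 2009 deploy key three times: unrestricted and unused under the oracle account, and unrestricted, unused and root-level on both db01 and app07, which is exactly the dormant root key the interview describes. In a real environment you would feed `parse_authorized_keys` the contents of every account's authorized_keys file on every host (plus any file named by `AuthorizedKeysFile` in sshd_config) and `keys_seen_in_log` as much auth-log history as you retain; fingerprints line up because sshd logs the same SHA256 fingerprint that `ssh-keygen -lf` prints. A key flagged unused against one week of logs is not yet proof of dormancy, but one missing from a year of logs, installed for root, with no `from=` or `command=` restriction, is the first thing to remove.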
