Glitch imperils swath of encrypted records
Data destruction easy, inventor warns
A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.
The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.
“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.
“It would take days, perhaps only hours,” to write such a virus, he said.
What’s more, the same security vulnerabilities plague the U.S. government’s classified networks, say the contractors who build them.
“I would venture to say that there is a very similar situation [in classified networks] to the one in the commercial space,” said Don Fergus, a senior vice president at Patriot Technologies Inc., an information technology and security firm in Frederick, Md.
Mr. Ylonen said encryption methods’ vulnerabilities prevent companies from honestly passing an audit for compliance with U.S. cybersecurity standards for government or the private sector.
He said that all of the “major audit protocols” for federal financial regulations and cybersecurity require that network managers know who can access their systems.
About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.
A key problem
SSH scrambles data so it can be unlocked and understood only with the use of a special code — a string of numbers and letters about five lines long called a key.
When computers need to communicate with each other securely over the Internet or other networks, for instance from one bank office to another, SSH creates a key that scrambles and unscrambles the data.
Without careful monitoring and management, SSH users go on creating keys, often storing them in easily identifiable directories where hackers can find and use them to access secure computers.
He said the auditors found in “a fraction of the bank’s environment” more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level.
It is not just in the private sector where hackers could use the keys for illicit purposes.
“One of the biggest challenges the federal agencies face [in encryption] is key management,” he said.
Mr. Fergus noted that federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys.
“There’s nothing in the standards or the protocols,” he said.
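The inventory check the article describes auditors doing (counting unaccounted-for keys and which of them grant root) can be automated. The following is an added example, not code from the article or from SSH Communications Security: it parses OpenSSH `authorized_keys` lines, derives each key's SHA256 fingerprint the way `ssh-keygen -l` does, and flags keys that grant root login, carry no `from=`/`command=` restrictions, or are missing from a known-key inventory. The file paths and key blobs are constructed, and "grants root login" is inferred simply from the file living under `/root`.

```python
import base64
import hashlib
import shlex
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
def fake_blob(label):
    # Constructed stand-in for a public-key blob; not real key material.
    return base64.b64encode(b"constructed-" + label).decode()
# Constructed sample files (paths and contents made up for this example).
SAMPLE_FILES = {
    "/root/.ssh/authorized_keys":
        f"ssh-ed25519 {fake_blob(b'old-backup')} backup@old-host\n"
        f'from="10.0.0.5",command="/usr/bin/rsync --server" ssh-rsa {fake_blob(b"rsync")} rsync@backup\n',
    "/home/alice/.ssh/authorized_keys":
        "# keys for alice\n"
        f"ssh-ed25519 {fake_blob(b'alice-key')} alice@laptop\n",
}

def fingerprint(blob_b64):
    # Same form ssh-keygen -l prints: SHA256 of the decoded blob, base64 without padding.
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted option values like command="..." intact
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed line; a real audit would report it rather than skip it
        entries.append({"line": lineno, "options": ",".join(tokens[:idx]), "type": tokens[idx],
                        "fingerprint": fingerprint(tokens[idx + 1]),
                        "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit(files, known_fingerprints=frozenset()):
    # Flag keys that grant root login, carry no restrictions, or are absent from the inventory.
    findings = []
    for path, text in files.items():
        for e in parse_authorized_keys(text):
            checks = [("grants root login", path.startswith("/root/")),
                      ("no source-host restriction", "from=" not in e["options"]),
                      ("unrestricted shell", "command=" not in e["options"]),
                      ("not in key inventory", e["fingerprint"] not in known_fingerprints)]
            flags = [name for name, hit in checks if hit]
            if flags:
                findings.append((path, e["line"], e["fingerprint"], e["comment"], flags))
    return findings
```

Running `audit(SAMPLE_FILES, known_fingerprints={fingerprint(fake_blob(b"alice-key"))})` reports the forgotten `backup@old-host` key in root's file with every flag set, while the restricted rsync key is flagged only for root login and inventory.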
As a teenager in the 1990s, Sean M. Bodmer hacked government computers and was arrested by the FBI. Today, he is a top researcher at the computer security firm CounterTack, based in Waltham, Mass.
“It’s quite horrific what access you can get with an SSH key,” Mr. Bodmer told The Times.
Mr. Bodmer described how a hacker could use abandoned keys to move through a supposedly secure computer network by hopping from server to server.
“It’s a domino effect” security breach, he said.
“No company that we know of systematically changes or deletes these keys,” he said. Unless companies employ “a rigorous policy to manage the production and storage of keys, how can they know who has access to their secure systems, as required by federal audit standards?”
A company unable to be certain about who can access its secure systems would be in violation of federal regulations governing finances, information security and privacy, Mr. Ylonen said.
He said the problem does not lie in the SSH encryption method itself.
“It’s a problem with the implementation,” he said, adding that unaccounted-for keys are results of “sloppy” information technology management.
Nonetheless, he acknowledged that he feels “a moral responsibility,” which is why he came out of retirement to offer a solution to the problem that poor management of his invention has created.
Mr. Ylonen retired in 2005, and for seven years was not an employee of the company he founded, although he remained a director.
“I decided I had to come back to do this,” he said.
© Copyright 2014 The Washington Times, LLC.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...