Glitch imperils swath of encrypted records
Data destruction easy, inventor warns
A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.
The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.
“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.
“It would take days, perhaps only hours,” to write such a virus, he said.
What’s more, the same security vulnerabilities plague the U.S. government’s classified networks, say the contractors who build them.
“I would venture to say that there is a very similar situation [in classified networks] to the one in the commercial space,” said Don Fergus, a senior vice president at Patriot Technologies Inc., an information technology and security firm in Frederick, Md.
Mr. Ylonen said encryption methods’ vulnerabilities prevent companies from honestly passing an audit for compliance with U.S. cybersecurity standards for government or the private sector.
He said that all of the “major audit protocols” for federal financial regulations and cybersecurity require that network managers know who can access their systems.
About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.
A key problem
SSH scrambles data so it can be unlocked and understood only with the use of a special code — a string of numbers and letters about five lines long called a key.
When computers need to communicate with each other securely over the Internet or other networks, for instance from one bank office to another, SSH creates a key that scrambles and unscrambles the data.
Without careful monitoring and management, SSH users go on creating keys, often storing them in easily identifiable directories where hackers can find and use them to access secure computers.
He said the auditors found in “a fraction of the bank’s environment” more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level.
It is not just in the private sector where hackers could use the keys for illicit purposes.
“One of the biggest challenges the federal agencies face [in encryption] is key management,” he said.
Mr. Fergus noted that federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys.
“There’s nothing in the standards or the protocols,” he said.
As a teenager in the 1990s, Sean M. Bodmer hacked government computers and was arrested by the FBI. Today, he is a top researcher at the computer security firm CounterTack, based in Waltham, Mass.
“It’s quite horrific what access you can get with an SSH key,” Mr. Bodmer told The Times.
Mr. Bodmer described how a hacker could use abandoned keys to move through a supposedly secure computer network by hopping from server to server.
“It’s a domino effect” security breach, he said.
“No company that we know of systematically changes or deletes these keys,” he said. Unless companies employ “a rigorous policy to manage the production and storage of keys, how can they know who has access to their secure systems, as required by federal audit standards?”
A company unable to be certain about who can access its secure systems would be in violation of federal regulations governing finances, information security and privacy, Mr. Ylonen said.
He said the problem does not lie in the SSH encryption method itself.
“It’s a problem with the implementation,” he said, adding that unaccounted-for keys are results of “sloppy” information technology management.
Nonetheless, he acknowledged that he feels “a moral responsibility,” which is why he came out of retirement to offer a solution to the problem that poor management of his invention has created.
Mr. Ylonen retired in 2005, and for seven years was not an employee of the company he founded, although he remained a director.
“I decided I had to come back to do this,” he said.
© Copyright 2014 The Washington Times, LLC.
About the Author
Shaun Waterman is an award-winning reporter for The Washington Times, covering foreign affairs, defense and cybersecurity. He was a senior editor and correspondent for United Press International for nearly a decade, and has covered the Department of Homeland Security since 2003. His reporting on the Sept. 11 Commission and the tortuous process by which some of its recommendations finally became ...