- The Washington Times - Tuesday, December 25, 2012

A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.

The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.

“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.

Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.

“It would take days, perhaps only hours,” to write such a virus, he said.

What’s more, the same security vulnerabilities plague the U.S. government’s classified networks, say the contractors who build them.

“I would venture to say that there is a very similar situation [in classified networks] to the one in the commercial space,” said Don Fergus, a senior vice president at Patriot Technologies Inc., an information technology and security firm in Frederick, Md.

Mr. Ylonen said encryption methods’ vulnerabilities prevent companies from honestly passing an audit for compliance with U.S. cybersecurity standards for government or the private sector.

He said that all of the “major audit protocols” for federal financial regulations and cybersecurity require that network managers know who can access their systems.

About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.

A key problem

Since Mr. Ylonen invented SSH in 1995, it has become the gold standard for encryption and secure computing systems.

SSH scrambles data so it can be unlocked and understood only with the use of a special code — a string of numbers and letters about five lines long called a key.

When computers need to communicate with each other securely over the Internet or other networks, for instance from one bank office to another, SSH creates a key that scrambles and unscrambles the data.

SSH is used “deep inside the back-end systems” Mr. Ylonen said, referring to programs that run in the background on large computer systems, unnoticed by the average user.

Story Continues →