A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.
The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.
“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.
Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.
“It would take days, perhaps only hours,” to write such a virus, he said.
What’s more, the same security vulnerabilities plague the U.S. government’s classified networks, say the contractors who build them.
“I would venture to say that there is a very similar situation [in classified networks] to the one in the commercial space,” said Don Fergus, a senior vice president at Patriot Technologies Inc., an information technology and security firm in Frederick, Md.
Mr. Ylonen said encryption methods’ vulnerabilities prevent companies from honestly passing an audit for compliance with U.S. cybersecurity standards for government or the private sector.
He said that all of the “major audit protocols” for federal financial regulations and cybersecurity require that network managers know who can access their systems.
About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.
A key problem
Since Mr. Ylonen invented SSH in 1995, it has become the gold standard for encryption and secure computing systems.
SSH scrambles data so it can be unlocked and understood only with the use of a special code — a string of numbers and letters about five lines long called a key.
When computers need to communicate with each other securely over the Internet or other networks, for instance from one bank office to another, SSH creates a key that scrambles and unscrambles the data.
SSH is used “deep inside the back-end systems” Mr. Ylonen said, referring to programs that run in the background on large computer systems, unnoticed by the average user.
Without careful monitoring and management, SSH users go on creating keys, often storing them in easily identifiable directories where hackers can find and use them to access secure computers.
For example, one major bank that Mr. Ylonen’s company audited had used SSH in more than 5,000 applications on as many as 100,000 servers.
He said the auditors found in “a fraction of the bank’s environment” more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level.
“The deeper we dig, the more we find,” Mr. Ylonen said of the audits that the company is undertaking of major users of SSH.
It is not just in the private sector where hackers could use the keys for illicit purposes.
SSH is “the de rigueur method” for encryption in classified computer systems used by the U.S. government, Mr. Fergus said.
“One of the biggest challenges the federal agencies face [in encryption] is key management,” he said.
Mr. Fergus noted that federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys.
“There’s nothing in the standards or the protocols,” he said.
As a teenager in the 1990s, Sean M. Bodmer hacked government computers and was arrested by the FBI. Today, he is a top researcher at the computer security firm CounterTack, based in Waltham, Mass.
“It’s quite horrific what access you can get with an SSH key,” Mr. Bodmer told The Times.
Mr. Bodmer described how a hacker could use abandoned keys to move through a supposedly secure computer network by hopping from server to server.
“It’s a domino effect” security breach, he said.
Mr. Ylonen said that neither the government nor the private sector has come to realize the danger of having unaccounted-for keys fall into the wrong hands.
The theft by hackers, or even disgruntled insiders, of SSH keys can create a crisis of trust for a company, Mr. Ylonen said.
“No company that we know of systematically changes or deletes these keys,” he said. Unless companies employ “a rigorous policy to manage the production and storage of keys, how can they know who has access to their secure systems, as required by federal audit standards?”
A company unable to be certain about who can access its secure systems would be in violation of federal regulations governing finances, information security and privacy, Mr. Ylonen said.
He said the problem does not lie in the SSH encryption method itself.
“It’s a problem with the implementation,” he said, adding that unaccounted-for keys are results of “sloppy” information technology management.
Nonetheless, he acknowledged that he feels “a moral responsibility,” which is why he came out of retirement to offer a solution to the problem that poor management of his invention has created.
Mr. Ylonen retired in 2005, and for seven years was not an employee of the company he founded, although he remained a director.
“I decided I had to come back to do this,” he said.