Backdoor SSH Root Key Snafus Much More Common Than You Think
It appears that a hard-coded Secure Shell private key has created a bit of a kerfuffle for folks running Cisco's VoIP manager. This one made the headlines, but because the affected system was identified and the scope limited to a single product line, remediation steps can be undertaken quickly and the impact minimized. Now imagine an entire data center with unknown or misplaced private keys floating about. That is more common than you think, and the risk is far greater, because the problem is not confined to a single product: every server in your environment is affected.
We work with a large share of F500 organizations and they all have the same key management problem. They just don't make the headlines, because nothing bad enough has happened that they are required to disclose it... yet.
In one case we found more than 1.5 million keys in a roughly 15,000-server environment. Ten percent of them granted a high level of administrative access, some as high as root. There were more keys than employees, and who knows how many copies were floating around on personal laptops or in email threads.
Often these keys were facilitating critical financial transactions and carrying sensitive payloads, such as credit card information, and in many cases a single private key was being used across a number of different processes and systems. Keep in mind that the vast majority of major enterprises have this exact same problem; that gives you an idea of the size and scope of the situation.
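The sweep behind numbers like those is, at bottom, an inventory of every authorized_keys file across the estate: parse each entry, fingerprint the key, note which account it lands in, and record where else the same key appears. The script below is an added example written for this page, not a tool from the original post or from the white paper it mentions. The host names, account names and key blobs are constructed (the blobs are syntactically valid ssh-ed25519 blobs whose payload is a hash, not real key material), and the fingerprint format matches what ssh-keygen -lf prints. The privileged_accounts parameter and the 10-minutes-per-key rotation estimate are assumptions taken from the post's own figures.

```python
"""Constructed example: an authorized_keys inventory of the kind behind the
numbers above. Fingerprints match what `ssh-keygen -lf` prints."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fingerprint(b64_blob):
    """SHA256 fingerprint in ssh-keygen's format (base64 without '=' padding)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _split_outside_quotes(text, is_sep):
    """Split on separator characters that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif is_sep(ch) and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def parse_authorized_line(line):
    """Return (option_names, keytype, blob, comment), or None for blank/comment/garbage.

    The options field is optional and may hold quoted values containing spaces and
    commas, e.g. command="/usr/bin/rsync --server", so a plain split() is wrong.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_outside_quotes(line, str.isspace)
    options, rest = ("", fields) if fields[0] in KEY_TYPES else (fields[0], fields[1:])
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        return None
    names = {o.split("=", 1)[0] for o in _split_outside_quotes(options, lambda c: c == ",")}
    return names, rest[0], rest[1], " ".join(rest[2:])


def inventory(files, privileged_accounts=("root",)):
    """files: iterable of (host, account, authorized_keys text).

    Reports what the sweep described above looks for: total entries, distinct keys,
    keys landing in privileged accounts (assumed: root only), keys reused across
    host/account pairs, and privileged keys with no command= or from= restriction.
    """
    entries, locations = 0, defaultdict(set)
    privileged, unrestricted = set(), set()
    for host, account, text in files:
        for line in text.splitlines():
            parsed = parse_authorized_line(line)
            if parsed is None:
                continue
            names, _keytype, blob, _comment = parsed
            fp = fingerprint(blob)
            entries += 1
            locations[fp].add((host, account))
            if account in privileged_accounts:
                privileged.add(fp)
            if not names & {"command", "from"}:
                unrestricted.add(fp)
    return {
        "entries": entries,
        "distinct_keys": len(locations),
        "privileged_keys": privileged,
        "reused_keys": {fp for fp, locs in locations.items() if len(locs) > 1},
        "unrestricted_privileged": privileged & unrestricted,
    }


def rotation_hours(key_count, minutes_per_key=10):
    """Person-hours to rotate key_count keys at minutes_per_key each (the post's assumption)."""
    return key_count * minutes_per_key / 60


def _blob(material):
    """Constructed ssh-ed25519 public key blob: length-prefixed type + 32-byte payload.
    Syntactically valid, but the payload is a hash, not a real key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(material)).decode()


KEY_DEPLOY = _blob(hashlib.sha256(b"deploy-bot").digest())
KEY_ALICE = _blob(hashlib.sha256(b"alice-laptop").digest())
KEY_BACKUP = _blob(hashlib.sha256(b"backup").digest())

# Constructed sample: (host, account, authorized_keys contents) from a pretend sweep.
SAMPLE_FILES = [
    ("db01", "root", f"ssh-ed25519 {KEY_DEPLOY} deploy-bot\nssh-ed25519 {KEY_ALICE} alice@laptop\n"),
    ("db02", "root", f"ssh-ed25519 {KEY_DEPLOY} deploy-bot\n"),
    ("app01", "deploy",
     f'command="/usr/bin/rsync --server --sender . /srv",no-pty,from="10.0.0.5" '
     f"ssh-ed25519 {KEY_BACKUP} backup\n# legacy entry nobody owns\nssh-ed25519 {KEY_DEPLOY} deploy-bot\n"),
    ("app01", "alice", f"ssh-ed25519 {KEY_ALICE} alice@laptop\n"),
]

if __name__ == "__main__":
    for key, value in inventory(SAMPLE_FILES).items():
        print(f"{key}: {value}")
    print(f"rotating 1,000,000 keys at 10 min each: {rotation_hours(1_000_000):,.0f} person-hours")
```

On a real estate you would feed inventory() the authorized_keys files collected from every host (and every account, not just the interactive ones), widen privileged_accounts to cover sudo-capable service accounts, and treat the keys it lists under unrestricted_privileged and reused_keys as the first rotation targets: a key that sits unrestricted in root on several hosts is exactly the single compromise that takes the whole environment with it.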
Here is a link to our white paper on Secure Shell key remediation. It's a good read, and once you understand the risks associated with a single compromised Secure Shell private key (as in the case reported this week), imagine the same thing happening on a much wider scale, such as in your own data center. Imagine the time and money it would take to manually rotate one million keys to get an environment back to a secure state. I'll do the math on this one: at 10 minutes per key for setup and deployment, that is 10,000,000 minutes, or roughly 166,667 person-hours. That is a long time to have critical systems in a vulnerable state.
The message is simple: you probably have a problem. The good news is that there is a solution. Don't wait to become a headline. Try to create some urgency around the issue. A good place to start is a risk assessment, and as it happens, here is a free tool you can use to get started.