SSH Blog


Dec 8 2014

Cooler Heads Will Prevail

When thinking of IT security trends, I don’t think I would be on the wrong track if I dubbed the year 2014 “The Year of Open Source Vulnerability”. In the same vein, the past couple of years could be called “The Year of Snowden” and “The Year of Multiple Web Site Breaches which Resulted in Millions of Stolen Credit Card Numbers”, in no particular…


Nov 27 2014

Do You Fulfill Hong Kong Monetary Authority’s General Principles for Technology Risk Management?

The commencement of Shanghai-Hong Kong Stock Connect represents not only increasing cross-border trading, but also continuously growing data exchange between financial institutions such as stock exchange authorities, banks, and brokerage firms.

The machine-to-machine (M2M) transactions that power the automation of critical business operations and data transfers are typically protected with some form of data-in-transit…


Nov 11 2014

A Video Is Worth a Million Words

It is a well-known fact that system administrators with root-level privileges have wider access to a company’s critical information assets than its C-level executives. With great power comes great responsibility, and most people will also act responsibly. But as an information security officer, would you trust this power and responsibility to someone you cannot identify or whose actions you cannot verify…


Oct 27 2014

[Infographic] 4 Steps to Secure Shell Key Management Bliss

Secure Shell is an essential component in the day-to-day functions for many IT professionals. In fact, a recent Forrester study found 82% of organizations use Secure Shell and 68% consider Secure Shell important or critical to their business.

While most enterprises use Secure Shell to run and maintain essential business processes, few have ever examined their deployment process of Secure Shell. Secure Shell keys are often created without any oversight or management, and the elevated privileges that accompany Secure Shell keys mean there is a higher risk for data breaches and compliance…


Oct 7 2014

Potential Pitfalls of MAS TRM Guidelines

The Monetary Authority of Singapore (MAS) revised its Technology Risk Management Guidelines (TRM) in June 2013. Financial Institutions (FI) operating in Singapore have since been reviewing the guidelines against their own security procedures and infrastructures, to determine necessary enhancements to match the new requirements. While the guidelines are not legally binding, MAS uses them when performing risk assessments of the…


Oct 1 2014

Heartbleed and Shellshock – Different Vulnerabilities, Same Lesson

Just last month we hosted a webinar called “Heartbleed – You Stopped the Bleeding but Did You Fix the Problem?”. Heartbleed allows an attacker to retrieve the contents of memory from vulnerable servers. As a result, any private credentials that might have been resident in memory can no longer be considered private. That is why many enterprises and public-facing web services advised their users to change their…


Sep 7 2014

Elliptic Curves and More: Universal SSH Key Manager Version 1.3.3

The latest version of Universal SSH Key Manager brings an important update: support for elliptic curve cryptography (ECC) keys. If you’re not familiar with ECC, suffice it to say that it’s an approach to public-key cryptography based on elliptic curves which is said to provide the same level of security as traditional RSA or DSA but with smaller key sizes while also using faster and lighter…


Aug 20 2014

Heads Up for Federal CISOs and CIOs: NIST Publishes Guidelines for SSH Key Management

For those of us who follow the activities of NIST, yesterday marked the arrival of a remarkable document with a characteristically bland NIST-style title: “Security of Automated Access Management Using Secure Shell”. The release of this report (NIST Interagency Report 7966) has great significance for organizations that use Secure Shell – which is just about every medium to large enterprise, most government agencies and many large non-profits. So what is…


Aug 18 2014

Black Blob of Death Threatens Data Center Security

Researchers at SSH Communications Security recently uncovered a serious security vulnerability that impacts data centers in the vast majority of banks and financial institutions. Okay, so admittedly, it almost sounds like a story from The Onion or some made-up news by a bored blogger. But this really isn’t a satirical post about the over-hyping of security issues or fake news. The Black Blob of Death is…


Aug 1 2014

With “Backoff” POS Malware, Attackers Use Your Security Tools Against You

Yesterday the US Department of Homeland Security issued a warning to US businesses against a new POS malware attack called “Backoff”. The attackers are targeting common remote access systems like Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop, Pulseway and join.me. To make matters worse, this little bug is difficult for anti-virus software to…


Jul 23 2014

Snowden Calls On Employees To Leak Company Secrets

During the Hackers On Planet Earth (HOPE) conference, Edward Snowden and Daniel Ellsberg called on insiders (employees) to spill corporate and government secrets. Snowden is calling for the development of encryption and obfuscation tools to make this easier. The goal is to anonymously expose malfeasance without any repercussions. They believe that people should be able to do this without paying any price and without being held accountable. Superficially this all sounds like a good idea, but who gets to decide what should be leaked or stolen and what constitutes improper behavior? What else could be leaked or…


Jul 15 2014

Now Distributed People Can Stop Complaining About z/OS

Many companies have a mix of distributed platforms and mainframes (z/OS) in their environment. Most distributed users do not understand z/OS too well and don’t want to, but they still have to deal with it. This is a frustrating reality for distributed and z/OS users alike. That is, until now!

We have come up with a solution for this type of problem based on customer feedback. Distributed and mainframe users can now securely submit JCL jobs to z/OS by simply executing a put command from any distributed or z/OS platform. As requested, the distributed user does not need to know anything about z/OS to do this. Your z/OS system programmer can write some reusable JCL jobs for your distributed users to use, maybe with some easy-to-change parameters. Then any distributed user can submit a job from any platform or client without ever logging into a z/OS…
