News

Grants of Free SSH® Secure ShellTM 2.1 Provided to over Two Million Users at U.S. Universities and Awards for Individuals to Help Reduce Threat of DoS Attacks

On Jan. 10, 2000, 60,000 subscribers of Pacific Bell Internet were told to change their passwords or have their accounts blocked because hackers gained access to those passwords and account names. One of the hackers was arrested and charged with a felony of unlawful access and grand theft because he had used a stolen account and password to break into other systems and close down another Internet provider. The Pacific Bell story was highlighted by the San Francisco Chronicle. However, what was not reported was that similar thefts of passwords and accounts are an everyday event at universities throughout the country and have, surprisingly often, led to damaging and embarrassing break-ins at commercial and government sites, including those of Department of Defense research facilities.

On March 1, 2000, SSH Communications Security (SSH) and the SANS Institute will move to eliminate a cause of a large percentage of password thefts - the use of clear-text password transmission - at unprotected university sites. SSH and SANS have granted every accredited university in the United States an unlimited, no-cost license for use of encryption software that eliminates clear-text transmission and provides encrypted file transfer. SSH and SANS also announced a competition for financial grants to universities that will serve as centers of excellence to help other universities make effective and immediate use of the new technology.

According to Steve Acheson, SANS' universal SSH program manager, "Unprotected Internet use by universities is one of the least understood and most problematic threats to electronic commerce. University computers have enormous processing power and high bandwidth Internet connections. Once these systems are compromised, they are perfect weapons for hackers to use in attacking companies and government agencies. The real beneficiary of this gift is the Internet community. Each time a university makes its computers safer, the threat of denial of service and other attacks drops. SANS is enormously grateful to SSH for providing SSH Secure Shell 2.1 for such an important need."

The encryption software is based on SSH2, the second generation of the Secure Shell standard, a secure login program developed by SSH Communications Security Ltd. for protecting confidential data across networks. Secure Shell establishes an encrypted connection between two systems, bringing strong security to such networks. Once launched, the program transparently provides strong authentication and secure communications over unsecure channels.

Secure Shell is used in thousands of commercial organizations, particularly where system administrators need to access their computers remotely. The openness of university systems and networks, on the other hand, combined with high-bandwidth access to the Internet, makes Secure Shell protection essential on nearly every staff, faculty and student account. Unlike commercial organizations, universities have fewer financial resources to invest in this level of security. The universal Secure Shell grant removes these financial barriers and promotes the widespread adoption of Secure Shell at universities.

"We are pleased to share our technology to help eliminate the possibilities of hacking into university networks," said George Adams, president and CEO of SSH, Inc. "Protecting communications while blocking misuse, vandalism and theft of valuable information will help the university community and the development of a secure Internet for us all."

To obtain the software, universities simply register at the SSH site at www.ssh.com where they can download both the server and client versions of Secure Shell. Many universities are expected to embed the client software on CDs to distribute to students, faculty and staff this fall, rendering the use of encryption transparent to students and other users. SANS will encourage the widespread adoption of Secure Shell technology by offering awards of $5,000 to university faculty, staff and students who develop innovative tools for automated installation, distribution and management, as well as to those who share the techniques with other universities. Other awards will be made to individuals who demonstrate effective methods of overcoming the natural political and technical barriers to Secure Shell implementation. Details on the awards program will be announced this March at the SANS2000 Conference in Orlando, where more than 200 university security administrators are expected to gather.

This announcement was made possible, in part, by eight months of work by technical representatives of 13 leading universities, including: the University of North Carolina, Georgia Tech, the University of Virginia, RPI, UC Davis, Northeastern, the University of Wisconsin, UC Irvine, Harvard, the University of Minnesota, Carnegie Mellon, UC Berkeley, and Swarthmore. With the administrative assistance of SANS, these volunteers polled 134 other universities to determine what capabilities were needed in an encryption tool. Not surprisingly for universities, the tool had to be free.

About the SANS Institute

The SANS Institute is a cooperative research and education organization through which 91,000 security, system, and network professionals share the challenges they are facing and jointly develop solutions. SANS conducts graduate-level education in advanced security topics ranging from Intrusion Detection to Windows2000 Security to Firewalls and Perimeter Protection. SANS also provides the information technology community with weekly digests of major security developments. SANS established the Global Incident Analysis Center (GIAC) and is the home of the international security skills certification program (the GIAC Training and Certification Program) through which advanced security technologists can learn and demonstrate mastery of important security skills. Please visit SANS at www.sans.org.

© 2002 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.