Is your Secure Shell Secure Enough?
Should organizations using Secure Shell be worried? Could something similar happen in your network?
SSH1 vs. SSH2
There are two versions of the Secure Shell protocol. The current version, Secure Shell version 2 (SSH2), introduced by SSH Communications Security in 1998, provides several security improvements over the original Secure Shell version 1 (SSH1). SSH Communications Security considers SSH1 (SecSh v1) vulnerable and does not recommend its use. The first step in eliminating vulnerabilities in your Secure Shell environment is to upgrade all SSH1 installations to SSH2.
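As an added illustration (not code from SSH Communications Security or from the article), the following Python audit script classifies servers by the protocol version they advertise in their SSH identification string, so that hosts still offering SSH1, including "1.99" servers that accept both versions, can be found and scheduled for upgrade. Host names and banners below are constructed sample data.

```python
"""Find hosts that still offer SSH1 by parsing SSH identification strings (added example)."""
from __future__ import annotations
import re
import socket

# Identification string format (RFC 4253 section 4.2):
#   "SSH-protoversion-softwareversion [SP comments]" terminated by CR LF
_IDENT_RE = re.compile(r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

def classify_banner(banner: str) -> str:
    """Return 'ssh2', 'ssh1+ssh2', 'ssh1' or 'unknown' for one identification line."""
    m = _IDENT_RE.match(banner.strip())
    if not m:
        return "unknown"
    proto = m.group("proto")
    if proto == "2.0":
        return "ssh2"
    if proto == "1.99":          # SSH2 server that still accepts SSH1 clients
        return "ssh1+ssh2"       # fix is configuration (OpenSSH: "Protocol 2"), not only upgrade
    if proto.startswith("1."):   # 1.3 / 1.5: SSH1-only server, must be replaced
        return "ssh1"
    return "unknown"

def audit(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group host names (sorted) by the protocol category their banner falls into."""
    report: dict[str, list[str]] = {"ssh2": [], "ssh1+ssh2": [], "ssh1": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify_banner(banner)].append(host)
    return report

def hosts_still_offering_ssh1(inventory: dict[str, str]) -> list[str]:
    """Hosts a defender should act on: anything that will still negotiate SSH1."""
    report = audit(inventory)
    return sorted(report["ssh1"] + report["ssh1+ssh2"])

def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read a live server's identification line (the server sends it first). Not used offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):  # RFC 4253 allows other lines before the identification string
            line = f.readline().decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line.strip()
    return ""

# Constructed sample inventory (hypothetical hosts and banners, not real systems).
SAMPLE_INVENTORY = {
    "host-a": "SSH-2.0-OpenSSH_3.9p1\r\n",
    "host-b": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "host-c": "SSH-1.5-1.2.33\r\n",
    "host-d": "HTTP/1.1 200 OK\r\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
    print("still offering SSH1:", hosts_still_offering_ssh1(SAMPLE_INVENTORY))
```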
Security Maintenance Challenge
But it is not just environments running the old SSH1 protocol that may be vulnerable to known exploits capable of causing incidents similar to the one described in The New York Times article.
For example, several vulnerabilities have been discovered over recent years in the widely used open-source implementation of Secure Shell protocol, OpenSSH.
Keeping OpenSSH environments secure requires constantly updating the environment with the latest security patches. However, updating OpenSSH servers involves an extremely laborious and time-consuming process of source-code compilation, testing, installation, and configuration. In large-scale environments this leads to a heavy administrative burden and increased costs. As a result, in times of constrained IT budgets many organizations have been forced to neglect frequent security patches and software updates, leaving them vulnerable.
Even if organizations are willing to go through the costly process of manually maintaining the software on a regular basis, lack of centralized management can still present a risk. The New York Times writes:
"Government investigators and other computer experts watched helplessly while monitoring the activity, unable to secure some systems as quickly as others were found compromised."
Given the increased use of automation and sophistication of attacks, the window of opportunity for reacting to new security threats is becoming smaller. Therefore, centralized, real-time management of security systems is a critical building block in comprehensive enterprise security.
Solution - SSH Tectia
SSH Communications Security, the original developer of the Secure Shell protocol, provides end-to-end communications security solutions specifically for the enterprise. Its SSH Tectia solution has been developed to overcome the security and manageability issues of large-scale Secure Shell environments.
By standardizing on SSH Tectia throughout heterogeneous enterprise networks, including Windows, Unix, Linux, and IBM mainframes, organizations can cost-effectively implement secure practices for maintaining and using Secure Shell.
The key features and benefits of SSH Tectia for ensuring secure operation include:
- Centralized Secure Shell software management enabling real-time updates to a large number of hosts and reducing the window of opportunity for exploits.
- Centralized Secure Shell monitoring allowing fast identification of system anomalies.
- Enterprise-class support and maintenance services, including a 24x7 support option, enabling fast problem resolution.
- FIPS 140-2 certification of cryptographic libraries, serving as proof of a reliable implementation of cryptographic functions.
- The enterprise-proven Secure Shell code of SSH Tectia, based on 10 years of in-depth experience of the original Secure Shell development team and built fully on the secure, industry-proven SSH2 protocol.
Source: The New York Times, May 10, 2005,
http://tech.nytimes.com/2005/05/10/technology/10cisco.html
SSH Letter to the New York Times
The New York Times has also published the Letter SSH has written to the Editor.
http://www.nytimes.com/2005/06/09/opinion/l09internet.html?pagewanted=print
Below is an extract from The New York Times:

Computer Break-In
To the Editor:
Re "Internet Attack Is Called Broad and Long Lasting" (front page, May 10):
Many readers may perceive that all protocols, products and versions may be vulnerable, and this needs to be clarified.
The article attributes the intruder's ability to penetrate the Cisco network to his "use of a corrupted version of a standard software program, SSH." Many things can cause an application to become corrupt, including improper system access or lack of security policy enforcement.
The article also implies that there is only one version of the standard software program SSH when in fact there are a number of implementations, ranging from freeware to utilities from several companies.
SSH is a very generic term; it can mean the protocol, the product or the company that originally developed the protocol, SSH Communications Security. There are also two versions of the SSH protocol: SSH1, which was found to be vulnerable in 1998; and SSH2, which resolved SSH1's vulnerabilities years ago.
George Adams
President and Chief Exec., SSH Communications Security Inc.
Wellesley, Mass., May 20, 2005
SSH Corp. Contact
George Adams
SSH Communications Security Corp.
Tel: +1 781 247 2100
Americas Contact
Byron Rashed
SSH Communications Security, Inc.
Tel: +1 650 251 2721
Europe Contact
Bo Sorensen
SSH Communications Security Corp.
Tel: +358 20 500 7404
Investor Relations
Mika Peuranen
SSH Communications Security Corp.
Tel: +358 20 500 7419
U.S. Agency Contact
Cheryl Seaberg
Walt & Company
Tel: +1 408 496 0900 x 2981
© 2005 SSH Communications Security Corp. All rights reserved. ssh® is a registered trademark of SSH Communications Security Corp in the United States and in certain other jurisdictions. All other names and marks are property of their respective owners.
