by clicking on the page. A slider will appear, allowing you to adjust your zoom level. Return to the original size by clicking on the page again.
the page around when zoomed in by dragging it.
the zoom using the slider on the top right.
by clicking on the zoomed-in page.
by entering text in the search field and click on "In This Issue" or "All Issues" to search the current issue or the archive of back issues respectively.
by clicking on thumbnails to select pages, and then press the print button.
this publication and page.
displays a table of sections with thumbnails and descriptions.
displays thumbnails of every page in the issue. Click on a page to jump.
allows you to browse through every available issue.
GCN : January and February 2016
IS THE SECURE SHELL (SSH) vulnerability going to be this year’s OpenSSL? As with the stock market, it’s a mug’s game to predict the future, but warning flags have been raised in response to reports of prob- lems with major security devices. It was issues with the OpenSSL version of the Secure Sockets Layer encryption that led to the discovery two years ago of the Heartbleed bug, which many security professionals called one of the scariest things they had seen. It allowed anyone who could get to an infected device to compromise the private keys used to identify ser- vice providers and encrypt data traffic. Eventually, hundreds of thousands of servers around the world were found to be vulnerable to Heartbleed, and even now no one seems to know whether all the holes have been plugged. In December 2015, Ju- niper Networks said it had found “unauthorized code” in its ScreenOS, the operat- ing system that runs on its widely used NetScreen firewalls. That code would allow a knowledgeable attacker to gain administra- tive access to NetScreen devices via SSH and Telnet, the company said, and decrypt virtual private net- work connections. Juniper has since made several fixes to its software to close down the gap. A recent fix to the Dual_EC random number generator used in the fire- walls has been a long time coming because it report- edly contained a backdoor accessible to the National Security Agency and others. Now researchers have found suspicious code in Fortinet’s FortiOS firewalls and say it was also essen- tially an SSH backdoor. Fortinet, however, has downplayed the allegation, saying it was a “manage- ment authentication issue” that was fixed some time ago. Coincidentally, the National Institute of Standards and Technology recently released new guid- ance on the security of SSH key-based access, which it said organizations often overlook. That is a bad thing, as NIST also points out, because misuse of SSH keys “could lead to unau- thorized access, often with high privileges.” In other words, it’s po- tentially handing the keys to the kingdom to people who will gratefully accept the gift — and then take you for all you are worth. NIST specifically men- tions backdoor keys as one of the seven categories of vulnerability in SSH, which is widely used to manage servers, routers and other security devices as well as firewalls. It’s also used to provide privileged access to servers and networks. However, NIST pointed out, SSH public-key authentication can also be used to create a back- door by generating a new key pair and adding a new authorized key to an existing authorized key’s file. That allows someone to get around the access management system and its monitoring and auditing capabilities. Other vulnerabilities NIST cited include poor SSH implementation; im- properly configured access controls; stolen, leaked, derived and unterminated keys; unintended use of keys; theft of keys as at- tackers inside the system move from server to server and steal credentials along the way; and the always present human error. The recent firewall rev- elations are by no means the only reported problems with SSH. In the middle of last year, researchers also discovered vulnerabilities with the OpenSSH ver- sion of the protocol, which allowed attackers to get around limits on authenti- cation attempts and launch brute-force attacks on targeted servers. The big problem with those kinds of vulnerabili- ties is not necessarily that they exist. If they are quick- ly noticed and patched, any likely damage is minimized. But the OpenSSL bug went unnoticed for several years, so the door to networks and systems that used the protocol was open all that time. Likewise, the OpenSSH bug could have been present on versions of the FreeBSD operating system as far back as 2007. Heartbleed redux? Not so far, it seems, but the year is young. • Are we headed for a Heartbleed redux with Secure Shell? BY BRIAN ROBINSON CYBEREYE NIST specifically mentions backdoor keys as one of the seven categories of vulnerability in Secure Shell. GCN JANUARY/FEBRUARY 2016 • GCN.COM 11 0216gcn_011.indd 11 2/1/16 12:04 PM
March and April 2016