In recent news SSHD (SSH daemon) backdoors have been all the buzz, though SSHD rootkits are nothing new. What is interesting about the new SSHD rootkit is its level of sophistication: the ssh, ssh-agent, and sshd binaries were all replaced. As a result, changing the password on a compromised system will do you no good; the attacker already has root access! As is well known, the immediate goal of the rootkit is to steal passwords, but that is not the end goal. The end goal is to use the stolen credentials to access systems for their data, and to sell that information for profit.
The use of SSH is widespread in organizations; system administrators commonly rely on it to perform tasks like secure remote system management within their datacenters. Cloud computing is no different: SSH is commonly used to manage workloads running in private or public cloud environments. Many organizations use cloud computing as an extension of their datacenter, so securing the data and controlling trust – as in, who has access to data and how it is accessed – has never been more critical. To any organization, losing control over SSH is a very serious problem. Research on the cost of losing control of trust, published by the Ponemon Institute, showed that the most alarming threat to organizations in key and certificate management is the compromise of SSH.
Once a system is compromised via an SSH exploit, the intrusion is very difficult to detect and remove, simply because the attacker has root privilege and can do pretty much anything they want to the system. If there is anything we can learn from history, it is that criminals will go where the money is; they will take advantage of every weakness in any system, exploiting it for their own nefarious gain. Cloud computing takes advantage of economies of scale; unfortunately this also means that any exploit that can be taken advantage of – an SSH exploit, for example – results in a larger fallout.
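The post notes that the rootkit replaced the ssh, ssh-agent and sshd binaries and that such a compromise is hard to detect once the attacker has root. One defender-side check is a file-integrity baseline of exactly those binaries: record hash, size and permission bits while the host is known-good, keep that record off the host, and compare later. The script below is an added example, not code from the post or any product it mentions; the directory it baselines, the placeholder file contents and the "same-size trojan" scenario are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# The three binaries the post says the rootkit replaced.
WATCHED = ("ssh", "ssh-agent", "sshd")


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir, names=WATCHED):
    """Record hash, size and permission bits for each watched binary.

    The baseline must live where a root-level intruder on this host cannot
    rewrite it (read-only media or a separate system); otherwise it can
    simply be regenerated to match the replaced files.
    """
    baseline = {}
    for name in names:
        p = Path(bindir) / name
        st = p.stat()
        baseline[name] = {
            "sha256": sha256_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def verify(bindir, baseline):
    """Compare the live binaries against the baseline.

    Returns a list of (name, reason) tuples; an empty list means no drift.
    """
    findings = []
    for name, expected in baseline.items():
        p = Path(bindir) / name
        if not p.exists():
            findings.append((name, "missing"))
            continue
        st = p.stat()
        if st.st_mode & 0o7777 != expected["mode"]:
            findings.append((name, "mode changed"))
        if st.st_size != expected["size"]:
            findings.append((name, "size changed"))
        # Hash last: a replacement padded to the original size still fails here.
        if sha256_file(p) != expected["sha256"]:
            findings.append((name, "hash mismatch"))
    return findings


def demo():
    """Constructed scenario: baseline a throwaway bin directory, then overwrite
    sshd with a same-sized file and delete ssh-agent. Real use would point
    bindir at /usr/bin and /usr/sbin and store the baseline elsewhere."""
    with tempfile.TemporaryDirectory() as d:
        for name in WATCHED:
            target = Path(d) / name
            target.write_bytes(b"placeholder ELF for " + name.encode())
            os.chmod(target, 0o755)
        baseline = build_baseline(d)
        clean = verify(d, baseline)
        # Simulate the swap: same length, same mode, different content.
        trojan = Path(d) / "sshd"
        trojan.write_bytes(b"X" * trojan.stat().st_size)
        (Path(d) / "ssh-agent").unlink()
        return clean, verify(d, baseline)


if __name__ == "__main__":
    print(demo())
```

On a packaged system the same comparison is available from the package manager (`rpm -V openssh-server` or `dpkg --verify`), but those databases sit on the host and are themselves writable by root, which is why the example keeps the baseline as a separate artifact to be stored off-box.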
So far it has not been confirmed whether the recently discovered SSH rootkit can steal the private key from compromised systems, simply because the private key is not stored on the system. What has been confirmed is that the rootkit hooks the functions used to dump the private key into a file. Evidently SSH exploits are growing in number and are being taken advantage of by cyber-criminals. In its keynote at the RSA conference this week, Microsoft stated something that is very evident and real – PKI (Public Key Infrastructure) is under attack. The question is: what are enterprises going to do about it? There are some alarming truths when it comes to the handling of encryption assets like SSH keys that put most organizations at high risk.
Manual key and certificate management – 60 percent of Global 2000 organizations manage their keys and certificates manually; that is, via spreadsheets maintained by application administrators.
Silo management – If you take into account the number of application administrators the average enterprise has, a new problem is added to the equation: not only are keys and certificates managed manually, but there is a silo effect where multiple organizations within the enterprise each manage their own keys and certificates, in spreadsheets! The result: no enterprise-wide visibility into the trust assets – the key and certificate inventory.
Overbearing volume – The average enterprise has over 17,000 keys and certificates; it is no wonder we see mistakes made by system administrators resulting in damaged brand reputation, like the recent McAfee incident where a digital certificate was inadvertently revoked. As a result, trust broke down, and Mac users could no longer verify whether an application could be trusted or not.
No third party vetting – SSH has no equivalent to a Certificate Authority that can vet if the system is to trust the SSH keys or not. System administrators must manage this trust relationship themselves. When dealing with multiple internal organizations and tens of thousands of keys and certificates to manage, mistakes will be made and in many cases, shortcuts are taken.
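The silo and volume points above come down to one missing artifact: an enterprise-wide inventory of which SSH keys are authorized where, keyed by something stable like the key fingerprint rather than a spreadsheet row. The script below is an added example, not the post's or any vendor's code. It parses `authorized_keys` content (including lines with an options field such as a forced command), computes OpenSSH-style SHA256 fingerprints, and then answers two inventory questions: which keys grant access to more than one host, and which keys carry no comment identifying an owner. The two hosts, their file contents and the key blobs are constructed for the demonstration; the blobs are wire-format-valid but are not real keys.

```python
import base64
import hashlib
import re
import struct
from collections import defaultdict

# Matches the key-type / base64-blob / optional-comment part of an
# authorized_keys line; anything before the match is the options field.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+"
    r"(?P<b64>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length prefix, then bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw32):
    """Build an ssh-ed25519 public-key blob from 32 raw bytes.
    Used only to fabricate sample entries; the bytes are not a real key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def fingerprint(b64):
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Return one dict per key line; comments, blanks and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue  # unsupported type or malformed line
        entries.append({
            "type": m.group("type"),
            "fingerprint": fingerprint(m.group("b64")),
            "comment": (m.group("comment") or "").strip(),
            "options": line[:m.start()].strip(),
        })
    return entries


def build_inventory(files):
    """files: {hostname: authorized_keys text} -> {fingerprint: [(host, comment, options)]}."""
    inv = defaultdict(list)
    for host, text in files.items():
        for e in parse_authorized_keys(text):
            inv[e["fingerprint"]].append((host, e["comment"], e["options"]))
    return dict(inv)


def report(inv):
    """Keys that reach more than one host, and keys with no owner comment."""
    shared = {}
    unlabeled = []
    for fp, uses in inv.items():
        hosts = sorted({h for h, _, _ in uses})
        if len(hosts) > 1:
            shared[fp] = hosts
        if any(c == "" for _, c, _ in uses):
            unlabeled.append(fp)
    return shared, sorted(unlabeled)


# Constructed sample: authorized_keys contents collected from two hosts.
KA = make_ed25519_blob(b"\x01" * 32)  # alice's key, installed on both hosts
KB = make_ed25519_blob(b"\x02" * 32)  # restricted deploy key with a forced command
KC = make_ed25519_blob(b"\x03" * 32)  # key with no owner comment at all
SAMPLE = {
    "web01": (
        f"ssh-ed25519 {KA} alice@laptop\n"
        f'command="/usr/bin/rrsync /srv",no-pty ssh-ed25519 {KB} deploy@ci\n'
    ),
    "db01": f"# dba keys\nssh-ed25519 {KA} alice@laptop\n\nssh-ed25519 {KC}\n",
}


if __name__ == "__main__":
    shared, unlabeled = report(build_inventory(SAMPLE))
    for fp, hosts in shared.items():
        print("shared across", hosts, fp)
    for fp in unlabeled:
        print("no owner comment", fp)
```

In practice the `SAMPLE` dict is replaced by the files collected from each host (and from each user's `~/.ssh/authorized_keys`, not only root's); because the inventory is keyed on the fingerprint, the same key showing up under different comments on different teams' hosts is caught even when each silo's spreadsheet calls it something else.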
There is an increase in outages and exploits related to the mismanagement of keys and certificates. For SSH key theft alone, according to the Ponemon Institute, an enterprise can expect over US$75 million in potential cost exposure.
Organizations need to take proactive measures to gain control over trust in the management of cryptographic keys and certificates; manual procedures and processes are no longer sufficient. Make sure your organization has an automated key and certificate lifecycle management solution in place. How is your organization protecting itself from PKI attack? How does your organization work around some of the challenges outlined?