Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

SSH hole putting big business at risk

MIT researchers warn about real holes, real dangers to secure networks.

Article comments

Secure business networks are at risk thanks to a vulnerability in a fundamental protocol, according to security researchers at the Massachussetts Institute of Technology (MIT).

Researchers have highlighted the increasing danger of attacks exploiting weaknesses in SSH (Secure Shell), and warned that such attacks are likely to be automated in the near future. The risks are not theoretical - SSH weaknesses were involved in a spate of attacks last year, including the theft of source code from Cisco Systems and a series of compromises affecting major universities, corporations, national laboratories, super-computing centres and military institutions, the researchers said.

Grid systems, which link research institutions together in order to share data and processing power, are particularly vulnerable because they create close links between a large number of institutions, according to MIT. Among the victims of last year's attacks were several research institutions connected to TeraGrid, a research grid.

However, universities are not the only ones affected. SSH is used in most Unix and Linux networks to secure remote command execution, file transfer and other services. "As SSH has become one of our most trusted services, attacks that highlight its limitations have become widespread," the paper said.

In writing the paper, called "Inoculating SSH Against Address-Harvesting Worms", MIT researchers Stuart Schechter, Jaeyeon Jung, Will Stockwell and Cynthia McLain collected information from a number of organisational networks, and found that most networks are vulnerable to a weakness involving SSH's known_hosts databases.

These databases, stored on SSH clients, include the list of remote hosts each user has previously contacted via SSH, along with the hosts' public keys, a component used by SSH to create a secure connection. The problem is that when a client is compromised by an attacker or malicious code, the known_hosts database is easy to use in targeting other hosts.

"Such reliable target lists reduce both the time required to find vulnerable hosts and the likelihood that attacks will raise alarms due to failed connections or authentications," said the study. Because worms using the list don't need to rely on techniques such as port scanning, they are likely to evade most current virus detection mechanisms, the researchers said.

An analysis of data from more than 2,000 user accounts containing known_hosts files found that only a small number of hosts would need to be compromised in order to compromise most of the hosts in a system. "We found that a surprisingly large fraction of the known_hosts entries were to hosts on distant networks, that the bulk of these entries could be reached by compromising a small fraction of the user accounts in our survey, and that 62.8 percent of identity keys encountered were stored unencrypted," the study said.

So far these weaknesses have only been exploited manually, but most of the components for creating worms to target known_hosts are already available, the paper said.

"While a worm of this type has not been seen since the first Internet worm of 1988, attacks have been growing in sophistication and most of the tools required are already in use by attackers. It's only a matter of time before someone writes a worm like this," commented cryptographer Bruce Schneier in a blog entry.

In the short term, sysadmins can protect themselves by encrypting known_hosts using an cryptographic hash, similar to the techniques used to protect password files. This requires changes to SSH, however - a known_hosts hashing scheme proposed by MIT has been implemented in OpenSSH 4.0 and in a patch for earlier versions of SSH.

Schechter presented the findings to as part of the keynote speech for The First International Workshop on Cluster Security at CCGrid 2005 in Cardiff, Wales earlier this month. MIT's research and related materials are presented on the university's website.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *