ssh – Techdirt (original) (raw)

Akamai: 12-Year-Old SSH Vulnerability Fueling Internet-Of-Broken-Things DDoS Attacks, And Worse

from the security-as-a-distant-afterthought dept

We’ve increasingly covered how the “internet of poorly secured things” has contributed to a rise in larger DDoS attacks than ever before. The barely-there security standards implemented by companies more interested in hype than quality meant it didn’t take long before hackers were able to incorporate “smart” refrigerators, power outlets, TVs and other IoT devices in the kind of DDoS attacks that recently took down security researchers like Brian Krebs. The end result is DDoS attacks that continue to break records, first 620Gbps in the Krebs attack, then more recently a 1.1 terabits per second attack on a French web host.

But just how bad have things become? A new report by Akamai warns that hackers are using a 12-year-old vulnerability in OpenSSH to funnel malicious network traffic through IoT devices. SSH certainly can be implemented securely, but as with every other security aspect of the IoT, many hardware vendors aren’t bothering to do so. Akamai’s data indicates roughly 2 million devices have been compromised by this type of hack, which the firm dubs SSHowDowN.

CVE-2004-1653 is a default configuration in old versions of OpenSSH that can be exploited by an attacker to forward ports, letting a hacker route malicious traffic through the device as part of the overall DDoS command and control infrastructure. To pull this off you need the device’s admin username and password; certainly not a problem in the IoT space where default logins are often the norm. Akamai notes that many IoT devices not only ship with this vulnerability intact, but with no ability to fix it:

“We?re entering a very interesting time when it comes to DDoS and other web attacks; ?The Internet of Unpatchable Things? so to speak,? explained Ory Segal, senior director, Threat Research, Akamai. ?New devices are being shipped from the factory not only with this vulnerability exposed, but also without any effective way to fix it. We?ve been hearing for years that it was theoretically possible for IoT devices to attack. That, unfortunately, has now become the reality.”

Of course the internet-of-poorly-secured things isn’t just useful for DDoS attacks. Brian Krebs has penned a new blog post noting how criminals are often using hacked IoT hardware as proxies to obscure their real location as they engage in tax return fraud and other criminal activity, courtesy of your not-so-smart WiFi-enabled tea kettle or home-automation system. An anonymous researcher tells Krebs he was able to track the various “honeypot” systems he configured as they were traded and sold as malware-infested proxies in exchange for bitcoin.

In short, flimsy Internet of Things security, combined with already often-dubious embedded security in routers, is kind of a throwback to the wild west of the 1990s when the idea of your mom’s PC as a botnet participant was kind of novel. Krebs’ source puts it this way:

“In a way, this feels like 1995-2000 with computers,” my source told me. “Devices were getting online, antivirus wasn?t as prevalent, and people didn?t know an average person?s computer could be enslaved to do something else. The difference now is, the number of vendors and devices has proliferated, and there is an underground ecosystem with the expertise to fuzz, exploit, write the custom software. Plus, what one person does can be easily shared to a small group or to the whole world.”

And again, while the abysmal state of IoT security can often be funny, firms like Gartner predict that the population of Internet of Things devices will top 20.8 billion by 2020, up from 6.4 billion or so today. Researchers like Bruce Schneier have been warning for some time that the check is about to come due in the form of attacks that may put human lives at risk at an unprecedented scale, lighting a fire under researchers who believe that automated cyberdefense and self-healing network technologies we haven’t invented yet are what stand between us and the not-so-smart device cyber apocalypse.

Filed Under: ddos, iot, security, ssh
Companies: akamai

How The NSA Works Hard To Break Encryption Any Way It Can

from the brute-force dept

Spiegel has published a detailed article, relying mostly on documents that Ed Snowden leaked, looking at the many ways in which the NSA breaks encryption (and the few situations where it still has not been able to do so). As we’ve seen from previous leaks, the NSA stupidly treats encryption as a “threat.”

And, sure, it is a “threat” to the way in which the NSA snoops on everything, but for the vast majority of users, it’s a way to protect their privacy from snooping eyes. The report does reveal that certain encryption standards appear to still cause problems for the NSA, including PGP (which you already use for email, right?), OTR (used in some secure chat systems) and VoIP cryptography system ZRTP. Phil Zimmermann, who helped develop both PGP and ZRTP should be pretty damn proud of his achievements here.

As the report notes, the NSA has the most trouble around open source programs, because it’s much more difficult to insert helpful backdoors:

Experts agree it is far more difficult for intelligence agencies to manipulate open source software programs than many of the closed systems developed by companies like Apple and Microsoft. Since anyone can view free and open source software, it becomes difficult to insert secret back doors without it being noticed. Transcripts of intercepted chats using OTR encryption handed over to the intelligence agency by a partner in Prism — an NSA program that accesses data from at least nine American internet companies such as Google, Facebook and Apple — show that the NSA’s efforts appear to have been thwarted in these cases: “No decrypt available for this OTR message.” This shows that OTR at least sometimes makes communications impossible to read for the NSA.

When it comes to non-open source systems, well, there the NSA has its ways in. In fact, the NSA seems rather proud of the fact that it can make “cryptographic modifications to commercial or indigenous cryptographic information security devices or systems in order to make them exploitable.”

The report also shows that VPNs are targeted by the NSA, and it has had a fair bit of luck in breaking many of them (especially those that rely on PPTP — which has long been recognized as being insecure, but is still widely used by some VPN providers). However, it also shows that the NSA has been able to crack IPsec VPN connections as well. In short: your VPN probably isn’t secure from the NSA if it wants in.

The NSA also has apparently been able to crack HTTPS connections, and does so regularly:

The NSA and its allies routinely intercept such connections — by the millions. According to an NSA document, the agency intended to crack 10 million intercepted https connections a day by late 2012. The intelligence services are particularly interested in the moment when a user types his or her password. By the end of 2012, the system was supposed to be able to “detect the presence of at least 100 password based encryption applications” in each instance some 20,000 times a month.

HTTPS is still a lot more secure against non-NSA-level hackers, but it certainly shows that it’s not a perfect solution.

Another big reveal: the NSA has the ability (at least some of the time) to decrypt SSH (Secure Shell) which many of us use to access computers/servers remotely.

There’s lots more in the article and in the many, many included documents (just a few of which are shown below). It’s well worth reading.

However, the key point is that the NSA is working very, very hard to undermine key encryption systems used around the internet to keep people safe. And rather than sharing when those systems are cracked and helping to make them stronger, the NSA is exploiting those cracks to its own advantage. That may not be a surprise, but for years the NSA has insisted that it is helping to make encryption stronger to better protect the public. The revelations from this article suggest that isn’t even remotely close to true.

Filed Under: encryption, gchq, nsa, otr, pgp, ssh, ssl, surveillance, zrtp