Security Watch

(In)Secure Shell?

A worm can find its way into the previously secure SSH app to create a cascade of failures.

Hacking
Researchers at the Massachusetts Institute of Technology (MIT) have published a paper describing how a worm could spread over SSH (Secure Shell) connections to create a "cascade failure" of connected systems. Malicious hackers could use the SSH known_hosts file to obtain a list of machines the user has visited. An SSH worm with access to known_hosts files could push supercomputing, grid and cluster systems into cascade failure.

The known_hosts file used by SSH lists the address of every system a user has connected to via SSH. A worm could gather much the same information by scanning for open SSH ports, but the authors describe how it could spread faster by using the contents of the file instead. They also consider the impact on a user community when all the SSH servers that community relies on are attacked.

There are many ways such malware could do exactly what the authors propose. It could simply monitor the system for some period of time, watching for SSH connections and developing its own list of hosts to attack; it could watch network traffic from some other compromised hosts on the network and observe the SSH connections; it could modify the way SSH works, or proxy the SSH connection attempts and relay such information back to a controlling host or resource (such as an IRC channel) and accumulate a list that way. Granted, the authors have proposed the simplest approach, but in the context of security research, the question is whether it's possible to prevent the accumulation of an SSH hosts list. Other than preventing the malware from being introduced to the systems or network in the first place, it doesn't appear that there is.
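To make the exposure concrete, the following Python script (an added example, not code from the column or the MIT paper) parses a constructed known_hosts file and reports which host names are readable by anything that can simply open the file. It assumes OpenSSH's file layout, including the hashed host field (`|1|salt|HMAC-SHA1`) that OpenSSH writes when HashKnownHosts is enabled or `ssh-keygen -H` is run; hashed entries do not reveal the host name to a reader of the file.

```python
import base64
import hashlib
import hmac

def hash_host(hostname, salt):
    """Build an OpenSSH hashed host field: |1|<salt b64>|<HMAC-SHA1 b64>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def is_hashed_field(hostfield):
    """True for the |1|salt|hash shape OpenSSH writes when HashKnownHosts is on."""
    parts = hostfield.split("|")
    return len(parts) == 4 and parts[0] == "" and parts[1] == "1"

def parse_known_hosts(text):
    """Return (hostfield, keytype, hashed) per key line; comments/markers skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):   # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3:            # host, key type, key (comment optional)
            entries.append((fields[0], fields[1], is_hashed_field(fields[0])))
    return entries

def audit(text):
    """What anything that can merely read the file learns about visited hosts."""
    exposed, hashed = [], 0
    for hostfield, _, is_hashed in parse_known_hosts(text):
        if is_hashed:
            hashed += 1
            continue
        # A plaintext field may carry several names ("host,10.0.0.5");
        # "[host]:2222" is the non-default-port form. All are readable as-is.
        exposed.extend(hostfield.split(","))
    return {"exposed": exposed, "hashed": hashed}

# Constructed sample; key blobs are shortened placeholders, not real keys.
SALT = bytes(range(20))          # OpenSSH uses 20 random bytes per entry
SAMPLE = "\n".join([
    "# constructed known_hosts",
    "cluster01.example.org,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
    "[gateway.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER",
    hash_host("login.example.org", SALT) + " ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER",
])
```

Running `audit(SAMPLE)` lists the three plaintext names and counts one hashed entry; run it against a real `~/.ssh/known_hosts` to see how much of a user's connection history sits in the file in clear text.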

This column was originally published in our weekly Security Watch newsletter.

SSH is one of the more secure applications around. It has been in use a long time, with relatively few vulnerabilities, and it has rarely been a malware target. But now that the idea has been proposed, no doubt there will be malware looking for the known_hosts file and, if possible, trying to do something with it. This presumes there is an attackable vulnerability in SSH that doesn't get patched immediately. From Cybertrust's perspective, such a vulnerability in such a critical system should be mitigated as soon as possible. Were such a vulnerability announced, or evidence of a zero-day attack to arise, mitigations would be publicized almost immediately, given how many SSH systems are in place and how critical they are to their owners.

Netscape has released version 8.0.1 of its browser—less than 24 hours after the release of 8.0—in order to fix 44 security holes.

One seriously has to question the release process for Netscape's browser. Why would they release a patch for 44 security holes the day after a new browser was released? Most people will obtain the new major version, not the .1 release that contains the security fixes. This means those vulnerabilities are going to be out in the public realm when they never needed to be.

Human Factors
A judge in Minnesota allowed the presence of the encryption program PGP on a machine to be used as evidence in a case involving a man who took nude pictures of a 9-year-old girl, even though the encryption may not have been used.

The defendant had appealed on the grounds that the prosecutors had suggested that the presence of the encryption program on his computer indicated intent to hide his activities.

The court ruled that evidence of the PGP program could be submitted because "We find that evidence of appellant's Internet use and the existence of an encryption program on his computer was at least somewhat relevant to the state's case against him." Some have warned that the ruling could set a dangerous precedent if simply having encryption tools could legally imply criminal intent.

Governance
The Federal Trade Commission, along with 35 government authorities in some 20 nations, launched "Operation Spam Zombies," a campaign to encourage Internet service providers to crack down on compromised computers within their networks that are being used to spew spam onto the Internet. Among the measures recommended by the FTC is blocking, when possible, a common Internet port used for e-mail. This isn't a legal issue; it's more a list of security best practices to help ISPs cut down on bot networks.

This has been discussed for some time now. If ISPs don't take care of their own problem customers, legislation may eventually force their hands. This will definitely up the ante for bot-herd owners, making them more selective about when, and how, they use their herds. It should mean lower profits for spamming bot owners, which may lead to an increase in infection attempts and more use of security vulnerabilities (rather than social engineering) to infect new machines. Everything will depend on how effective the various government entities are at enforcing their suggestions.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
