Security News SSH protects the world’s most sensitive networks. It just got a lot weaker

vtqhtr413

Level 26
Thread author
Well-known
Aug 17, 2017
1,567
Sometime around the start of 1995, an unknown person planted a password sniffer on the network backbone of Finland’s Helsinki University of Technology (now known as Aalto University). Once in place, this piece of dedicated hardware surreptitiously inhaled thousands of user names and passwords before it was finally discovered. Some of the credentials belonged to employees of a company run by Tatu Ylönen, who was also a database researcher at the university.

The event proved to be seminal, not just for Ylönen's company but for the entire world. Until that point, people like Ylönen connected to networks using tools which implemented protocols such as Telnet, rlogin, rcp, and rsh. All of these transmitted passwords (and all other data) as plaintext, providing an endless stream of valuable information to sniffers. Ylönen, who at the time knew little about implementing strong cryptography in code, set out to develop the Secure Shell Protocol (SSH) in early 1995, about three months after the discovery of the password sniffer.

As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption," SSH quickly caught on around the world. Besides its unprecedented security guarantees, SSH was easy to install on a wide array of operating systems, including the myriad ones that powered the devices administrators used—and the servers those devices connected to remotely. SSH also supported X11 forwarding, which allowed users to run graphical applications on a remote server.

Ylönen submitted SSH to the Internet Engineering Taskforce in 1996, and it quickly became an almost ubiquitous tool for remotely connecting computers. Today, it’s hard to overstate the importance of the protocol, which underpins the security of apps used inside millions of organizations, including cloud environments crucial to Google, Amazon, Facebook, and other large companies.

“Password sniffing attacks were very common at that time, with new incidents reported almost weekly, and arguably it was the biggest security problem on the Internet at the time,” Ylönen wrote in an online interview. “I did intend SSH to become as widely used as possible. It was critically needed for securing networks and computing systems, and it for the most part solved the password sniffing problem.”

Now, nearly 30 years later, researchers have devised an attack with the potential to undermine, if not cripple, cryptographic SSH protections that the networking world takes for granted.

Meet Terrapin​

Named Terrapin, the new hack works only when an attacker has an active adversary-in-the middle position on the connection between the admins and the network they remotely connect to. Also known as a man-in-the-middle or MitM attack, this occurs when an attacker secretly positioned between two parties intercepts communications and assumes the identity of both the recipient and the sender. This provides the ability to both intercept and to alter communications. While this position can be difficult for an attacker to achieve, it’s one of the scenarios from which SSH was thought to have immunity.
 

vtqhtr413

Level 26
Thread author
Well-known
Aug 17, 2017
1,567
A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure.

SSH-Snake was discovered by the Sysdig Threat Research Team (TRT), who describe it as a "self-modifying worm" that stands out from traditional SSH worms by avoiding the patterns typically associated with scripted attacks.

The worm searches for private keys in various locations, including shell history files, and uses them to stealthily spread to new systems after mapping the network.

SSH-Snake is available as an open-source asset for automated SSH-based network traversal, which can start from one system and show the relationship with other hosts connected through SSH.

However, researchers at Sysdig, a cloud security company, say that SSH-Snake takes the typical lateral movement concept to a new level because it is more rigorous in its search for private keys.
 

vtqhtr413

Level 26
Thread author
Well-known
Aug 17, 2017
1,567
If you're looking to add an extra layer of security to your Linux desktop or server, fail2ban is a great option to help prevent unwanted SSH logins. SSH is essential for many Linux users, as it allows for the ability to log into remote servers and desktops to do various admin tasks. And although SSH is considerably more secure than what it replaced (Telnet), it's not a guarantee on its own.

For example, a brute force attack will pummel your machine with login attempts until it gets the login credentials correct. You don't want that to happen. Fortunately, there's a piece of software that can help prevent such problems. The software in question is called fail2ban and it can automatically block IP addresses being used for unwanted login attempts. Let me walk you through the process of installing and configuring fail2ban.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top