Mitigating the Security Risks of SSH
- Aug 25, 2006
- The True Issues
- Mitigating Organizational Risk
- Mitigating Agent-Forwarding Risk
- Mitigating Port-Forwarding Risk
- Final Ideas
- Passwords: So Important, Yet So Misused
- Creating Apps for New Markets: Exploring the PocketPC Platform
- Text File Operations in .NET
- Desktop Search Tools — A Security Investigator's New Best Friend
- Zune: Reflections on the First Generation
- Seven Steps to Improving Your VB Code
- Moka5: Virtualization in Your Pocket
- SSH Security Primer: Server Security Settings
- SSH Security Primer: Client Security
- Security on a Dime: Low-Cost Alternatives to SSH
- Windows Media Encoder: Quality Video Training Done on the Cheap
- Mitigating the Security Risks of SSH
- Virtual PC and VMware: A Comparative Review
- SSH Issues: Does Installing SSH Enable More Exploits Than it Solves?
- Learning Linux the Easy Way - With Cygwin
- Rsyncing to New Heights in Linux Lore
- Converting Video for Your Pocket PC the Easy Way
- Pocket PC: The ONE Device for Portable Digital Media
- Visual Basic 2005: Maximizing the VB Experience with New and Old Features
- Faster Coding with the "My" Object in Visual Basic 2005
- Design and Install the Perfect PC—On Your Mac
- Evaluating Your Firewall
- UNIX Key Security
- UNIX Security 101
- Social Networking for the Anti-Socialites
How would Scrooge handle today's emphasis on social networking?
- Out of Sight
Must data be live for you to Live?
- Great password information at a small price
Where can cash-strapped security pro's get great information on security basics??
- It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part III
Having witnessed the PC revolution, Traenk pauses to reflect on the GUI world...
- It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part V
It's been a long while since you had a chance to be excited about a new version of an 'old' OS. Now is your chance.
- It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part IV
Graphical User Interfaces were important. So was cost control. Just what must an OS be?
- Embedded finesse
What's need for Embedded Wave II
- It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part II
In the last blog in this series, Traenk relates his first experiences with computers and with coding. But now, some years have passed. . .
- It's Here; Put Away Your Pre-Conceptions on What an OS Must Be: Part I
Traenk relates his past experience with Operating Systems that goes back 25 years, ok, more than that but he ain't tellin'
- Casting Out Daemons
It's a new computer, and it's also a chance to try out a new vendor.
- Step 1: Legislation
Not sure how we've associated improved and secure coding practice with legislation?
- Are Intrusion Studies Worth the Money? Still more 2009 predictions
There are dozens of security vulnerability scanning tools. Increasingly security analysts take great pains to emphasize their hacking skills. Companies pay out great money to find if they are 'vulnerable'. And in the middle of this, Traenk wonders what the point is to the exercise.
- Approaching People Versus Technical Approaches: More 2009 Security Predictions
Traenk loves computers and technologies. He loves to be a Technical Editor for books. But his views towards security seem to be straying from the Technical to the Personal.
- Browser Password Managers
While exploring Chrome as a browser, I stumbled onto some excellent Browser Password Manager criteria and an online test that helps you assess your browser's security
- 2009 Security Predictions: Part II
It's that time of year to see what security developments and surprises are waiting for us in 2009
- 2009 Info Security Predictions: Part I
Traenk ruminates over what's likely to hit security professionals in the coming year.
- Year End Ideas
It's that time of year for bold proclamations and year-end housekeeping
- This Internet Thing! It's so Invasive!
New ISP = New Challenges and Worries
- Another semester done: Lessons Learned for me
I teach a Visual Basic .Net class at the local university. Today, I am tired because this was one special class.
- Embedded Woes part II
The growing linkage of embedded controllers to the Internet may provide special risks to our lives. These controllers exist in automobiles, appliances, specialized electronics. What are likely to be some of those special risks that may occur?
- The People Side
Cisco has sponsored some excellent research on the People Side of Security
- Duty-Loaf designs and Security
Security isn't found in what you've bought or what patches are applied. It's in the process design.
- Embedded Security Woes: Part 1
What are the coming woes as the embedded world is increasingly linked to public networks like the Internet?
- Zune has finally arrived...None too soon
The latest Zune software and the Zune Marketplace (and the general death of DRM musicfication) have upped the Zune Joy Factor
- NICE Security Site
You really need to add this to y0ur stack of security web links: http://enisa.europa.eu/
- Learn Silverlight during Lunch
There's a lot of new technology to learn. What's Microsoft doing for you, the technology innovator who's got lots of learning but way too little time???
- Nice features in Visual Studio 2008
The class is going well, and this semester's gang is really doing well with Visual Studio 2008
- More Embedded Basics
All of us developers are being pulled into the embedded world. What's that mean?
- Embedded? We don't need no stinkin' embedded devices
Traenk is learning about embedded devices, and it is a confusing world to someone more comfortable with full-featured computers.
- The case for embedded anything
As the need more more pervasive, more secure embedded designs grows, JT offers a series of blogs on the embedded world
- One for All or All for one purpose?
What are your thoughts on those all in one boxes?
- New sparks for a smokin' good time
You're a geek, a new-ground finder in the IT woods. What's waiting for you, and to be sure, what are you waiting for?
- Appliances Equal Ready-Made Security Risks
What does Embedded really mean?
- Vrtually Impossible
Virtualizing Sloppy Practice Makes Security Virtually Impossible
- Hacking as a Service (HaaS)
Remember stories of teens munching Doritos while making off with all your data? Those days of innocence are long gone.
- Gary McGraw Does IT Again
Good books by Gary McGraw predict today's security issues again.
- P2P Piloting Your Car
Will the coming computerization of our appliances and vehicles be implemented securely?
- Computer Welt
John, maybe like Dustin Sullivan, wonders if those who bring embedded systems are ready
- Old technology and Nostalgia
John wonders what to do with yesterday's dreams and how to implement Green IT at home
- Monitoring versus Privacy Rights?
Is there any right to privacy? Do modern monitoring systems go to far or not far enough?
- Independence from Clunky, Kludgy Forms of Input
Put a Fork in me, I'm Done!
- Need help from InformIT Readers
Need advice finding a portable Digital Recorder for my motorcycle rides
- guard your CISSP status
New procedures at (ISC)2 may foster your mistake
- Application security--the new unknown
I've been reading and enjoying Gary McGraw's three books on application security. Each and all is a phenomenal read. [And worth buying...Won't loan mine]
- Where is the computer?
Take a look around you. Can you spot the computer in your apartment, in your living room?
- Hack a Mac: New Pressures @ CanSecWest
I wrote this a few months ago. Now that the Mac crumbled in 2 minutes during the Pwn to Own contest at CanSecWest, the ideas are especially important
- Marcus Ranum has engaging security postings
Do you like despair.com's postings? Marcus provides a humor with a security bent.
- MVP again, with work, and Visual Studio 2008
- John Traenkenschuh writes about the continuing improvements made to Visual Basic...
- Physical security is Information Security
- Pundits predict the eventual merging of Physical Security and Information Security fields. That may not be a bad thing?
- 2008 Security predictions
- I think 2008 will be a real year of change for the Security Practitioner and Security field.
- Compact Irony
Have you studied the articles regarding the iPhone? Who knew a mobile device could inflict such damage? You did, of course...
- Giving Back: Act II
Center for Internet Security Benchmark is Done!
- Closed goes Open?
- What IS the real impact to the .Net Framework source code being available to developers?
- Giving Back
Anyone can complain about firewall security. Maybe you can do something about it?
- Open Source Security
I like Open Source, but I don't like vendors who munge versions or who don't update their code quickly enough. That said, can't you type 'make'?
- Are Certifications Worth It?
You scan the available certifications and wonder, "Are They Really Worth the Trouble?"
- VB goodies
VB .Net Free Learning Tools
Like this article? We recommend
Firewalls and Internet Security: Repelling the Wily Hacker, 2nd Edition
Mitigating Organizational Risk
Why would anyone propose running SSH on most major platforms? For more than a decade, architectures have settled on standard utilities and protocols. For example, Telnet and FTP are commonly used on all kinds of servers, including some established long before TCP/IP, UNIX, the C programming language, etc. But while Telnet and FTP are common denominators, they’re lowest common denominators when you consider their security issues. In response, organizations look to SSH to take the place of these insecure protocols. SSH is very scriptable and makes automation easy by allowing common code to run on several platforms; for example, by using Perl. Instead of working the script through two separate utilities, you can stay "in session" with SSH. File size seem too small? Kick off another transfer via SSH seamless processing power that allows both file transfer and command execution. It even allows for authentication to work without pesky passwords and authentication processes. It encrypts all traffic, so the security people feel warm and fuzzy. It’s an easy sell.
Now, how do you make sure that all those administrators and platform security architectures are on the same page? You must create a cross-platform SSH implementation team that will take ownership of the issues. This group can ensure that security is consistent across platforms, by identifying implementation weaknesses on some of those platforms.
For example, you must control access to the private-key file used with authentication. Imagine that the desktop Windows administrator has no clue how important PCs are to server security. He or she has implemented the FAT file system, making any sort of file access security very difficult. To make remote administration easy, the same person has opened the administrative shares and Remote Desktop access to Everyone. With this kind of design, a hacker can collect private keys like flowers for the plucking. With these private keys (used with multiplatform scripts), the hacker can take on any identity s/he wants—the time needed varying only in relationship to the private key’s passphrase complexity.
Don’t want me to pick on Windows administrators? Perhaps you’re serving out home directories with NFS instead. Have you studied NFS security? Got poor home directory permissions on top of poor NFS permissions?
This is just one example of how one platform’s foolishness endangers all others. Once I heard an administrator strongly recommend that we all use the same host key on our servers. This approach would remove the pesky warning that users get regarding host identity. How likely is phishing in a big intranet? Here again, one person’s ideas remove a vital security component from SSH. The best way to have a consistent, complete security model is to have a group of experts assemble the plan, document it, and weave it into server and client implementation and maintenance processes.
This group must be empowered to choose the best settings, despite complaints from administrators and developers alike. The group must be responsible for security openings found during an intrusion study performed by a credible external group. You must confirm the security plan, right? The group should find a monitoring system, either purchased or self-written, that checks production settings. You might even create a process that periodically overwrites existing files with a baseline file containing documented security settings. (It’s amazing what vendors, customers, etc. with root access can do to your settings files!)
Let me warn you: SSH security begins with use of the server-side security features. There must be agreement on which server settings are optional and which are mandatory, with which specific settings enabled. Is SSH protocol 1 good enough? One version of SSH has a configuration file with security features commented out. It’s assumed that you—and the hacker 0wning your server—have compiled SSH with security embedded. Is that good enough, and did anyone on your team catch that fail-open security design from the factory?
There will be some tough, very detailed questions to answer. If reading books and articles isn’t enough, management should work with a consultant whose costs are shared across all platform owners.
Account Sign In
View your cart