Category Archives: Tatu Ylonen

Auditors get guidance on SSH key management

Posted on by

A new guide for auditors says SSH key management should be on their checklist because the proliferation of unmanaged keys for the ubiquitous encryption protocol means IT networks can’t be guaranteed as secure. The guidance, “SSH: Practitioner Considerations,” was published Tuesday by the nonprofit global membership association, ISACA, previously known as the Information Systems Audit and Control Association. The guidance includes an appendix listing controls that companies can use to ensure proper management of SSH keys. Secure Shell or SSH is an open-source cryptographic protocol used to enable secure, encrypted access by individual users to servers and other computer assets across the networks of a distributed enterprise. It also facilitates automated machine-to-machine communications in the same secure fashion. But without careful management, the digital keys that enable that communication can proliferate and end up stored in insecure, easily found locations on the network. “When auditors sign off on accounts …. when [a publicly traded] company management makes […]

The post Auditors get guidance on SSH key management appeared first on Cyberscoop.

Continue reading Auditors get guidance on SSH key management

SSH inventor analyzes tools the CIA wrote to exploit his protocol

Posted on by

The CIA hacking tools called Gyrfalcon and BothanSpy, as described in documents released by anti-secrecy group WikiLeaks, are “effective, but surprisingly unsophisticated,” according to Tatu Ylonen. And he should know — he invented the security protocol they exploit. In a blog post he published Wednesday, Ylonen — inventor of the Secure Shell or SSH security protocol — analyzes the descriptions of the tools provided by WikiLeaks. The group, which has not released the source code for the exploits, published classified “user guides” for the two tools earlier in July as part of a trove of stolen documentation about CIA hacking tools they’ve dubbed Vault 7. “From the [documents], it is easy to figure out how they work,” Ylonen told CyberScoop of the exploits, which are designed to let hackers move around an IT network once they’ve compromised a single machine. In an interview, he speculated they probably would have taken “a few weeks of work” to develop, […]

The post SSH inventor analyzes tools the CIA wrote to exploit his protocol appeared first on Cyberscoop.

Continue reading SSH inventor analyzes tools the CIA wrote to exploit his protocol