Tatu Ylonen: Security is 'Getting Worse'
It's much too easy for someone to break the encryption itself by creating fake certificates.Tatu Ylonen CEO , SSH Communications Security
Tatu Ylonen has garnered fame in technology circles as the inventor of Secure Shell (SSH), the widely used protocol to protect data communications. The CEO of SSH Communications Security -- whose crypto-based technology invented in 1995 continues to be used in hundreds of millions of computers, routers and servers -- recently spoke with Network World on a variety of security topics. (At the Black Hat Conference this week, his company is also announcing CryptoAuditor.)
In the past we've discussed your growing up in Finland during the Cold War. And we've talked about how you invented SSH encryption as an open protocol in the 1990s when the U.S. was trying to force vendors to install a key-escrow system in every product using encryption so the government could gain access to encrypted data. So do you think the world's security is better now or worse?
I think it's getting worse. Consumer privacy is disappearing totally. And SSL [Secure Sockets Layer] is being questioned and the problem isn't the protocol itself but the key infrastructure. There have been several incidents where someone has stolen from the certificate authorities.
This stolen SSL certificate issue is certainly well known. Do you think SSL is useless?
Probably not useless but less useful than ever. It's much too easy for someone to break the encryption itself by creating fake certificates. Any major government can do it, as well as criminal organizations. And they are doing it. Definitely, we see the example for this in the Flame virus, forging certificates.
But what if anything could replace the SSL certificate infrastructure?
For consumers in the short term, no. But SSH is an option, especially for automation. It would require an extension to SSH. I actively proposed it to replace SSL 15 years ago but I was basically railroaded at the IETF by Microsoft and Sun!
As you mentioned, consumer privacy is disappearing online, especially with the kind of hyperactive marketing we do full-tilt in the U.S. Does the European viewpoint on data privacy for consumers seem to differ?
Laws are tighter in Europe but people use the same services. The real problem in my view is that you can target information to modify how they think. ... When you can control information for people -- it's an extremely powerful political tool.
That brings to mind that the Russia parliament just passed an Internet censorship bill. What do you think about that?
It's worrisome. Information that's gathered is highly valued for cyberwarfare because people can always get access codes and backdoors into people's home computers with malware, via e-mail or whatever. On the enterprise side, firewalls are becoming less and less protective because it's difficult to do firewalling when traffic is encrypted. Take the highly specific malware, such as when RSA was compromised. That was a customized email pretending to be something else. The more you know about targets, the more you can send them.
Stuxnet and Flame are now believed to be cyberwarfare tools developed by the U.S. and Israel, with President Obama authorizing use of Stuxnet against Iran. Is this kind of cyber-weapon something that should be part of arms negotiations, for instance, or just the new normal for governments?
It's fast going to be the new normal. Secret wars? I hope not. But it might be. Flame took advantage of a fake Microsoft Update Service. Whoever controls your Internet access can install anything they want.
Attackers can gain a lot of information from the information we leave about ourselves on social networking sites. Is social networking too risky to use?
The technology is too important to not use it. We need the Internet and social-networking tools.
So when it comes to SSH, is this still an open protocol?
SSH is fully open and implementations are fully interoperable. We have extensions in our products, which are mostly used in embedded systems. It's to protect passwords and any other data you don't want to pass in the clear over the Internet or even your internal network. It's mostly used by systems administrators. There have basically been two version of the SSH protocol over the years, SSH1 and SSH2, which has been around about 15 years.
So we've heard a lot over the years about SSH used in the enterprise. But what about for cloud services? Does it fit there?
Every cloud service provider uses SSH to manage the cloud. Amazon uses SSH to manage the underlying infrastructure in two layers. There's a need to manage the keys for automation. Those keys provide access from one computer to another. Banks and every other major system out there could have 100,000 servers and 200,000 to 400,000 authentication keys. When we talk to the cloud service providers, it's in the eight digits in terms of the numbers of servers. How do we make that scale and automate the system?
Key management has always been a tough problem. But you say this issue of figuring out key management is now harder than ever?
We work a lot with the large banks that use SSH. When we go to look at their networks, which are automated, they have something like eight authentication keys for access to the network. Some haven't changed in 10 years! It's a ticking time bomb. Sometimes they don't know who can access the systems. At one large bank, there are 200 systems administrators setting up keys for 200,000 systems. These are small files. Someone could copy all the keys in a USB stick. The key continues to provide access even after you've left the organization. The authorization keys grant you the same access as a password. You can change the encryption software. This is something that's a problem. This has been fairly little known and unnoticed for the last 15 years. Organizations haven't really handled the management of the keys. It's so technical, so deep inside the systems. Auditors haven't known about it. This is a top focus for us. Starting this spring, we've been piloting Universal SSH Key Manager, piloting it with a customer, for machine-to-machine communications. It solves three problems, knowing what you have, the trusted relationship with computers, and automating the management of the keys. One customer has a 15-person dedicated team doing key management, and they've had three failed projects trying to solve this problem.
So what is the CryptoAuditor product that SSH Communications Security is announcing today?
It's for auditing encrypted connections for visibility of content in an encrypted session. You have internal firewalls and all the connections are encrypted. We work with DLP [data-loss prevention] providers and others with the ICAP protocol. The goal is to control what gets transmitted across the firewall, and for auditing.
Companies investing in IoT technology need to understand the importance of the service and whether that type of service makes absolute sense for their company.
Decision-makers in enterprises often wrongly differentiate between the security requirements during the PC era as opposed to post-PC era. Consequently, mobile security does not feature high on their list of priorities, which I believe should happen ASAP, says Pekka Usva.
Content Security today requires a comprehensive multi-layered approach utilising multiple technologies, says David Wigley, CEO, ContentKeeper.
Combining great technology - that is well deployed, well maintained - with user base conscious of the threat landscape results in effective security posture, says Kris Hagerman, Chief Executive Officer, Sophos.