August 2020



Rumors and Preparedness

There are rumors circulating around SANS and full-disclosure circles that there is a 0day SSH exploit in the wild that might be announced sometime around the upcoming Black Hat event. Whether or not it is true remains to be seen, but beyond the question of “is it or isn’t it,” it’s interesting to consider the evolution of a rumor’s details, and how you choose to respond. Do you believe that recent versions of SSH are not susceptible and feel safe if you only use recent versions? Do you upgrade any older versions you have and feel somewhat safe that you’ve minimized your window of exposure? Just how recent is recent? Do you think that this could be a sensitized reaction primed by all the reports of cyberwar that we’ve been hearing lately? Do you think it could be a well-timed vehicle to garner support for the Cybersecurity Act of 2009? Do you think it’s a publicity stunt for BH?

Keep in mind that rumors love a vacuum, and details will be invented to fill a void of information – but don’t let that stop you from reasonable and affordable precautions:

  • If you haven’t already done so, it would probably be a good idea, in any event, to upgrade to the latest version of SSH.
  • If you have no publicly accessible SSH servers, don’t assume that you are totally safe – it is possible that other systems on your network are compromised and can serve as launch points for internal attacks.
  • If you can disable SSH on any servers, set up additional IP-level access controls, or even change the listening port to make systems less discoverable, you might consider doing so, if such a reaction is not too expensive relative to the value of your systems.
  • Examine your highest-risk SSH systems for anything unusual (e.g. strange processes or network activity, anti-forensics, file or log tampering, rootkits, etc.).

Am I suggesting these to foment fear? Hardly. These are just some ways in which we might choose to respond to such rumors. Another way would be to bury our heads in the sand. Or we might learn to expect the unexpected, invest in preparedness, and to sleep somewhat more soundly.

If the rumor turns out to be a hoax or a stunt, then this will fade into the history of other rumors. If, however, it (or its ilk) turns out to be true, then what? The updated packages that will be provided by vendors and distros won’t help after the fact. Neither will the “zero day” signatures that will be pushed by your IPS provider, at least not directly. But there is a way that you can use those signatures, ex post facto, to know if any of your systems might have been affected, and to precisely determine the scope of any breach.

With a full historical capture of network traffic, you could simply play back the entirety of your SSH traffic within your capture window to your recently enlightened IPS system, enabling it to retrospectively determine if any of your systems were compromised in the past. (Obviously, the same method could be used for any “known only after the fact” event, be it an exploit, attack, data leakage, etc.) Presuming a sufficiently large capture window, a signature positive would provide a map for targeted response, and a negative would provide peace of mind. How large is sufficiently large? That question can only be answered case by case, like its twin “how much insurance do I need?”.
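As an added example (not from the original post), this Python script shows the retrospective-replay idea in miniature: it builds a small constructed pcap of port-22 sessions and then scans that archive for a signature pattern published after the capture was taken, reporting when and between which hosts it appeared. The signature bytes, addresses and timestamps are all constructed for the demonstration; in practice you would feed the stored capture to the IPS itself.

```python
import socket
import struct
from datetime import datetime, timezone

# Hypothetical signature, constructed for this example: stands in for the
# pattern an IPS vendor would publish only after the exploit becomes known.
SIGNATURES = {"HYPOTHETICAL-SSH-EXPLOIT": b"SSH-2.0-EXPLOITDEMO"}

def build_pcap(packets):
    """Build an in-memory pcap (Ethernet/IPv4/TCP) from (ts, src, dst, sport, dport, payload)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, src, dst, sport, dport, payload in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # checksums left zero
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)

def scan_pcap(pcap, signatures, port=22):
    """Replay every packet; return (utc_time, src, dst, sig) for port-22 payloads matching a signature."""
    hits, off = [], 24                                  # skip the global header
    while off + 16 <= len(pcap):
        ts, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                 # IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 6:                                  # TCP only
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[(ip[0] & 0x0F) * 4:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        if port not in (sport, dport):
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]
        when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
        hits.extend((when, src, dst, name) for name, pat in signatures.items() if pat in payload)
    return hits

# Constructed capture: a benign banner on 29 Jul 2009 and a session carrying the pattern on 30 Jul.
SAMPLE_PCAP = build_pcap([
    (1248825600, "10.0.0.5", "10.0.0.22", 40001, 22, b"SSH-2.0-OpenSSH_5.2\r\n"),
    (1248912000, "10.0.0.99", "10.0.0.22", 40002, 22, b"SSH-2.0-EXPLOITDEMO\r\n"),
])

if __name__ == "__main__":
    for hit in scan_pcap(SAMPLE_PCAP, SIGNATURES):
        print("retrospective hit:", hit)
```

A hit gives the scope of the breach (time and hosts) from the archive alone; a clean scan of a window that fully covers the exposure period is the “peace of mind” negative.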

By the way, did you hear that eating fish might cause Mad Cow Disease? Fish eaters might want to look into more life insurance.
