What’s easier than hacking the Federal Government? Apparently, it’s downloading SSH keys from an Amazon public cloud storage server that has not been password protected.
As reported in The Hacker News, “UpGuard cyber risk analyst Chris Vickery discovered a cache of 60,000 documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on Amazon cloud storage server for anyone to access.” These files included SSH keys as well as the security credentials of a lead senior engineer at Federal contractor Booz Allen Hamilton—credentials that could grant administrative access to a highly-protected Pentagon system. Vickery warned Gizmodo, “Exposing a private key belonging to a Booz Allen IT engineer is potentially catastrophic for malicious intrusion possibilities.”
Why don’t SSH keys get the respect they deserve? It may be that many organizations don’t realize the extent of the privileges that SSH keys control. SSH keys are used to verify the identity of machines, controlling access from one machine to another over a strongly encrypted and authenticated communications tunnel. Because SSH keys are considered more secure than usernames and passwords, they are most often used for providing the most sensitive, privileged access to critical machines. Given their potential for compromising machine identities, you’d think that SSH keys would be handled with kid gloves. But, in practice, that’s not always the case.
The recent Booz Allen leak isn’t the first time that compromised machine identities have put US national security at risk. With examples from Snowden to OPM and now secrets in the cloud, the problem of unprotected machine identities has often been overlooked. Kevin Bocek, Venafi VP of security strategy notes, “Many doubted that Edward Snowden could have used a digital certificate to gain unauthorized access until a leaked NSA memo confirmed it. In this latest instance, the SSH keys likely provided access to sensitive US defense systems running at the US National Geospatial-Intelligence Agency (NGA) or its defense contractor Booz Allen Hamilton.”
The problem of unprotected SSH keys and cloud administrator setup is not isolated or new. One out of five public Amazon Machine Images (AMIs) was found to have backdoors in research conducted by SecureWorks. A compelling example of these backdoors being used in an attack is the Ukrainian power grid compromise in December 2015, which was enabled by a long-term backdoor using an unauthorized SSH key inserted by Russian attackers. “This same vulnerability would almost certainly go undetected in US and Western European critical infrastructure,” warns Bocek. “In 2014, Forrester found that 47% of security professionals had already responded to a breach involving SSH keys over the previous two years.”
Industry needs to wake up to the risks of leaving SSH keys unprotected. NIST developed guidance for enterprises to identify the risk and eliminate backdoors and unauthorized access like the one that left US secrets exposed. NIST provides clear guidance on the policies that organizations need in order to protect the most sensitive and privileged machine access. Bocek recommends, “Enforce these policies with technology that can find all keys – from the datacenter to the cloud – and can make sure SSH keys are constantly changed to minimize their exposure to misuse.”
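One concrete form of the “find all keys” step, as an added example that is not from the article or from any vendor product: a Python audit that fingerprints every entry in an authorized_keys file and flags keys absent from an approved inventory, of a deprecated type, or unparseable. The sample file, key blobs and inventory are constructed for the example; the fingerprint format is OpenSSH’s SHA256 form.

```python
"""Audit OpenSSH authorized_keys content against an approved-key inventory."""
import base64
import hashlib
import shlex

# Key types OpenSSH accepts in authorized_keys; ssh-dss is flagged as deprecated.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, approved: set) -> list:
    """Return (line_no, reason, fingerprint, comment) for each key that is not in the
    approved inventory, uses a deprecated type, or cannot be parsed."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)  # keeps quoted option values (command="...") intact
            idx = next(i for i, t in enumerate(tokens) if t in KEY_TYPES)  # skip options
            key_type, blob = tokens[idx], tokens[idx + 1]
            comment = " ".join(tokens[idx + 2:])
            fp = ssh_fingerprint(blob)
        except (ValueError, StopIteration, IndexError):  # bad quoting, no key, bad base64
            findings.append((line_no, "unparseable entry", "", ""))
            continue
        if fp not in approved:
            findings.append((line_no, "not in approved inventory", fp, comment))
        elif key_type == "ssh-dss":
            findings.append((line_no, "deprecated key type", fp, comment))
    return findings

def _blob(label: bytes) -> str:  # constructed stand-in for a key blob, not a real key
    return base64.b64encode(label).decode()

# Constructed sample: one inventoried key and one forced-command key nobody approved.
APPROVED_BLOB = _blob(b"constructed-blob-approved-engineer")
UNKNOWN_BLOB = _blob(b"constructed-blob-unknown-origin")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not a real authorized_keys file
ssh-ed25519 {APPROVED_BLOB} engineer@example.internal
command="/usr/bin/rrsync /backup",no-pty ssh-rsa {UNKNOWN_BLOB} backup-job
"""
APPROVED_INVENTORY = {ssh_fingerprint(APPROVED_BLOB)}  # what the key inventory sanctioned
```

Run the audit over every account's authorized_keys (and any non-default AuthorizedKeysFile paths) and treat each “not in approved inventory” finding as a key to investigate and, if unexplained, remove.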
Does your organization have the technology to ensure that your SSH keys never go missing?