Is Your Network Vulnerable to the New SSH Attack Vector, Terrapin?

Developed in 1995 to combat the password sniffing problem that plagued the Internet, the Secure Shell Protocol (SSH) has become one of the most important security practices used today and the de-facto standard for system administrators. It underpins the security of applications used inside millions of organizations, including the cloud environments of giants like Google, Amazon, and Facebook.

Now, almost 30 years later, researchers have devised an attack known as Terrapin that could cripple cryptographic SSH protections that the networking world relies on. Terrapin uses prefix truncation to downgrade the security of SSH channels, affecting several negotiation protocols. For a detailed explanation of the new attack vector, see the technical research paper here.

Our Chief Strategist Vince Berk shares his thoughts on Terrapin and shows how CipherInsights from Quantum Xchange is an effective network monitoring tool to identify whether any of the Terrapin-vulnerable encryption modes exist on your network and whether they are in active use.

“You don’t yet know today what you’ll need to be looking at tomorrow.”

This used to be my very favorite line when discussing security spending more than a decade ago when budgets flowed to detection and protection: firewalls to block inbound threats, IDS to detect threats on the wire, virus scanners to detect malware on the endpoint. At the time, security visibility consisted mostly of syslog and was not considered a money-making proposition.

Since then, the world has changed, and so too has cybersecurity spending. Visibility and forensic recall have grown significantly. In most cybersecurity incidents the investigative power of tooling with a memory of what happened is invaluable, allowing incident responders to assess the scope of the incident and ensure comprehensive cleanup. Although things have improved significantly, the recent Terrapin attack shows that the journey to security visibility is far from complete.

A quick recap on Terrapin, a vulnerability affecting certain key negotiations in SSH.

SSH is a widely used secure administration tool. It has become the de-facto standard for administrative tasks on servers, routers, cloud systems, and many more. It is also frequently used for secure file transfer between systems. Although the ssh command looks like a single, atomic tool, it supports many cryptographic methods under the hood. Terrapin is an attack against just two of those. During session initialization it is possible for a malicious actor to get in the middle and decrypt all traffic – a bad situation.

Much like the aftermath of the Heartbleed vulnerability, many system and network administrators are left wondering, “where am I vulnerable?” Since Terrapin affects only a small portion of the cryptographic methods available to SSH, a scan of the network or of configurations will produce large amounts of false alerts. Most SSH servers can speak the affected ciphers, but do they in practice?

Forensic recall of visibility data is what lets us ask the question that actually needs asking: “In the last six months, which servers or clients have used any of the affected ciphers in their SSH communications?” Answer that question and the hardening against Terrapin is going to be focused and quick. It is the difference between the network as designed and the network as built.
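The distinction drawn above, servers that merely offer a vulnerable mode versus servers where one was actually negotiated in the last six months, can be checked against session records. The following is an added example, not code from the post or from CipherInsights: it parses constructed SSH session records (the CSV layout, hosts and timestamps are invented for this example), flags sessions whose negotiated cipher/MAC pair is one Terrapin exploits (ChaCha20-Poly1305, or a CBC cipher with an Encrypt-then-MAC MAC, per the Terrapin research rather than this page), and ranks the servers a configuration scan reported by whether the mode was really in use inside the look-back window.

```python
"""Added example: which SSH peers actually negotiated a Terrapin-vulnerable mode?
All record formats, hosts and timestamps below are constructed for illustration."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Vulnerable combinations, from the Terrapin research (general knowledge, not from the page):
#  - ChaCha20-Poly1305 regardless of MAC (the MAC is implicit in the AEAD)
#  - any CBC-mode cipher paired with an Encrypt-then-MAC (-etm@openssh.com) MAC
CHACHA20 = "chacha20-poly1305@openssh.com"


def is_terrapin_vulnerable(cipher: str, mac: str) -> bool:
    """Return True if the negotiated cipher/MAC pair is one Terrapin can exploit."""
    cipher = cipher.strip().lower()
    mac = mac.strip().lower()
    if cipher == CHACHA20:
        return True
    return cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com")


# Constructed session records: timestamp, client, server, negotiated cipher, negotiated MAC.
SAMPLE_SESSIONS = """\
timestamp,client,server,cipher,mac
2023-12-18T09:14:02Z,10.0.1.15,10.0.2.40,chacha20-poly1305@openssh.com,<implicit>
2023-12-18T09:20:45Z,10.0.1.22,10.0.2.40,aes256-gcm@openssh.com,<implicit>
2023-12-19T11:03:11Z,10.0.1.15,10.0.2.41,aes128-cbc,hmac-sha2-256-etm@openssh.com
2023-12-19T11:05:30Z,10.0.1.30,10.0.2.41,aes128-cbc,hmac-sha2-256
2023-06-01T08:00:00Z,10.0.1.99,10.0.2.42,chacha20-poly1305@openssh.com,<implicit>
2023-12-20T14:42:09Z,10.0.1.22,10.0.2.43,aes256-ctr,hmac-sha2-512-etm@openssh.com
"""

# Constructed result of a configuration scan: every server that *offers* a vulnerable mode.
ADVERTISING_SERVERS = {"10.0.2.40", "10.0.2.41", "10.0.2.42", "10.0.2.43"}

# Constructed "today" for the six-month look-back.
EXAMPLE_NOW = datetime(2023, 12, 21, tzinfo=timezone.utc)


def parse_sessions(text: str):
    """Parse CSV session records into dicts carrying a timezone-aware datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["timestamp"] = ts.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def vulnerable_usage(sessions, now: datetime, window_days: int = 180):
    """Map each server to the clients that negotiated a vulnerable mode with it
    inside the look-back window (the "which servers or clients used them?" question)."""
    cutoff = now - timedelta(days=window_days)
    usage = defaultdict(set)
    for s in sessions:
        if s["timestamp"] >= cutoff and is_terrapin_vulnerable(s["cipher"], s["mac"]):
            usage[s["server"]].add(s["client"])
    return dict(usage)


def prioritise(advertising, usage):
    """Split scan findings into servers where the vulnerable mode was actually used
    (harden first) and servers that only offer it (harden too, but lower urgency)."""
    active = set(usage) & advertising
    idle = advertising - set(usage)
    return active, idle


if __name__ == "__main__":
    usage = vulnerable_usage(parse_sessions(SAMPLE_SESSIONS), EXAMPLE_NOW)
    active, idle = prioritise(ADVERTISING_SERVERS, usage)
    for server in sorted(active):
        print(f"{server}: vulnerable mode in use by {sorted(usage[server])}")
    print("offered but unused in window:", sorted(idle))
```

On the sample data the scan reports four servers, but only two negotiated a vulnerable mode in the window: the ChaCha20 session from June falls outside six months, and the CBC session with a plain MAC and the CTR session with an EtM MAC are not affected combinations. Those two hosts (and the one client that reached both) are where the hardening effort goes first.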

And so, my question of years past still rings true. We did not know a few weeks back that today we need to be looking at exactly what ciphers are used by SSH on our network.

Thankfully, CipherInsights from Quantum Xchange is here to help answer the Terrapin question, in addition to many other critical enterprise crypto questions. Are your systems in compliance with PCI-DSS 4.0? Are all your credentials encrypted in transit as required by your cyber insurance? What will it take to transition to a quantum-safe cryptographic state? Know the answers, deploy CipherInsights today!
