Exposed SSH Key Means US Emergency Alert System Can Be Hacked

timothy posted about a year ago | from the what's-with-all-the-tsunami-alerts-lately? dept.

Communications 86

wiredmikey writes "Recently discovered security flaws in the Emergency Alerting System (EAS) which is widely used by TV and radio stations across the United States, has made the systems vulnerable to remote attack. The vulnerability stems from an SSH key that is hard-coded into DASDEC-I and DASDEC-II devices made by Monroe Electronics. Unless the default settings were altered during deployment, impacted systems are using a known key that could enable an attacker with full access if the systems are publicly faced or if they've already compromised the network. By exploiting the vulnerability, an attacker could disrupt a station's ability to transmit and/or could send out false emergency information. 'Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,' said Mike Davis, a principal research scientist at IOActive. The DHS issued an alert on the vulnerability, and IOActive, the firm that discovered the flaw, has published additional technical details (PDF) on the security issue."


86 comments


Zombie apocalypse false report (5, Funny)

intermodal (534361) | about a year ago | (#44227049)

when I saw the first part of the blurb, I thought, "the least they could do is publicize the security hole by announcing the zombie apocalypse." Guess they beat me to the punch.

Re:Zombie apocalypse false report (1)

Anonymous Coward | about a year ago | (#44227135)

The real story is that this is a cover-up for a real zombie outbreak. The feds think they can keep it contained and hide the evidence, but we'll all know better in a month.

Re:Zombie apocalypse false report (3, Funny)

Anonymous Coward | about a year ago | (#44227165)

When I saw the second part of the blurb, I thought, "They *say* there wasn't a zombie apocalypse and that it was just a security flaw, but maybe that's only because they managed to contain the outbreak in Montana." :-)

Re:Zombie apocalypse false report (3, Funny)

egamma (572162) | about a year ago | (#44228131)

When I saw the second part of the blurb, I thought, "They *say* there wasn't a zombie apocalypse and that it was just a security flaw, but maybe that's only because they managed to contain the outbreak in Montana." :-)

I grew up in Montana. I've been to Great Falls. If there were zombies in February, the zombies arose from the grave and then promptly iced over, and were then disassembled using chainsaws.

Re:Zombie apocalypse false report (1)

HairyNevus (992803) | about a year ago | (#44228363)

Goddamnit, getting my YubiKey today was the safest I've felt in a while. But, 2 ACs posting the same idea within 2 minutes of each other can't be wrong. Makes me wonder...by the time I get a shotgun, what will the next threat be?

Re:Zombie apocalypse false report (1)

MickyTheIdiot (1032226) | about a year ago | (#44227211)

It has already happened [wikipedia.org]

Check out the last incident on the list, from February of this year.

Re:Zombie apocalypse false report (1)

MickyTheIdiot (1032226) | about a year ago | (#44227253)

...or rather this is the second incident of it happening, not the first.

Re:Zombie apocalypse false report (-1)

Anonymous Coward | about a year ago | (#44227357)

Passion Natural Water-Based Lubricant - 55 Gallon

I knew getting back in the "dating game" would be a challenge after being out of it for over 5 years. When I was released from Joliet, I had to learn all the new things "the dating crowd" was trying. I knew about scented candles and Luther Vandross CDs, and sure was glad to hear people still use them. But I had no idea that "lube" was so popular with the "romantics" out there. All it took was one stroll through the Walgreens personal hygiene aisle to prove I had to learn a new thing.

"Where to start?", I wondered. I wanted something simple. However, all I saw in the stores were lubricants that were flavored with cinnamon and paprika, or designed to somehow "heat" your private parts. No way, Jose! (I experienced the "heat" thing personally once after an adventurous incident with a toaster. I'll stick with "room temperature" from now on, thank you very much.)

Luckily, I found a plain, old-fashioned lubricant that would not make me smell like a dessert topping. And it came in this HUGE tub! No more awkward late-night Walgreens runs for me, once I could get my hands on this lubricant bin. Now, I admit the price tag was kinda hefty. But after selling the ol' Pontiac Sunfire and borrowing some cash from Aunt Gladys, I was "ready to place my order."

The product only took a week to arrive, and got to my apartment just in time for my first real "date" since the gas station incident. You can bet I was nervous for this one. When I got off the bus to meet Carla in front of the Chili's, I just about had a heart attack! The only thing keeping me calm was knowing that I could not possibly run out of lube that night. I gave Carla a reassuring nod and smile, as if to say "Don't worry, Carla, I have plenty of lubricant for later."

The dinner was great, and after knocking back a couple Mojo Mango Margaritas, we were ready to head back to my apartment. I winked and told Carla, "Let's SLIP on out of here," to see if she understood the lubricant lingo. I think she did. Throughout the bus ride back, I grinned and hummed Luther Vandross tunes to set the mood.

When we got to my place, I already had a candle burning. It was by "Glade", which I think you pronounce like the singer Sade, because it is an exotic candle that smells just like real pine. After we got comfortable, I asked Carla if she could help me with the lube. She looked at me weird, and I couldn't tell if it was because she thought it was "too soon" or because I was pushing a mechanical lift to get the drum barrel out of the storage closet.

So I "took the initiative", as women like men to do, and rolled the barrel out into the living room. "Ready to tap the keg?" I joked, and by "keg" I meant "55-gallon barrel of personal lubricant." She looked at me all shocked, and said "That's it, I'm out of here!" I asked why, since she didn't need to run to Walgreens for more lubricant - there was plenty right here. But she didn't answer, and got up to leave anyway. Then, as Carla was about to pass me and the barrel, she tripped on my dog Poochie and fell right into the lube barrel! The force of the impact downed the barrel and knocked its lid off, sending 55 gallons of water-based lubricant across my faux-hardwood floors.

Carla was completely drenched, and her momentum slid her to the front door - which she somehow managed to pry open with a pair of oven mitts. The last thing I knew, "No-Fun Carla" was screaming profanities and sliding down three flights of steps. I didn't pay much attention because I was too busy trying to salvage the lube. I managed to get about half of it back into the barrel - the other half probably seeped into Mrs. Pulaski's unit below me. I never bothered to ask if she appreciated the free gift of lubricant.

Anyway, despite my "user error", I was quite pleased with the product. These days it's hard to find 55 gallons of scent-free water-based lubricant, and you can find it right here at a discount rate! I had to give it only "4 Stars" because it didn't come with a lifting apparatus. I had to buy my own mechanical lift separately to haul the bin to my future "dates". So if you're ready for fun, "slide" on down to a high quality product at a bargain price!

Re:Zombie apocalypse false report (1)

thunderclap (972782) | about a year ago | (#44227555)

Why would anyone need a Barrel of lube? What, you're a porn star now? (55 gallons is a standard barrel)

Re:Zombie apocalypse false report (0)

Anonymous Coward | about a year ago | (#44228309)

bravo!

Re:Zombie apocalypse false report (1)

folderol (1965326) | about a year ago | (#44228471)

Anyone else notice you just can't get the same class of zombie apocalypse that you used to see years ago?

Re:Zombie apocalypse false report (0)

Anonymous Coward | about a year ago | (#44230963)

I came here to make this joke and the very first comment beat me to it. I'm so unoriginal...

Re:Zombie apocalypse false report (1)

lipanitech (2620815) | about a year ago | (#44236089)

Everyone is obsessed with zombies right now; it's the zombie craze, so it's only fitting they break through with a zombie apocalypse story.

Hard-Coded? (3, Insightful)

drummerboybac (1003077) | about a year ago | (#44227051)

If the implications are that it can be changed by modifying the default settings, it's not really hard-coded, is it?

Re:Hard-Coded? (3, Insightful)

CastrTroy (595695) | about a year ago | (#44227263)

There's a hard coded default, and that's bad enough. In order to do stuff like this correctly, the system should not have a default code, and it should not start until a new securely generated key has been created.

Re:Hard-Coded? (1)

NatasRevol (731260) | about a year ago | (#44227355)

What, and add two more steps to the install??

Insanity!

Re:Hard-Coded? (1)

Anonymous Coward | about a year ago | (#44227421)

These pieces of equipment are run by people who can't use the term "hacker" correctly and who waive their hands in the air about "cyber attacks."

For morons, in other words.

Re:Hard-Coded? (0)

Anonymous Coward | about a year ago | (#44227981)

Nah, this system isn't made for you.

Re:Hard-Coded? (0)

1s44c (552956) | about a year ago | (#44228849)

Nah, this system isn't made for you.

It looks like this system is made for anyone who knows how to use SSH and can figure out how to get this emergency broadcast system to broadcast their message. I expect regular Zombie, Vampire, Killer Bee, and Klingon invasions for the next few months and maybe a few party political broadcasts by right-wing Christian nut-jobs.

Look on the bright side, it's better than regular TV.

Re:Hard-Coded? (2)

Em Adespoton (792954) | about a year ago | (#44228621)

These pieces of equipment are run by people who can't use the term "hacker" correctly and who waive their hands in the air about "cyber attacks."

For morons, in other words.

I agree... anyone who waives their hands is a moron. You can waive my hands from my cold dead (animated) body.

Re:Hard-Coded? (1)

1s44c (552956) | about a year ago | (#44228895)

I agree... anyone who waives their hands is a moron. You can waive my hands from my cold dead (animated) body.

Anyone that waves their hands about, in an enclosed space such as a train or a bus, whilst talking on a phone, is beyond moron.

Re:Hard-Coded? (1)

Em Adespoton (792954) | about a year ago | (#44229491)

*whoosh*

But yeah; that's due to the talking on a phone part. People need to waive their phone use prior to waving so they don't make waves.

Re:Hard-Coded? (4, Interesting)

bughunter (10093) | about a year ago | (#44227363)

If the implications are that it can be changed by modifying the default settings, it's not really hard-coded, is it?

FTFS:
Unless the default settings were altered during deployment, impacted systems are using a known key

You missed an important bit there. It's very probably stored on an EPROM or SD Card, requiring physical access to the DASDECs. Some of my employer's products are used in the same market (local TV stations) and that's a pretty common method of configuring equipment for a particular customer.

Hard-coded, as in: Yes it's code, but there's no external interface protocol which permits changing the keys. In order to alter it, you have to remove the unit from the rack, take the cover off, and then you can upload a new config file. More recent products use external USB ports, but I bet these DASDECs are older than that...

Re:Hard-Coded? (1)

h4rr4r (612664) | about a year ago | (#44227399)

What moron decided to use the same key on all of them is my question. If it is really on EPROM then you really need to avoid stupidity like this since it is harder to change later.

Re:Hard-Coded? (1)

thunderclap (972782) | about a year ago | (#44227581)

Pre-internet when this was built that wasn't stupid thinking. It was called redundancy. Yes it should have been updated.

Re:Hard-Coded? (1)

cdrudge (68377) | about a year ago | (#44228137)

Pre-internet when this was built that wasn't stupid thinking.

SSH came about sometime in 1995 or later. The Internet, regardless of when you want to consider it "invented", predates that considerably. DASDEC products didn't come about until 2004.

There is ZERO reason to key them all the same.

Re:Hard-Coded? (1)

ebno-10db (1459097) | about a year ago | (#44229149)

It was updated. FTA:

According to an advisory from the company, most (but not all) of their customers have installed the updated firmware.

The problem is getting customers to do the update. In typical egocentric Slashdot fashion, many posters will sanctimoniously say that they do daily checks for security updates or whatever. The problem is that they forget that broadcasters, and many other folks, have a lot of things to worry about in addition to Internet security. Maybe the answer is just to take stuff like this off the Internet. They had ways of handling this before it was popular to connect everything including your toaster to the Internet. Which reminds me, I keep getting burnt toast and I'm trying to trace down a Chinese IP address ...

Re:Hard-Coded? (1)

penix1 (722987) | about a year ago | (#44233035)

There is also another reason...

You haven't worked for a state agency before if you think the "customer" is the emergency management team. It is the IT departments that have control of all the equipment as well as have the responsibility for its maintenance and upkeep.

Having said all that, is it really the job of even the IT department to fix a flaw in equipment supplied by a vendor? Or is it the job of the vendor (who usually has a maintenance contract for it) to do that fixing?

Re:Hard-Coded? (1)

1s44c (552956) | about a year ago | (#44228919)

What moron decided to use the same key on all of them is my question. If it is really on EPROM then you really need to avoid stupidity like this since it is harder to change later.

Vendor: "But it's perfectly secure because we promise to keep the key safe!"
PHB of whatever government department: "I see no problem with that"

Re:Hard-Coded? (1)

a_big_favor (2550262) | about a year ago | (#44227391)

Those defaults are hardcoded...The blurb is only kind of misleading.

Bee Doe! Bee Doe! Bee Doe! (1)

ackthpt (218170) | about a year ago | (#44227077)

Yep, I'll suddenly get more emergency alerts over my satellite radio, for whatever reason they do them now.

Warning purple fuzzy minions attacking everyone on Earth!

Ok... that one would make sense as it isn't location specific.

Re:Bee Doe! Bee Doe! Bee Doe! (1)

Charliemopps (1157495) | about a year ago | (#44227453)

And don't forget your cellphone. The problem is the weather service sends out stupid alerts I don't care about and I have no way to filter them. I have a weather radio at home and I never turn it on because it goes off at least once a week at 3am with "Thunderstorm warning!!!!" Ok, yea, as if the thunder and my panicking dog didn't already alert me to that. Then there's the flash flood warnings. I live on high ground, and work on the 6th floor of a highrise and even if I didn't what the hell am I supposed to do about either situation?

I want an alert for when I need to go in the basement, leave town, or get out my gun. Other than that, I don't want to hear about it.

Re:Bee Doe! Bee Doe! Bee Doe! (0)

Anonymous Coward | about a year ago | (#44227579)

Re:Bee Doe! Bee Doe! Bee Doe! (2)

dgatwood (11270) | about a year ago | (#44227471)

At least they chose an obviously fake alert. Imagine if they had announced a terrorist threat to a major sporting event. They could have easily caused a mass panic with thousands of casualties. This is why we must take cyber-security seriously. Specifically:

  • The community needs to continue beefing up vulnerability databases to make it easier for people to get alerts about software and hardware that they own and use, rather than generic warnings that contain dozens of products, 99% of which they don't care about. (That said, I do have to at least give CERT credit for finally making their email alerts useful instead of the useless "Click this link for an updated vulnerability summary" emails that they used to send out.)
  • Every college and university must make computer security classes mandatory for all CS and CE majors so that the systems they design are secure by default instead of defective by design.
  • Language developers must make common unsafe programming techniques impossible. For example, string taint support should be turned on by default, it should not be possible to remove that taint from a user-provided string, and it should be a fatal error for a tainted string to appear anywhere in the query string for a mysqli or PDO query.
  • Support for the base (non-parameterized) mysql library should be removed from all languages unless someone manually recompiles the libraries to include it, with a warning that the support will be removed entirely within two years.

And so on. Notice how none of these things involve secret government organizations monitoring exabytes worth of data each day to "protect" us.

Re:Bee Doe! Bee Doe! Bee Doe! (0)

Anonymous Coward | about a year ago | (#44232487)

Terrorists at a sports event - what is the fun in that? zombies or UFOs are more fun. And there is always someone who will believe anyway, because they "saw it on TV!"

Re:Bee Doe! Bee Doe! Bee Doe! (1)

dbIII (701233) | about a year ago | (#44233171)

They could have easily caused a mass panic with thousands of casualties

Reality is not a disaster movie. In real disasters people are surprisingly sensible.

Re:Bee Doe! Bee Doe! Bee Doe! (1)

bickerdyke (670000) | about a year ago | (#44235083)

That's why provoking a mass panic by faking a disaster could be even more evil than the disaster itself....

Say no to drugs! (1)

dbIII (701233) | about a year ago | (#44235279)

Watch out kids. If you take illegal drugs you might end up looking just as stupid as the poster above who managed to get the thing he read turned around backwards in his brain.

Misdirection (5, Funny)

belthize (990217) | about a year ago | (#44227125)

I think this is just misdirection and cover up.

'Earlier this year we were shown an example of an intrusion on the EAS when the Montana Television Network's regular programming was interrupted by news of a zombie apocalypse. Although there was no zombie apocalypse, it did highlight just how vulnerable the system is,

How do we know there was no zombie apocalypse. Maybe they're just claiming a vulnerability to pretend the apocalypse was a fake. When was the last time you talked to somebody in Montana, would you even know if it'd been overrun ?

Re:Misdirection (5, Funny)

Picass0 (147474) | about a year ago | (#44227219)

Plausible.

Most people when meeting somebody from Montana wouldn't be able to tell if they are "living" or "living dead".

Re:Misdirection (2)

idontgno (624372) | about a year ago | (#44227419)

I lived in Montana for a few years in my youth.

I can confirm that I was like unto the undead during that period. It was living death, except colder in the winter.

The only living thing there is cattle, and that's only because you can't market zombie beef yet.

Re:Misdirection (3, Funny)

MickyTheIdiot (1032226) | about a year ago | (#44227427)

They only got 4 calls about the alert.

That was a full 50% of their audience.

Re:Misdirection (0)

Anonymous Coward | about a year ago | (#44227627)

I just got back from Montana. No need to worry, all the zombies are just fine. We just let them loose from time to time to eat all the Californians that keep showing up.

Re:Misdirection (1)

ebno-10db (1459097) | about a year ago | (#44229173)

I just got back from Montana. No need to worry, all the zombies are just fine. We just let them loose from time to time to eat all the Californians that keep showing up.

Interesting idea. Can we borrow some of you zombies for my state?

Re:Misdirection (1)

Hillgiant (916436) | about a year ago | (#44228339)

Everyone knows that so-called "Montana" is just a ridiculous liberal myth.

Re:Misdirection (2)

1s44c (552956) | about a year ago | (#44228981)

If Montana was overrun by Zombies would anyone care?

Now if Hannah Montana was fighting off a zombie invasion, maybe with a chainsaw, that would be a great film.

Re:Misdirection (1)

pillageplunder (183475) | about a year ago | (#44232385)

More to the point...what is the criticality in your life that Montana has been over-run. As In: Montana has been over-run by a Zombie Apocalypse. This affects your life exactly...HOW?

Sure, that is what they are saying (1)

h4rr4r (612664) | about a year ago | (#44227183)

So this is the cover story they are using this time?
I guess they need some way to explain it away. Just like the Chinese did with SARS to keep people from finding out the truth.

hardcoded secrets (1)

markhahn (122033) | about a year ago | (#44227229)

"bad form"? it's just security-through-obscurity. it's tempting to try to enumerate some ground rules for security (like "never hardcode a secret"), but if someone is violating these sorts of commonsense rules, would they ever read such a list?

Re:hardcoded secrets (1)

Anonymous Coward | about a year ago | (#44227245)

FAST
GOOD
CHEAP

choose two

Zombie Apocalypse (0)

Anonymous Coward | about a year ago | (#44227255)

Although there was no zombie apocalypse

Tell that to all the zombies. Oh wait, you can't, they were all victims of the Zombie Apocalypse.

The "hack" earlier this year was not a hack. (1)

Lumpy (12016) | about a year ago | (#44227281)

They found the freaking phone number that these units still use to make brain-dead Government officials able to use it. It probably had an easy-to-guess 4-digit password.

seen any publickey scanning? (1)

markhahn (122033) | about a year ago | (#44227283)

normally, any system on the internet will receive lots of bruteforce ssh scans, using password authentication. I wonder if this botch means that Bad Guys will be scanning with publickey as well. (obviously, the set of known and interesting private keys is much less effective than the usual catalog of common passwords...)

Otherwise known as (1)

sl4shd0rk (755837) | about a year ago | (#44227413)

id_nsa.pub

for fucks sake people (4, Informative)

smash (1351) | about a year ago | (#44227423)

It's really not that hard.

  1. Password protect your private keys!
  2. don't listen to port 22 on the internet from anywhere. require VPN, ipsec tunnel, at the bare minimum, hosts.allow from a specific management network, or some other method to secure the connection first. security is layered, don't rely on a single authentication to give people the keys to the castle, or someone will fuck you
  3. use multiple service accounts with least privilege access so compromise of one doesn't impact another

The fact that an emergency services network has been left in a state like this is bordering on.... no, IS criminal negligence.

Re:for fucks sake people (2)

Loughla (2531696) | about a year ago | (#44228123)

The sad fact is the people who actually make calls about infrastructure like emergency alert, power and water have absolutely no idea what most of the words in your post actually mean.

Re:for fucks sake people (1)

93 Escort Wagon (326346) | about a year ago | (#44228881)

It's unlikely those decision makers are the same people who hard-coded an ssh key into the device. They don't even know what ssh is.

Re:for fucks sake people (0)

Anonymous Coward | about a year ago | (#44232295)

I've designed and authored devices and protocols for a similar, but not directly related domain.

I can tell you that management directed me to:

1) Remove encryption (easier to debug)
2) Do not re-implement encryption (waste of money, does not assist profits) with any debug flag or jumper or other setting to solve #1
3) Build in a back door for our field techs
4) Build in a default password so the customer can reset the device when locked out (different from the back door) through negligence
5) Communicate over port 80 to be harder (less likely) to be firewalled off in stock networks
6) Reboot, reclaiming logspace on error conditions instead of halting on dangerous error conditions (nominally to increase chance of recovery by freeing up temporary storage space for use).
7) Implement remote firmware push. Due to things much like...the reasons above involving "cheap as a two cent whore" this was over an open TCP/IP management port on an addressable subnet...

Then I quit.

Some of the managers do know what SSH is. They just don't care and will never be held accountable because the client does not know.

There is also the highly likely condition of "chief developer was terminated, and their checklist never made it into the build"

Captcha: gunplay

Sounds about right when I recall the platforms I was working with....

Re:for fucks sake people (1)

smash (1351) | about a year ago | (#44233463)

Does not surprise me in the slightest. Which is why black boxes like this should be on an entirely segregated and firewalled network, and have nothing on the device exposed directly to the internet (or any other not-fully-trusted network). If any devices or vendors "need" remote access or their device to have access to the internet, I demand to know which IPs/ports/protocols so they can be added to the firewall, specifically due to issues like this. If they are not supplied, they don't get access, and management are informed as to where the holdup is. Yes, I'm lucky to have a fairly small management team who "get it" and share my concerns regarding the security and integrity of our assets (so long as my paranoia is explained/justified, which thankfully I am able to convince them of).

Re:for fucks sake people (1)

Chuck Milam (1998) | about a year ago | (#44228159)

All things being relative, this is a government contract/project, so I guess we should feel lucky it wasn't open port 23 telnet with a null password. Therefore, they'll probably get a reward for using that newfangled SSH encryption stuff (circa 1995, but who's keeping score?)

Re:for fucks sake people (1)

gl4ss (559668) | about a year ago | (#44228341)

well... they could spend the money either on tapping your daughter's video chats OR on training people responsible for these systems; they didn't have money for both and tapping the skype feeds was easier so they went with it.

Re:for fucks sake people (2)

1s44c (552956) | about a year ago | (#44229225)

There is no security reason to move SSH to a different port. It's dead easy to work out what port it's on as it has a clear banner. VPN and ipsec are not more secure than SSH and often cause more problems as they can bridge trusted to untrusted networks.

If you want to setup SSH right:

Turn off all password authentication.

Turn off everything else in the config you are not using, like host based and kerberos authentication.

Use big key lengths.

Check you only have current and correct keys in authorized_keys

Limit keys by IP address or with forced commands if possible

Disable root logins and all common user names if it makes you feel more secure

Use privilege separation

You may optionally limit connections per IP with iptables or an equivalent firewall but don't trust that fail2ban crap

Set log level verbose so it actually logs what key was used to authenticate who
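The two points made in this thread, that the same default key was trusted on every device (CastrTroy, above) and that authorized_keys should hold only current keys, restricted by source address or forced command (1s44c's list), can be checked mechanically. The script below is an added example, not part of the article, the IOActive report or any vendor tool: it parses authorized_keys files collected from a fleet, computes OpenSSH-style SHA256 fingerprints, and flags keys that are on a revocation list, trusted on more than one host, or carry no from=/command= restriction. All hostnames and keys are constructed sample data; the "vendor" blob stands in for a fingerprint you would take from the vendor advisory.

```python
"""Audit collected authorized_keys files for shared, revoked and unrestricted keys.
Added example; not code from the article or from Monroe Electronics/IOActive."""
import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length + bytes)."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(label: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key blob from a label.
    Constructed test data only: no private key exists for it."""
    point = hashlib.sha256(b"example:" + label.encode()).digest()  # 32 bytes
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(point)).decode()


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64(sha256(blob))."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line: str):
    """Return (options_text, rest). Options end at the first whitespace
    outside double quotes; a line starting with a key type has none."""
    if line.startswith(KEY_TYPES):
        return "", line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(text: str) -> dict:
    """Turn 'from="a,b",command="x",no-pty' into a dict; bare flags map to True."""
    opts, buf, in_quotes = {}, "", False
    for ch in text + ",":
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            if buf:
                name, _, value = buf.partition("=")
                opts[name] = value.strip('"') if value else True
            buf = ""
            continue
        buf += ch
    return opts


def parse_line(line: str):
    """Parse one authorized_keys line into (options, keytype, b64, comment);
    None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    opts_text, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError(f"unparseable authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return parse_options(opts_text), parts[0], parts[1], comment


def audit_fleet(fleet: dict, revoked: set) -> dict:
    """fleet: hostname -> authorized_keys text. Returns hostname -> list of
    (fingerprint, comment, issues). Issues: 'revoked' (on the blocklist),
    'shared-by-N-hosts' (same key trusted on N > 1 hosts, the default-key
    pattern), 'unrestricted' (neither from= nor command= set)."""
    hosts_per_fp, parsed = defaultdict(set), defaultdict(list)
    for host, text in fleet.items():
        for line in text.splitlines():
            entry = parse_line(line)
            if entry:
                opts, _ktype, b64, comment = entry
                fp = fingerprint(b64)
                hosts_per_fp[fp].add(host)
                parsed[host].append((fp, opts, comment))
    report = {}
    for host, entries in parsed.items():
        findings = []
        for fp, opts, comment in entries:
            issues = []
            if fp in revoked:
                issues.append("revoked")
            if len(hosts_per_fp[fp]) > 1:
                issues.append(f"shared-by-{len(hosts_per_fp[fp])}-hosts")
            if "from" not in opts and "command" not in opts:
                issues.append("unrestricted")
            findings.append((fp, comment, issues))
        report[host] = findings
    return report


# Constructed sample fleet: invented hostnames, keys with no real private half.
VENDOR_KEY = fake_ed25519_blob("vendor-default")  # stands in for the shipped key
ADMIN_A = fake_ed25519_blob("admin-alice")
ADMIN_B = fake_ed25519_blob("admin-bob")
SAMPLE_FLEET = {
    "eas-1.example.invalid": f"ssh-ed25519 {VENDOR_KEY} factory@vendor\n"
                             f'from="10.20.0.0/24" ssh-ed25519 {ADMIN_A} alice@mgmt\n',
    "eas-2.example.invalid": f"ssh-ed25519 {VENDOR_KEY} factory@vendor\n"
                             f"ssh-ed25519 {ADMIN_B} bob@laptop\n",
    "eas-3.example.invalid": "# vendor key removed after firmware update\n"
                             f'from="10.20.0.0/24",command="/usr/local/bin/eas-ctl" '
                             f"ssh-ed25519 {ADMIN_A} alice@mgmt\n",
}
# In practice this set holds fingerprints from the vendor advisory (placeholder here).
REVOKED = {fingerprint(VENDOR_KEY)}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_FLEET, REVOKED).items():
        for fp, comment, issues in findings:
            print(f"{host:24} {fp} {comment:16} {', '.join(issues) or 'ok'}")
```

The script cannot tell whether a listed key's private half is passphrase-protected; as smash notes below, that is a client-side property, so the from= and command= checks are the server-side controls that still hold when a key is stolen.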

Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44232995)

If someone follows their advice they are wide open in situations like the one we are discussing! A stolen key would let someone in if you don't have a passphrase on the key.

Thus I see your "Turn off all password authentication" as stupid and dangerous advice since it will be read by every ssh newbie (and a lot who are not newbies) as meaning not to use a passphrase on the key. If you are going to mention passwords at all you need to make that clear, otherwise you are setting people up for an easy attack by stolen key the next time a laptop goes missing.

Re:Another one gets it wrong (1)

smash (1351) | about a year ago | (#44233499)

Password auth in SSH and password protected keys are two entirely different things - password auth on your key is a client side thing; to enforce key use you turn off password auth in SSH. Unfortunately, I'm not aware of a way to enforce password protection on private keys on the server end. So your options are to generate the private key with the user under supervision or via a script or such which forces them to supply a passphrase.

It is also why you also block access to networks you don't know and preferably secure via some other method (IPSEC/VPN/etc.) first. That way, even if someone steals the private key, and it has no passphrase, they still need to get onto one of your designated management networks/machines before they can even be allowed to hit the SSH port.

When securing your stuff - always try and assume "what if", e.g., "what if someone steals a private key from a compromised client?". You can't mitigate every single possible scenario, but you can certainly make it a lot more difficult than just hitting the machine from the internet via a stolen/backdoor key or passphrase.

Anyone who has public/private key access should be informed that any suspected private key disclosure MUST be reported.

Re:Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44234257)

Doesn't matter - the above post had a long list of things but left out the one thing that offers protection from the compromised key the article is about and gave some advice that can be misinterpreted as not doing the one thing that can stop it.

Re:Another one gets it wrong (1)

1s44c (552956) | about a year ago | (#44235489)

I refer you again to the line about keeping current keys in authorized keys and again to the fact you should not be allowed to manage anything more important than a pocket calculator.

Re:Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44235723)

Don't take criticism well do you?

Re:Another one gets it wrong (1)

1s44c (552956) | about a year ago | (#44249763)

Don't take criticism well do you?

It's not that, I just don't take ignorant fools who think they know what they are talking about well.

Re:Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44250349)

I'm not the one that missed the passphrase. If that makes me the incompetent one you must have an incredibly low opinion of yourself.

Re:Another one gets it wrong (1)

smash (1351) | about a year ago | (#44251627)

Removing a key from authorized_keys relies on the fact that you happen to KNOW it has been stolen. If you don't know, you're fucked. Password protect your keys!

Re:Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44258323)

I refer you again to the line about keeping current keys in authorized keys

Obviously that is not going to help in any way at all until it's already been revealed that the key is stolen - most likely by somebody using it to get in and create some sort of incident.
If I'm not fit to use a calculator by spotting these things that you are not then where does that leave you? Not fit to brush your teeth without risking an accident or something? You are better with the insults than with ssh so I'll leave it up to you to choose one.

Re:Another one gets it wrong (1)

1s44c (552956) | about a year ago | (#44235483)

I never said leave your car unlocked with the keys in the ignition; that doesn't mean I'm advising people to do that. I really hope you don't manage anything more serious than your home system because you don't have a clue.

'Check you only have current and correct keys in authorized_keys' means getting rid of keys that have, or may have, leaked. I never said don't use passphrases but ultimately you can't trust them because you can't trust users to do the right thing.
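
Checking that authorized_keys holds only current keys, as 1s44c says above, and pulling a key the moment a theft is suspected (smash's point earlier in the thread) both need a way to name a key by something shorter than its blob. The script below is an added example, not any poster's code and not Monroe Electronics' code: it computes each key's SHA256 fingerprint the same way ssh-keygen -lf prints it, matches it against a list of fingerprints you have decided are burned (here the list is built from the demo's own "factory default" key), and also flags keys that carry no from= restriction, because a stolen key that is source-restricted is far less useful. The sample file, its keys and the fingerprint list are constructed filler, not real key material.

```python
"""Audit an authorized_keys file for burned keys and unrestricted keys.

Added example for this thread, not Monroe Electronics' code or any poster's.
Key material and fingerprints below are constructed for the demo.
"""
import base64
import hashlib

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
             "sk-ssh-ed25519", "sk-ecdsa-sha2-")


def ssh_string(data):
    """Encode bytes as an SSH wire string: uint32 big-endian length, then data."""
    return len(data).to_bytes(4, "big") + data


def make_ed25519_blob(point):
    """Build an ssh-ed25519 public key blob ('point' is constructed filler here)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(point)


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -lf prints: unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def split_options(line):
    """Split the leading option list from the rest of an authorized_keys line.

    Option values may be quoted and contain spaces (command="/bin/foo bar"),
    so stop at the first whitespace that is outside double quotes.
    """
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and not (i and line[i - 1] == "\\"):
            quoted = not quoted
        elif ch in " \t" and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def option_names(options):
    """Return option names (the part before '='), splitting on commas outside quotes."""
    names, cur, quoted = [], "", False
    for ch in options + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            if cur:
                names.append(cur.split("=", 1)[0].lower())
            cur = ""
        else:
            cur += ch
    return names


def parse_line(line):
    """Parse one authorized_keys line into options, key type, blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "type": parts[0],
            "blob": base64.b64decode(parts[1]),
            "comment": parts[2] if len(parts) > 2 else ""}


def audit(text, compromised):
    """Return (lineno, fingerprint, comment, problems) for every key in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if entry is None:
            continue
        fp = fingerprint(entry["blob"])
        problems = []
        if fp in compromised:
            problems.append("known compromised key")
        if "from" not in option_names(entry["options"]):
            problems.append("no from= source restriction")
        findings.append((lineno, fp, entry["comment"], problems))
    return findings


# Constructed sample: a vendor-wide default key, a source-restricted operator
# key and an unrestricted personal key. None of these are real keys.
FACTORY_BLOB = make_ed25519_blob(bytes(range(32)))
OPS_BLOB = make_ed25519_blob(bytes(range(32, 64)))
USER_BLOB = make_ed25519_blob(bytes(range(64, 96)))

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for root on the alert encoder",
    "ssh-ed25519 %s factory-default" % base64.b64encode(FACTORY_BLOB).decode(),
    'from="10.20.0.0/24,192.0.2.0/24",no-agent-forwarding ssh-ed25519 %s ops@mgmt'
    % base64.b64encode(OPS_BLOB).decode(),
    "ssh-ed25519 %s engineer@laptop" % base64.b64encode(USER_BLOB).decode(),
])

# Fingerprints you have decided are burned (here: the shared factory key).
COMPROMISED = {fingerprint(FACTORY_BLOB)}

if __name__ == "__main__":
    for lineno, fp, comment, problems in audit(SAMPLE_AUTHORIZED_KEYS, COMPROMISED):
        print("line %d %s %s: %s" % (lineno, fp, comment,
                                      "; ".join(problems) if problems else "ok"))
```

Run it against a real file with `audit(open(path).read(), burned_set)`; the fingerprints it prints are the same strings `ssh-keygen -lf` shows, so a list kept from incident reports can be pasted straight into the set.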

Re:Another one gets it wrong (1)

dbIII (701233) | about a year ago | (#44235773)

You wrote about not using passwords, which just about everyone other than a sysadmin is going to assume means not using a passphrase on the key either. Look at older posts here every single time ssh passwords are mentioned to get a depressingly huge number of examples of people making that mistake.
I didn't insult you for your bad advice so lay off the childish bullying insults on the messenger. Do you really think I'm so insecure as to take you seriously, and do you really lay the boot in so rudely to people who are that insecure? Stop showing off your bad side, it's embarrassing, and please just stick to the topic.

Re:for fucks sake people (1)

smash (1351) | about a year ago | (#44233361)

I'm not talking about moving it to a different port. I'm talking about blocking port 22 inbound using your firewall or hosts.allow, except for a specific set of management IPs that are preferably on the end of an IPSEC tunnel or other VPN service. If not, at least reduce the IP space that is allowed to hit that port to a well defined set of IPs that you either own or at the bare minimum belong to the ISP you use. There is ZERO reason to be listening on port 22 for connections from say, China or Russia!

Having port 22 exposed to the internet (or whatever port you move SSH to which as you say is no real defense) is just completely fucking retarded, and inexcusable in a high value service (read: high value target) supposedly installed and maintained by professionals.
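
The network restriction smash describes here, and in the earlier reply about assuming a stolen key, is also something you can verify after the fact from sshd's own log. The script below is an added example, not code from any commenter or from the DASDEC vendor: it parses OpenSSH "Accepted ..." lines, flags accepted logins whose source address is outside a set of management CIDRs, and tallies every source address that reached the daemon at all, which on a properly filtered box should contain nothing but management addresses. The log lines, host name, fingerprints and CIDRs are constructed for the demo.

```python
"""Flag SSH logins that did not come from a designated management network.

Added example for this thread (not the vendor's or any commenter's code).
The log lines and management CIDRs below are constructed sample data.
"""
import ipaddress
import re
from collections import Counter

# Networks SSH should be reachable from at all (constructed for the demo;
# in practice the far end of your IPsec/VPN tunnel or a jump host).
MANAGEMENT_CIDRS = ["10.20.0.0/24", "192.0.2.0/24", "2001:db8:10::/48"]

# Constructed sshd log lines in OpenSSH's format; fingerprints are filler.
SAMPLE_LOG = [
    "Jul 10 03:14:07 dasdec sshd[1201]: Accepted publickey for operator from 10.20.0.5 port 40100 ssh2: ED25519 SHA256:Xq1rMf0GbtV9kE4C1rR6RnH0pU2fQ9kJrB0dJm4oO5U",
    "Jul 10 03:16:21 dasdec sshd[1233]: Invalid user admin from 198.51.100.9 port 33012",
    "Jul 10 03:16:24 dasdec sshd[1233]: Failed password for invalid user admin from 198.51.100.9 port 33012 ssh2",
    "Jul 10 03:19:52 dasdec sshd[1260]: Accepted publickey for root from 203.0.113.77 port 51022 ssh2: RSA SHA256:9Ls0n6QmYh1cWzKqpXbYkF7pJ3tVd2uN8sGfHcR1a0E",
    "Jul 10 03:22:10 dasdec sshd[1288]: Accepted publickey for operator from 2001:db8:10::5 port 40102 ssh2: ED25519 SHA256:Xq1rMf0GbtV9kE4C1rR6RnH0pU2fQ9kJrB0dJm4oO5U",
]

ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[0-9A-Fa-f.:]+)"
    r" port (?P<port>\d+)(?: ssh2(?:: (?P<keyinfo>.*))?)?"
)
SOURCE_RE = re.compile(r"\bfrom (?P<ip>[0-9A-Fa-f.:]+) port \d+")


def off_network_logins(log_lines, management_cidrs=MANAGEMENT_CIDRS):
    """Return accepted logins whose source is in none of the management CIDRs.

    Each hit carries user, ip, method and the key info sshd logged (empty for
    password logins, which have nothing after 'ssh2').
    """
    nets = [ipaddress.ip_network(c) for c in management_cidrs]
    hits = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m["ip"])
        if any(addr in net for net in nets):
            continue
        hits.append({"user": m["user"], "ip": str(addr),
                     "method": m["method"], "key": m["keyinfo"] or ""})
    return hits


def sources_seen(log_lines):
    """Count every source address that reached sshd, successful or not.

    With port 22 firewalled to the management networks this holds only
    management addresses; anything else means the filter is not in front
    of the daemon.
    """
    return Counter(m["ip"] for line in log_lines
                   for m in [SOURCE_RE.search(line)] if m)


if __name__ == "__main__":
    for hit in off_network_logins(SAMPLE_LOG):
        print("off-network login: %s from %s via %s %s"
              % (hit["user"], hit["ip"], hit["method"], hit["key"]))
    for ip, n in sources_seen(SAMPLE_LOG).most_common():
        print("%3d  %s" % (n, ip))
```

Feed it `/var/log/auth.log` (or `journalctl -u ssh`) line by line; any non-empty result from `off_network_logins` means the firewall or hosts.allow rule is not doing what the poster describes, regardless of what authentication method succeeded.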

Re:for fucks sake people (0)

Anonymous Coward | about a year ago | (#44233635)

Why use IP addresses? If you want to be really secure, use the real MAC address of the devices that can connect... more secure, and far easier to manage....

Re:for fucks sake people (1)

smash (1351) | about a year ago | (#44233789)

Because you don't see the originating machine's MAC address when it is over the WAN.

Re:for fucks sake people (1)

smash (1351) | about a year ago | (#44233801)

ALSO - MAC addresses can be changed just as easily as an IP address. If you want to be more secure, you use IPSEC, which is more secure and far easier to manage anyway - the IP is all you see.

Re:for fucks sake people (1)

ducomputergeek (595742) | about a year ago | (#44229363)

We rot13 out keys, nothing could be safer I tell you!

not leaked (0)

Anonymous Coward | about a year ago | (#44228189)

If the same default key is sent to everyone with the device, it's not a _private_ key.

Semantico-linguistic glitch (1)

vikingpower (768921) | about a year ago | (#44228751)

- pedantic mode on - "...although there was no zombie apocalypse..." implies that there COULD have been one for real. Gosh. These 'mericans !

General Zod (0)

Anonymous Coward | about a year ago | (#44229637)

So this is how General Zod took over everyone's TVs in "Man of Steel"!

Stating the obvious (1)

ALeader71 (687693) | about a year ago | (#44230413)

We have potentially thousands of these devices in the field that were deployed with the default factory configuration? That's security 101 -- Don't go with the factory settings. I haven't looked up the manual for these devices so I can't say how difficult it is to change the "hard coded" SSH keys but apparently the article suggests that it is possible to generate and deploy your own SSH keys provided the sending station(s) have the public keys required to encode and send these broadcasts. It requires quite a bit of coordination on the part of the installers or station engineers but it is possible.

Thoughts?

Re:Stating the obvious (1)

ALeader71 (687693) | about a year ago | (#44230513)

UPDATE

Check out pages 29 and 30 of the manual. They include a method to push updated SSH keys out to other DASDEC devices. So it isn't as complicated as I first assumed.

http://www.digitalalertsystems.com/pdf/DASDEC_II_manual.pdf

really? (1)

spongman (182339) | about a year ago | (#44230609)

Although there was no zombie apocalypse...

oh, phew. thanks for that.

Can use this as an example (1)

dbIII (701233) | about a year ago | (#44232923)

Now we can use this as an example every time the "key only" idiots pop up and start yelling at those that suggest using a passphrase as well. Such idiots spout "never use a password" which is utterly stupid and dangerous advice when they ignorantly extend it to hatred of key+passphrase combinations.
If someone gets the key it should never be enough to let them into anything other than trivial systems where it doesn't matter who has access.
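
dbIII's requirement that the key file alone must not be enough means, for an SSH private key, that the file is encrypted under a passphrase. Whether it is can be read off the file without knowing any passphrase: the openssh-key-v1 container names its cipher and KDF in the clear (cipher "none" means no passphrase), legacy PEM keys carry a Proc-Type: 4,ENCRYPTED header when encrypted, and PKCS#8 says so in the BEGIN line. The script below is an added example, not code from any poster or from the vendor: it inspects a set of key files and lists the ones with no passphrase, which is the audit you would run over a fleet of engineers' home directories. The sample keys are constructed containers with zero-filled filler where the key material would be.

```python
"""Find SSH private keys that are not protected by a passphrase.

Added example for this thread, not any poster's or Monroe Electronics' code.
The key files below are constructed containers with filler key material.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def ssh_string(data):
    """SSH wire string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf, off):
    """Decode an SSH wire string at buf[off:], returning (data, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text):
    """Return (encrypted, detail) for a PEM-armoured SSH private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    header, footer = lines[0], lines[-1]
    if not (header.startswith("-----BEGIN ") and footer.startswith("-----END ")):
        raise ValueError("not a PEM-armoured key")
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # Cipher and KDF names are stored unencrypted right after the magic.
        cipher, off = read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = read_string(body, off)
        detail = "openssh-key-v1 cipher=%s kdf=%s" % (cipher.decode(), kdf.decode())
        return cipher != b"none", detail
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True, "PKCS#8 encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":
        return False, "PKCS#8 unencrypted"
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): RFC 1421 headers signal encryption;
    # base64 body lines never contain ':' so only header lines match.
    headers = dict(ln.split(":", 1) for ln in lines[1:-1] if ":" in ln)
    if headers.get("Proc-Type", "").strip().startswith("4,ENCRYPTED"):
        return True, "legacy PEM " + headers.get("DEK-Info", "").strip()
    return False, "legacy PEM unencrypted"


def unprotected_keys(files):
    """Names of the key files (name -> text) that have no passphrase."""
    return [name for name, text in files.items()
            if not inspect_private_key(text)[0]]


def build_openssh_key(cipher, kdf, kdfoptions):
    """Construct an openssh-key-v1 container for the demo (filler, not a real key)."""
    body = OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfoptions)
    body += struct.pack(">I", 1) + ssh_string(b"\x00" * 51) + ssh_string(b"\x00" * 136)
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % wrapped


# bcrypt KDF options as ssh-keygen writes them: string salt, uint32 rounds.
BCRYPT_OPTS = ssh_string(b"\x11" * 16) + struct.pack(">I", 16)

# Constructed sample key files (filler bodies, not real key material).
SAMPLE_KEYS = {
    "id_ed25519": build_openssh_key(b"aes256-ctr", b"bcrypt", BCRYPT_OPTS),
    "id_ed25519_nopass": build_openssh_key(b"none", b"none", b""),
    "legacy_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                  + "AAAA" * 16 + "\n-----END RSA PRIVATE KEY-----\n",
    "legacy_rsa_nopass": "-----BEGIN RSA PRIVATE KEY-----\n" + "AAAA" * 16
                         + "\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_KEYS.items():
        encrypted, detail = inspect_private_key(text)
        print("%-20s %-14s %s" % (name, "passphrase" if encrypted else "NO PASSPHRASE", detail))
```

To run it over real files, build the dict from `glob.glob("/home/*/.ssh/id_*")` excluding `.pub`; nothing in the check ever needs the passphrase, so it is safe to run as an unattended audit.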

Wait, (1)

Anonymous Coward | about a year ago | (#44233665)

there was no zombie apocalypse!?!
