The High Cost of Free Software
How to close the holes created by Open Source
“Many critical open source projects are being worked by one part-time volunteer,” said Jim Zemlin, Executive Director of the Linux Foundation, in a recent interview. “It’s completely out of proportion to the role these projects play in society and the Internet.”
OpenSSL, OpenSSH, Bash and other open source projects survive on donations of less than $2,000 a year, and that makes them vulnerable, according to Zemlin. Money pays for “eyeballs” that find bugs before products are released. Open-source development groups don’t have any.
While open source can be used free of charge, the losses can be considerable. Heartbleed, the famous OpenSSL vulnerability, is estimated to have cost hundreds of millions of dollars in both losses due to theft and remediation expenses. A zero-day exploit of OpenSSH could cost even more, with all fingers pointing at the Linux OEMs.
It’s likely a majority of Linux OEMs have installed OpenSSH on nearly every one of their products to facilitate remote support. That makes OEM systems a highly vulnerable entry point to the entire customer network.
Zemlin called Heartbleed “a wake-up call” for the entire open-source community. He said Heartbleed happened because, “OpenSSL is really just two guys named Steve and their dog, and the dog doesn’t do code reviews.” OpenBSD, the developers of OpenSSH, recently made an appeal for donations to literally keep the power on for their servers.
One source of the money needed to improve the security of open source is increased donations. The other is commercialization.
Commercialization is a “hardening” process for open source which makes it safer. Hardening can include testing, packaging, wrapping, patching, or simply supporting the open source technology — actions which Linux OEMs take in the course of developing and/or supporting their own products. OpenSSH and its various clients are not hardened. They are implemented after the fact, often in an ad hoc manner. They live “in the open,” where they are directly exposed to exploitation.
The Linux OEMs that got caught by Heartbleed had no warning and no practical alternatives. The Linux OEMs that use OpenSSH have both.
iTivity is a Linux remote access and support solution that provides a protected environment for SSH to run in. iTivity moves SSH out of the open, so it’s no longer exposed to attack. Unlike other remote support solutions, iTivity allows support techs to continue using their favorite SSH clients as well as other Linux utilities.
iTivity was first released in 2002 and has been deployed to support more than 200,000 Linux systems worldwide ranging from small engineered devices to massive servers. To date, iTivity has not suffered a single reported security incident.
By eliminating security risk and increasing support tech efficiency, iTivity lowers the cost of using free SSH.
The dirty secret: Linux OEMs use SSH because it’s free, even though it puts customers at risk.
SSH on Medical Devices “Easy” Vector for Attacking Hospital Networks
Speaking at last week’s Security Analyst Summit in February 2016, Scott Erven, a medical device security advocate, described how medical devices are putting hospital networks and patient data at risk. Erven reported that hundreds of hospitals, clinics, and health...
SSH Key Management SNAFU Opens Hosting Customers To Attack
Web hosting provider Linode jeopardized the security of its customers' virtual machines, potentially allowing attackers to hijack the SSH connections initiated by customer system administrators, according to IT watchdog site The Register. Linode promotes “High...
SSH Backdoor in Fortinet Hardware Compromises Customers
Exactly 30 days after the announcement that Juniper Networks had jeopardized customer security by shipping products with a hard-coded SSH password, security appliance manufacturer Fortinet has announced that many of their products contain a similar hard-coded backdoor...
6 Year-Old OpenSSH Exploit Discovered
Security firm Qualys has identified a zero-day vulnerability in OpenSSH clients that could allow a malicious server to steal private user keys, according to an eWeek article. The vulnerability is present in all OpenSSH client versions released since March 7, 2010...