Tatu Ylonen, chief executive officer of SSH Communications Security Corp. and the inventor of the SSH (Secure Shell) encryption method, says data held by many government agencies and Fortune 500 companies is at risk of being stolen.
A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.
The problem is not due to any defect in SSH, but to the mismanagement of keys, the code used to encrypt and decrypt data. Keys are often created and later discarded, yet they are often left stored in unsecured folders where they can easily be found by a hacker, or by a hacker’s virus or trojan.
In one example, Mr. Ylonen’s company audited a major bank and found that SSH had been used for more than 5,000 different applications spread across as many as 100,000 servers.
They also found over 1 million unaccounted-for keys, and 10 percent of those gave root access, or access to the server at the most basic level.
Mr. Ylonen retired in 2005, although he has remained a director of the company he founded. And although the problem is not in the SSH encryption method itself, he does feel “a moral responsibility” for the problem, and has decided to come out of retirement to try to find a solution.