SSH FUD Busting | TechSNAP 90

SSH FUD Busting | TechSNAP 90

We bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

Plus a rockin round-up and a batch of your questions, and our answers!

All that and more on this week’s TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? use go20off5 to save 20% on your entire order!

$4.99 SSL certificates, just use our code 499ssl2. Expires 12-31-12!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox
  • Shop Amazon – Year End Deals

    W3 Total Cache (a popular wordpress plugin) may expose sensitive data

    • W3 Total Cache is a very popular and powerful caching plugin
    • The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
    • It can provide significant speed gains over stock wordpress
    • Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
    • Database Cache – By caching the results of database queries, if the same read query needs to be is executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
    • Object Cache – A higher level cache than the database cache, Objects may be constructed from the results of many queries and plugins, caching the complete object may result in significant page load time improvements
    • Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
    • JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
    • CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files in addition to media such as images and thumbnails. My loading these content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browser’s parallel downloading features
    • All of these caches offer a number of numbers, allowing you to choose between caching to disk, advanced caching to disk, Opcode caches such as APC or dedicated caches such as memcache
    • All of these features make W3TC very popular and well respected
    • However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
    • The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
    • This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
    • If an attacker were to get the password hash for an administrative account, if they brute forced that hash, they could then take over that wordpress installation
    • Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
    • You should configure your web server to deny access to the /wp-content/w3tc/dbcache , /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for apache)
    • If you use an Opcode cache, or Memcache, you site is not affected by this configuration error
    • Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
    • The creators of W3TC are working on an update to address the issue
    • Allan’s slides on improving your Blog with ScaleEngine

    Inventor of SSH warns that improper key management makes SSH less secure than it should be

    • This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
    • SSH is not vulnerable or compromised
    • The story started with an interview of Tatu Ylonen, the inventor of SSH
    • “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out."
    • The problem is actually caused by users, and bad management practises
    • Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
    • Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account, often these lists are not pruned because keys are hard to identify
    • While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
    • federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but often times SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
    • A stolen SSH key is what lead to the compromise of the FreeBSD Packaging Building Cluster last month
    • It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
    • Tools such as puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
    • One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command, before optionally checking the authorized_keys file
    • This feature can be used to check for keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing cannonical keys in a central location



    Amazon Book:

    Audible Book Pick: The Master Switch: The Rise and Fall of Information Empires Audio Book

Question? Comments? Contact us here!