A widely used method of computer encryption has a little-noticed problem that could allow confidential data stored by almost all Fortune 500 companies and everything stored on U.S. government classified computers to be “fairly easily” stolen or destroyed.
The warning comes from the inventor of the encryption method, known as Secure Shell or SSH.
“In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out,” Tatu Ylonen, chief executive officer of SSH Communications Security Corp., told The Washington Times.
Mr. Ylonen said a computer programmer could create a virus that would exploit SSH’s weaknesses and spread throughout servers to steal, distort or destroy confidential data.
“It would take days, perhaps only hours,” to write such a virus, he said.
What’s more, the same security vulnerabilities plague the U.S. government’s classified networks, say the contractors who build them.
“I would venture to say that there is a very similar situation [in classified networks] to the one in the commercial space,” said Don Fergus, a senior vice president at Patriot Technologies Inc., an information technology and security firm in Frederick, Md.
Mr. Ylonen said encryption methods’ vulnerabilities prevent companies from honestly passing an audit for compliance with U.S. cybersecurity standards for government or the private sector.
He said that all of the “major audit protocols” for federal financial regulations and cybersecurity require that network managers know who can access their systems.
About “90 percent of U.S. companies are out of compliance with regulations governing financial institutions because of this issue,” Mr. Ylonen said.
Read more: http://www.washingtontimes.com/news/2012/dec/25/glitch-imperils-swath-of-encrypted-records/#ixzz2GB20ZQjP