ContraRisk Security Podcast 0002: keys, certificates and fast-changing websites


Jeff Hudson, Venafi

» Listen now on the podcast page »

Keeping track of SSH keys and SSL certificates can be a real headache. Knowing who has access to what gets very complex when there are thousands of these things washing about in the organisation. A new report by the Ponemon Institute, sponsored by Venafi, has come up with some big, scary numbers in terms of the financial risk companies are running if they fail to get on top of this issue. And however you feel about such headline-friendly statistics, the fact is that there’s a real problem out there. Some of it is at the techie level: it’s all too easy to type ssh-keygen and grab yourself a key pair for some task at hand – such as SSH’ing into a remote server without all that tedious password stuff. Then you forget about the keys and leave them on some poorly secured, yet still Internet-connected, server just waiting to be discovered by your friendly neighbourhood hacker. However, according to Jeff Hudson, CEO of Venafi, the bigger problem is at the top of the organisation, where C-level executives haven’t even heard of SSH or SSL and have no clue as to how much the organisation is at risk if things go wrong. In this episode, he talks to me about this endemic problem.

If you want an example of what can go wrong with SSH keys, look no further than Github. Researchers recently found that, not only were developers accidentally uploading their private keys to the online code repository, it was also possible to use Github’s search engine to look for them. Freelance journalist and ContraRisk contributor Danny Bradbury has been following this story and wrote about it for The Guardian. He explains to me what happened and what it signifies. In our chat, we also touch upon the recent Twitter password hack and the killing (for now) of government snooping laws in Canada.
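The two problems described above, keys nobody tracks on a server and private keys committed to a code repository, are both found with the same routine checks. The script below is an added example, not code from the podcast, from Venafi or from the GitHub research mentioned: it inventories `authorized_keys` entries (OpenSSH-style SHA256 fingerprint, and a flag for keys that carry no `from=`, `command=` or `restrict` option and so grant a full interactive login), and scans a set of files for PEM private-key blocks, reporting whether the headers show the key is encrypted. The `authorized_keys` lines, file contents and the public-key blob are all constructed for the example; the blob is a placeholder, not a real key, and the paths are invented.

```python
"""Audit SSH key material: inventory authorized_keys entries and flag
private-key blocks left in files. All sample data below is constructed
for the example; the public-key blob is a placeholder, not a real key."""
import base64
import hashlib
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
PRIVATE_KEY_RE = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |DSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64, no '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def _split_options(line: str):
    """Return (options, rest). Options end at the first space outside quotes,
    so command="/usr/bin/rsync --server" is kept intact."""
    if line.startswith(KEY_TYPES):
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:]
    return line, ""


def parse_authorized_keys(text: str):
    """Yield one dict per key line; unparseable lines carry an 'error' key."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = _split_options(line)
        parts = rest.split(None, 2)
        rec = {"line": lineno, "options": options}
        if len(parts) < 2:
            rec["error"] = "missing key type or key data"
            yield rec
            continue
        rec["type"] = parts[0]
        rec["comment"] = parts[2] if len(parts) == 3 else ""
        try:
            blob = base64.b64decode(parts[1], validate=True)
            (n,) = struct.unpack(">I", blob[:4])      # first wire string is the key type
            wire_type = blob[4:4 + n].decode()
        except Exception:
            rec["error"] = "key data is not valid base64/ssh wire format"
            yield rec
            continue
        if wire_type != parts[0]:
            rec["error"] = "declared type does not match key blob"
        rec["fingerprint"] = fingerprint(blob)
        # No from=/command=/restrict means the key grants a full interactive login.
        rec["restricted"] = any(o in options for o in ("from=", "command=", "restrict"))
        yield rec


def find_private_keys(files: dict) -> list:
    """files maps path -> text. Return (path, kind, encrypted) per PEM block found.
    Encryption is only visible in the headers for PKCS#1 (Proc-Type) and PKCS#8
    ENCRYPTED blocks; OPENSSH-format keys would need parsing, so they report False."""
    hits = []
    for path, text in files.items():
        for m in PRIVATE_KEY_RE.finditer(text):
            kind = m.group("kind")
            headers = text[m.end():m.end() + 120]
            encrypted = kind.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in headers
            hits.append((path, kind, encrypted))
    return hits


# Constructed sample data (placeholder key bytes, invented paths and contents).
_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_B64 = base64.b64encode(_BLOB).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    f"ssh-ed25519 {_B64} deploy@build01",
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 {_B64} backup',
    f"ssh-rsa {_B64} wrong-type-label",
    "ssh-rsa AAAAB3not-base64 broken",
])
SAMPLE_FILES = {
    "config/settings.py": "DB_HOST = 'db.internal'\n",
    "scripts/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed body)\n-----END RSA PRIVATE KEY-----\n",
    "scripts/id_rsa.enc": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n",
    "docs/notes.txt": "see -----BEGIN OPENSSH PRIVATE KEY-----\n(constructed body)\n",
}


def run_audit(authorized_keys=SAMPLE_AUTHORIZED_KEYS, files=SAMPLE_FILES) -> list:
    """Return human-readable findings: bad or unrestricted entries, leaked keys."""
    findings = []
    for rec in parse_authorized_keys(authorized_keys):
        if "error" in rec:
            findings.append(f"authorized_keys:{rec['line']} {rec['error']}")
        elif not rec["restricted"]:
            findings.append(f"authorized_keys:{rec['line']} unrestricted {rec['type']} "
                            f"{rec['fingerprint']} ({rec.get('comment') or 'no comment'})")
    for path, kind, enc in find_private_keys(files):
        findings.append(f"{path}: {kind}" + (" (encrypted)" if enc else ""))
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On a real host the same functions would be fed the contents of every `~/.ssh/authorized_keys` and the files in a checkout before it is pushed; the fingerprint is what lets you match an entry found on a forgotten server against the key an engineer still has on a laptop, and the mismatch check catches the hand-edited line whose declared type no longer describes the blob behind it.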


Rhodri Davies, HP

Websites are always a security nightmare, what with SQL injection, cross-site scripting, cross-site request forgery and a plethora of other vulnerabilities. Many stem from a poor understanding of security issues on the part of web developers, many of whom have come from a design, rather than a coding, background. But the issue is not made any easier when developers face tight deadlines and a website that’s constantly and rapidly evolving. Rhodri Davies, managed security services chief technologist at HP’s Enterprise Security Services, explains to me the challenge of maintaining security when a website changes at a rapid pace.

And finally, seasoned journalist and ContraRisk contributor Steve Gold delves into what’s behind US President Barack Obama’s recent State of the Union address. Obama used the occasion to propose new levels of information sharing among government and private organisations concerned with the country’s critical infrastructure. Normally, this sort of rhetoric raises privacy concerns, but as Steve explains to me, this time there’s a lot of support for this high-level security agenda.
