I’m sitting in a Starbucks in Vegas (on my EVDO card, not some risky open WiFi, of course) and nearly snort my coffee when I read the latest assault against reason by desperate vendors. (Via Slashdot, adding their own FUD).
The title of the article is, “Encryption could make you more vulnerable, warn experts”. In short, a few vendors describe new “key management” attacks, in which an attacker who steals or revokes your keys locks you out of your own data and holds it hostage.
However, experts from IBM Internet Security Systems, Juniper, nCipher and elsewhere said that data encryption also brings new risks, in particular via attacks – deliberate or accidental – on the key management infrastructure. … “Organizations experienced with encryption are standing back and saying this is potentially a nightmare. It is potentially bringing your business to a grinding halt.” Encryption is also as big an interest for the bad guys as the good guys, warned Anton Grashion, European security strategist for Juniper. “As soon as you let the cat out of the bag, they’ll be using it too,” he said. “For example, it looks like a great opportunity to start attacking key infrastructures.” “It’s a new class of DoS attack,” agreed Moulds. “If you can go in and revoke a key and then demand a ransom, it’s a fantastic way of attacking a business.
Folks, I think we ALL agree that key management is important and needs to be secure. Does anyone see the need to create BS headlines about new kinds of attacks we’ve never once seen in practice? No? Not you in the back of the room? Good, I guess we’re all rational here.
I realize we’ll never get rid of FUD in our industry and I use it myself from time to time, but if you’re so desperate you basically just make sh*t up, maybe you need to consider alternative marketing approaches.
There are more than enough justifiable reasons to invest in appropriate key management. Josh Corman of IBM (full disclosure, I know Josh) offers a more reasonable risk:
“One fear I have is that we’re all going to hide all our information, but companies are information-driven, so we take tactical decision and stifle ability to collaborate,” he said.
Too bad he had to be quoted in this hack job.
7 Replies to “Stupid Vendor FUD Of The Day”
I read that same article somewhere this weekend (forgot exactly where), and I felt much the same. Whenever we build something new, there will be new vulnerabilities and attack vectors.
Yes, if you lose keys, you are locked out of your car. That is true for your data as well. Given the fact that crypto keys should be a little harder to brute-force than car doors, the observation that any attack against the key infrastructure could have potentially huge impacts is a valid one.
Yet, it should be obvious to anyone who deploys an encryption solution that protecting keys in a crypto environment is crucial; losing them would be Bad, just as losing their confidentiality would be bad.
However, the “logical” conclusion that this should lead to MORE products is plainly wrong. Better is worse than good enough.
Good to see the excoriation of sloppy thinking/reporting. The article was basically arguing that aggregation can lead to bad things.
Of course, aggregation done badly can result in poor consequences. The benefits of aggregation though are compelling and the measures to protect against attacks are well recognized. If you’ve deployed a database, an email server, LDAP, Web Service at any reasonable scale, the system design and operational measures to minimize downsides are well known and understood.
I expect we’ll hear the same uninformed commentary about “cloud computing”, “software as service offerings” and other areas.
Many years ago I read a very instrumental sentence (probably Schneier), and I am going to modify it here: If you think technology alone can solve your security problems, then you don’t understand security, you don’t understand the problems and you don’t understand the technology.
It appears that those quoted are also new to encryption. The attack is precisely as new as encryption itself. And what is the point of this article if not FUD?
Marketing run amuck. I think the basic thought process must be something along the lines of “because there are more risk factors, there must therefore be increased risk exposure, and thus you’re at greater risk.” Of course, anybody who’s implemented crypto systems will tell you that these are not new by any means. Makes for a sensational headline, though, that’s quite counterproductive.
Next we will hear how passwords make us less secure because someone might crack it and change it on us.
Anything to make people read I guess.
SSH made me more vulnerable too! When I turned off remote telnet access and switched to SSH, I suddenly opened myself to a new attack vector of SSH brute forcing and people trying to social engineer me for my SSH key! Should have stuck with telnet!