I’m sitting in a Starbucks in Vegas (on my EVDO card, not some risky open WiFi, of course) and nearly snort my coffee when I read the latest assault against reason by desperate vendors. (Via Slashdot, adding their own FUD).
The title of the article is, “Encryption could make you more vulnerable, warn experts”. In short, a few vendors describe new “key management” attacks, where an attacker, should they steal the keys and lock you out, can hold your data hostage.
However, experts from IBM Internet Security Systems, Juniper, nCipher and elsewhere said that data encryption also brings new risks, in particular via attacks – deliberate or accidental – on the key management infrastructure. … “Organizations experienced with encryption are standing back and saying this is potentially a nightmare. It is potentially bringing your business to a grinding halt.” Encryption is also as big an interest for the bad guys as the good guys, warned Anton Grashion, European security strategist for Juniper. “As soon as you let the cat out of the bag, they’ll be using it too,” he said. “For example, it looks like a great opportunity to start attacking key infrastructures.” “It’s a new class of DoS attack,” agreed Moulds. “If you can go in and revoke a key and then demand a ransom, it’s a fantastic way of attacking a business.”
Folks, I think we ALL agree that key management is important and needs to be secure. Does anyone see the need to create BS headlines about new kinds of attacks we’ve never once seen in practice? No? Not you in the back of the room? Good, I guess we’re all rational here.
I realize we’ll never get rid of FUD in our industry and I use it myself from time to time, but if you’re so desperate you basically just make sh*t up, maybe you need to consider alternative marketing approaches.
There are more than enough justifiable reasons to invest in appropriate key management. Josh Corman of IBM (full disclosure, I know Josh) offers a more reasonable risk:
“One fear I have is that we’re all going to hide all our information, but companies are information-driven, so we take tactical decision and stifle ability to collaborate,” he said.
Too bad he had to be quoted in this hack job.