Slashdot Mirror


Encryption Could Make You More Vulnerable

narramissic writes "It sounds like a headline straight out of The Onion, but security researchers from IBM Internet Security Systems, Juniper, nCipher and elsewhere are warning that the use of data encryption could make organizations vulnerable to new risks and threats. There is potential for 'A new class of DoS attack,' says Richard Moulds, nCipher's product strategy EVP. 'If you can go in and revoke a key and then demand a ransom, it's a fantastic way of attacking a business.'"

8 of 126 comments

  1. Re:To sum up: by rasputin465 · · Score: 4, Funny

    So it's agreed then. We'll drop ssh and use telnet from now on.

  2. Re:Mission option for every security discussion by grassy_knoll · · Score: 4, Funny

    More likely, consider the situation where only two guys have the password to the domain name registrar's account, they get laid off, and a year later someone realizes the company domain expires in two days. Before anyone figures out how to renew it, it's in the hands of a pr0n site. There's your missing/lost key scenario, happens all the time.


    Still trying to explain that web site you "accidentally" visited, eh?

    [badum-ching]

  3. Re:It's not so much 'more vulnerable' by mjpaci · · Score: 2, Funny

    If this were an Apple story, would it be "Different Vulnerable"?

    Just a q.

    --mike

  4. Let's extend this to other common security devices by dschl · · Score: 5, Funny

    The use of door locks and deadbolts could make organizations vulnerable to new risks and threats, a panel of security experts warned Monday.

    Many organizations are locking their doors to relieve concerns over material theft or loss - for example, U.S. break and enter statutes do not apply to unlocked doors.

    However, experts from IBM Internet Security Systems, Juniper, nCipher and elsewhere said that locking doors also brings new risks, in particular via attacks - deliberate or accidental - on the key management infrastructure.

    The change comes particularly with the shift from leaving doors open, as was common in the 1800's, to locking doors and securing buildings with perimeter fences - often in response to regulatory demands - said Richard Moulds, nCipher's product strategy EVP.

    "Lot of organizations are new to door locks," he added. "Their only exposure to it has been with padlocks on remote sites, but that's something very few staff have to deal with, and infrequently. When you shift to locking your entire building, right down to the individual executive offices, if you lose the key you trash your access - it's a self-inflicted denial-of-service attack.

    "Organizations experienced with door locks are standing back and saying this is potentially a nightmare. It is potentially bringing your business to a grinding halt."

    Locking doors is also as big an interest for the bad guys as the good guys, warned Anton Grashion, European security strategist for Juniper. "As soon as you let the cat out of the bag, they'll be using it too," he said. "For example, it looks like a great opportunity to start attacking key infrastructures, as a little bit of epoxy in the keyhole, and whammo, your building is inaccessible."

    "It's a new class of DoS attack," agreed Moulds. "If you can go in and damage a lock and then demand 'protection money' so that it doesn't happen again, it's a fantastic way of attacking a business."

    Another risk is that over-zealous use of door locking will damage an organization's ability to legitimately share and use critical business facilities, noted Joshua Corman, principal security strategist for IBM ISS.

    "One fear I have is that we're all going to hide and lock up all of our assets such as pens, paper and coffee makers, but companies are asset-driven, so we take tactical decision and stifle ability to collaborate," he said.

    "Sometimes, the result of implementing security technology is actually a net increase in risk," added Richard Reiner, chief security and technology officer at Telus Security Solutions.

    --
    Slashdot - the place where you can look like a genius by restating the obvious

  5. They are CINNAMON BUNS, DAMMIT! by ElboRuum · · Score: 2, Funny

    That seemed a little strident considering the topic. My apologies for shouting.

  6. Re:It's not so much 'more vulnerable' by gwern · · Score: 3, Funny

    No, for an Apple story you just know someone would try to make an 'iVulnerable' joke.

  7. Re:To sum up: by Intron · · Score: 2, Funny

    If I lived in South Africa I would have bigger things to worry about. Like figuring out a 15,000 mile commute.

    --
    Intron: the portion of DNA which expresses nothing useful.

  8. Re:Other way to protect data: Split the data by ffflala · · Score: 2, Funny

    Say you have a secret. Divide the secret into 3 parts and find 3 people to hold the key. Each person holds 2 parts of the key. If any one person is unavailable, the key can still be used, but no one person can use the key alone.

    If you or your friend had played enough Oblivion you'd recognize the inherent weakness in this idea: one of the three can frame the other two as a vampire, claim to be a vampire hunter, safely dispatch them in the open and then possess all 3 keys.

    http://www.uesp.net/wiki/Oblivion:A_Brotherhood_Betrayed
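
The three-part split quoted in the comment above, as an added example that is not part of the original thread. It goes one step beyond the quoted wording by making the three parts XOR shares, so that the two parts one holder keeps reveal nothing about the secret, which a plain cut of the key into thirds would not guarantee. Holder names and function names are assumptions.

```python
import secrets
from itertools import combinations

def xor_bytes(*chunks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        if len(chunk) != len(out):
            raise ValueError("all chunks must have the same length")
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)

def split_secret(secret):
    """Make 3 parts whose XOR is the secret; any 2 parts alone look random."""
    p1 = secrets.token_bytes(len(secret))
    p2 = secrets.token_bytes(len(secret))
    return {1: p1, 2: p2, 3: xor_bytes(secret, p1, p2)}

def distribute(parts):
    """Give each of three holders two parts; each holder lacks a different one."""
    layout = {"alice": (1, 2), "bob": (2, 3), "carol": (1, 3)}  # hypothetical names
    return {name: {i: parts[i] for i in idx} for name, idx in layout.items()}

def recover(*holdings):
    """Pool the parts the present holders bring and rebuild the secret."""
    pooled = {}
    for held in holdings:
        pooled.update(held)
    if set(pooled) != {1, 2, 3}:
        raise ValueError("parts missing: %s" % sorted({1, 2, 3} - set(pooled)))
    return xor_bytes(pooled[1], pooled[2], pooled[3])

def demo():
    """Return (every pair of holders recovers, a lone holder recovers)."""
    secret = b"constructed-demo-key"  # constructed sample value
    holders = distribute(split_secret(secret))
    pairs_ok = all(recover(holders[a], holders[b]) == secret
                   for a, b in combinations(holders, 2))
    try:
        recover(holders["alice"])
        solo_ok = True
    except ValueError:
        solo_ok = False
    return pairs_ok, solo_ok

if __name__ == "__main__":
    print(demo())
```

If two of the three holders are unavailable the secret cannot be rebuilt, which is the lost-key denial of service the story describes.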