Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encryption Could Make You More Vulnerable

Posted by CmdrTaco on from the also-condoms-give-you-aids dept.

narramissic writes "It sounds like a headline straight out of The Onion, but security researchers from IBM Internet Security Systems, Juniper, nCipher and elsewhere are warning that the use of data encryption could make organizations vulnerable to new risks and threats. There is potential for 'A new class of DoS attack,' says Richard Moulds, nCipher's product strategy EVP. 'If you can go in and revoke a key and then demand a ransom, it's a fantastic way of attacking a business.'"

11 of 126 comments (clear)

  1. It's not so much 'more vulnerable' by KublaiKhan · · Score: 5, Insightful

    I'd call it 'differently vulnerable' rather than 'more vulnerable'--all things come with inherent risks, and the risks of any particular action must be weighed against the rewards thereof.

    Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.

    --
    In Xanadu did Kubla Khan
    A stately pleasure dome decree
    1. Re:It's not so much 'more vulnerable' by AndGodSed · · Score: 5, Insightful

      Yes, but splashing "MORE VULNERABLE" on a headline preys better on the fears of the uninformed than "DIFFERENTLY VULNERABLE"

      We all know headlines exist solely to generate traffic...

      --

      Seven Days with Ubuntu Unity

  2. Hmm by moogied · · Score: 5, Insightful

    This sounds more like a problem in the encryption SYSTEM. Its kind of like saying "Encryption makes you weaker because your more likely to use passwords. Which can be brute forced!"

    --
    So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
    1. Re:Hmm by DarkOx · · Score: 4, Insightful

      Yes but if encryption leads people to keep records they would not have kept or destroyed otherwise it could pose a risk if its eventually cracked.

      Its like Mom always said; never write something down without expecting someone else to eventually read it. If its dangerous or hurtful information it should be destroyed. If its really important keep it in the only place its really safe your head.

      Business are keeping more and more customer information. Information is leaked all the time stored encrypted or not. Encryption is likely to give an often false impression of security. People may think they are safely storing facts that will only be available to them and their organization and customers might end up really unhappy if they discover they were wrong about that some time.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. Re:revoke isn't that big by 0xygen · · Score: 3, Insightful

    I believe they are referring to keys in situations where the keys are used to encrypt / decrypt business critical data, rather than say SSL certificates.

  4. Mission option for every security discussion by wsanders · · Score: 5, Insightful

    5) Buy our stuff!

    Really, I've never seen a setup where stealing ONE (or a few) keys could result in a situation where a whole enterprise gets shut down for ransom.

    More likely, consider the situation where only two guys have the password to the domain name registrar's account, they get laid off, and a year later some one realizes the company domain expires in two days. Before anyone figures out how to renew it, it's in the hands of a pr0n site. There's your missing/lost key scenario, happens all the time.

    --
    Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
  5. Revoking a key may be a red herring by davidwr · · Score: 3, Insightful

    Traditionally, you store the data in one place and the key in another. You may even encrypt the key with a smaller key, called a password, that is stored in someone's head.

    If someone tricks the key-checking mechanism into thinking a key is revoked, that's not a huge problem: All a revoked key means is that you may not be able to TRUST the key or the data it protects anymore. It doesn't mean you can't get at the data.

    This is no worse than if a burglar broke into the building storing your paper forms. You can no longer automatically trust that those forms weren't tampered with. You have to either re-authenticate each of them or accept the fact that they may have been altered.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  6. Game over ... by Sepiraph · · Score: 3, Insightful

    If your attacker can get a hold of your key and alter it, your system is already compromised... thus it is incorrect to claim that encryption can lead to MORE vulnerability because without it you are as good as dead.

  7. Users are always the weakest link by Psmylie · · Score: 4, Insightful
    Where I work, we have a policy to have encryption on every laptop. It has to be minimum of 8 characters and include a mix of capital and lower case, a number and one special character. Compared to every other password requirement we have, that's relatively strong.

    The problem comes in when people can't remember the encryption password. Either they lock themselves out of the laptop or they do something brilliant like write the password on a post-it and tape it to the laptop case.

    No matter what strategy you have, your own customers will find a way to mess it up.

    --

    psmylie's dictionary: Godzillion (noun) Any number large enough to destroy Tokyo

  8. Not new or groundbreaking by pedrop357 · · Score: 4, Insightful

    This is like saying that using locks on your car can leave you vulnerable. Sure, they keep casual thieves out and the newer systems keep go a long way towards preventing someone from hotwiring your car.

    BUT, a mischevious person could put epoxy in all the keyholes, essentially revoking your keys and causing a denial-of-service.

    Which is better, a small risk of being locked out of your data/car, or the larger risk of theft and/or misuse of your data/car due to lack of security?

  9. Keeping doors unlocked is better? by a1ok · · Score: 3, Insightful

    Whenever I leave my apartment, I'm always worried about losing my house keys and getting locked out. So I guess I should just never lock the door, since that makes me vulnerable to a DoS (can't get in) if I misplace my keys? Of course, this is a bad analogy as door locks aren't very secure; anyway this definition of 'vulnerability' is a bit strange :)
    Considering this warning comes from a bunch of security companies, maybe this is some new trend of disclaimers, like anti-virus vendors warning that their product can only reduce but not eliminate attacks - in case a customer is stupid and tries to blame the encryption vendor for losing their keys, they can say 'I told you so' and point to these articles :D