Encryption Could Make You More Vulnerable

narramissic writes "It sounds like a headline straight out of The Onion, but security researchers from IBM Internet Security Systems, Juniper, nCipher and elsewhere are warning that the use of data encryption could make organizations vulnerable to new risks and threats. There is potential for 'A new class of DoS attack,' says Richard Moulds, nCipher's product strategy EVP. 'If you can go in and revoke a key and then demand a ransom, it's a fantastic way of attacking a business.'"

It's not so much 'more vulnerable'

[KublaiKhan]

I'd call it 'differently vulnerable' rather than 'more vulnerable'--all things come with inherent risks, and the risks of any particular action must be weighed against the rewards thereof.

Encryption is necessary for many businesses, and if such attacks are truly a worry, they should be addressed in the same manner as any other risk.

Hmm

[moogied]

This sounds more like a problem in the encryption SYSTEM. Its kind of like saying "Encryption makes you weaker because your more likely to use passwords. Which can be brute forced!"

Re:revoke isn't that big

[0xygen]

I believe they are referring to keys in situations where the keys are used to encrypt / decrypt business critical data, rather than say SSL certificates.

Re:It's not so much 'more vulnerable'

[AndGodSed]

Yes, but splashing "MORE VULNERABLE" on a headline preys better on the fears of the uninformed than "DIFFERENTLY VULNERABLE"

We all know headlines exist solely to generate traffic...

Mission option for every security discussion

[wsanders]

5) Buy our stuff!

Really, I've never seen a setup where stealing ONE (or a few) keys could result in a situation where a whole enterprise gets shut down for ransom.

More likely, consider the situation where only two guys have the password to the domain name registrar's account, they get laid off, and a year later some one realizes the company domain expires in two days. Before anyone figures out how to renew it, it's in the hands of a pr0n site. There's your missing/lost key scenario, happens all the time.

Revoking a key may be a red herring

[davidwr]

Traditionally, you store the data in one place and the key in another. You may even encrypt the key with a smaller key, called a password, that is stored in someone's head.

If someone tricks the key-checking mechanism into thinking a key is revoked, that's not a huge problem: All a revoked key means is that you may not be able to TRUST the key or the data it protects anymore. It doesn't mean you can't get at the data.

This is no worse than if a burglar broke into the building storing your paper forms. You can no longer automatically trust that those forms weren't tampered with. You have to either re-authenticate each of them or accept the fact that they may have been altered.

So the point is?

[a-zarkon!]

If you're implementing an encryption solution and don't understand the potential impacts, you probably shouldn't be implementing encryption. Encryption is great and necessary, but in the case of things like file encryption introduces another layer of complexity and point of failure into your system. Now instead of worrying about just an unrestorable backup of the data - you need to have a restorable backup AND a key recovery/additional decryption key/key escrow solution.... And for what it's worth, I'm a lot more concerned about a user losing/forgetting a key than I am about evil hackerz ransoming my key. (Thanks for the additional FUD though, that'll make my job easier next time I need to argue for encryption)

Maybe I'm just being silly or showing my old-school mentality, but I think it's important to try to identify these types of potential "gotchas" before I click setup.exe.

Game over ...

[Sepiraph]

If your attacker can get a hold of your key and alter it, your system is already compromised... thus it is incorrect to claim that encryption can lead to MORE vulnerability because without it you are as good as dead.

Re:Hmm

[DarkOx]

Yes but if encryption leads people to keep records they would not have kept or destroyed otherwise it could pose a risk if its eventually cracked.

Its like Mom always said; never write something down without expecting someone else to eventually read it. If its dangerous or hurtful information it should be destroyed. If its really important keep it in the only place its really safe your head.

Business are keeping more and more customer information. Information is leaked all the time stored encrypted or not. Encryption is likely to give an often false impression of security. People may think they are safely storing facts that will only be available to them and their organization and customers might end up really unhappy if they discover they were wrong about that some time.

There is always a risk

[Z00L00K]

of some kind of attack regardless of your actions.

Encryption is making things harder for those that want to penetrate your business, but use it with care. Too much will do more harm than benefit. Set up boundaries in your systems and encrypt the communication. That's the reasonable way to do things.

Encryption of hard disks may be useful on laptops, but is relatively useless on stationary computers and servers, and will probably only add to the performance overhead. Just be sure that all hard disks are erased before the computers are retired and you have been saving yourself a lot of trouble.

If someone stores data encrypted anyway and the key is lost - well - tough luck unless you have a good policy where backup keys are stored in a safe place.

Only a few businesses will benefit from extreme levels of encryption, and those are mostly working in the military area. In these cases it may be better to just call it a day and consider all data where the key is missing or manhandled as compromised.

Users are always the weakest link

[Psmylie]

Where I work, we have a policy to have encryption on every laptop. It has to be minimum of 8 characters and include a mix of capital and lower case, a number and one special character. Compared to every other password requirement we have, that's relatively strong.

The problem comes in when people can't remember the encryption password. Either they lock themselves out of the laptop or they do something brilliant like write the password on a post-it and tape it to the laptop case.

No matter what strategy you have, your own customers will find a way to mess it up.

Not new or groundbreaking

[pedrop357]

This is like saying that using locks on your car can leave you vulnerable. Sure, they keep casual thieves out and the newer systems keep go a long way towards preventing someone from hotwiring your car.

BUT, a mischevious person could put epoxy in all the keyholes, essentially revoking your keys and causing a denial-of-service.

Which is better, a small risk of being locked out of your data/car, or the larger risk of theft and/or misuse of your data/car due to lack of security?

Keeping doors unlocked is better?

[a1ok]

Whenever I leave my apartment, I'm always worried about losing my house keys and getting locked out. So I guess I should just never lock the door, since that makes me vulnerable to a DoS (can't get in) if I misplace my keys? Of course, this is a bad analogy as door locks aren't very secure; anyway this definition of 'vulnerability' is a bit strange :)
Considering this warning comes from a bunch of security companies, maybe this is some new trend of disclaimers, like anti-virus vendors warning that their product can only reduce but not eliminate attacks - in case a customer is stupid and tries to blame the encryption vendor for losing their keys, they can say 'I told you so' and point to these articles :D

Re:It's not so much 'more vulnerable'

[sm62704]

Not actually having RTFM (What?) but I don't see how this makes you vulnerable at all. You have your data backed up, right? Offsite and secure? How is having your hard drive unencryptable any different than a head crash or a building fire?

And as to encrypted email, you can always send it again.

Making people fear encryption because of this verges on sociopathic. BTW, BACK UPI YOUR DATA DAMMIT

-mcgrew (not the security guy)

Re:Users are always the weakest link

[Psmylie]

Yeah, we can get them back in. Not while they're traveling, though. They're kinda out of luck until they get back into the office.

People not remembering their encryption password is by far the lesser of two evils, though. I'd rather have the data be totally inaccessible than be accessed by the wrong people.

mod parent up!

[bazorg]

+1 Cromulent!

Re:It's not so much 'more vulnerable'

[DdJ]

I'd call it 'differently vulnerable' rather than 'more vulnerable'--all things come with inherent risks, and the risks of any particular action must be weighed against the rewards thereof.

Yeup, it's almost exactly analogous to using locks in the real world. If your car does not use locks, someone can steal it. If your car does use locks, someone can steal your keys, and deny you access to your own car. Most people use keys anyway.

I agree, but...

[an.echte.trilingue]

I agree, but I would go so far as to say you are less vulnerable with encryption.

The highest level of attack that the article mentions is DOS by which attackers steal your keys and ransom them back to you. Indeed, this would be a bad day for the IT department and the affected departments of the company could lose days or even a week of productivity, which is damaging indeed.

Compare this to the risks of not running encryption. A similarly motivated and skilled attacker as discussed above could easily grab things like log ins just by monitoring your traffic. Once he finds that login with the proper credentials, not only can he execute a DOS as outlined above, but he can also potentially steal all of your client information, your internal financial information and implant rootkits on all your servers so as to be able to come back for more later. One of the best ways to lose your entire customer base is to tell them that they have to cancel their credit cards because you got their numbers stolen.

This kind of stuff has killed companies. No thanks, I'll keep my ssh and ssl.

Re:To sum up:

[Dan541]

Remember, people who really want to get at your stuff will do so no matter how smart you think your security is. Locks are just for keeping honest people away.

Sorry but thats just absurd.

There are hundreds and thousands of case's where security has stopped crimminals in their tracks. Most people cant get past a $30 lock.

~Dan