Difference between revisions of "Key Management"
From MgmtWiki
Latest revision as of 22:00, 5 September 2023
Full Title or Meme
Devices with keys in storage are lost, broken or upgraded. Users want their data (and, in some cases, money) recovered. Key Management is the typical answer.
Problems
- The Heartbleed bug shipped on March 14, 2012, but it was not publicly discovered for two years. At its core, the issue was not the bug itself, since bugs are inevitable, but the design that left private keys in the user space of the application. 9 years later, key management systems still do this and worse: they copy keys around in the clear, leaving them in environment variables and in largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure, because the way we manage keys has not fundamentally changed.
- Most Key Management schemes involve storing some recovery mechanism in the cloud. That is similar to what LastPass did for Cryptocurrency wallets. As should be expected, they were hacked.[1] "A breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults."
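The exposure described in the first problem (private keys sitting in the clear in environment variables and in un-ACLed files) is something a defender can audit for. The following is an added example, not code from the wiki page; it scans a constructed environment and a temporary directory and reports key material that is exposed. The PEM marker list and the sample key text are constructed for the demo.

```python
"""Audit for private keys left in the clear in user space.

Added example (not from the page): flags PEM private keys found in
environment variables or in files readable by group/others.
"""
import os
import re
import stat
import tempfile

# Common PEM private-key headers (constructed list; extend as needed).
PEM_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")


def env_findings(environ):
    """Names of environment variables whose value looks like a PEM private key."""
    return sorted(name for name, value in environ.items() if PEM_KEY_RE.search(value))


def file_findings(root):
    """(path, octal mode) for key files under root that are not owner-only (0600-style)."""
    loose = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4096)  # headers sit at the top of the file
            except OSError:
                continue
            if not PEM_KEY_RE.search(head.decode("ascii", errors="ignore")):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access bit set
                loose.append((path, oct(mode)))
    return sorted(loose)


def demo():
    """Constructed sample: one key in an env var, one 0644 key file, one 0600 key file."""
    fake_key = "-----BEGIN EC PRIVATE KEY-----\nMHQCAQEE...constructed...\n-----END EC PRIVATE KEY-----\n"
    env = {"PATH": "/usr/bin", "SIGNING_KEY": fake_key, "APP_ENV": "prod"}
    with tempfile.TemporaryDirectory() as root:
        bad, good = os.path.join(root, "app.key"), os.path.join(root, "ok.key")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write(fake_key)
        os.chmod(bad, 0o644)  # world-readable: the un-ACLed case the page describes
        os.chmod(good, 0o600)  # owner-only: not reported
        return env_findings(env), [os.path.basename(p) for p, _ in file_findings(root)]


if __name__ == "__main__":
    print(demo())  # → (['SIGNING_KEY'], ['app.key'])
```

Run it against a real shell environment with `env_findings(dict(os.environ))` and a real home directory with `file_findings(os.path.expanduser("~"))`; anything it reports is key material a single process-level bug could leak.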
References
- ↑ Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/