Difference between revisions of "Key Management"
From MgmtWiki
Revision as of 21:57, 5 September 2023
Full Title or Meme
Problems
- The Heartbleed bug shipped on March 14, 2012, and was not publicly discovered for two years. At its core, the issue was not the bug itself, as bugs are inevitable, but rather the design that left private keys in the user space of the application. 9 years later, key management systems do this and worse. They copy keys around in the clear, leaving them in environment variables and in largely un-ACLed files stored in user space. Essentially, we are just one bug away from another Heartbleed-like exposure, because the way we manage keys has not fundamentally changed.
- Most Key Management schemes involve storing some recovery mechanism in the cloud. That is similar to what LastPass did for Cryptocurrency wallets. As should be expected, they were hacked.[1] "A breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults."
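As an added example (not MgmtWiki's own code), a small audit that flags the two anti-patterns the first bullet names: PEM private keys sitting in environment variables, and key files whose permissions let other users read them. The function names, the 0600 file-mode rule and the key text it scans are constructed for this illustration.

```python
import os
import re
import stat
import tempfile

# Header of any PEM-encoded private key (RSA, EC, PKCS#8, OpenSSH all match).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

def env_findings(environ):
    """Names of environment variables whose value holds PEM key material.
    Every child process inherits the environment, and it leaks into crash
    dumps and diagnostics, so a key here is effectively stored in the clear."""
    return sorted(n for n, v in environ.items() if PEM_PRIVATE_KEY.search(v))

def file_findings(paths):
    """(path, problem) pairs for PEM key files that group or other can access.
    A private key file should be mode 0600: readable and writable by its owner only."""
    findings = []
    for path in paths:
        try:
            with open(path, "r", errors="ignore") as fh:
                head = fh.read(4096)
        except OSError:
            continue  # unreadable to us: not a key this account can leak
        if not PEM_PRIVATE_KEY.search(head):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, "group/other access, mode %04o" % mode))
    return findings

def demo():
    """Constructed scenario: a key in the environment, one key file left
    world-readable, one locked down to 0600. Returns what the audit flagged."""
    fake_key = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "MIIEconstructedNotARealKey\n"  # constructed placeholder, not key material
                "-----END RSA PRIVATE KEY-----\n")
    environ = {"PATH": "/usr/bin", "SIGNING_KEY": fake_key}
    with tempfile.TemporaryDirectory() as tmp:
        loose, locked = os.path.join(tmp, "loose.pem"), os.path.join(tmp, "locked.pem")
        for path, mode in ((loose, 0o644), (locked, 0o600)):
            with open(path, "w") as fh:
                fh.write(fake_key)
            os.chmod(path, mode)
        flagged = [os.path.basename(p) for p, _ in file_findings([loose, locked])]
    return {"env": env_findings(environ), "files": flagged}
```

Run against a real process with `os.environ` and a list of candidate key paths; anything it returns is key material that one bug in a co-resident process or a misconfigured service could read.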
References
- ↑ Brian Krebs, Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (2023-09-05) https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/