
Comment by affinepplan

2 years ago

it's in the national security interest of the United States to have its industries use high-quality crypto

see: colonial oil pipeline hack

It's in the national security interest of the United States to have its industries use robust security practices.

Industries with secure fences that are regularly patrolled are entirely different from industries with partial coverage by unpatrolled rusty fences and a freestanding door frame that has a titanium unpickable lock.

Passwords get compromised; that's a fact.

How the single employee password that got breached was obtained is still (AFAIK) a mystery - but this will always happen ... given many employees, at least one will eventually make a mistake.

After that, the VPN had no multifactor authentication, the network had no internal honey subnets, canary accounts, sanity checks, etc.

High-quality crypto alone does not make for secure systems.

And systems can be secure with lower quality crypto if the systems are robust.

I feel that example argues the opposite.

It's not entirely known how every step of that attack went down, but "breaking low quality crypto" hasn't factored into any incident write up I've ever seen.

However, nearly all ransomware uses RSA. Therefore in this particular case, high quality crypto caused harm.

(To state the obvious, I'm not advocating for bad crypto, just discussing this case).
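The thread above mentions canary accounts and VPN logins without multifactor authentication as the kind of "robust system" controls that matter more than the strength of the crypto. The following is an added example, not code from any commenter or from an incident write-up, showing what a minimal detector for those two conditions looks like when run over authentication log lines. The log format, the field names (`user=`, `result=`, `mfa=`, `ip=`), the canary account names and the sample lines are all constructed for this illustration; a real deployment would parse whatever the VPN concentrator and directory actually emit.

```python
import re
from dataclasses import dataclass

# Constructed canary (honey) account names. These accounts exist only to be
# noticed by an intruder; no legitimate process ever authenticates with them,
# so any attempt, successful or failed, is worth an alert.
CANARY_ACCOUNTS = {"svc-backup-legacy", "jdoe-old"}

# Constructed log line format assumed for this example:
#   <timestamp> <source> user=<name> result=<success|fail> mfa=<yes|no> ip=<addr>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>vpn|ad) user=(?P<user>\S+) "
    r"result=(?P<result>success|fail) mfa=(?P<mfa>yes|no) ip=(?P<ip>\S+)$"
)

REASON_CANARY = "canary account used"
REASON_NO_MFA = "VPN login succeeded without MFA"

# Constructed sample log (RFC 5737 documentation addresses, made-up names).
SAMPLE_LOG = """\
2024-01-01T01:12:03Z vpn user=alice result=success mfa=yes ip=203.0.113.10
2024-01-01T01:15:44Z vpn user=bob result=success mfa=no ip=198.51.100.7
2024-01-01T01:16:02Z ad user=svc-backup-legacy result=fail mfa=no ip=10.0.5.23
2024-01-01T01:16:09Z ad user=svc-backup-legacy result=success mfa=no ip=10.0.5.23
2024-01-01T01:20:00Z vpn user=carol result=fail mfa=no ip=203.0.113.99
this line is deliberately malformed
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    ip: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, canaries=frozenset(CANARY_ACCOUNTS)):
    """Scan log lines and return (alerts, unparsed_count).

    Two rules are applied:
      1. Any authentication event naming a canary account is an alert,
         regardless of whether it succeeded.
      2. A successful VPN login with mfa=no is an alert, because the VPN
         should never admit a password-only session.
    """
    alerts = []
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a count so parser drift is visible
            continue
        if rec["user"] in canaries:
            alerts.append(Alert(rec["ts"], rec["user"], rec["ip"], REASON_CANARY))
        if rec["src"] == "vpn" and rec["result"] == "success" and rec["mfa"] == "no":
            alerts.append(Alert(rec["ts"], rec["user"], rec["ip"], REASON_NO_MFA))
    return alerts, unparsed


def count_by_reason(alerts):
    """Summarise a list of alerts as {reason: count}."""
    counts = {}
    for a in alerts:
        counts[a.reason] = counts.get(a.reason, 0) + 1
    return counts


if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts} {a.user:20s} {a.ip:15s} {a.reason}")
    print(f"unparsed lines: {bad}")
```

The point of the two rules is that neither depends on breaking or inspecting any cryptography: a canary account hit and a password-only VPN session are both visible in ordinary authentication logs, which is exactly the kind of "regularly patrolled fence" the comment contrasts with an unpickable lock on a freestanding door frame.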