So secure that it's insecure

A few months ago, Jeremiah Grossman, WhiteHatSec CEO, gave a detailed account of the efforts he had to go through to get access to his encrypted disk image.  He had forgotten his password.

Luckily, it all worked out in the end. With the help of very smart people, he managed to retrieve the password.

So we know the encrypted disk image was very secure since even he could not access it.

But was it secure?

Let's start with two definitions from ISO 27000:2012

Availability:
property of being accessible and usable upon demand by an authorized entity.

Information Security:
preservation of confidentiality (2.13), integrity (2.36) and availability (2.10) of information

The definitions show us that "availability" is an important aspect of information security. The data must be "available on demand". In this case, the data was clearly not available on demand. Therefore the preservation of availability was not achieved. This means that an information security "event" occurred.

The  encrypted disk image was so secure that it was insecure. The ultimate insider attack.

Agreed, the logic outlined above is a bit contorted, but you get the idea.

Most people think about security in terms of confidentiality - the system was "hacked". However, don't forget that availability is the third leg of the information security triad:

• confidentiality
• integrity
• availability

For a system to be secure, it must preserve all three properties.

Useful Links

• ISO/IEC 27000:2012 (Free) 
• WhiteHatSec blog:Password Cracking AES-256 DMGs and Epic Self-Pwnage

Social: del.icio.us DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot