DoD urges less network anonymity, more PKI use

By Robert Westervelt, News Editor
30 Jul 2009 | SearchSecurity.com

LAS VEGAS -- The age of network anonymity may be coming to a close, according to a top defense official charged with cybersecurity.

The United States needs to be more agile in defending against attacks from cybercriminals who are constantly infiltrating domestic networks, said Robert Lentz, CISO at the U.S. Department of Defense, during a keynote address to Black Hat USA 2009 attendees.

"One of the top challenges is strengthening our network underpinnings," Lentz said. "We have shifted radically from government-built services and capabilities to commercial services and capabilities."

With one of the largest public key infrastructure (PKI) networks in the world, Lentz acknowledged some significant challenges with the technology, including ease-of-use issues and PKI vulnerabilities. He nevertheless called for embracing the technology to "drive anonymity out of the network as much as possible." PKI drives anonymity out of networks because it requires digital certificates to verify the identity of people on a network.

Lentz referred to a presentation given Tuesday by noted network security researcher Dan Kaminsky of IOActive, who demonstrated vulnerabilities in the X.509 cryptography found in public key infrastructures (PKI). Kaminsky also reviewed the continued use of faulty hash algorithms by certificate authorities. He revealed that through a simple alteration of the common name in an X.509 certificate, an attacker could trick the certificate authority into certifying the legitimacy of a malicious site.

Lentz reiterated a call from government officials for public-private cooperation to share research and defend against cyberattacks. "This is truly an important time for all of us in the security profession," Lentz said. "We have to accomplish a shift to get to a resilient cyber-ecosystem … We need all of you in this room to partner together as a nation and with our international allies to make this shift happen."

He also spoke of the need to deploy DNSSEC, a suite of specifications that use public key cryptography to digitally sign responses to DNS lookups, to better secure the Internet domain naming system. He also reaffirmed the federal government's commitment to support the transition from IPv4 to IPv6.

"For us in the DoD, the race is real and daunting, and we have a lot of significant challenges in front of us," Lentz said.

Lentz said the government continues its research into attack surfaces to produce an agile, dynamic defense capable not only of detecting attacks but also of taking a proactive role in preventing future attacks against government infrastructure before they happen. While virtualization technologies represent a technical challenge for the government, they also open opportunities for the government to manage attack surfaces appropriately.

"It's all threaded in this area of driving anonymity out of network," Lentz said.
