* Posts by Larry Frank

2 publicly visible posts • joined 19 Dec 2011

US cyber-army's cyber-warriors 'cyber-humiliated by cyber-civvies in cyber-games'

Larry Frank

Maybe they have the wrong concept?

The current operating concept is that to be a good defender, you need to be a good attacker. While that sounds right, I'm not sure there is any evidence it is right.

The role of defender is actually a lot more structured and a lot more disciplined than the role of an attacker, and there is little or no evidence that taking time to be trained up to do attack (as opposed to understanding how attacks are done/happen) takes away too much time from learning to configure networks, secure applications, monitor for anomalous behavior, etc.

There are so many ways to attack a network that it is very unlikely that anyone can know them all and, frankly, the attacker only needs one success while the defender can stop thousands of attacks but fails if there is one discovered vulnerability that is exploited. Spending a lot of time learning exotic attack methods won't help if the attacks are coming in on mundane paths you didn't think were important.

Security mandates aim to shore up shattered SSL system

Larry Frank
Thumb Down

Pretty weak as a standard

If this is as weak as they are prepared to go in UPGRADING the security requirement - I am afraid that we haven't seen the last of the hacks and flurry of activity related to poorly operated CA/PKI systems... Just a few thoughts - US Federal policy mandated that PKI stop issuing and relying on 1024 bit RSA in 2008. While not all comply - it would seem sensible that the new standard had set something higher than the current (fairly weak) level of security represented by RSA 1024. While they are at it - how about standards for hash algorithms? Hashing wasn't mentioned - and there are still CAs out there who use MD5 (maybe none of this crowd?). SHA-1 is rapidly becoming less trustworthy - again, US Federal requirements are pushing to SHA-2.

Worse, I noticed NO requirement for the strength of authentication by the RA to the CA - wasn't the Comodo attack because of a password the hacker found online? Wouldn't it be a good idea for a PKI to use PKI to protect itself from fraudulent approval of a certificate request by an RA? I saw nothing requiring that CAs have multi-party controls for administration. At the core of the DigiNotar hack was the architecture of the CA enclave which allowed the hacker to get into a related system and become an admin. Really too little, too late...
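Added example, not part of Larry Frank's comments or of any CA standard: a small Go audit that parses a certificate and flags the two gaps the second post raises, an RSA modulus below a policy floor and an MD5 or SHA-1 signature hash. The CA names and the self-signed test certificates are constructed for the demo, and the 2048-bit floor is an assumed policy value, not one the post states.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCert applies the two controls the post says a CA standard should mandate: an
// RSA modulus of at least minRSABits (only RSA keys are size-checked) and no MD5/SHA-1 hash.
func AuditCert(c *x509.Certificate, minRSABits int) []string {
	var problems []string
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
		problems = append(problems, fmt.Sprintf("RSA modulus is %d bits, policy requires at least %d", pub.N.BitLen(), minRSABits))
	}
	switch c.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		problems = append(problems, "signed with "+c.SignatureAlgorithm.String()+", policy requires a SHA-2 hash")
	}
	return problems // empty means the certificate passes both controls
}

// selfSigned builds a constructed self-signed test certificate (hypothetical CA name,
// freshly generated key) so the audit has real DER to parse; it is no real CA's cert.
func selfSigned(cn string, bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg, // the template decides which hash signs the cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func mustCert(c *x509.Certificate, err error) *x509.Certificate { if err != nil { panic(err) }; return c }

func main() {
	legacy := mustCert(selfSigned("legacy-ca", 1024, x509.SHA1WithRSA))   // the profile the post objects to
	modern := mustCert(selfSigned("modern-ca", 2048, x509.SHA256WithRSA)) // meets the assumed bar
	fmt.Println("legacy-ca:", AuditCert(legacy, 2048))
	fmt.Println("modern-ca:", AuditCert(modern, 2048))
}
```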