Network trust and security in doubt

Switching off the PSTN and the uncertain future of SSL certificates is creating doubt over network security and trust, cyber security expert Bill Caelli argues.

Cyber security specialist, Bill Caelli.

The decommissioning of the public switched telephone network (PSTN) across Australia over the next few years could accelerate the deterioration of one of communication technology’s most valuable assets: trust.

Speaking ahead of his presentation at the 2011 Computer Control Audit Security (CACS) conference in Brisbane, cyber security specialist, Bill Caelli, told Computerworld Australia that decommissioning the PSTN would result in faster speeds — but at the potential cost of trusted computing.

“We are about to move our total nation, through the NBN (National Broadband Network), to internet-based activity... Whereas in the past I trusted Telstra to give me a trusted connection, I now have to trust a broad range of who knows who to create the connection,” he said.

“The connection system itself has moved beyond the actual carrier to another level and we don’t know what the training, education, security and resilience of all those other internet service providers is; we don’t know how secure the DNS (domain name system) is.”

According to Caelli, the DNSSEC standard was developed to add authentication to the DNS, restoring an element of trust similar to that of the PSTN. However, the standard was ageing and had received very low levels of adoption and implementation.
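The authentication DNSSEC adds rests on a chain of trust: a parent zone publishes a DS record that commits to the digest of the child zone's DNSKEY, and a validating resolver accepts the child's key only if that digest matches. The following is an added example, not code from the article or from Caelli, showing that DS-to-DNSKEY link per RFC 4034 (owner-name canonicalisation, key tag, SHA-256 digest). The key bytes are constructed for illustration and are not a real key; the example covers only the delegation link, not RRSIG signature checking, which a full validator also performs.

```python
"""Added example: how a DNSSEC delegation links a parent zone's DS record
to a child zone's DNSKEY (RFC 4034, RFC 4509). Key material is constructed
for illustration only; RRSIG verification is out of scope here."""
import hashlib
import hmac
import struct

SHA256_DIGEST_TYPE = 2  # DS digest type 2 = SHA-256 (RFC 4509)


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    prefixed by its length byte, terminated by the root (zero-length) label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit
    algorithm number, followed by the raw public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit big-endian word sum over the
    RDATA, with the carry folded back in and truncated to 16 bits."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """Compute the DS record the parent zone would publish for this DNSKEY:
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return {
        "key_tag": key_tag(rdata),
        "algorithm": rdata[3],
        "digest_type": SHA256_DIGEST_TYPE,
        "digest": digest,
    }


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """What a validator checks: the DS obtained from the (signed) parent zone
    must match the DNSKEY served by the child. A key substituted into the
    child's answer by an attacker will not match the parent's DS."""
    if ds["digest_type"] != SHA256_DIGEST_TYPE:
        return False  # only SHA-256 DS records are handled here
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, ds["digest"])


def demo() -> tuple:
    """Genuine key validates against the parent's DS; a forged key does not."""
    owner = "example.com."
    # Constructed key bytes (flags 257 = KSK, protocol 3, algorithm 8 = RSASHA256).
    # A real record would carry a full RSA or ECDSA public key.
    genuine = dnskey_rdata(flags=257, protocol=3, algorithm=8, pubkey=b"\x00\x01")
    ds = make_ds(owner, genuine)
    # Attacker-substituted key with the same flags and algorithm.
    forged = dnskey_rdata(flags=257, protocol=3, algorithm=8, pubkey=b"\x00\x02")
    return ds_matches_dnskey(ds, owner, genuine), ds_matches_dnskey(ds, owner, forged)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The point of the check is that the DS lives in the parent zone and is itself signed by the parent's key, so an attacker who can answer queries for the child zone cannot simply hand the resolver a key of their own: the digest the parent committed to will not match. This is the "trust we are getting to the right place" that DNSSEC supplies and that an unsigned DNS does not.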

Exacerbating the issue, Caelli said, was the industry’s heavy reliance on Secure Sockets Layer (SSL) certificates to provide security. However, the security of the certificates themselves was now in doubt.

“SSL certificates themselves depend on a root certificate which can be verified and digitally signed by an issuing authority,” he said.

“But as we have seen with DigiNotar in the Netherlands, that system has been broken by hackers and they can now issue fraudulent certificates.

“The issue is that the SSL system depends upon the trustworthiness of the people who issue them ... and with a broken system we now have a real problem on our hands."

Importantly, the sheer number of certificates in circulation also meant that checking whether each one was still valid, rather than revoked, posed a massive task for browsers.

“The average browser now has one hell of a lot — a massive amount — of certificates to check whether or not they are now no longer valid,” Caelli said.

“SSL has become unwieldy. It just doesn’t scale.”

As a solution, Caelli called for accelerated use of DNSSEC to provide authentication, combined with the IPsec security capabilities embedded in Internet Protocol version 6 (IPv6).

“You combine DNS security, which gives us trust we are getting to the right place, and IPv6 with IPsec, which gives us a confidential or encrypted channel, and we start to get a solution,” he said.

“The problem is that IPv6 is hardly in existence yet.

“If nothing much is happening in safety and security, then what is the role of government? The government absolutely needs to look at it.”

Caelli also pointed to a major need for security training among senior IT practitioners around the country, arguing that the level of understanding on issues around network security was generally low.

“Cloud computing will critically depend on the naming system to get to the right ‘you’ in the cloud,” he said.

“How many CIOs would be able to do a proper risk assessment on that?

“A recent survey in America showed 50 per cent of CIOs in the Fortune 1000 didn’t have a background in IT. They are lawyers as what they are mostly doing is administering outsourcing contracts.”

Caelli also pointed to a decline in dedicated IT departments at universities and tertiary education institutions, in response to falling student enrolments, as a future network security issue.

Follow Tim Lohman on Twitter: @Tlohman